{"openapi":"3.0.3","info":{"contact":{"name":"Kibana Team"},"description":"The Kibana REST APIs enable you to manage resources such as connectors, data views, and saved objects.\nThe API calls are stateless.\nEach request that you make happens in isolation from other calls and must include all of the necessary information for Kibana to fulfill the\nrequest.\nAPI requests return JSON output, which is a format that is machine-readable and works well for automation.\n\nTo interact with Kibana APIs, use the following operations:\n\n- GET: Fetches the information.\n- PATCH: Applies partial modifications to the existing information.\n- POST: Adds new information.\n- PUT: Updates the existing information.\n- DELETE: Removes the information.\n\nYou can prepend any Kibana API endpoint with `kbn:` and run the request in **Dev Tools → Console**.\nFor example:\n\n```\nGET kbn:/api/data_views\n```\n\nFor more information about the console, refer to [Run API requests](https://www.elastic.co/docs/explore-analyze/query-filter/tools/console).\n\nNOTE: Access to internal Kibana API endpoints will be restricted in Kibana version 9.0. Please move any integrations to publicly documented APIs.\n\n## Documentation source and versions\n\nThis documentation is derived from the `9.3` branch of the [kibana](https://github.com/elastic/kibana) repository.\nIt is provided under license [Attribution-NonCommercial-NoDerivatives 4.0 International](https://creativecommons.org/licenses/by-nc-nd/4.0/).\n\nThis documentation contains work-in-progress information for future Elastic Stack releases.\n","title":"Kibana APIs","version":"","x-doc-license":{"name":"Attribution-NonCommercial-NoDerivatives 4.0 International","url":"https://creativecommons.org/licenses/by-nc-nd/4.0/"},"x-feedbackLink":{"label":"Feedback","url":"https://github.com/elastic/docs-content/issues/new?assignees=\u0026labels=feedback%2Ccommunity\u0026projects=\u0026template=api-feedback.yaml\u0026title=%5BFeedback%5D%3A+"}},"servers":[{"url":"https://{kibana_url}","variables":{"kibana_url":{"default":"localhost:5601"}}}],"security":[{"apiKeyAuth":[]},{"basicAuth":[]}],"tags":[{"name":"agent builder","description":"Agent Builder is a set of AI-powered capabilities for developing and interacting with agents that work with your Elasticsearch data.\nMost users will probably want to integrate with Agent Builder using MCP or A2A, but you can also work programmatically with tools, agents, and conversations using these Kibana APIs.\n**Elastic Agent Builder requires an Enterprise subscription.**\n","externalDocs":{"description":"Agent Builder docs","url":"https://www.elastic.co/docs/solutions/search/agent-builder/programmatic-access"},"x-displayName":"Agent Builder"},{"name":"alerting","description":"Alerting enables you to define rules, which detect complex conditions within your data. When a condition is met, the rule tracks it as an alert and runs the actions that are defined in the rule. Actions typically involve the use of connectors to interact with Kibana services or third party integrations.\n","externalDocs":{"description":"Alerting documentation","url":"https://www.elastic.co/docs/explore-analyze/alerts-cases/alerts"},"x-displayName":"Alerting"},{"description":"Adjust APM agent configuration without need to redeploy your application.\n","name":"APM agent configuration"},{"description":"Configure APM agent keys to authorize requests from APM agents to the APM Server.\n","name":"APM agent keys"},{"description":"Annotate visualizations in the APM app with significant events. Annotations enable you to easily see how events are impacting the performance of your applications.\n","name":"APM annotations"},{"description":"Create APM fleet server schema.","name":"APM server schema"},{"description":"Configure APM source maps. A source map allows minified files to be mapped back to original source code--allowing you to maintain the speed advantage of minified code, without losing the ability to quickly and easily debug your application.\nFor best results, uploading source maps should become a part of your deployment procedure, and not something you only do when you see unhelpful errors. That's because uploading source maps after errors happen won't make old errors magically readable--errors must occur again for source mapping to occur.\n","name":"APM sourcemaps"},{"description":"Cases are used to open and track issues. You can add assignees and tags to your cases, set their severity and status, and add alerts, comments, and visualizations. You can also send cases to external incident management systems by configuring connectors.\n","name":"cases","externalDocs":{"description":"Cases documentation","url":"https://www.elastic.co/docs/explore-analyze/alerts-cases/cases"},"x-displayName":"Cases"},{"name":"connectors","description":"Connectors provide a central place to store connection information for services and integrations with Elastic or third party systems. Alerting rules can use connectors to run actions when rule conditions are met.\n","externalDocs":{"description":"Connector documentation","url":"https://www.elastic.co/docs/reference/kibana/connectors-kibana"},"x-displayName":"Connectors"},{"name":"Data streams","description":"Data stream APIs enable you to manage data streams, which are collections of indices that share the same index template and are managed as a single unit for time-series data.\n","x-displayName":"Data streams"},{"description":"Data view APIs enable you to manage data views, formerly known as Kibana index patterns.","name":"data views","x-displayName":"Data views"},{"name":"Elastic Agent actions","description":"Elastic Agent actions APIs enable you to manage actions performed on Elastic Agents, including agent reassignment, diagnostics collection, enrollment management, upgrades, and bulk operations for agent lifecycle management.\n","x-displayName":"Elastic Agent actions"},{"name":"Elastic Agent binary download sources","description":"Elastic Agent binary download sources APIs enable you to manage download sources for Elastic Agent binaries, including creating, updating, and deleting custom download sources for agent binaries.\n","x-displayName":"Elastic Agent binary download sources"},{"name":"Elastic Agent policies","description":"Elastic Agent policies APIs enable you to manage agent policies, including creating, updating, and deleting policies, as well as to retrieve agent policy outputs, manifests, and auto-upgrade status information.\n","x-displayName":"Elastic Agent policies"},{"name":"Elastic Agent status","description":"Enables you to retrieve status information about Elastic Agents, including health summaries and operational status.\n","x-displayName":"Elastic Agent status"},{"name":"Elastic Agents","description":"Elastic Agents APIs enable you to manage Elastic Agents, including retrieving agent information, managing agent lifecycle, handling file uploads, and initiating agent setup.\n","x-displayName":"Elastic Agents"},{"name":"Elastic Package Manager (EPM)","description":"Elastic Package Manager (EPM) APIs enable you to manage packages and integrations, including installing, updating, and uninstalling packages, managing custom integrations, and handling package assets.\n","x-displayName":"Elastic Package Manager (EPM)"},{"name":"Fleet agentless policies"},{"name":"Fleet cloud connectors","description":"Fleet cloud connectors APIs enable you to manage Fleet cloud connectors, including creating, updating, and deleting cloud connector configurations for Fleet integrations.\n","x-displayName":"Fleet cloud connectors"},{"name":"Fleet enrollment API keys","description":"Fleet enrollment API keys APIs enable you to manage enrollment API keys for Fleet, including creating, retrieving, and revoking API keys used for agent enrollment.\n","x-displayName":"Fleet enrollment API keys"},{"name":"Fleet internals","description":"Fleet internals APIs enable you to manage Fleet internal operations, including checking permissions, monitoring Fleet Server health, managing settings, and initiating Fleet setup.\n","x-displayName":"Fleet internals"},{"name":"Fleet outputs","description":"Fleet outputs APIs enable you to manage Fleet outputs, including creating, updating, and deleting output configurations, generating Logstash API keys, and monitoring output health.\n","x-displayName":"Fleet outputs"},{"name":"Fleet package policies","description":"Fleet package policies APIs enable you to manage Fleet package policies, including creating, updating, and deleting policies, performing bulk operations, and managing policy upgrades.\n","x-displayName":"Fleet package policies"},{"name":"Fleet proxies","description":"Fleet proxies APIs enable you to manage Fleet proxies, including creating, updating, and deleting proxy configurations for Fleet agent communication.\n","x-displayName":"Fleet proxies"},{"name":"Fleet remote synced integrations","description":"Use the Fleet remote synced integrations API to check the status of the automatic integrations synchronization on a remote cluster:\n* Use the `/api/fleet/remote_synced_integrations/{outputId}/remote_status` endpoint on the management cluster to query the synchronization status of the integrations installed on the remote cluster by the ID of the configured remote Elasticsearch output.\n* Use the `/api/fleet/remote_synced_integrations/status` endpoint on the remote cluster to query the synchronization status of the installed integrations.\n","externalDocs":{"description":"Automatic integrations synchronization documentation","url":"https://www.elastic.co/docs/reference/fleet/automatic-integrations-synchronization"}},{"name":"Fleet Server hosts","description":"Fleet Server hosts APIs enable you to manage Fleet Server hosts, including creating, updating, and deleting Fleet Server host configurations.\n","x-displayName":"Fleet Server hosts"},{"name":"Fleet service tokens","description":"Enables you to create tokens for Fleet service authentication and authorization.\n","x-displayName":"Fleet service tokens"},{"name":"Fleet uninstall tokens","description":"Fleet uninstall tokens APIs enable you to manage Fleet uninstall tokens, including retrieving metadata and decrypted tokens for agent uninstallation.\n","x-displayName":"Fleet uninstall tokens"},{"description":"Programmatically integrate with Logstash configuration management.\n\u003e warn\n\u003e Do not directly access the `.logstash` index. The structure of the `.logstash` index is subject to change, which could cause your integration to break. Instead, use the Logstash configuration management APIs.\n","externalDocs":{"description":"Centralized pipeline management","url":"https://www.elastic.co/docs/reference/logstash/logstash-centralized-pipeline-management"},"name":"logstash","x-displayName":"Logstash configuration management"},{"name":"maintenance-window","description":"You can schedule single or recurring maintenance windows to temporarily reduce rule notifications. For example, a maintenance window prevents false alarms during planned outages.\n","externalDocs":{"description":"Maintenance window documentation","url":"https://www.elastic.co/docs/explore-analyze/alerts-cases/alerts/maintenance-windows"},"x-displayName":"Maintenance windows"},{"name":"Message Signing Service","description":"Enables you to rotate message signing key pairs for secure Fleet communication.\n","x-displayName":"Fleet Message Signing Service"},{"description":"Enables you to synchronize machine learning saved objects.\n","name":"ml","x-displayName":"Machine learning"},{"description":"Interact with the Observability AI Assistant resources.","externalDocs":{"description":"Observability AI Assistant","url":"https://www.elastic.co/docs/solutions/observability/observability-ai-assistant"},"name":"observability_ai_assistant","x-displayName":"Observability AI Assistant"},{"name":"roles","x-displayName":"Roles","description":"Manage the roles that grant Elasticsearch and Kibana privileges.","externalDocs":{"description":"Kibana role management","url":"https://www.elastic.co/docs/deploy-manage/users-roles/cluster-or-deployment-auth/defining-roles"}},{"name":"saved objects","x-displayName":"Saved objects","description":"Export sets of saved objects that you want to import into Kibana, resolve import errors, and rotate an encryption key for encrypted saved objects with the saved objects APIs.\n\nTo manage a specific type of saved object, use the corresponding APIs.\nFor example, use:\n\n* [Data views](../group/endpoint-data-views)\n* [Spaces](../group/endpoint-spaces)\n* [Short URLs](../group/endpoint-short-url)\n\nWarning: Do not write documents directly to the `.kibana` index. When you write directly to the `.kibana` index, the data becomes corrupted and permanently breaks future Kibana versions.\n"},{"description":"Manage and interact with Security Assistant resources.","name":"Security AI Assistant API","x-displayName":"Security AI assistant"},{"description":"Use the Attack discovery APIs to generate and manage Attack discoveries. Attack Discovery leverages large language models (LLMs) to analyze alerts in your environment and identify threats. Each \"discovery\" represents a potential attack and describes relationships among multiple alerts to tell you which users and hosts are involved, how alerts correspond to the MITRE ATT\u0026CK matrix, and which threat actor might be responsible.","name":"Security Attack discovery API","x-displayName":"Security Attack discovery"},{"description":"Use the detections APIs to create and manage detection rules. Detection rules search events and external alerts sent to Elastic Security and generate detection alerts from any hits. Alerts are displayed on the **Alerts** page and can be assigned and triaged, using the alert status to mark them as open, closed, or acknowledged.\n\nThis API supports both key-based authentication and basic authentication.\n\nTo use key-based authentication, create an API key, then specify the key in the header of your API calls.\n\nTo use basic authentication, provide a username and password; this automatically creates an API key that matches the current user’s privileges.\n\nIn both cases, the API key is subsequently used for authorization when the rule runs.\n\u003e warn\n\u003e If the API key used for authorization has different privileges than the key that created or most recently updated a rule, the rule behavior might change.\n\n\u003e If the API key that created a rule is deleted, or the user that created the rule becomes inactive, the rule will stop running.\n\nTo create and run rules, the user must meet specific requirements for the Kibana space. Refer to the [Detections requirements](https://www.elastic.co/guide/en/security/current/detections-permissions-section.html) for a complete list of requirements.\n","name":"Security Detections API","x-displayName":"Security detections"},{"description":"Endpoint Exceptions API allows you to manage detection rule endpoint exceptions to prevent a rule from generating an alert from incoming events even when the rule's other criteria are met.","name":"Security Endpoint Exceptions API","x-displayName":"Security Elastic Endpoint exceptions"},{"description":"Interact with and manage endpoints running the Elastic Defend integration.","name":"Security Endpoint Management API","x-displayName":"Security endpoint management"},{"description":"Use the Security entity analytics APIs to manage entity analytics and risk scoring, including asset criticality, privileged user monitoring, and entity engines.\n","name":"Security Entity Analytics API","x-displayName":"Security entity analytics"},{"description":"Exceptions are associated with detection and endpoint rules, and are used to prevent a rule from generating an alert from incoming events, even when the rule's other criteria are met. They can help reduce the number of false positives and prevent trusted processes and network activity from generating unnecessary alerts.\n\nExceptions are made up of:\n\n* **Exception containers**: A container for related exceptions. Generally, a single exception container contains all the exception items relevant for a subset of rules. For example, a container can be used to group together network-related exceptions that are relevant for a large number of network rules. The container can then be associated with all the relevant rules.\n* **Exception items**: The query (fields, values, and logic) used to prevent rules from generating alerts. When an exception item's query evaluates to `true`, the rule does not generate an alert.\n\nFor detection rules, you can also use lists to define rule exceptions. A list holds multiple values of the same Elasticsearch data type, such as IP addresses. These values are used to determine when an exception prevents an alert from being generated.\n\u003e info\n\u003e You cannot use lists with endpoint rule exceptions.\n\n\u003e info\n\u003e Only exception containers can be associated with rules. You cannot directly associate an exception item or a list container with a rule. To use list exceptions, create an exception item that references the relevant list container.\n\n## Exceptions requirements\n\nBefore you can start working with exceptions that use value lists, you must create the `.lists` and `.items` data streams for the relevant Kibana space. To do this, use the [Create list data streams](../operation/operation-createlistindex) endpoint. Once these data streams are created, your role needs privileges to manage rules. For a complete list of requirements, refer to [Enable and access detections](https://www.elastic.co/guide/en/security/current/detections-permissions-section.html#enable-detections-ui).\n","name":"Security Exceptions API","x-displayName":"Security exceptions"},{"description":"Lists can be used with detection rule exceptions to define values that prevent a rule from generating alerts.\n\nLists are made up of:\n\n* **List containers**: A container for values of the same Elasticsearch data type. The following data types can be used:\n    * `boolean`\n    * `byte`\n    * `date`\n    * `date_nanos`\n    * `date_range`\n    * `double`\n    * `double_range`\n    * `float`\n    * `float_range`\n    * `half_float`\n    * `integer`\n    * `integer_range`\n    * `ip`\n    * `ip_range`\n    * `keyword`\n    * `long`\n    * `long_range`\n    * `short`\n    * `text`\n* **List items**: The values used to determine whether the exception prevents an alert from being generated.\n\nAll list items in the same list container must be of the same data type, and each item defines a single value. For example, an IP list container named `internal-ip-addresses-southport` contains five items, where each item defines one internal IP address:\n1. `192.168.1.1`\n2. `192.168.1.3`\n3. `192.168.1.18`\n4. `192.168.1.12`\n5. `192.168.1.7`\n\nTo use these IP addresses as values for defining rule exceptions, use the Security exceptions API to [create an exception list item](../operation/operation-createexceptionlistitem) that references the `internal-ip-addresses-southport` list.\n\u003e info\n\u003e Lists cannot be added directly to rules, nor do they define the operators used to determine when exceptions are applied (`is in list`, `is not in list`). Use an exception item to define the operator and associate it with an [exception container](../operation/operation-createexceptionlist). You can then add the exception container to a rule's `exceptions_list` object.\n\n## Lists requirements\n\nBefore you can start using lists, you must create the `.lists` and `.items` data streams for the relevant Kibana space. To do this, use the [Create list data streams](../operation/operation-createlistindex) endpoint. Once these data streams are created, your role needs privileges to manage rules. Refer to [Enable and access detections](https://www.elastic.co/guide/en/security/current/detections-permissions-section.html#enable-detections-ui) for a complete list of requirements.\n","name":"Security Lists API","x-displayName":"Security lists"},{"description":"Run live queries, manage packs and saved queries.","name":"Security Osquery API","x-displayName":"Security Osquery"},{"description":"You can create Timelines and Timeline templates via the API, as well as import new Timelines from an ndjson file.","name":"Security Timeline API","x-displayName":"Security timeline"},{"description":"Manage Kibana short URLs.","name":"short url","x-displayName":"Short URLs"},{"description":"SLO APIs enable you to define, manage and track service-level objectives","name":"slo","x-displayName":"Service level objectives"},{"name":"spaces","x-displayName":"Spaces","description":"Manage your Kibana spaces.","externalDocs":{"url":"https://www.elastic.co/docs/deploy-manage/manage-spaces","description":"Space overview"}},{"name":"streams","description":"Streams is a new and experimental way to manage your data in Kibana (currently experimental - expect changes).\n","x-displayName":"Streams"},{"name":"synthetics","x-displayName":"Synthetics","description":"Synthetics APIs enable you to check the status of your services and applications.","externalDocs":{"description":"Synthetic monitoring","url":"https://www.elastic.co/docs/solutions/observability/synthetics"}},{"name":"system","x-displayName":"System","description":"Get information about the system status, resource usage, features, and installed plugins.\n"},{"description":"Get information about the system status, resource usage, features, and installed plugins.\n","name":"system","x-displayName":"System"},{"description":"Task manager APIs enable you to check the health of the Kibana task manager, which is used by features such as alerting, actions, and reporting to run mission critical work as persistent background tasks.","externalDocs":{"description":"Task manager","url":"https://www.elastic.co/docs/deploy-manage/distributed-architecture/kibana-tasks-management"},"name":"task manager","x-displayName":"Task manager"},{"description":"The Kibana Upgrade Assistant API helps you prepare for the next major Elasticsearch release.\n\u003e warn\n\u003e This is a Kibana REST API (not an Elasticsearch API) and requests must target your Kibana URL:\n\u003e * Self-managed URL pattern: `https://localhost:5601`\n\u003e * Elastic Cloud URL pattern: `https://your-deployment.kb.us-east-1.aws.elastic.cloud:9243`\n","name":"upgrade","x-displayName":"Upgrade assistant"},{"description":"Uptime APIs enable you to view and update uptime monitoring settings.","externalDocs":{"description":"Uptime monitoring","url":"https://www.elastic.co/docs/solutions/observability/uptime"},"name":"uptime","x-displayName":"Uptime"},{"name":"user session","x-displayName":"User session management","description":"Enables you to invalidate user sessions for security and session management purposes.\n"}],"paths":{"/api/actions/connector_types":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/actions/connector_types\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nYou do not need any Kibana feature privileges to run this API.","operationId":"get-actions-connector-types","parameters":[{"description":"A filter to limit the retrieved connector types to those that support a specific feature (such as alerting or cases).","in":"query","name":"feature_id","required":false,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"items":{"additionalProperties":false,"type":"object","properties":{"allow_multiple_system_actions":{"description":"Indicates whether multiple instances of the same system action connector can be used in a single rule.","type":"boolean"},"enabled":{"description":"Indicates whether the connector is enabled.","type":"boolean"},"enabled_in_config":{"description":"Indicates whether the connector is enabled in the Kibana configuration.","type":"boolean"},"enabled_in_license":{"description":"Indicates whether the connector is enabled through the license.","type":"boolean"},"id":{"description":"The identifier for the connector.","type":"string"},"is_deprecated":{"description":"Indicates whether the connector type is deprecated.","type":"boolean"},"is_system_action_type":{"description":"Indicates whether the action is a system action.","type":"boolean"},"minimum_license_required":{"description":"The minimum license required to enable the connector.","enum":["basic","standard","gold","platinum","enterprise","trial"],"type":"string"},"name":{"description":"The name of the connector type.","type":"string"},"source":{"description":"The source of the connector type definition.","enum":["yml","spec","stack"],"type":"string"},"sub_feature":{"description":"Indicates the sub-feature type the connector is grouped under.","enum":["endpointSecurity"],"type":"string"},"supported_feature_ids":{"description":"The list of supported features","items":{"type":"string"},"type":"array"}},"required":["id","name","enabled","enabled_in_config","enabled_in_license","minimum_license_required","supported_feature_ids","is_system_action_type","is_deprecated","source"]},"type":"array"},"examples":{"getConnectorTypesServerlessResponse":{"$ref":"#/components/examples/get_connector_types_generativeai_response"}}}},"description":"Indicates a successful call."},"403":{"description":"Indicates that this call is forbidden."}},"summary":"Get connector types","tags":["connectors"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/actions/connector/{id}":{"delete":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb delete\"\u003edelete\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/actions/connector/{id}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nWARNING: When you delete a connector, it cannot be recovered.","operationId":"delete-actions-connector-id","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"An identifier for the connector.","in":"path","name":"id","required":true,"schema":{"type":"string"}}],"responses":{"204":{"description":"Indicates a successful call."},"403":{"description":"Indicates that this call is forbidden."}},"summary":"Delete a connector","tags":["connectors"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"get":{"operationId":"get-actions-connector-id","parameters":[{"description":"An identifier for the connector.","in":"path","name":"id","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"config":{"additionalProperties":{},"type":"object"},"connector_type_id":{"description":"The connector type identifier.","type":"string"},"id":{"description":"The identifier for the connector.","type":"string"},"is_connector_type_deprecated":{"description":"Indicates whether the connector type is deprecated.","type":"boolean"},"is_deprecated":{"description":"Indicates whether the connector is deprecated.","type":"boolean"},"is_missing_secrets":{"description":"Indicates whether the connector is missing secrets.","type":"boolean"},"is_preconfigured":{"description":"Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. ","type":"boolean"},"is_system_action":{"description":"Indicates whether the connector is used for system actions.","type":"boolean"},"name":{"description":" The name of the connector.","type":"string"}},"required":["id","name","connector_type_id","is_preconfigured","is_deprecated","is_system_action","is_connector_type_deprecated"]},"examples":{"getConnectorResponse":{"$ref":"#/components/examples/get_connector_response"}}}},"description":"Indicates a successful call."},"403":{"description":"Indicates that this call is forbidden."}},"summary":"Get connector information","tags":["connectors"],"x-metaTags":[{"content":"Kibana","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/actions/connector/{id}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information."},"post":{"operationId":"post-actions-connector-id","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"An identifier for the connector.","in":"path","name":"id","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"connector_type_id":{"description":"The type of connector.","type":"string"},"name":{"description":"The display name for the connector.","type":"string"},"config":{"additionalProperties":{},"default":{},"description":"The connector configuration details.","oneOf":[{"$ref":"#/components/schemas/bedrock_config"},{"$ref":"#/components/schemas/crowdstrike_config"},{"$ref":"#/components/schemas/d3security_config"},{"$ref":"#/components/schemas/email_config"},{"$ref":"#/components/schemas/gemini_config"},{"$ref":"#/components/schemas/resilient_config"},{"$ref":"#/components/schemas/index_config"},{"$ref":"#/components/schemas/jira_config"},{"$ref":"#/components/schemas/genai_azure_config"},{"$ref":"#/components/schemas/genai_openai_config"},{"$ref":"#/components/schemas/genai_openai_other_config"},{"$ref":"#/components/schemas/opsgenie_config"},{"$ref":"#/components/schemas/pagerduty_config"},{"$ref":"#/components/schemas/sentinelone_config"},{"$ref":"#/components/schemas/servicenow_config"},{"$ref":"#/components/schemas/servicenow_itom_config"},{"$ref":"#/components/schemas/slack_api_config"},{"$ref":"#/components/schemas/swimlane_config"},{"$ref":"#/components/schemas/thehive_config"},{"$ref":"#/components/schemas/tines_config"},{"$ref":"#/components/schemas/torq_config"},{"$ref":"#/components/schemas/webhook_config"},{"$ref":"#/components/schemas/cases_webhook_config"},{"$ref":"#/components/schemas/xmatters_config"}]},"secrets":{"additionalProperties":{},"default":{},"oneOf":[{"$ref":"#/components/schemas/bedrock_secrets"},{"$ref":"#/components/schemas/crowdstrike_secrets"},{"$ref":"#/components/schemas/d3security_secrets"},{"$ref":"#/components/schemas/email_secrets"},{"$ref":"#/components/schemas/gemini_secrets"},{"$ref":"#/components/schemas/resilient_secrets"},{"$ref":"#/components/schemas/jira_secrets"},{"$ref":"#/components/schemas/defender_secrets"},{"$ref":"#/components/schemas/teams_secrets"},{"$ref":"#/components/schemas/genai_secrets"},{"$ref":"#/components/schemas/opsgenie_secrets"},{"$ref":"#/components/schemas/pagerduty_secrets"},{"$ref":"#/components/schemas/sentinelone_secrets"},{"$ref":"#/components/schemas/servicenow_secrets"},{"$ref":"#/components/schemas/slack_api_secrets"},{"$ref":"#/components/schemas/swimlane_secrets"},{"$ref":"#/components/schemas/thehive_secrets"},{"$ref":"#/components/schemas/tines_secrets"},{"$ref":"#/components/schemas/torq_secrets"},{"$ref":"#/components/schemas/webhook_secrets"},{"$ref":"#/components/schemas/cases_webhook_secrets"},{"$ref":"#/components/schemas/xmatters_secrets"}]}},"required":["name","connector_type_id"]},"examples":{"createEmailConnectorRequest":{"$ref":"#/components/examples/create_email_connector_request"},"createIndexConnectorRequest":{"$ref":"#/components/examples/create_index_connector_request"},"createWebhookConnectorRequest":{"$ref":"#/components/examples/create_webhook_connector_request"},"createXmattersConnectorRequest":{"$ref":"#/components/examples/create_xmatters_connector_request"}}}}},"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"config":{"additionalProperties":{},"type":"object"},"connector_type_id":{"description":"The connector type identifier.","type":"string"},"id":{"description":"The identifier for the connector.","type":"string"},"is_connector_type_deprecated":{"description":"Indicates whether the connector type is deprecated.","type":"boolean"},"is_deprecated":{"description":"Indicates whether the connector is deprecated.","type":"boolean"},"is_missing_secrets":{"description":"Indicates whether the connector is missing secrets.","type":"boolean"},"is_preconfigured":{"description":"Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. ","type":"boolean"},"is_system_action":{"description":"Indicates whether the connector is used for system actions.","type":"boolean"},"name":{"description":" The name of the connector.","type":"string"}},"required":["id","name","connector_type_id","is_preconfigured","is_deprecated","is_system_action","is_connector_type_deprecated"]},"examples":{"createEmailConnectorResponse":{"$ref":"#/components/examples/create_email_connector_response"},"createIndexConnectorResponse":{"$ref":"#/components/examples/create_index_connector_response"},"createWebhookConnectorResponse":{"$ref":"#/components/examples/create_webhook_connector_response"},"createXmattersConnectorResponse":{"$ref":"#/components/examples/get_connector_response"}}}},"description":"Indicates a successful call."},"403":{"description":"Indicates that this call is forbidden."}},"summary":"Create a connector","tags":["connectors"],"x-metaTags":[{"content":"Kibana","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/actions/connector/{id}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information."},"put":{"operationId":"put-actions-connector-id","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"An identifier for the connector.","in":"path","name":"id","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"name":{"description":"The display name for the connector.","type":"string"},"config":{"additionalProperties":{},"default":{},"description":"The connector configuration details.","oneOf":[{"$ref":"#/components/schemas/bedrock_config"},{"$ref":"#/components/schemas/crowdstrike_config"},{"$ref":"#/components/schemas/d3security_config"},{"$ref":"#/components/schemas/email_config"},{"$ref":"#/components/schemas/gemini_config"},{"$ref":"#/components/schemas/resilient_config"},{"$ref":"#/components/schemas/index_config"},{"$ref":"#/components/schemas/jira_config"},{"$ref":"#/components/schemas/defender_config"},{"$ref":"#/components/schemas/genai_azure_config"},{"$ref":"#/components/schemas/genai_openai_config"},{"$ref":"#/components/schemas/opsgenie_config"},{"$ref":"#/components/schemas/pagerduty_config"},{"$ref":"#/components/schemas/sentinelone_config"},{"$ref":"#/components/schemas/servicenow_config"},{"$ref":"#/components/schemas/servicenow_itom_config"},{"$ref":"#/components/schemas/slack_api_config"},{"$ref":"#/components/schemas/swimlane_config"},{"$ref":"#/components/schemas/thehive_config"},{"$ref":"#/components/schemas/tines_config"},{"$ref":"#/components/schemas/torq_config"},{"$ref":"#/components/schemas/webhook_config"},{"$ref":"#/components/schemas/cases_webhook_config"},{"$ref":"#/components/schemas/xmatters_config"}]},"secrets":{"additionalProperties":{},"default":{},"oneOf":[{"$ref":"#/components/schemas/bedrock_secrets"},{"$ref":"#/components/schemas/crowdstrike_secrets"},{"$ref":"#/components/schemas/d3security_secrets"},{"$ref":"#/components/schemas/email_secrets"},{"$ref":"#/components/schemas/gemini_secrets"},{"$ref":"#/components/schemas/resilient_secrets"},{"$ref":"#/components/schemas/jira_secrets"},{"$ref":"#/components/schemas/teams_secrets"},{"$ref":"#/components/schemas/genai_secrets"},{"$ref":"#/components/schemas/opsgenie_secrets"},{"$ref":"#/components/schemas/pagerduty_secrets"},{"$ref":"#/components/schemas/sentinelone_secrets"},{"$ref":"#/components/schemas/servicenow_secrets"},{"$ref":"#/components/schemas/slack_api_secrets"},{"$ref":"#/components/schemas/swimlane_secrets"},{"$ref":"#/components/schemas/thehive_secrets"},{"$ref":"#/components/schemas/tines_secrets"},{"$ref":"#/components/schemas/torq_secrets"},{"$ref":"#/components/schemas/webhook_secrets"},{"$ref":"#/components/schemas/cases_webhook_secrets"},{"$ref":"#/components/schemas/xmatters_secrets"}]}},"required":["name"]},"examples":{"updateIndexConnectorRequest":{"$ref":"#/components/examples/update_index_connector_request"}}}}},"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"config":{"additionalProperties":{},"type":"object"},"connector_type_id":{"description":"The connector type identifier.","type":"string"},"id":{"description":"The identifier for the connector.","type":"string"},"is_connector_type_deprecated":{"description":"Indicates whether the connector type is deprecated.","type":"boolean"},"is_deprecated":{"description":"Indicates whether the connector is deprecated.","type":"boolean"},"is_missing_secrets":{"description":"Indicates whether the connector is missing secrets.","type":"boolean"},"is_preconfigured":{"description":"Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. ","type":"boolean"},"is_system_action":{"description":"Indicates whether the connector is used for system actions.","type":"boolean"},"name":{"description":" The name of the connector.","type":"string"}},"required":["id","name","connector_type_id","is_preconfigured","is_deprecated","is_system_action","is_connector_type_deprecated"]}}},"description":"Indicates a successful call."},"403":{"description":"Indicates that this call is forbidden."}},"summary":"Update a connector","tags":["connectors"],"x-metaTags":[{"content":"Kibana","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb put\"\u003eput\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/actions/connector/{id}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information."}},"/api/actions/connector/{id}/_execute":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/actions/connector/{id}/_execute\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nYou can use this API to test an action that involves interaction with Kibana services or integrations with third-party systems.","operationId":"post-actions-connector-id-execute","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"An identifier for the connector.","in":"path","name":"id","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"params":{"additionalProperties":{},"oneOf":[{"$ref":"#/components/schemas/run_acknowledge_resolve_pagerduty"},{"$ref":"#/components/schemas/run_documents"},{"$ref":"#/components/schemas/run_message_email"},{"$ref":"#/components/schemas/run_message_serverlog"},{"$ref":"#/components/schemas/run_message_slack"},{"$ref":"#/components/schemas/run_trigger_pagerduty"},{"$ref":"#/components/schemas/run_addevent"},{"$ref":"#/components/schemas/run_closealert"},{"$ref":"#/components/schemas/run_closeincident"},{"$ref":"#/components/schemas/run_createalert"},{"$ref":"#/components/schemas/run_fieldsbyissuetype"},{"$ref":"#/components/schemas/run_getagentdetails"},{"$ref":"#/components/schemas/run_getagents"},{"$ref":"#/components/schemas/run_getchoices"},{"$ref":"#/components/schemas/run_getfields"},{"$ref":"#/components/schemas/run_getincident"},{"$ref":"#/components/schemas/run_issue"},{"$ref":"#/components/schemas/run_issues"},{"$ref":"#/components/schemas/run_issuetypes"},{"$ref":"#/components/schemas/run_postmessage"},{"$ref":"#/components/schemas/run_pushtoservice"},{"$ref":"#/components/schemas/run_validchannelid"}]}},"required":["params"]},"examples":{"runIndexConnectorRequest":{"$ref":"#/components/examples/run_index_connector_request"},"runJiraConnectorRequest":{"$ref":"#/components/examples/run_jira_connector_request"},"runServerLogConnectorRequest":{"$ref":"#/components/examples/run_servicenow_itom_connector_request"},"runSlackConnectorRequest":{"$ref":"#/components/examples/run_slack_api_connector_request"},"runSwimlaneConnectorRequest":{"$ref":"#/components/examples/run_swimlane_connector_request"}}}}},"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"config":{"additionalProperties":{},"type":"object"},"connector_type_id":{"description":"The connector type identifier.","type":"string"},"id":{"description":"The identifier for the connector.","type":"string"},"is_connector_type_deprecated":{"description":"Indicates whether the connector type is deprecated.","type":"boolean"},"is_deprecated":{"description":"Indicates whether the connector is deprecated.","type":"boolean"},"is_missing_secrets":{"description":"Indicates whether the connector is missing secrets.","type":"boolean"},"is_preconfigured":{"description":"Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. ","type":"boolean"},"is_system_action":{"description":"Indicates whether the connector is used for system actions.","type":"boolean"},"name":{"description":" The name of the connector.","type":"string"}},"required":["id","name","connector_type_id","is_preconfigured","is_deprecated","is_system_action","is_connector_type_deprecated"]},"examples":{"runIndexConnectorResponse":{"$ref":"#/components/examples/run_index_connector_response"},"runJiraConnectorResponse":{"$ref":"#/components/examples/run_jira_connector_response"},"runServerLogConnectorResponse":{"$ref":"#/components/examples/run_server_log_connector_response"},"runServiceNowITOMConnectorResponse":{"$ref":"#/components/examples/run_servicenow_itom_connector_response"},"runSlackConnectorResponse":{"$ref":"#/components/examples/run_slack_api_connector_response"},"runSwimlaneConnectorResponse":{"$ref":"#/components/examples/run_swimlane_connector_response"}}}},"description":"Indicates a successful call."},"403":{"description":"Indicates that this call is forbidden."}},"summary":"Run a connector","tags":["connectors"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/actions/connectors":{"get":{"operationId":"get-actions-connectors","parameters":[],"responses":{"200":{"content":{"application/json":{"schema":{"items":{"additionalProperties":false,"type":"object","properties":{"config":{"additionalProperties":{},"type":"object"},"connector_type_id":{"description":"The connector type identifier.","type":"string"},"id":{"description":"The identifier for the connector.","type":"string"},"is_connector_type_deprecated":{"description":"Indicates whether the connector type is deprecated.","type":"boolean"},"is_deprecated":{"description":"Indicates whether the connector is deprecated.","type":"boolean"},"is_missing_secrets":{"description":"Indicates whether the connector is missing secrets.","type":"boolean"},"is_preconfigured":{"description":"Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. ","type":"boolean"},"is_system_action":{"description":"Indicates whether the connector is used for system actions.","type":"boolean"},"name":{"description":" The name of the connector.","type":"string"},"referenced_by_count":{"description":"The number of saved objects that reference the connector. If is_preconfigured is true, this value is not calculated.","type":"number"}},"required":["id","name","connector_type_id","is_preconfigured","is_deprecated","is_system_action","is_connector_type_deprecated","referenced_by_count"]},"type":"array"},"examples":{"getConnectorsResponse":{"$ref":"#/components/examples/get_connectors_response"}}}},"description":"Indicates a successful call."},"403":{"description":"Indicates that this call is forbidden."}},"summary":"Get all connectors","tags":["connectors"],"x-metaTags":[{"content":"Kibana","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/actions/connectors\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information."}},"/api/agent_builder/a2a/{agentId}":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/agent_builder/a2a/{agentId}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n\u003e warn\n\u003e This endpoint is designed for A2A protocol clients and should not be used directly via REST APIs. Use an A2A SDK or A2A Inspector instead.\u003cbr/\u003e\u003cbr/\u003e[Required authorization] Route required privileges: read_onechat.","operationId":"post-agent-builder-a2a-agentid","parameters":[{"description":"The unique identifier of the agent to send the A2A task to.","in":"path","name":"agentId","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"examples":{"a2aTaskRequestExample":{"description":"WARNING: DO NOT USE THIS ENDPOINT VIA REST API. These examples are auto-generated and should not be run. Integrate with A2A using an A2A SDK or A2A Inspector instead.","value":{"id":"task-123","jsonrpc":"2.0","method":"complete","params":{"messages":[{"content":"Hello from A2A protocol","role":"user"}]}}}},"schema":{}}}},"responses":{"200":{"content":{"application/json":{"examples":{"a2aTaskResponseExample":{"description":"Example response from A2A Task Endpoint with results of task execution","value":{"id":"task-123","jsonrpc":"2.0","result":{"conversation_id":"conv-456","response":{"message":"Hello! How can I help you today?"},"type":"response"}}}}}},"description":"Indicates a successful response"}},"summary":"Send A2A task","tags":["agent builder"],"x-state":"Technical Preview; added in 9.2.0","x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/agent_builder/a2a/{agentId}.json":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/agent_builder/a2a/{agentId}.json\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nGet agent discovery metadata in JSON format. Use this endpoint to provide agent information for A2A protocol integration and discovery.\u003cbr/\u003e\u003cbr/\u003e[Required authorization] Route required privileges: read_onechat.","operationId":"get-agent-builder-a2a-agentid.json","parameters":[{"description":"The unique identifier of the agent to get A2A metadata for.","in":"path","name":"agentId","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application/json":{"examples":{"a2aAgentCardResponseExample":{"description":"Example response card of Elastic AI Agent","value":{"capabilities":{"pushNotifications":false,"stateTransitionHistory":false,"streaming":false},"defaultInputModes":["text/plain"],"defaultOutputModes":["text/plain"],"description":"Elastic AI Agent","name":"Elastic AI Agent","protocolVersion":"0.3.0","provider":{"organization":"Elastic","url":"https://elastic.co"},"securitySchemes":{"authorization":{"description":"Authentication token","in":"header","name":"Authorization","type":"apiKey"}},"skills":[{"description":"A powerful tool for searching and analyzing data within your Elasticsearch cluster.","examples":[],"id":"platform.core.search","inputModes":["text/plain","application/json"],"name":"platform.core.search","outputModes":["text/plain","application/json"],"tags":["tool"]}],"supportsAuthenticatedExtendedCard":false,"url":"http://localhost:5601/api/agent_builder/a2a/elastic-ai-agent","version":"0.1.0"}}}}},"description":"Indicates a successful response"}},"summary":"Get A2A agent card","tags":["agent builder"],"x-codeSamples":[{"lang":"curl","source":"curl \\\n  -X GET \"${KIBANA_URL}/api/agent_builder/a2a/{agentId}.json\" \\\n  -H \"Authorization: ApiKey ${API_KEY}\"\n"},{"lang":"Console","source":"GET kbn://api/agent_builder/a2a/{agentId}.json\n"}],"x-state":"Technical Preview; added in 9.2.0","x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/agent_builder/agents":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/agent_builder/agents\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nList all available agents. Use this endpoint to retrieve complete agent information including their current configuration and assigned tools. To learn more, refer to the [agents documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/agent-builder-agents).\u003cbr/\u003e\u003cbr/\u003e[Required authorization] Route required privileges: read_onechat.","operationId":"get-agent-builder-agents","parameters":[],"responses":{"200":{"content":{"application/json":{"examples":{"listAgentsResponseExample":{"description":"Example response that returns one built-in Elastic agent and one created by the user","value":{"results":[{"configuration":{"tools":[{"tool_ids":["platform.core.search","platform.core.list_indices","platform.core.get_index_mapping","platform.core.get_document_by_id"]}]},"description":"Elastic AI Agent","id":"elastic-ai-agent","name":"Elastic AI Agent","type":"chat"},{"avatar_color":"#BFDBFF","avatar_symbol":"SI","configuration":{"instructions":"You are a custom agent that wants to help searching data using all indices starting with prefix \"content-\".","tools":[{"tool_ids":["platform.core.search","platform.core.list_indices","platform.core.get_index_mapping","platform.core.get_document_by_id"]}]},"description":"Hi! I can help you search the data within the indices starting with \"content-\" prefix.","id":"created-agent-id","labels":["custom-indices","department-search"],"name":"Search Index Helper","type":"chat"}]}}}}},"description":"Indicates a successful response"}},"summary":"List agents","tags":["agent builder"],"x-codeSamples":[{"lang":"curl","source":"curl \\\n -X GET \"${KIBANA_URL}/api/agent_builder/agents\" \\\n -H \"Authorization: ApiKey ${API_KEY}\"\n"},{"lang":"Console","source":"GET kbn://api/agent_builder/agents\n"}],"x-state":"Added in 9.2.0","x-metaTags":[{"content":"Kibana","name":"product_name"}]},"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/agent_builder/agents\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nCreate a new agent. Use this endpoint to define the agent's behavior, appearance, and capabilities through comprehensive configuration options. To learn more, refer to the [agents documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/agent-builder-agents).\u003cbr/\u003e\u003cbr/\u003e[Required authorization] Route required privileges: manage_onechat.","operationId":"post-agent-builder-agents","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application/json":{"examples":{"createAgentRequestExample":{"description":"Example request for creating a custom agent with special prompt and tools","value":{"avatar_color":"#BFDBFF","avatar_symbol":"SI","configuration":{"instructions":"You are a custom agent that wants to help searching data using all indices starting with prefix \"content-\".","tools":[{"tool_ids":["platform.core.search","platform.core.list_indices","platform.core.get_index_mapping","platform.core.get_document_by_id"]}]},"description":"Hi! I can help you search the data within the indices starting with \"content-\" prefix.","id":"created-agent-id","labels":["custom-indices","department-search"],"name":"Search Index Helper"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"avatar_color":{"description":"Optional hex color code for the agent avatar.","type":"string"},"avatar_symbol":{"description":"Optional symbol/initials for the agent avatar.","type":"string"},"configuration":{"additionalProperties":false,"description":"Configuration settings for the agent.","type":"object","properties":{"instructions":{"description":"Optional system instructions that define the agent behavior.","type":"string"},"tools":{"items":{"additionalProperties":false,"description":"Tool selection configuration for the agent.","type":"object","properties":{"tool_ids":{"description":"Array of tool IDs that the agent can use.","items":{"description":"Tool ID to be available to the agent.","type":"string"},"type":"array"}},"required":["tool_ids"]},"type":"array"}},"required":["tools"]},"description":{"description":"Description of what the agent does.","type":"string"},"id":{"description":"Unique identifier for the agent.","type":"string"},"labels":{"description":"Optional labels for categorizing and organizing agents.","items":{"description":"Label for categorizing the agent.","type":"string"},"type":"array"},"name":{"description":"Display name for the agent.","type":"string"}},"required":["id","name","description","configuration"]}}}},"responses":{"200":{"content":{"application/json":{"examples":{"createAgentResponseExample":{"description":"Example response returning the definition of an agent created as a result of the request","value":{"avatar_color":"#BFDBFF","avatar_symbol":"SI","configuration":{"instructions":"You are a custom agent that wants to help searching data using all indices starting with prefix \"content-\".","tools":[{"tool_ids":["platform.core.search","platform.core.list_indices","platform.core.get_index_mapping","platform.core.get_document_by_id"]}]},"description":"Hi! I can help you search the data within the indices starting with \"content-\" prefix.","id":"created-agent-id","labels":["custom-indices","department-search"],"name":"Search Index Helper","type":"chat"}}}}},"description":"Indicates a successful response"}},"summary":"Create an agent","tags":["agent builder"],"x-codeSamples":[{"lang":"curl","source":"curl \\\n  -X POST \"${KIBANA_URL}/api/agent_builder/agents\" \\\n  -H \"Authorization: ApiKey ${API_KEY}\" \\\n  -H \"kbn-xsrf: true\" \\\n  -H \"Content-Type: application/json\" \\\n  -d '{\n    \"id\": \"new-agent-id\",\n    \"name\": \"Search Index Helper\",\n    \"description\": \"Hi! I can help you search the data within the indices starting with \\\"content-\\\" prefix.\",\n    \"labels\": [\"custom-indices\", \"department-search\"],\n    \"avatar_color\": \"#BFDBFF\",\n    \"avatar_symbol\": \"SI\",\n    \"configuration\": {\n      \"instructions\": \"You are a custom agent that wants to help searching data using all indices starting with prefix \\\"content-\\\".\",\n      \"tools\": [\n        {\n          \"tool_ids\": [\n            \"platform.core.search\",\n            \"platform.core.list_indices\",\n            \"platform.core.get_index_mapping\",\n            \"platform.core.get_document_by_id\"\n          ]\n        }\n      ]\n    }\n}'\n"},{"lang":"Console","source":"POST kbn://api/agent_builder/agents\n{\n  \"id\": \"new-agent-id\",\n  \"name\": \"Search Index Helper\",\n  \"description\": \"Hi! I can help you search the data within the indices starting with \\\"content-\\\" prefix.\",\n  \"labels\": [\"custom-indices\", \"department-search\"],\n  \"avatar_color\": \"#BFDBFF\",\n  \"avatar_symbol\": \"SI\",\n  \"configuration\": {\n    \"instructions\": \"You are a custom agent that wants to help searching data using all indices starting with prefix \\\"content-\\\".\",\n    \"tools\": [\n      {\n        \"tool_ids\": [\n          \"platform.core.search\",\n          \"platform.core.list_indices\",\n          \"platform.core.get_index_mapping\",\n          \"platform.core.get_document_by_id\"\n        ]\n      }\n    ]\n  }\n}\n"}],"x-state":"Added in 9.2.0","x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/agent_builder/agents/{id}":{"delete":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb delete\"\u003edelete\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/agent_builder/agents/{id}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nDelete an agent by ID. This action cannot be undone. To learn more, refer to the [agents documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/agent-builder-agents).\u003cbr/\u003e\u003cbr/\u003e[Required authorization] Route required privileges: manage_onechat.","operationId":"delete-agent-builder-agents-id","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"The unique identifier of the agent to delete.","in":"path","name":"id","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application/json":{"examples":{"deleteAgentResponseExample":{"description":"Example response showing that deletion of the agent has been successful","value":{"success":true}}}}},"description":"Indicates a successful response"}},"summary":"Delete an agent","tags":["agent builder"],"x-codeSamples":[{"lang":"curl","source":"curl \\\n  -X DELETE \"${KIBANA_URL}/api/agent_builder/agents/{id}\" \\\n  -H \"Authorization: ApiKey ${API_KEY}\" \\\n  -H \"kbn-xsrf: true\"\n"},{"lang":"Console","source":"DELETE kbn://api/agent_builder/agents/{id}\n"}],"x-state":"Added in 9.2.0","x-metaTags":[{"content":"Kibana","name":"product_name"}]},"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/agent_builder/agents/{id}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nGet a specific agent by ID. Use this endpoint to retrieve the complete agent definition including all configuration details and tool assignments. To learn more, refer to the [agents documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/agent-builder-agents).\u003cbr/\u003e\u003cbr/\u003e[Required authorization] Route required privileges: read_onechat.","operationId":"get-agent-builder-agents-id","parameters":[{"description":"The unique identifier of the agent to retrieve.","in":"path","name":"id","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application/json":{"examples":{"getAgentByIdResponseExample":{"description":"Example response that an agent created by the user that will query elasticsearch indices starting with 'content-' prefix to answer the questions.","value":{"avatar_color":"#BFDBFF","avatar_symbol":"SI","configuration":{"instructions":"You are a custom agent that wants to help searching data using all indices starting with prefix \"content-\".","tools":[{"tool_ids":["platform.core.search","platform.core.list_indices","platform.core.get_index_mapping","platform.core.get_document_by_id"]}]},"description":"Hi! I can help you search the data within the indices starting with \"content-\" prefix.","id":"created-agent-id","labels":["custom-indices","department-search"],"name":"Search Index Helper","type":"chat"}}}}},"description":"Indicates a successful response"}},"summary":"Get an agent by ID","tags":["agent builder"],"x-codeSamples":[{"lang":"curl","source":"curl \\\n  -X GET \"${KIBANA_URL}/api/agent_builder/agents/{id}\" \\\n  -H \"Authorization: ApiKey ${API_KEY}\"\n"},{"lang":"Console","source":"GET kbn://api/agent_builder/agents/{id}\n"}],"x-state":"Added in 9.2.0","x-metaTags":[{"content":"Kibana","name":"product_name"}]},"put":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb put\"\u003eput\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/agent_builder/agents/{id}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nUpdate an existing agent configuration. Use this endpoint to modify any aspect of the agent's behavior, appearance, or capabilities. To learn more, refer to the [agents documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/agent-builder-agents).\u003cbr/\u003e\u003cbr/\u003e[Required authorization] Route required privileges: manage_onechat.","operationId":"put-agent-builder-agents-id","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"The unique identifier of the agent to update.","in":"path","name":"id","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"examples":{"createAgentRequestExample":{"description":"Example request for updating custom agent","value":{"avatar_color":"#BFDBFF","avatar_symbol":"SI","configuration":{"instructions":"You are a custom agent that wants to help searching data using all indices starting with prefix \"content-\".","tools":[{"tool_ids":["platform.core.search","platform.core.list_indices","platform.core.get_index_mapping","platform.core.get_document_by_id"]}]},"description":"Updated description - Search for anything in \"content-*\" indices!","id":"created-agent-id","labels":["custom-indices","department-search","elastic-employees"],"name":"Search Index Helper"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"avatar_color":{"description":"Updated hex color code for the agent avatar.","type":"string"},"avatar_symbol":{"description":"Updated symbol/initials for the agent avatar.","type":"string"},"configuration":{"additionalProperties":false,"description":"Updated configuration settings for the agent.","type":"object","properties":{"instructions":{"description":"Updated system instructions that define the agent behavior.","type":"string"},"tools":{"items":{"additionalProperties":false,"description":"Tool selection configuration for the agent.","type":"object","properties":{"tool_ids":{"description":"Array of tool IDs that the agent can use.","items":{"description":"Tool ID to be available to the agent.","type":"string"},"type":"array"}},"required":["tool_ids"]},"type":"array"}}},"description":{"description":"Updated description of what the agent does.","type":"string"},"labels":{"description":"Updated labels for categorizing and organizing agents.","items":{"description":"Updated label for categorizing the agent.","type":"string"},"type":"array"},"name":{"description":"Updated display name for the agent.","type":"string"}}}}}},"responses":{"200":{"content":{"application/json":{"examples":{"updateAgentResponseExample":{"description":"Example response returning the agent definition with the changes applied from the request","value":{"avatar_color":"#BFDBFF","avatar_symbol":"SI","configuration":{"instructions":"You are a custom agent that wants to help searching data using all indices starting with prefix \"content-\".","tools":[{"tool_ids":["platform.core.search","platform.core.list_indices","platform.core.get_index_mapping","platform.core.get_document_by_id"]}]},"description":"Updated description - Search for anything in \"content-*\" indices!","id":"created-agent-id","labels":["custom-indices","department-search","elastic-employees"],"name":"Search Index Helper","type":"chat"}}}}},"description":"Indicates a successful response"}},"summary":"Update an agent","tags":["agent builder"],"x-codeSamples":[{"lang":"curl","source":"curl \\\n  -X PUT \"${KIBANA_URL}/api/agent_builder/agents/{id}\" \\\n  -H \"Authorization: ApiKey ${API_KEY}\" \\\n  -H \"kbn-xsrf: true\" \\\n  -H \"Content-Type: application/json\" \\\n  -d '{\n    \"name\": \"Search Index Helper\",\n    \"description\": \"Updated description - Search for anything in \\\"content-*\\\" indices!\",\n    \"labels\": [\"custom-indices\", \"department-search\", \"elastic-employees\"],\n    \"avatar_color\": \"#BFDBFF\",\n    \"avatar_symbol\": \"SI\",\n    \"configuration\": {\n      \"instructions\": \"You are a custom agent that wants to help searching data using all indices starting with prefix \\\"content-\\\".\",\n      \"tools\": [{\n        \"tool_ids\": [\n          \"platform.core.search\",\n          \"platform.core.list_indices\",\n          \"platform.core.get_index_mapping\",\n          \"platform.core.get_document_by_id\"\n        ]\n      }]\n    }\n  }'\n"},{"lang":"Console","source":"PUT kbn://api/agent_builder/agents/{id}\n{\n  \"name\": \"Search Index Helper\",\n  \"description\": \"Updated description - Search for anything in \\\"content-*\\\" indices!\",\n  \"labels\": [\"custom-indices\", \"department-search\", \"elastic-employees\"],\n  \"avatar_color\": \"#BFDBFF\",\n  \"avatar_symbol\": \"SI\",\n  \"configuration\": {\n    \"instructions\": \"You are a custom agent that wants to help searching data using all indices starting with prefix \\\"content-\\\".\",\n    \"tools\": [{\n      \"tool_ids\": [\n        \"platform.core.search\",\n        \"platform.core.list_indices\",\n        \"platform.core.get_index_mapping\",\n        \"platform.core.get_document_by_id\"\n      ]\n    }]\n  }\n}\n"}],"x-state":"Added in 9.2.0","x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/agent_builder/conversations":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/agent_builder/conversations\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nList all conversations for a user. Use the optional agent ID to filter conversations by a specific agent.\u003cbr/\u003e\u003cbr/\u003e[Required authorization] Route required privileges: read_onechat.","operationId":"get-agent-builder-conversations","parameters":[{"description":"Optional agent ID to filter conversations by a specific agent.","in":"query","name":"agent_id","required":false,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application/json":{"examples":{"listConversationsResponseExample":{"description":"Example response containing the list of conversations with all agents","value":{"results":[{"agent_id":"elastic-ai-agent","created_at":"2025-09-19T17:45:39.554Z","id":"bcc176c5-38f6-40be-be0c-898e34fa1480","title":"General Greeting","updated_at":"2025-09-19T17:45:39.554Z","user":{"username":"elastic"}}]}}}}},"description":"Indicates a successful response"}},"summary":"List conversations","tags":["agent builder"],"x-codeSamples":[{"lang":"curl","source":"curl \\\n  -X GET \"${KIBANA_URL}/api/agent_builder/conversations\" \\\n  -H \"Authorization: ApiKey ${API_KEY}\"\n"},{"lang":"Console","source":"GET kbn://api/agent_builder/conversations\n"}],"x-state":"Added in 9.2.0","x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/agent_builder/conversations/{conversation_id}":{"delete":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb delete\"\u003edelete\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/agent_builder/conversations/{conversation_id}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nDelete a conversation by ID. This action cannot be undone.\u003cbr/\u003e\u003cbr/\u003e[Required authorization] Route required privileges: read_onechat.","operationId":"delete-agent-builder-conversations-conversation-id","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"The unique identifier of the conversation to delete.","in":"path","name":"conversation_id","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application/json":{"examples":{"deleteConversationResponseExample":{"description":"Example response showing that deletion of conversation has been successful","value":{"success":true}}}}},"description":"Indicates a successful response"}},"summary":"Delete conversation by ID","tags":["agent builder"],"x-codeSamples":[{"lang":"curl","source":"curl \\\n  -X DELETE \"${KIBANA_URL}/api/agent_builder/conversations/{conversation_id}\" \\\n  -H \"Authorization: ApiKey ${API_KEY}\" \\\n  -H \"kbn-xsrf: true\"\n"},{"lang":"Console","source":"DELETE kbn://api/agent_builder/conversations/{conversation_id}\n"}],"x-state":"Added in 9.2.0","x-metaTags":[{"content":"Kibana","name":"product_name"}]},"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/agent_builder/conversations/{conversation_id}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nGet a specific conversation by ID. Use this endpoint to retrieve the complete conversation history including all messages and metadata.\u003cbr/\u003e\u003cbr/\u003e[Required authorization] Route required privileges: read_onechat.","operationId":"get-agent-builder-conversations-conversation-id","parameters":[{"description":"The unique identifier of the conversation to retrieve.","in":"path","name":"conversation_id","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application/json":{"examples":{"getConversationByIdResponseExample":{"description":"Example response containing the contents of a convesation with the chat agent","value":{"agent_id":"elastic-ai-agent","created_at":"2025-09-19T17:45:39.554Z","id":"bcc176c5-38f6-40be-be0c-898e34fa1480","rounds":[{"id":"170ec3b2-0f5a-4538-8b60-549572386d2a","input":{"message":"Hello, how are you?"},"response":{"message":"Since this is a general greeting that doesn't require any organizational or product-specific information, I can respond without using tools.\n\nHello! I'm doing well, thank you for asking. I'm here to help you with any questions you may have. How can I assist you today?"},"steps":[]}],"title":"General Greeting","updated_at":"2025-09-19T17:45:39.554Z","user":{"username":"elastic"}}}}}},"description":"Indicates a successful response"}},"summary":"Get conversation by ID","tags":["agent builder"],"x-codeSamples":[{"lang":"curl","source":"curl \\\n  -X GET \"${KIBANA_URL}/api/agent_builder/conversations/{conversation_id}\" \\\n  -H \"Authorization: ApiKey ${API_KEY}\"\n"},{"lang":"Console","source":"GET kbn://api/agent_builder/conversations/{conversation_id}\n"}],"x-state":"Added in 9.2.0","x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/agent_builder/converse":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/agent_builder/converse\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nSend a message to an agent and receive a complete response. This synchronous endpoint waits for the agent to fully process your request before returning the final result. Use this for simple chat interactions where you need the complete response. To learn more, refer to the [agent chat documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/chat).\u003cbr/\u003e\u003cbr/\u003e[Required authorization] Route required privileges: read_onechat.","operationId":"post-agent-builder-converse","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application/json":{"examples":{"converseRequestExample":{"description":"Example request to send a message to the agent as a part of the conversation","value":{"agent_id":"elastic-ai-agent","connector_id":"my-connector-id","input":"What is Elasticsearch?"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"agent_id":{"default":"elastic-ai-agent","description":"The ID of the agent to chat with. Defaults to the default Elastic AI agent.","type":"string"},"attachments":{"description":"**Technical Preview; added in 9.3.0.** Optional attachments to send with the message.","items":{"additionalProperties":false,"type":"object","properties":{"data":{"additionalProperties":{},"description":"Payload of the attachment.","type":"object"},"hidden":{"description":"When true, the attachment will not be displayed in the UI.","type":"boolean"},"id":{"description":"Optional id for the attachment.","type":"string"},"type":{"description":"Type of the attachment.","type":"string"}},"required":["type","data"]},"type":"array"},"browser_api_tools":{"description":"Optional browser API tools to be registered as LLM tools with browser.* namespace. These tools execute on the client side.","items":{"additionalProperties":false,"type":"object","properties":{"description":{"description":"Description of what the browser API tool does.","type":"string"},"id":{"description":"Unique identifier for the browser API tool.","type":"string"},"schema":{}},"required":["id","description","schema"]},"type":"array"},"capabilities":{"additionalProperties":false,"description":"Controls agent capabilities during conversation. Currently supports visualization rendering for tabular tool results.","type":"object","properties":{"visualizations":{"description":"When true, allows the agent to render tabular data from tool results as interactive visualizations using custom XML elements in responses.","type":"boolean"}}},"connector_id":{"description":"Optional connector ID for the agent to use for external integrations.","type":"string"},"conversation_id":{"description":"Optional existing conversation ID to continue a previous conversation.","type":"string"},"input":{"description":"The user input message to send to the agent.","type":"string"}},"required":["input"]}}}},"responses":{"200":{"content":{"application/json":{"examples":{"converseResponseExample":{"description":"Example response containing the chain of events representing a conversation with the agent","value":{"conversation_id":"696ccd6d-4bff-4b26-a62e-522ccf2dcd16","response":{"message":"Elasticsearch is a distributed, RESTful search and analytics engine capable of addressing a growing number of use cases. As the heart of the Elastic Stack, it centrally stores your data for lightning fast search, fine‑tuned relevancy, and powerful analytics that scale with ease."},"steps":[{"reasoning":"Searching for official documentation or content that explains what Elasticsearch is","type":"reasoning"},{"params":{"query":"what is elasticsearch definition overview introduction"},"progression":[{"message":"Selecting the best target for this query"}],"results":[{"data":{"message":"Could not figure out which index to use"},"type":"error"}],"tool_call_id":"tooluse_shOdUwKIRwC9YhqGzeg0cQ","tool_id":"platform.core.search","type":"tool_call"}]}}}}},"description":"Indicates a successful response"}},"summary":"Send chat message","tags":["agent builder"],"x-codeSamples":[{"lang":"curl","source":"curl \\\n  -X POST \"${KIBANA_URL}/api/agent_builder/converse\" \\\n  -H \"Authorization: ApiKey ${API_KEY}\" \\\n  -H \"kbn-xsrf: true\" \\\n  -H \"Content-Type: application/json\" \\\n  -d '{\n    \"input\": \"What is Elasticsearch?\",\n    \"agent_id\": \"elastic-ai-agent\"}'\n"},{"lang":"Console","source":"POST kbn://api/agent_builder/converse\n{\n  \"input\": \"What is Elasticsearch?\",\n  \"agent_id\": \"elastic-ai-agent\"\n}\n"}],"x-state":"Added in 9.2.0","x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/agent_builder/converse/async":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/agent_builder/converse/async\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nSend a message to an agent and receive real-time streaming events. This asynchronous endpoint provides live updates as the agent processes your request, allowing you to see intermediate steps and progress. Use this for interactive experiences where you want to monitor the agent's thinking process.\n\n## Event types\n\nThe endpoint emits Server-Sent Events (SSE) with the following custom event types:\n\n`conversation_id_set`\n\nSets the conversation ID.\n\nSchema:\n```json\n{\n  \"conversation_id\": \"uuid\"\n}\n```\n\n---\n\n`conversation_created`\n\nFires when a new conversation is persisted and assigned an ID.\n\nSchema:\n```json\n{\n  \"conversation_id\": \"uuid\",\n  \"title\": \"conversation title\"\n}\n```\n\n---\n\n`conversation_updated`\n\nFires when a conversation is updated.\n\nSchema:\n```json\n{\n  \"conversation_id\": \"uuid\",\n  \"title\": \"updated conversation title\"\n}\n```\n\n---\n\n`reasoning`\n\nHandles reasoning-related data.\n\nSchema:\n```json\n{\n  \"reasoning\": \"plain text reasoning content\",\n  \"transient\": false\n}\n```\n\n---\n\n`tool_call`\n\nTriggers when a tool is invoked.\n\nSchema:\n```json\n{\n  \"tool_call_id\": \"uuid\",\n  \"tool_id\": \"tool_name\",\n  \"params\": {}\n}\n```\n\n---\n\n`tool_progress`\n\nReports progress of a running tool.\n\nSchema:\n```json\n{\n  \"tool_call_id\": \"uuid\",\n  \"message\": \"progress message\"\n}\n```\n\n---\n\n`tool_result`\n\nReturns results from a completed tool call.\n\nSchema:\n```json\n{\n  \"tool_call_id\": \"uuid\",\n  \"tool_id\": \"tool_name\",\n  \"results\": []\n}\n```\n\n**Note:** `results` is an array of `ToolResult` objects.\n\n---\n\n`message_chunk`\n\nStreams partial text chunks.\n\nSchema:\n```json\n{\n  \"message_id\": \"uuid\",\n  \"text_chunk\": \"partial text\"\n}\n```\n\n---\n\n`message_complete`\n\nIndicates message stream is finished.\n\nSchema:\n```json\n{\n  \"message_id\": \"uuid\",\n  \"message_content\": \"full text content of the message\"\n}\n```\n\n---\n\n`thinking_complete`\n\nMarks the end of the thinking/reasoning phase.\n\nSchema:\n```json\n{\n  \"time_to_first_token\": 0\n}\n```\n\n**Note:** `time_to_first_token` is in milliseconds.\n\n---\n\n`round_complete`\n\nMarks end of one conversation round.\n\nSchema:\n```json\n{\n  \"round\": {}\n}\n```\n\n**Note:** `round` contains the full round json object.\n\n---\n\n## Event flow\n\nA typical conversation round emits events in this sequence:\n\n1. `reasoning` (potentially multiple, some transient)\n2. `tool_call` (if tools are used)\n3. `tool_progress` (zero or more progress updates)\n4. `tool_result` (when tool completes)\n5. `thinking_complete`\n6. `message_chunk` (multiple, as text streams)\n7. `message_complete`\n8. `round_complete`\u003cbr/\u003e\u003cbr/\u003e[Required authorization] Route required privileges: read_onechat.","operationId":"post-agent-builder-converse-async","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application/json":{"examples":{"converseAsyncRequestExample":{"description":"Example request to send a message to the agent as a part of the conversation","value":{"agent_id":"elastic-ai-agent","conversation_id":"c250305b-1929-4248-b568-b9e3f065fda5","input":"Hello"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"agent_id":{"default":"elastic-ai-agent","description":"The ID of the agent to chat with. Defaults to the default Elastic AI agent.","type":"string"},"attachments":{"description":"**Technical Preview; added in 9.3.0.** Optional attachments to send with the message.","items":{"additionalProperties":false,"type":"object","properties":{"data":{"additionalProperties":{},"description":"Payload of the attachment.","type":"object"},"hidden":{"description":"When true, the attachment will not be displayed in the UI.","type":"boolean"},"id":{"description":"Optional id for the attachment.","type":"string"},"type":{"description":"Type of the attachment.","type":"string"}},"required":["type","data"]},"type":"array"},"browser_api_tools":{"description":"Optional browser API tools to be registered as LLM tools with browser.* namespace. These tools execute on the client side.","items":{"additionalProperties":false,"type":"object","properties":{"description":{"description":"Description of what the browser API tool does.","type":"string"},"id":{"description":"Unique identifier for the browser API tool.","type":"string"},"schema":{}},"required":["id","description","schema"]},"type":"array"},"capabilities":{"additionalProperties":false,"description":"Controls agent capabilities during conversation. Currently supports visualization rendering for tabular tool results.","type":"object","properties":{"visualizations":{"description":"When true, allows the agent to render tabular data from tool results as interactive visualizations using custom XML elements in responses.","type":"boolean"}}},"connector_id":{"description":"Optional connector ID for the agent to use for external integrations.","type":"string"},"conversation_id":{"description":"Optional existing conversation ID to continue a previous conversation.","type":"string"},"input":{"description":"The user input message to send to the agent.","type":"string"}},"required":["input"]}}}},"responses":{"200":{"content":{"text/event-stream":{"examples":{"converseAsyncResponseExample":{"description":"Example stream containing the chain of events representing a conversation with the agent","value":[{"data":{"data":{"conversation_id":"c250305b-1929-4248-b568-b9e3f065fda5"}},"event":"conversation_id_set"},{"data":{"data":{"reasoning":"Starting with a general search to understand what content is available."}},"event":"reasoning"},{"data":{"data":{"params":{"query":"latest documents"},"tool_call_id":"tooluse__2aJELgyRYqD8SDOKSiwtg","tool_id":"platform.core.search"}},"event":"tool_call"},{"data":{"data":{"results":[{"data":{"message":"Could not figure out which index to use"},"type":"error"}],"tool_call_id":"tooluse__2aJELgyRYqD8SDOKSiwtg"}},"event":"tool_result"},{"data":{"data":{"round":{"id":"a5692d54-bc06-4a6e-aea1-412779c73f66","input":{"message":"Hello"},"response":{"message":"Hello! How can I help you today?"}}}},"event":"round_complete"}]}}}},"description":"Indicates a successful response"}},"summary":"Send chat message (streaming)","tags":["agent builder"],"x-codeSamples":[{"lang":"curl","source":"curl \\\n  -X POST \"${KIBANA_URL}/api/agent_builder/converse/async\" \\\n  -H \"Authorization: ApiKey ${API_KEY}\" \\\n  -H \"kbn-xsrf: true\" \\\n  -H \"Content-Type: application/json\" \\\n  -d '{\n    \"input\": \"Hello again let us have an async chat\",\n    \"agent_id\": \"elastic-ai-agent\",\n    \"conversation_id\": \"\u003cCONVERSATION_ID\u003e\"\n  }'\n"},{"lang":"Console","source":"POST kbn://api/agent_builder/converse/async\n{\n  \"input\": \"Hello again let's have an async chat\",\n  \"agent_id\": \"elastic-ai-agent\",\n  \"conversation_id\": \"\u003cCONVERSATION_ID\u003e\"\n}\n"}],"x-state":"Added in 9.2.0","x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/agent_builder/mcp":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/agent_builder/mcp\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n\u003e warn\n\u003e This endpoint is designed for MCP clients (Claude Desktop, Cursor, VS Code, etc.) and should not be used directly via REST APIs. Use MCP Inspector or native MCP clients instead.\nTo learn more, refer to the [MCP documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/mcp-server).\u003cbr/\u003e\u003cbr/\u003e[Required authorization] Route required privileges: read_onechat.","operationId":"post-agent-builder-mcp","parameters":[],"requestBody":{"content":{"application/json":{"examples":{"mcpInitializeRequestExample":{"description":"WARNING: DO NOT USE THIS ENDPOINT VIA REST API. These examples are auto-generated and should not be run. Integrate with MCP using MCP Inspector or native MCP clients (Claude Desktop, Cursor, VS Code) instead.","value":{"id":1,"jsonrpc":"2.0","method":"initialize","params":{"capabilities":{},"clientInfo":{"name":"test-client","version":"1.0.0"},"protocolVersion":"2024-11-05"}}}},"schema":{}}}},"responses":{"200":{"content":{"application/json":{"examples":{"mcpInitializeResponseExample":{"description":"Example response showing the successful result of communication initialisation over MCP protocol","value":{"id":1,"jsonrpc":"2.0","result":{"capabilities":{"tools":{"listChanged":true}},"protocolVersion":"2024-11-05","serverInfo":{"name":"elastic-mcp-server","version":"0.0.1"}}}}}}},"description":"Indicates a successful response"}},"summary":"MCP server","tags":["agent builder"],"x-state":"Added in 9.2.0","x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/agent_builder/tools":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/agent_builder/tools\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nList all available tools. Use this endpoint to retrieve complete tool definitions including their schemas and configuration requirements. To learn more, refer to the [tools documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/tools).\u003cbr/\u003e\u003cbr/\u003e[Required authorization] Route required privileges: read_onechat.","operationId":"get-agent-builder-tools","parameters":[],"responses":{"200":{"content":{"application/json":{"examples":{"listToolsResponseExample":{"description":"Example response returning a list of existing tools","value":{"results":[{"configuration":{},"description":"A powerful tool for searching and analyzing data within your Elasticsearch cluster.\nIt supports both full-text relevance searches and structured analytical queries.\n\nUse this tool for any query that involves finding documents, counting, aggregating, or summarizing data from a known index.\n\nExamples of queries:\n- \"find articles about serverless architecture\"\n- \"search for support tickets mentioning 'billing issue' or 'refund request'\"\n- \"what is our policy on parental leave?\"\n- \"list all products where the category is 'electronics'\"\n- \"show me the last 5 documents from that index\"\n- \"show me the sales over the last year break down by month\"\n\nNote:\n- The 'index' parameter can be used to specify which index to search against.\n If not provided, the tool will decide itself which is the best index to use.\n- It is perfectly fine not to specify the 'index' parameter. It should only be specified when you already\n know about the index and fields you want to search on, e.g. if the user explicitly specified it.","id":"platform.core.search","readonly":true,"schema":{"$schema":"http://json-schema.org/draft-07/schema#","additionalProperties":false,"type":"object","properties":{"index":{"description":"(optional) Index to search against. If not provided, will automatically select the best index to use based on the query.","type":"string"},"query":{"description":"A natural language query expressing the search request","type":"string"}},"required":["query"]},"tags":[],"type":"builtin"},{"configuration":{},"description":"Retrieve the full content (source) of an Elasticsearch document based on its ID and index name.","id":"platform.core.get_document_by_id","readonly":true,"schema":{"$schema":"http://json-schema.org/draft-07/schema#","additionalProperties":false,"type":"object","properties":{"id":{"description":"ID of the document to retrieve","type":"string"},"index":{"description":"Name of the index to retrieve the document from","type":"string"}},"required":["id","index"]},"tags":[],"type":"builtin"},{"configuration":{},"description":"Execute an ES|QL query and return the results in a tabular format.\n\n**IMPORTANT**: This tool only **runs** queries; it does not write them.\nThink of this as the final step after a query has been prepared.\n\nYou **must** get the query from one of two sources before calling this tool:\n1.  The output of the `platform.core.generate_esql` tool (if the tool is available).\n2.  A verbatim query provided directly by the user.\n\nUnder no circumstances should you invent, guess, or modify a query yourself for this tool.\nIf you need a query, use the `platform.core.generate_esql` tool first.","id":"platform.core.execute_esql","readonly":true,"schema":{"$schema":"http://json-schema.org/draft-07/schema#","additionalProperties":false,"type":"object","properties":{"query":{"description":"The ES|QL query to execute","type":"string"}},"required":["query"]},"tags":[],"type":"builtin"},{"configuration":{"params":{"limit":{"description":"Maximum number of results to return","type":"integer"},"startTime":{"description":"Start time for the analysis in ISO format","type":"date"}},"query":"FROM financial_trades | WHERE execution_timestamp \u003e= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit"},"description":"Example ES|QL query tool for analyzing financial trades with time filtering","id":"example-esql-tool","readonly":false,"schema":{"$schema":"http://json-schema.org/draft-07/schema#","additionalProperties":false,"description":"Parameters needed to execute the query","type":"object","properties":{"limit":{"description":"Maximum number of results to return","type":"integer"},"startTime":{"description":"Start time for the analysis in ISO format","format":"date-time","type":"string"}},"required":["startTime","limit"]},"tags":["analytics","finance"],"type":"esql"},{"configuration":{"pattern":"financial_*"},"description":"Search tool specifically for financial data analysis and reporting","id":"example-index-search-tool","readonly":false,"schema":{"$schema":"http://json-schema.org/draft-07/schema#","additionalProperties":false,"type":"object","properties":{"nlQuery":{"description":"A natural language query expressing the search request","type":"string"}},"required":["nlQuery"]},"tags":["search","finance"],"type":"index_search"}]}}}}},"description":"Indicates a successful response"}},"summary":"List tools","tags":["agent builder"],"x-codeSamples":[{"lang":"curl","source":"curl \\\n  -X GET \"https://${KIBANA_URL}/api/agent_builder/tools\" \\\n  -H \"Authorization: ApiKey ${API_KEY}\"\n"},{"lang":"Console","source":"GET kbn:/api/agent_builder/tools\n"}],"x-state":"Added in 9.2.0","x-metaTags":[{"content":"Kibana","name":"product_name"}]},"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/agent_builder/tools\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nCreate a new tool. Use this endpoint to define a custom tool with specific functionality and configuration for use by agents. To learn more, refer to the [tools documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/tools).\u003cbr/\u003e\u003cbr/\u003e[Required authorization] Route required privileges: manage_onechat.","operationId":"post-agent-builder-tools","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application/json":{"examples":{"createEsqlToolRequest":{"description":"Example request to create an ESQL query tool with a pre-defined query","value":{"configuration":{"params":{"limit":{"description":"Maximum number of results to return","type":"integer"},"startTime":{"description":"Start time for the analysis in ISO format","type":"date"}},"query":"FROM financial_trades | WHERE execution_timestamp \u003e= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit"},"description":"Example ES|QL query tool for analyzing financial trades with time filtering","id":"example-esql-tool","tags":["analytics","finance"],"type":"esql"}},"createIndexSearchToolRequest":{"description":"Example request to create an index_search tool with a pre-defined index pattern","value":{"configuration":{"pattern":"financial_*"},"description":"Search tool specifically for financial data analysis and reporting","id":"example-index-search-tool","tags":["search","finance"],"type":"index_search"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"configuration":{"additionalProperties":{},"description":"Tool-specific configuration parameters. See examples for details.","type":"object"},"description":{"default":"","description":"Description of what the tool does.","type":"string"},"id":{"description":"Unique identifier for the tool.","type":"string"},"tags":{"default":[],"description":"Optional tags for categorizing and organizing tools.","items":{"description":"Tag for categorizing the tool.","type":"string"},"type":"array"},"type":{"description":"The type of tool to create (e.g., esql, index_search).","enum":["esql","index_search","workflow","mcp"],"type":"string"}},"required":["id","type","configuration"]}}}},"responses":{"200":{"content":{"application/json":{"examples":{"createEsqlToolExample":{"description":"Example response returning a definition of ESQL tool created","value":{"configuration":{"params":{"limit":{"description":"Maximum number of results to return","type":"integer"},"startTime":{"description":"Start time for the analysis in ISO format","type":"date"}},"query":"FROM financial_trades | WHERE execution_timestamp \u003e= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit"},"description":"Example ES|QL query tool for analyzing financial trades with time filtering","id":"example-esql-tool","readonly":false,"schema":{"$schema":"http://json-schema.org/draft-07/schema#","additionalProperties":false,"description":"Parameters needed to execute the query","type":"object","properties":{"limit":{"description":"Maximum number of results to return","type":"integer"},"startTime":{"description":"Start time for the analysis in ISO format","format":"date-time","type":"string"}},"required":["startTime","limit"]},"tags":["analytics","finance"],"type":"esql"}},"createIndexSearchToolExample":{"description":"Example response returning a definition of search tool tool created","value":{"configuration":{"pattern":"financial_*"},"description":"Search tool specifically for financial data analysis and reporting","id":"example-index-search-tool","readonly":false,"schema":{"$schema":"http://json-schema.org/draft-07/schema#","additionalProperties":false,"type":"object","properties":{"nlQuery":{"description":"A natural language query expressing the search request","type":"string"}},"required":["nlQuery"]},"tags":["search","finance"],"type":"index_search"}}}}},"description":"Indicates a successful response"}},"summary":"Create a tool","tags":["agent builder"],"x-codeSamples":[{"lang":"curl","source":"curl \\\n -X POST \"https://${KIBANA_URL}/api/agent_builder/tools\" \\\n -H \"Authorization: ApiKey ${API_KEY}\" \\\n -H \"kbn-xsrf: true\" \\\n -H \"Content-Type: application/json\" \\\n -d '{\n   \"id\": \"example-esql-tool\",\n   \"type\": \"esql\",\n   \"description\": \"Example ES|QL query tool for analyzing financial trades with time filtering\",\n   \"tags\": [\"analytics\", \"finance\"],\n   \"configuration\": {\n     \"query\": \"FROM financial_trades | WHERE execution_timestamp \u003e= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit\",\n     \"params\": {\n       \"startTime\": {\n         \"type\": \"date\",\n         \"description\": \"Start time for the analysis in ISO format\"\n       },\n       \"limit\": {\n         \"type\": \"integer\",\n         \"description\": \"Maximum number of results to return\"\n       }\n     }\n   }\n }'\n"},{"lang":"Console","source":"POST kbn:/api/agent_builder/tools\n{\n  \"id\": \"example-esql-tool\",\n  \"type\": \"esql\",\n  \"description\": \"An ES|QL query tool for analyzing financial trades with time filtering\",\n  \"tags\": [\"analytics\", \"finance\", \"updated\"],\n  \"configuration\": {\n    \"query\": \"FROM financial_trades | WHERE execution_timestamp \u003e= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit\",\n    \"params\": {\n      \"startTime\": {\n        \"type\": \"date\",\n        \"description\": \"Start time for the analysis in ISO format\"\n      },\n      \"limit\": {\n        \"type\": \"integer\",\n        \"description\": \"Maximum number of results to return\"\n      }\n    }\n  }\n}\n"}],"x-state":"Added in 9.2.0","x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/agent_builder/tools/_execute":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/agent_builder/tools/_execute\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nRun a tool with parameters. Use this endpoint to run a tool directly with specified inputs and optional external connector integration. To learn more, refer to the [tools documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/tools).\u003cbr/\u003e\u003cbr/\u003e[Required authorization] Route required privileges: read_onechat.","operationId":"post-agent-builder-tools-execute","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application/json":{"examples":{"executeBuiltinEsqlToolRequest":{"description":"Example request executing platform.core.execute_esql tool","value":{"tool_id":"platform.core.execute_esql","tool_params":{"query":"FROM financial_trades | LIMIT 3"}}},"executeBuiltinToolRequest":{"description":"Example request executing platform.core.get_document_by_id tool","value":{"tool_id":"platform.core.get_document_by_id","tool_params":{"id":"TRD-20250805-0820a89f","index":"financial_trades"}}},"executeCustomEsqlToolRequest":{"description":"Example request executing custom example-esql-tool tool","value":{"tool_id":"example-esql-tool","tool_params":{"limit":3,"startTime":"2024-01-01T00:00:00Z"}}},"executeIndexSearchToolRequest":{"description":"Example request executing custom example-index-search-tool tool","value":{"tool_id":"example-index-search-tool","tool_params":{"nlQuery":"find trades with high execution prices above 100"}}}},"schema":{"additionalProperties":false,"type":"object","properties":{"connector_id":{"description":"Optional connector ID for tools that require external integrations.","type":"string"},"tool_id":{"description":"The ID of the tool to execute.","type":"string"},"tool_params":{"additionalProperties":{},"description":"Parameters to pass to the tool execution. See examples for details","type":"object"}},"required":["tool_id","tool_params"]}}}},"responses":{"200":{"content":{"application/json":{"examples":{"executeBuiltinEsqlToolExample":{"description":"Example response calling built-in platform.core.execute_esql tool","value":{"results":[{"data":{"esql":"FROM financial_trades | LIMIT 3"},"type":"query"},{"data":{"columns":[{"name":"account_id","type":"keyword"},{"name":"execution_price","type":"double"},{"name":"symbol","type":"keyword"},{"name":"trade_type","type":"keyword"}],"query":"FROM financial_trades | LIMIT 3","source":"esql","values":[["ACC00179-1f91",43.77000045776367,"CVX","sell"],["ACC00407-0bbb",660.4199829101562,"V","buy"],["ACC00179-1f91",440.3599853515625,"KO","buy"]]},"tool_result_id":"xTpT","type":"tabular_data"}]}},"executeBuiltinToolExample":{"description":"Example response calling built-in platform.core.get_document_by_id tool","value":{"results":[{"data":{"content":{"account_id":"ACC00271-fb5c","execution_price":488.54,"execution_timestamp":"2025-08-05T08:04:11.649855","last_updated":"2025-09-15T13:23:36","order_status":"executed","order_type":"market","quantity":131,"status_reason":"fully_filled","symbol":"EWL","trade_cost":63998.74,"trade_id":"TRD-20250805-0820a89f","trade_type":"sell"},"partial":false,"reference":{"id":"TRD-20250805-0820a89f","index":"financial_trades"}},"type":"resource"}]}},"executeCustomEsqlToolExample":{"description":"Example response calling custom example-esql-tool tool","value":{"results":[{"data":{"columns":[{"name":"trade_count","type":"long"},{"name":"avg_price","type":"double"},{"name":"symbol","type":"keyword"}],"query":"FROM financial_trades | WHERE execution_timestamp \u003e= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit","source":"esql","values":[[2115,89.33911587329621,"US_T_BOND_20YR"],[2112,104.2085415594506,"INTL_CORP_ASIA_D"],[2105,89.93244177666526,"INTL_CORP_EU_B"]]},"tool_result_id":"Voy8","type":"tabular_data"}]}},"executeIndexSearchToolExample":{"description":"Example response calling custom example-index-search-tool tool","value":{"results":[{"data":{"esql":"FROM financial_trades\n| WHERE execution_price \u003e 100\n| LIMIT 100"},"type":"query"},{"data":{"columns":[{"name":"account_id","type":"keyword"},{"name":"execution_price","type":"double"},{"name":"execution_timestamp","type":"date"},{"name":"symbol","type":"keyword"},{"name":"trade_type","type":"keyword"}],"query":"FROM financial_trades\n| WHERE execution_price \u003e 100\n| LIMIT 100","source":"esql","values":[["ACC00407-0bbb",660.4199829101562,"2020-09-25T11:06:08.687Z","V","buy"],["ACC00179-1f91",440.3599853515625,"2025-08-07T21:56:45.377Z","KO","buy"],["ACC00407-0bbb",132.8800048828125,"2020-11-19T04:39:13.655Z","JAP_JGB_10YR","sell"]]},"tool_result_id":"uE8y","type":"tabular_data"}]}}}}},"description":"Indicates a successful response"}},"summary":"Run a tool","tags":["agent builder"],"x-codeSamples":[{"lang":"curl","source":"curl \\\n -X POST \"https://${KIBANA_URL}/api/agent_builder/tools/_execute\" \\\n -H \"Authorization: ApiKey ${API_KEY}\" \\\n -H \"kbn-xsrf: true\" \\\n -H \"Content-Type: application/json\" \\\n -d '{\n   \"tool_id\": \"platform.core.search\",\n   \"tool_params\": {\n     \"query\": \"can you find john doe's email from the employee index?\"}\n   }\n }'\n"},{"lang":"Console","source":"POST kbn:/api/agent_builder/tools/_execute\n{\n  \"tool_id\": \"platform.core.search\",\n  \"tool_params\": {\n    \"query\": \"can you find john doe's email from the employee index?\"\n  }\n}\n"}],"x-state":"Added in 9.2.0","x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/agent_builder/tools/{toolId}":{"delete":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb delete\"\u003edelete\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/agent_builder/tools/{toolId}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nDelete a tool by ID. This action cannot be undone. To learn more, refer to the [tools documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/tools).\u003cbr/\u003e\u003cbr/\u003e[Required authorization] Route required privileges: manage_onechat.","operationId":"delete-agent-builder-tools-toolid","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"The unique identifier of the tool to delete.","in":"path","name":"toolId","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application/json":{"examples":{"deleteAgentResponseExample":{"description":"Example response showing that the deletion operation was successful","value":{"success":true}}}}},"description":"Indicates a successful response"}},"summary":"Delete a tool","tags":["agent builder"],"x-codeSamples":[{"lang":"curl","source":"curl \\\n  -X DELETE \"https://${KIBANA_URL}/api/agent_builder/tools/{toolId}\" \\\n  -H \"Authorization: ApiKey ${API_KEY}\" \\\n  -H \"kbn-xsrf: true\"\n"},{"lang":"Console","source":"DELETE kbn:/api/agent_builder/tools/{toolId}\n"}],"x-state":"Added in 9.2.0","x-metaTags":[{"content":"Kibana","name":"product_name"}]},"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/agent_builder/tools/{toolId}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nGet a specific tool by ID. Use this endpoint to retrieve the complete tool definition including its schema and configuration requirements. To learn more, refer to the [tools documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/tools).\u003cbr/\u003e\u003cbr/\u003e[Required authorization] Route required privileges: read_onechat.","operationId":"get-agent-builder-tools-toolid","parameters":[{"description":"The unique identifier of the tool to retrieve.","in":"path","name":"toolId","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application/json":{"examples":{"getBuiltinToolExample":{"description":"Example response returning built-in platform.core.search tool","value":{"configuration":{},"description":"A powerful tool for searching and analyzing data within your Elasticsearch cluster.\nIt supports both full-text relevance searches and structured analytical queries.\n\nUse this tool for any query that involves finding documents, counting, aggregating, or summarizing data from a known index.\n\nExamples of queries:\n- \"find articles about serverless architecture\"\n- \"search for support tickets mentioning 'billing issue' or 'refund request'\"\n- \"what is our policy on parental leave?\"\n- \"list all products where the category is 'electronics'\"\n- \"show me the last 5 documents from that index\"\n- \"show me the sales over the last year break down by month\"\n\nNote:\n- The 'index' parameter can be used to specify which index to search against.\n If not provided, the tool will decide itself which is the best index to use.\n- It is perfectly fine not to specify the 'index' parameter. It should only be specified when you already\n know about the index and fields you want to search on, e.g. if the user explicitly specified it.","id":"platform.core.search","readonly":true,"schema":{"$schema":"http://json-schema.org/draft-07/schema#","additionalProperties":false,"type":"object","properties":{"index":{"description":"(optional) Index to search against. If not provided, will automatically select the best index to use based on the query.","type":"string"},"query":{"description":"A natural language query expressing the search request","type":"string"}},"required":["query"]},"tags":[],"type":"builtin"}},"getEsqlToolExample":{"description":"Example response returning custom example-esql-tool tool","value":{"configuration":{"params":{"limit":{"description":"Maximum number of results to return","type":"integer"},"startTime":{"description":"Start time for the analysis in ISO format","type":"date"}},"query":"FROM financial_trades | WHERE execution_timestamp \u003e= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit"},"description":"Example ES|QL query tool for analyzing financial trades with time filtering","id":"example-esql-tool","readonly":false,"schema":{"$schema":"http://json-schema.org/draft-07/schema#","additionalProperties":false,"description":"Parameters needed to execute the query","type":"object","properties":{"limit":{"description":"Maximum number of results to return","type":"integer"},"startTime":{"description":"Start time for the analysis in ISO format","format":"date-time","type":"string"}},"required":["startTime","limit"]},"tags":["analytics","finance"],"type":"esql"}},"getIndexSearchToolExample":{"description":"Example response returning custom example-index-search-tool tool","value":{"configuration":{"pattern":"financial_*"},"description":"Search tool specifically for financial data analysis and reporting","id":"example-index-search-tool","readonly":false,"schema":{"$schema":"http://json-schema.org/draft-07/schema#","additionalProperties":false,"type":"object","properties":{"nlQuery":{"description":"A natural language query expressing the search request","type":"string"}},"required":["nlQuery"]},"tags":["search","finance"],"type":"index_search"}}}}},"description":"Indicates a successful response"}},"summary":"Get a tool by id","tags":["agent builder"],"x-codeSamples":[{"lang":"curl","source":"curl \\\n  -X GET \"https://${KIBANA_URL}/api/agent_builder/tools/{toolId}\" \\\n  -H \"Authorization: ApiKey ${API_KEY}\"\n"},{"lang":"Console","source":"GET kbn:/api/agent_builder/tools/{toolId}\n"}],"x-state":"Added in 9.2.0","x-metaTags":[{"content":"Kibana","name":"product_name"}]},"put":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb put\"\u003eput\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/agent_builder/tools/{toolId}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nUpdate an existing tool. Use this endpoint to modify any aspect of the tool's configuration or metadata. To learn more, refer to the [tools documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/tools).\u003cbr/\u003e\u003cbr/\u003e[Required authorization] Route required privileges: manage_onechat.","operationId":"put-agent-builder-tools-toolid","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"The unique identifier of the tool to update.","in":"path","name":"toolId","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"examples":{"updateEsqlToolRequest":{"description":"Example request to update the custom ESQL tool","value":{"configuration":{"params":{"limit":{"description":"Maximum number of results to return","type":"integer"},"startTime":{"description":"Start time for the analysis in ISO format","type":"date"},"symbolPattern":{"description":"Pattern to filter symbols (e.g., 'US_*' for US instruments)","type":"keyword"}},"query":"FROM financial_trades | WHERE execution_timestamp \u003e= ?startTime AND symbol LIKE ?symbolPattern | STATS trade_count=COUNT(*), avg_price=AVG(execution_price), total_volume=SUM(quantity) BY symbol | SORT trade_count DESC | LIMIT ?limit"},"description":"Updated ES|QL query tool for comprehensive financial analysis with enhanced filtering","tags":["analytics","finance","reporting"]}},"updateIndexSearchToolRequest":{"description":"Example request to update the custom Search tool","value":{"description":"Updated search tool for comprehensive financial data analysis, reporting, and compliance monitoring","tags":["search","finance","compliance","reporting"]}}},"schema":{"additionalProperties":false,"type":"object","properties":{"configuration":{"additionalProperties":{},"description":"Updated tool-specific configuration parameters. See examples for details.","type":"object"},"description":{"description":"Updated description of what the tool does.","type":"string"},"tags":{"description":"Updated tags for categorizing and organizing tools.","items":{"description":"Updated tag for categorizing the tool.","type":"string"},"type":"array"}}}}}},"responses":{"200":{"content":{"application/json":{"examples":{"updateEsqlToolExample":{"description":"Example response showing the updated ESQL tool","value":{"configuration":{"params":{"limit":{"description":"Maximum number of results to return","type":"integer"},"startTime":{"description":"Start time for the analysis in ISO format","type":"date"},"symbolPattern":{"description":"Pattern to filter symbols (e.g., 'US_*' for US instruments)","type":"keyword"}},"query":"FROM financial_trades | WHERE execution_timestamp \u003e= ?startTime AND symbol LIKE ?symbolPattern | STATS trade_count=COUNT(*), avg_price=AVG(execution_price), total_volume=SUM(quantity) BY symbol | SORT trade_count DESC | LIMIT ?limit"},"description":"Updated ES|QL query tool for comprehensive financial analysis with enhanced filtering","id":"example-esql-tool","readonly":false,"schema":{"$schema":"http://json-schema.org/draft-07/schema#","additionalProperties":false,"description":"Parameters needed to execute the enhanced query","type":"object","properties":{"limit":{"description":"Maximum number of results to return","type":"integer"},"startTime":{"description":"Start time for the analysis in ISO format","format":"date-time","type":"string"},"symbolPattern":{"description":"Pattern to filter symbols (e.g., 'US_*' for US instruments)","type":"string"}},"required":["startTime","symbolPattern","limit"]},"tags":["analytics","finance","reporting"],"type":"esql"}},"updateIndexSearchToolExample":{"description":"Example response showing the updated Search tool","value":{"configuration":{"pattern":"financial_*"},"description":"Updated search tool for comprehensive financial data analysis, reporting, and compliance monitoring","id":"example-index-search-tool","readonly":false,"schema":{"$schema":"http://json-schema.org/draft-07/schema#","additionalProperties":false,"type":"object","properties":{"nlQuery":{"description":"A natural language query expressing the search request","type":"string"}},"required":["nlQuery"]},"tags":["search","finance","compliance","reporting"],"type":"index_search"}}}}},"description":"Indicates a successful response"}},"summary":"Update a tool","tags":["agent builder"],"x-codeSamples":[{"lang":"curl","source":"curl \\\n -X PUT \"https://${KIBANA_URL}/api/agent_builder/tools/{toolId}\" \\\n -H \"Authorization: ApiKey ${API_KEY}\" \\\n -H \"kbn-xsrf: true\" \\\n -H \"Content-Type: application/json\" \\\n -d '{\n   \"description\": \"Updated ES|QL query tool for analyzing financial trades with time filtering\",\n   \"tags\": [\"analytics\", \"finance\", \"updated\"],\n   \"configuration\": {\n     \"query\": \"FROM financial_trades | WHERE execution_timestamp \u003e= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit\",\n     \"params\": {\n       \"startTime\": {\n         \"type\": \"date\",\n         \"description\": \"Start time for the analysis in ISO format\"\n       },\n       \"limit\": {\n         \"type\": \"integer\",\n         \"description\": \"Maximum number of results to return\"\n       }\n     }\n   }\n }'\n"},{"lang":"Console","source":"PUT kbn:/api/agent_builder/tools/{toolId}\n{\n  \"description\": \"Updated ES|QL query tool for analyzing financial trades with time filtering\",\n  \"tags\": [\"analytics\", \"finance\", \"updated\"],\n  \"configuration\": {\n    \"query\": \"FROM financial_trades | WHERE execution_timestamp \u003e= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit\",\n    \"params\": {\n      \"startTime\": {\n        \"type\": \"date\",\n        \"description\": \"Start time for the analysis in ISO format\"\n      },\n      \"limit\": {\n        \"type\": \"integer\",\n        \"description\": \"Maximum number of results to return\"\n      }\n    }\n  }\n}\n"}],"x-state":"Added in 9.2.0","x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/alerting/_health":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/alerting/_health\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nYou must have `read` privileges for the **Management \u003e Stack Rules** feature or for at least one of the **Analytics \u003e Discover**, **Analytics \u003e Machine Learning**, **Observability**, or **Security** features.\n","operationId":"getAlertingHealth","responses":{"200":{"content":{"application/json":{"examples":{"getAlertingHealthResponse":{"$ref":"#/components/examples/Alerting_get_health_response"}},"schema":{"type":"object","properties":{"alerting_framework_health":{"description":"Three substates identify the health of the alerting framework: `decryption_health`, `execution_health`, and `read_health`.\n","type":"object","properties":{"decryption_health":{"description":"The timestamp and status of the rule decryption.","type":"object","properties":{"status":{"enum":["error","ok","warn"],"example":"ok","type":"string"},"timestamp":{"example":"2023-01-13T01:28:00.280Z","format":"date-time","type":"string"}}},"execution_health":{"description":"The timestamp and status of the rule run.","type":"object","properties":{"status":{"enum":["error","ok","warn"],"example":"ok","type":"string"},"timestamp":{"example":"2023-01-13T01:28:00.280Z","format":"date-time","type":"string"}}},"read_health":{"description":"The timestamp and status of the rule reading events.","type":"object","properties":{"status":{"enum":["error","ok","warn"],"example":"ok","type":"string"},"timestamp":{"example":"2023-01-13T01:28:00.280Z","format":"date-time","type":"string"}}}}},"has_permanent_encryption_key":{"description":"If `false`, the encrypted saved object plugin does not have a permanent encryption key.","example":true,"type":"boolean"},"is_sufficiently_secure":{"description":"If `false`, security is enabled but TLS is not.","example":true,"type":"boolean"}}}}},"description":"Indicates a successful call."},"401":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Alerting_401_response"}}},"description":"Authorization information is missing or invalid."}},"summary":"Get the alerting framework health","tags":["alerting"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/alerting/rule_types":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/alerting/rule_types\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nIf you have `read` privileges for one or more Kibana features, the API response contains information about the appropriate rule types. For example, there are rule types associated with the **Management \u003e Stack Rules** feature, **Analytics \u003e Discover** and **Machine Learning** features, **Observability** features, and **Security** features. To get rule types associated with the **Stack Monitoring** feature, use the `monitoring_user` built-in role.\n","operationId":"getRuleTypes","responses":{"200":{"content":{"application/json":{"examples":{"getRuleTypesResponse":{"$ref":"#/components/examples/Alerting_get_rule_types_response"}},"schema":{"items":{"type":"object","properties":{"action_groups":{"description":"An explicit list of groups for which the rule type can schedule actions, each with the action group's unique ID and human readable name. Rule actions validation uses this configuration to ensure that groups are valid.\n","items":{"type":"object","properties":{"id":{"type":"string"},"name":{"type":"string"}}},"type":"array"},"action_variables":{"description":"A list of action variables that the rule type makes available via context and state in action parameter templates, and a short human readable description. When you create a rule in Kibana, it uses this information to prompt you for these variables in action parameter editors.\n","type":"object","properties":{"context":{"items":{"type":"object","properties":{"description":{"type":"string"},"name":{"type":"string"},"useWithTripleBracesInTemplates":{"type":"boolean"}}},"type":"array"},"params":{"items":{"type":"object","properties":{"description":{"type":"string"},"name":{"type":"string"}}},"type":"array"},"state":{"items":{"type":"object","properties":{"description":{"type":"string"},"name":{"type":"string"}}},"type":"array"}}},"alerts":{"description":"Details for writing alerts as data documents for this rule type.\n","type":"object","properties":{"context":{"description":"The namespace for this rule type.\n","enum":["ml.anomaly-detection","observability.apm","observability.logs","observability.metrics","observability.slo","observability.threshold","observability.uptime","security","stack"],"type":"string"},"dynamic":{"description":"Indicates whether new fields are added dynamically.","enum":["false","runtime","strict","true"],"type":"string"},"isSpaceAware":{"description":"Indicates whether the alerts are space-aware. If true, space-specific alert indices are used.\n","type":"boolean"},"mappings":{"type":"object","properties":{"fieldMap":{"additionalProperties":{"$ref":"#/components/schemas/Alerting_fieldmap_properties"},"description":"Mapping information for each field supported in alerts as data documents for this rule type. For more information about mapping parameters, refer to the Elasticsearch documentation.\n","type":"object"}}},"secondaryAlias":{"description":"A secondary alias. It is typically used to support the signals alias for detection rules.\n","type":"string"},"shouldWrite":{"description":"Indicates whether the rule should write out alerts as data.\n","type":"boolean"},"useEcs":{"description":"Indicates whether to include the ECS component template for the alerts.\n","type":"boolean"},"useLegacyAlerts":{"default":false,"description":"Indicates whether to include the legacy component template for the alerts.\n","type":"boolean"}}},"authorized_consumers":{"description":"The list of the plugins IDs that have access to the rule type.","type":"object","properties":{"alerts":{"type":"object","properties":{"all":{"type":"boolean"},"read":{"type":"boolean"}}},"apm":{"type":"object","properties":{"all":{"type":"boolean"},"read":{"type":"boolean"}}},"discover":{"type":"object","properties":{"all":{"type":"boolean"},"read":{"type":"boolean"}}},"infrastructure":{"type":"object","properties":{"all":{"type":"boolean"},"read":{"type":"boolean"}}},"logs":{"type":"object","properties":{"all":{"type":"boolean"},"read":{"type":"boolean"}}},"ml":{"type":"object","properties":{"all":{"type":"boolean"},"read":{"type":"boolean"}}},"monitoring":{"type":"object","properties":{"all":{"type":"boolean"},"read":{"type":"boolean"}}},"siem":{"type":"object","properties":{"all":{"type":"boolean"},"read":{"type":"boolean"}}},"slo":{"type":"object","properties":{"all":{"type":"boolean"},"read":{"type":"boolean"}}},"stackAlerts":{"type":"object","properties":{"all":{"type":"boolean"},"read":{"type":"boolean"}}},"uptime":{"type":"object","properties":{"all":{"type":"boolean"},"read":{"type":"boolean"}}}}},"category":{"description":"The rule category, which is used by features such as category-specific maintenance windows.","enum":["management","observability","securitySolution"],"type":"string"},"default_action_group_id":{"description":"The default identifier for the rule type group.","type":"string"},"does_set_recovery_context":{"description":"Indicates whether the rule passes context variables to its recovery action.","type":"boolean"},"enabled_in_license":{"description":"Indicates whether the rule type is enabled or disabled based on the subscription.","type":"boolean"},"has_alerts_mappings":{"description":"Indicates whether the rule type has custom mappings for the alert data.","type":"boolean"},"has_fields_for_a_a_d":{"type":"boolean"},"id":{"description":"The unique identifier for the rule type.","type":"string"},"is_exportable":{"description":"Indicates whether the rule type is exportable in **Stack Management \u003e Saved Objects**.","type":"boolean"},"minimum_license_required":{"description":"The subscriptions required to use the rule type.","example":"basic","type":"string"},"name":{"description":"The descriptive name of the rule type.","type":"string"},"producer":{"description":"An identifier for the application that produces this rule type.","example":"stackAlerts","type":"string"},"recovery_action_group":{"description":"An action group to use when an alert goes from an active state to an inactive one.","type":"object","properties":{"id":{"type":"string"},"name":{"type":"string"}}},"rule_task_timeout":{"example":"5m","type":"string"}}},"type":"array"}}},"description":"Indicates a successful call."},"401":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Alerting_401_response"}}},"description":"Authorization information is missing or invalid."}},"summary":"Get the rule types","tags":["alerting"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/alerting/rule/{id}":{"delete":{"operationId":"delete-alerting-rule-id","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"The identifier for the rule.","in":"path","name":"id","required":true,"schema":{"type":"string"}}],"responses":{"204":{"description":"Indicates a successful call."},"400":{"description":"Indicates an invalid schema or parameters."},"403":{"description":"Indicates that this call is forbidden."},"404":{"description":"Indicates a rule with the given ID does not exist."}},"summary":"Delete a rule","tags":["alerting"],"x-metaTags":[{"content":"Kibana","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb delete\"\u003edelete\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/alerting/rule/{id}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information."},"get":{"operationId":"get-alerting-rule-id","parameters":[{"description":"The identifier for the rule.","in":"path","name":"id","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"actions":{"items":{"additionalProperties":false,"type":"object","properties":{"alerts_filter":{"additionalProperties":false,"description":"Defines a period that limits whether the action runs.","type":"object","properties":{"query":{"additionalProperties":false,"type":"object","properties":{"dsl":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL).","type":"string"},"filters":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.","items":{"additionalProperties":false,"type":"object","properties":{"$state":{"additionalProperties":false,"type":"object","properties":{"store":{"description":"A filter can be either specific to an application context or applied globally.","enum":["appState","globalState"],"type":"string"}},"required":["store"]},"meta":{"additionalProperties":{},"type":"object"},"query":{"additionalProperties":{},"type":"object"}},"required":["meta"]},"type":"array"},"kql":{"description":"A filter written in Kibana Query Language (KQL).","type":"string"}},"required":["kql","filters"]},"timeframe":{"additionalProperties":false,"type":"object","properties":{"days":{"description":"Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.","items":{"enum":[1,2,3,4,5,6,7],"type":"integer"},"type":"array"},"hours":{"additionalProperties":false,"type":"object","properties":{"end":{"description":"The end of the time frame in 24-hour notation (`hh:mm`).","type":"string"},"start":{"description":"The start of the time frame in 24-hour notation (`hh:mm`).","type":"string"}},"required":["start","end"]},"timezone":{"description":"The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.","type":"string"}},"required":["days","hours","timezone"]}}},"connector_type_id":{"description":"The type of connector. This property appears in responses but cannot be set in requests.","type":"string"},"frequency":{"additionalProperties":false,"type":"object","properties":{"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"type":"string"},"summary":{"description":"Indicates whether the action is a summary.","type":"boolean"},"throttle":{"description":"The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if 'notify_when' is set to 'onThrottleInterval'. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"}},"required":["summary","notify_when","throttle"]},"group":{"description":"The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.","type":"string"},"id":{"description":"The identifier for the connector saved object.","type":"string"},"params":{"additionalProperties":{},"description":"The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.","type":"object"},"use_alert_data_for_template":{"description":"Indicates whether to use alert data as a template.","type":"boolean"},"uuid":{"description":"A universally unique identifier (UUID) for the action.","type":"string"}},"required":["id","connector_type_id","params"]},"type":"array"},"active_snoozes":{"items":{"description":"List of active snoozes for the rule.","type":"string"},"type":"array"},"alert_delay":{"additionalProperties":false,"description":"Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.","type":"object","properties":{"active":{"description":"The number of consecutive runs that must meet the rule conditions.","type":"number"}},"required":["active"]},"api_key_created_by_user":{"description":"Indicates whether the API key that is associated with the rule was created by the user.","nullable":true,"type":"boolean"},"api_key_owner":{"description":"The owner of the API key that is associated with the rule and used to run background tasks.","nullable":true,"type":"string"},"artifacts":{"additionalProperties":false,"type":"object","properties":{"dashboards":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},"type":"array"},"investigation_guide":{"additionalProperties":false,"type":"object","properties":{"blob":{"description":"User-created content that describes alert causes and remdiation.","type":"string"}},"required":["blob"]}}},"consumer":{"description":"The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.","type":"string"},"created_at":{"description":"The date and time that the rule was created.","type":"string"},"created_by":{"description":"The identifier for the user that created the rule.","nullable":true,"type":"string"},"enabled":{"description":"Indicates whether you want to run the rule on an interval basis after it is created.","type":"boolean"},"execution_status":{"additionalProperties":false,"type":"object","properties":{"error":{"additionalProperties":false,"type":"object","properties":{"message":{"description":"Error message.","type":"string"},"reason":{"description":"Reason for error.","enum":["read","decrypt","execute","unknown","license","timeout","disabled","validate"],"type":"string"}},"required":["reason","message"]},"last_duration":{"description":"Duration of last execution of the rule.","type":"number"},"last_execution_date":{"description":"The date and time when rule was executed last.","type":"string"},"status":{"description":"Status of rule execution.","enum":["ok","active","error","warning","pending","unknown"],"type":"string"},"warning":{"additionalProperties":false,"type":"object","properties":{"message":{"description":"Warning message.","type":"string"},"reason":{"description":"Reason for warning.","enum":["maxExecutableActions","maxAlerts","maxQueuedActions","ruleExecution"],"type":"string"}},"required":["reason","message"]}},"required":["status","last_execution_date"]},"flapping":{"additionalProperties":false,"description":"When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.","nullable":true,"type":"object","properties":{"enabled":{"description":"Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.","type":"boolean"},"look_back_window":{"description":"The minimum number of runs in which the threshold must be met.","maximum":20,"minimum":2,"type":"number"},"status_change_threshold":{"description":"The minimum number of times an alert must switch states in the look back window.","maximum":20,"minimum":2,"type":"number"}},"required":["look_back_window","status_change_threshold"]},"id":{"description":"The identifier for the rule.","type":"string"},"is_snoozed_until":{"description":"The date when the rule will no longer be snoozed.","nullable":true,"type":"string"},"last_run":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"alerts_count":{"additionalProperties":false,"type":"object","properties":{"active":{"description":"Number of active alerts during last run.","nullable":true,"type":"number"},"ignored":{"description":"Number of ignored alerts during last run.","nullable":true,"type":"number"},"new":{"description":"Number of new alerts during last run.","nullable":true,"type":"number"},"recovered":{"description":"Number of recovered alerts during last run.","nullable":true,"type":"number"}}},"outcome":{"description":"Outcome of last run of the rule. Value could be succeeded, warning or failed.","enum":["succeeded","warning","failed"],"type":"string"},"outcome_msg":{"items":{"description":"Outcome message generated during last rule run.","type":"string"},"nullable":true,"type":"array"},"outcome_order":{"description":"Order of the outcome.","type":"number"},"warning":{"description":"Warning of last rule execution.","enum":["read","decrypt","execute","unknown","license","timeout","disabled","validate","maxExecutableActions","maxAlerts","maxQueuedActions","ruleExecution"],"nullable":true,"type":"string"}},"required":["outcome","alerts_count"]},"mapped_params":{"additionalProperties":{},"type":"object"},"monitoring":{"additionalProperties":false,"description":"Monitoring details of the rule.","type":"object","properties":{"run":{"additionalProperties":false,"description":"Rule run details.","type":"object","properties":{"calculated_metrics":{"additionalProperties":false,"description":"Calculation of different percentiles and success ratio.","type":"object","properties":{"p50":{"type":"number"},"p95":{"type":"number"},"p99":{"type":"number"},"success_ratio":{"type":"number"}},"required":["success_ratio"]},"history":{"description":"History of the rule run.","items":{"additionalProperties":false,"type":"object","properties":{"duration":{"description":"Duration of the rule run.","type":"number"},"outcome":{"description":"Outcome of last run of the rule. Value could be succeeded, warning or failed.","enum":["succeeded","warning","failed"],"type":"string"},"success":{"description":"Indicates whether the rule run was successful.","type":"boolean"},"timestamp":{"description":"Time of rule run.","type":"number"}},"required":["success","timestamp"]},"type":"array"},"last_run":{"additionalProperties":false,"type":"object","properties":{"metrics":{"additionalProperties":false,"type":"object","properties":{"duration":{"description":"Duration of most recent rule run.","type":"number"},"gap_duration_s":{"description":"Duration in seconds of rule run gap.","nullable":true,"type":"number"},"gap_range":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"gte":{"description":"End of the gap range.","type":"string"},"lte":{"description":"Start of the gap range.","type":"string"}},"required":["lte","gte"]},"total_alerts_created":{"description":"Total number of alerts created during last rule run.","nullable":true,"type":"number"},"total_alerts_detected":{"description":"Total number of alerts detected during last rule run.","nullable":true,"type":"number"},"total_indexing_duration_ms":{"description":"Total time spent indexing documents during last rule run in milliseconds.","nullable":true,"type":"number"},"total_search_duration_ms":{"description":"Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response.","nullable":true,"type":"number"}}},"timestamp":{"description":"Time of the most recent rule run.","type":"string"}},"required":["timestamp","metrics"]}},"required":["history","calculated_metrics","last_run"]}},"required":["run"]},"mute_all":{"description":"Indicates whether all alerts are muted.","type":"boolean"},"muted_alert_ids":{"items":{"description":"List of identifiers of muted alerts. ","type":"string"},"type":"array"},"name":{"description":" The name of the rule.","type":"string"},"next_run":{"description":"Date and time of the next run of the rule.","nullable":true,"type":"string"},"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"nullable":true,"type":"string"},"params":{"additionalProperties":{},"description":"The parameters for the rule.","type":"object"},"revision":{"description":"The rule revision number.","type":"number"},"rule_type_id":{"description":"The rule type identifier.","type":"string"},"running":{"description":"Indicates whether the rule is running.","nullable":true,"type":"boolean"},"schedule":{"additionalProperties":false,"type":"object","properties":{"interval":{"description":"The interval is specified in seconds, minutes, hours, or days.","type":"string"}},"required":["interval"]},"scheduled_task_id":{"description":"Identifier of the scheduled task.","type":"string"},"snooze_schedule":{"items":{"additionalProperties":false,"type":"object","properties":{"duration":{"description":"Duration of the rule snooze schedule.","type":"number"},"id":{"description":"Identifier of the rule snooze schedule.","type":"string"},"rRule":{"additionalProperties":false,"type":"object","properties":{"byhour":{"items":{"description":"Indicates hours of the day to recur.","type":"number"},"nullable":true,"type":"array"},"byminute":{"items":{"description":"Indicates minutes of the hour to recur.","type":"number"},"nullable":true,"type":"array"},"bymonth":{"items":{"description":"Indicates months of the year that this rule should recur.","type":"number"},"nullable":true,"type":"array"},"bymonthday":{"items":{"description":"Indicates the days of the month to recur.","type":"number"},"nullable":true,"type":"array"},"bysecond":{"items":{"description":"Indicates seconds of the day to recur.","type":"number"},"nullable":true,"type":"array"},"bysetpos":{"items":{"description":"A positive or negative integer affecting the nth day of the month. For example, -2 combined with `byweekday` of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use `byweekday`.","type":"number"},"nullable":true,"type":"array"},"byweekday":{"items":{"anyOf":[{"type":"string"},{"type":"number"}],"description":"Indicates the days of the week to recur or else nth-day-of-month strings. For example, \"+2TU\" second Tuesday of month, \"-1FR\" last Friday of the month, which are internally converted to a `byweekday/bysetpos` combination."},"nullable":true,"type":"array"},"byweekno":{"items":{"description":"Indicates number of the week hours to recur.","type":"number"},"nullable":true,"type":"array"},"byyearday":{"items":{"description":"Indicates the days of the year that this rule should recur.","type":"number"},"nullable":true,"type":"array"},"count":{"description":"Number of times the rule should recur until it stops.","type":"number"},"dtstart":{"description":"Rule start date in Coordinated Universal Time (UTC).","type":"string"},"freq":{"description":"Indicates frequency of the rule. Options are YEARLY, MONTHLY, WEEKLY, DAILY.","enum":[0,1,2,3,4,5,6],"type":"integer"},"interval":{"description":"Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks.","type":"number"},"tzid":{"description":"Indicates timezone abbreviation.","type":"string"},"until":{"description":"Recur the rule until this date.","type":"string"},"wkst":{"description":"Indicates the start of week, defaults to Monday.","enum":["MO","TU","WE","TH","FR","SA","SU"],"type":"string"}},"required":["dtstart","tzid"]},"skipRecurrences":{"items":{"description":"Skips recurrence of rule on this date.","type":"string"},"type":"array"}},"required":["duration","rRule"]},"type":"array"},"tags":{"items":{"description":"The tags for the rule.","type":"string"},"type":"array"},"throttle":{"deprecated":true,"description":"Deprecated in 8.13.0. Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"},"updated_at":{"description":"The date and time that the rule was updated most recently.","type":"string"},"updated_by":{"description":"The identifier for the user that updated this rule most recently.","nullable":true,"type":"string"},"view_in_app_relative_url":{"description":"Relative URL to view rule in the app.","nullable":true,"type":"string"}},"required":["id","enabled","name","tags","rule_type_id","consumer","schedule","actions","params","created_by","updated_by","created_at","updated_at","api_key_owner","mute_all","muted_alert_ids","execution_status","revision"]}}},"description":"Indicates a successful call."},"400":{"description":"Indicates an invalid schema or parameters."},"403":{"description":"Indicates that this call is forbidden."},"404":{"description":"Indicates a rule with the given ID does not exist."}},"summary":"Get rule details","tags":["alerting"],"x-metaTags":[{"content":"Kibana","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/alerting/rule/{id}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information."},"post":{"operationId":"post-alerting-rule-id","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"The identifier for the rule. If it is omitted, an ID is randomly generated.","in":"path","name":"id","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"examples":{"createEsQueryEsqlRuleRequest":{"description":"Create an Elasticsearch query rule that uses Elasticsearch Query Language (ES|QL) to define its query and a server log connector to send notifications.\n","summary":"Elasticsearch query rule (ES|QL)","value":{"actions":[{"frequency":{"notify_when":"onActiveAlert","summary":false},"group":"query matched","id":"d0db1fe0-78d6-11ee-9177-f7d404c8c945","params":{"level":"info","message":"Elasticsearch query rule '{{rule.name}}' is active:\n- Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} - Link: {{context.link}}"}}],"consumer":"stackAlerts","name":"my Elasticsearch query ESQL rule","params":{"esqlQuery":{"esql":"FROM kibana_sample_data_logs | KEEP bytes, clientip, host, geo.dest | where geo.dest != \"GB\" | STATS sumbytes = sum(bytes) by clientip, host | WHERE sumbytes \u003e 5000 | SORT sumbytes desc | LIMIT 10"},"searchType":"esqlQuery","size":0,"threshold":[0],"thresholdComparator":"\u003e","timeField":"@timestamp","timeWindowSize":1,"timeWindowUnit":"d"},"rule_type_id":".es-query","schedule":{"interval":"1d"}}},"createEsQueryKqlRuleRequest":{"description":"Create an Elasticsearch query rule that uses Kibana query language (KQL).","summary":"Elasticsearch query rule (KQL)","value":{"consumer":"alerts","name":"my Elasticsearch query KQL rule","params":{"aggType":"count","excludeHitsFromPreviousRun":true,"groupBy":"all","searchConfiguration":{"index":"90943e30-9a47-11e8-b64d-95841ca0b247","query":{"language":"kuery","query":"\"\"geo.src : \"US\" \"\""}},"searchType":"searchSource","size":100,"threshold":[1000],"thresholdComparator":"\u003e","timeWindowSize":5,"timeWindowUnit":"m"},"rule_type_id":".es-query","schedule":{"interval":"1m"}}},"createEsQueryRuleRequest":{"description":"Create an Elasticsearch query rule that uses Elasticsearch query domain specific language (DSL) to define its query and a server log connector to send notifications.\n","summary":"Elasticsearch query rule (DSL)","value":{"actions":[{"frequency":{"notify_when":"onThrottleInterval","summary":true,"throttle":"1d"},"group":"query matched","id":"fdbece50-406c-11ee-850e-c71febc4ca7f","params":{"level":"info","message":"The system has detected {{alerts.new.count}} new, {{alerts.ongoing.count}} ongoing, and {{alerts.recovered.count}} recovered alerts."}},{"frequency":{"notify_when":"onActionGroupChange","summary":false},"group":"recovered","id":"fdbece50-406c-11ee-850e-c71febc4ca7f","params":{"level":"info","message":"Recovered"}}],"consumer":"alerts","name":"my Elasticsearch query rule","params":{"esQuery":"\"\"\"{\"query\":{\"match_all\" : {}}}\"\"\"","index":["kibana_sample_data_logs"],"size":100,"threshold":[100],"thresholdComparator":"\u003e","timeField":"@timestamp","timeWindowSize":1,"timeWindowUnit":"d"},"rule_type_id":".es-query","schedule":{"interval":"1d"}}},"createIndexThresholdRuleRequest":{"description":"Create an index threshold rule that uses a server log connector to send notifications when the threshold is met.\n","summary":"Index threshold rule","value":{"actions":[{"frequency":{"notify_when":"onActionGroupChange","summary":false},"group":"threshold met","id":"48de3460-f401-11ed-9f8e-399c75a2deeb","params":{"level":"info","message":"Rule '{{rule.name}}' is active for group '{{context.group}}':\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}\n- Timestamp: {{context.date}}"}}],"alert_delay":{"active":3},"consumer":"alerts","name":"my rule","params":{"aggField":"sheet.version","aggType":"avg","groupBy":"top","index":[".test-index"],"termField":"name.keyword","termSize":6,"threshold":[1000],"thresholdComparator":"\u003e","timeField":"@timestamp","timeWindowSize":5,"timeWindowUnit":"m"},"rule_type_id":".index-threshold","schedule":{"interval":"1m"},"tags":["cpu"]}},"createTrackingContainmentRuleRequest":{"description":"Create a tracking containment rule that checks when an entity is contained or no longer contained within a boundary.\n","summary":"Tracking containment rule","value":{"consumer":"alerts","name":"my tracking rule","params":{"boundaryGeoField":"location","boundaryIndexId":"0cd90abf-abe7-44c7-909a-f621bbbcfefc","boundaryIndexTitle":"boundary*","boundaryNameField":"name","boundaryType":"entireIndex","dateField\"":"@timestamp","entity":"agent.keyword","geoField":"geo.coordinates","index":"kibana_sample_data_logs","indexId":"90943e30-9a47-11e8-b64d-95841ca0b247"},"rule_type_id":".geo-containment","schedule":{"interval":"1h"}}}},"schema":{"additionalProperties":false,"type":"object","properties":{"actions":{"default":[],"items":{"additionalProperties":false,"description":"An action that runs under defined conditions.","type":"object","properties":{"alerts_filter":{"additionalProperties":false,"description":"Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.","type":"object","properties":{"query":{"additionalProperties":false,"type":"object","properties":{"dsl":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL).","type":"string"},"filters":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.","items":{"additionalProperties":false,"type":"object","properties":{"$state":{"additionalProperties":false,"type":"object","properties":{"store":{"description":"A filter can be either specific to an application context or applied globally.","enum":["appState","globalState"],"type":"string"}},"required":["store"]},"meta":{"additionalProperties":{},"type":"object"},"query":{"additionalProperties":{},"type":"object"}},"required":["meta"]},"type":"array"},"kql":{"description":"A filter written in Kibana Query Language (KQL).","type":"string"}},"required":["kql","filters"]},"timeframe":{"additionalProperties":false,"description":"Defines a period that limits whether the action runs.","type":"object","properties":{"days":{"description":"Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.","items":{"enum":[1,2,3,4,5,6,7],"type":"integer"},"type":"array"},"hours":{"additionalProperties":false,"description":"Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day.","type":"object","properties":{"end":{"description":"The end of the time frame in 24-hour notation (`hh:mm`).","type":"string"},"start":{"description":"The start of the time frame in 24-hour notation (`hh:mm`).","type":"string"}},"required":["start","end"]},"timezone":{"description":"The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.","type":"string"}},"required":["days","hours","timezone"]}}},"frequency":{"additionalProperties":false,"type":"object","properties":{"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"type":"string"},"summary":{"description":"Indicates whether the action is a summary.","type":"boolean"},"throttle":{"description":"The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"}},"required":["summary","notify_when","throttle"]},"group":{"description":"The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.","type":"string"},"id":{"description":"The identifier for the connector saved object.","type":"string"},"params":{"additionalProperties":{},"default":{},"description":"The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.","type":"object"},"use_alert_data_for_template":{"description":"Indicates whether to use alert data as a template.","type":"boolean"},"uuid":{"description":"A universally unique identifier (UUID) for the action.","type":"string"}},"required":["id"]},"type":"array"},"alert_delay":{"additionalProperties":false,"description":"Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.","type":"object","properties":{"active":{"description":"The number of consecutive runs that must meet the rule conditions.","type":"number"}},"required":["active"]},"artifacts":{"additionalProperties":false,"type":"object","properties":{"dashboards":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},"maxItems":10,"type":"array"},"investigation_guide":{"additionalProperties":false,"type":"object","properties":{"blob":{"maxLength":10000,"type":"string"}},"required":["blob"]}}},"consumer":{"description":"The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.","type":"string"},"enabled":{"default":true,"description":"Indicates whether you want to run the rule on an interval basis after it is created.","type":"boolean"},"flapping":{"additionalProperties":false,"description":"When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.","nullable":true,"type":"object","properties":{"enabled":{"description":"Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.","type":"boolean"},"look_back_window":{"description":"The minimum number of runs in which the threshold must be met.","maximum":20,"minimum":2,"type":"number"},"status_change_threshold":{"description":"The minimum number of times an alert must switch states in the look back window.","maximum":20,"minimum":2,"type":"number"}},"required":["look_back_window","status_change_threshold"]},"name":{"description":"The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.","type":"string"},"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"nullable":true,"type":"string"},"rule_type_id":{"description":"The rule type identifier.","type":"string"},"schedule":{"additionalProperties":false,"description":"The check interval, which specifies how frequently the rule conditions are checked.","type":"object","properties":{"interval":{"description":"The interval is specified in seconds, minutes, hours, or days.","type":"string"}},"required":["interval"]},"tags":{"default":[],"description":"The tags for the rule.","items":{"type":"string"},"type":"array"},"throttle":{"description":"Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"},"params":{"additionalProperties":{},"default":{},"description":"The parameters for the rule.","anyOf":[{"$ref":"#/components/schemas/params_property_apm_anomaly"},{"$ref":"#/components/schemas/params_property_apm_error_count"},{"$ref":"#/components/schemas/params_property_apm_transaction_duration"},{"$ref":"#/components/schemas/params_property_apm_transaction_error_rate"},{"$ref":"#/components/schemas/params_es_query_dsl_rule"},{"$ref":"#/components/schemas/params_es_query_esql_rule"},{"$ref":"#/components/schemas/params_es_query_kql_rule"},{"$ref":"#/components/schemas/params_index_threshold_rule"},{"$ref":"#/components/schemas/params_property_infra_inventory"},{"$ref":"#/components/schemas/params_property_log_threshold"},{"$ref":"#/components/schemas/params_property_infra_metric_threshold"},{"$ref":"#/components/schemas/params_property_slo_burn_rate"},{"$ref":"#/components/schemas/params_property_synthetics_uptime_tls"},{"$ref":"#/components/schemas/params_property_synthetics_monitor_status"}]}},"required":["name","rule_type_id","consumer","schedule"]}}}},"responses":{"200":{"content":{"application/json":{"examples":{"createEsQueryEsqlRuleResponse":{"description":"The response for successfully creating an Elasticsearch query rule that uses Elasticsearch Query Language (ES|QL).","summary":"Elasticsearch query rule (ES|QL)","value":{"actions":[{"connector_type_id":".server-log","frequency":{"notify_when":"onActiveAlert","summary":false,"throttle":null},"group":"query matched","id":"d0db1fe0-78d6-11ee-9177-f7d404c8c945","params":{"level":"info","message":"Elasticsearch query rule '{{rule.name}}' is active:\n- Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} - Link: {{context.link}}"},"uuid":"bfe370a3-531b-4855-bbe6-ad739f578844"}],"api_key_created_by_user":false,"api_key_owner":"elastic","consumer":"stackAlerts","created_at":"2023-11-01T19:00:10.453Z","created_by":"elastic","enabled":true,"execution_status":{"last_execution_date":"2023-11-01T19:00:10.453Z","status":"pending"},"id":"e0d62360-78e8-11ee-9177-f7d404c8c945","mute_all":false,"muted_alert_ids":[],"name":"my Elasticsearch query ESQL rule","notify_when":null,"params":{"aggType":"count","esqlQuery":{"esql":"FROM kibana_sample_data_logs | keep bytes, clientip, host, geo.dest | WHERE geo.dest != \"GB\" | stats sumbytes = sum(bytes) by clientip, host | WHERE sumbytes \u003e 5000 | sort sumbytes desc | limit 10"},"excludeHitsFromPreviousRun\"":"true,","groupBy":"all","searchType":"esqlQuery","size":0,"threshold":[0],"thresholdComparator":"\u003e","timeField":"@timestamp","timeWindowSize":1,"timeWindowUnit":"d"},"revision":0,"rule_type_id":".es-query","running":false,"schedule":{"interval":"1d"},"scheduled_task_id":"e0d62360-78e8-11ee-9177-f7d404c8c945","tags":[],"throttle":null,"updated_at":"2023-11-01T19:00:10.453Z","updated_by":"elastic\","}},"createEsQueryKqlRuleResponse":{"description":"The response for successfully creating an Elasticsearch query rule that uses Kibana query language (KQL).","summary":"Elasticsearch query rule (KQL)","value":{"actions":[],"api_key_created_by_user":false,"api_key_owner":"elastic","consumer":"alerts","created_at":"2023-07-14T20:24:50.729Z","created_by":"elastic","enabled":true,"execution_status":{"last_execution_date":"2023-07-14T20:24:50.729Z","status":"pending"},"id":"7bd506d0-2284-11ee-8fad-6101956ced88","mute_all":false,"muted_alert_ids":[],"name":"my Elasticsearch query KQL rule\"","notify_when":null,"params":{"aggType":"count","excludeHitsFromPreviousRun":true,"groupBy":"all","searchConfiguration":{"index":"90943e30-9a47-11e8-b64d-95841ca0b247","query":{"language":"kuery","query":"\"\"geo.src : \"US\" \"\""}},"searchType":"searchSource","size":100,"threshold":[1000],"thresholdComparator":"\u003e","timeWindowSize":5,"timeWindowUnit":"m"},"revision":0,"rule_type_id":".es-query","running":false,"schedule":{"interval":"1m"},"scheduled_task_id":"7bd506d0-2284-11ee-8fad-6101956ced88","tags":[],"throttle":null,"updated_at":"2023-07-14T20:24:50.729Z","updated_by":"elastic"}},"createEsQueryRuleResponse":{"description":"The response for successfully creating an Elasticsearch query rule that uses Elasticsearch query domain specific language (DSL).","summary":"Elasticsearch query rule (DSL)","value":{"actions":[{"connector_type_id":".server-log","frequency":{"notify_when":"onThrottleInterval","summary":true,"throttle":"1d"},"group":"query matched","id":"fdbece50-406c-11ee-850e-c71febc4ca7f","params":{"level":"info","message":"The system has detected {{alerts.new.count}} new, {{alerts.ongoing.count}} ongoing, and {{alerts.recovered.count}} recovered alerts."},"uuid":"53f3c2a3-e5d0-4cfa-af3b-6f0881385e78"},{"connector_type_id":".server-log","frequency":{"notify_when":"onActionGroupChange","summary":false,"throttle":null},"group":"recovered","id":"fdbece50-406c-11ee-850e-c71febc4ca7f","params":{"level":"info","message":"Recovered"},"uuid":"2324e45b-c0df-45c7-9d70-4993e30be758"}],"api_key_created_by_user":false,"api_key_owner":"elastic","consumer":"alerts","created_at":"2023-08-22T00:03:38.263Z","created_by":"elastic","enabled":true,"execution_status":{"last_execution_date":"2023-08-22T00:03:38.263Z","status":"pending"},"id":"58148c70-407f-11ee-850e-c71febc4ca7f","mute_all":false,"muted_alert_ids":[],"name":"my Elasticsearch query rule","notify_when":null,"params":{"aggType":"count","esQuery":"\"\"\"{\"query\":{\"match_all\" : {}}}\"\"\"","excludeHitsFromPreviousRun":true,"groupBy":"all","index":["kibana_sample_data_logs"],"searchType":"esQuery","size":100,"threshold":[100],"thresholdComparator":"\u003e","timeField":"@timestamp","timeWindowSize":1,"timeWindowUnit":"d"},"revision":0,"rule_type_id":".es-query","running":false,"schedule":{"interval":"1d"},"scheduled_task_id":"58148c70-407f-11ee-850e-c71febc4ca7f","tags":[],"throttle":null,"updated_at":"2023-08-22T00:03:38.263Z","updated_by":"elastic"}},"createIndexThresholdRuleResponse":{"description":"The response for successfully creating an index threshold rule.","summary":"Index threshold rule","value":{"actions":[{"connector_type_id":".server-log","frequency":{"notify_when":"onActionGroupChange","summary":false,"throttle":null},"group":"threshold met","id":"dceeb5d0-6b41-11eb-802b-85b0c1bc8ba2","params":{"level":"info","message":"Rule {{rule.name}} is active for group {{context.group} :\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}\n- Timestamp: {{context.date}}"},"uuid":"07aef2a0-9eed-4ef9-94ec-39ba58eb609d"}],"alert_delay":{"active":3},"api_key_created_by_user":false,"api_key_owner":"elastic","consumer":"alerts","created_at":"2022-06-08T17:20:31.632Z","created_by":"elastic","enabled":true,"execution_status":{"last_execution_date":"2022-06-08T17:20:31.632Z","status":"pending"},"id":"41893910-6bca-11eb-9e0d-85d233e3ee35","mute_all":false,"muted_alert_ids":[],"name":"my rule","notify_when":null,"params":{"aggField":"sheet.version","aggType":"avg","groupBy":"top","index":[".test-index"],"termField":"name.keyword","termSize":6,"threshold":[1000],"thresholdComparator":"\u003e","timeField":"@timestamp","timeWindowSize":5,"timeWindowUnit":"m"},"revision":0,"rule_type_id":".index-threshold","running":false,"schedule":{"interval":"1m"},"scheduled_task_id":"425b0800-6bca-11eb-9e0d-85d233e3ee35","tags":["cpu"],"throttle":null,"updated_at":"2022-06-08T17:20:31.632Z","updated_by":"elastic"}},"createTrackingContainmentRuleResponse":{"description":"The response for successfully creating a tracking containment rule.","summary":"Tracking containment rule","value":{"actions":[],"api_key_created_by_user":false,"api_key_owner":"elastic","consumer":"alerts","created_at":"2024-02-14T19:52:55.920Z","created_by":"elastic","enabled":true,"execution_status":{"last_duration":74,"last_execution_date":"2024-02-15T03:25:38.125Z","status":"ok"},"id":"b6883f9d-5f70-4758-a66e-369d7c26012f","last_run":{"alerts_count":{"active":0,"ignored":0,"new":0,"recovered":0},"outcome":"succeeded","outcome_msg":null,"outcome_order":0,"warning":null},"mute_all":false,"muted_alert_ids":[],"name":"my tracking rule","next_run":"2024-02-15T03:26:38.033Z","notify_when":null,"params":{"boundaryGeoField":"location","boundaryIndexId":"0cd90abf-abe7-44c7-909a-f621bbbcfefc","boundaryIndexTitle":"boundary*","boundaryNameField":"name","boundaryType":"entireIndex","dateField":"@timestamp","entity":"agent.keyword","geoField":"geo.coordinates","index":"kibana_sample_data_logs","indexId":"90943e30-9a47-11e8-b64d-95841ca0b247"},"revision":1,"rule_type_id":".geo-containment","running":false,"schedule":{"interval":"1h"},"scheduled_task_id":"b6883f9d-5f70-4758-a66e-369d7c26012f","tags":[],"throttle":null,"updated_at":"2024-02-15T03:24:32.574Z","updated_by":"elastic"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"actions":{"items":{"additionalProperties":false,"type":"object","properties":{"alerts_filter":{"additionalProperties":false,"description":"Defines a period that limits whether the action runs.","type":"object","properties":{"query":{"additionalProperties":false,"type":"object","properties":{"dsl":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL).","type":"string"},"filters":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.","items":{"additionalProperties":false,"type":"object","properties":{"$state":{"additionalProperties":false,"type":"object","properties":{"store":{"description":"A filter can be either specific to an application context or applied globally.","enum":["appState","globalState"],"type":"string"}},"required":["store"]},"meta":{"additionalProperties":{},"type":"object"},"query":{"additionalProperties":{},"type":"object"}},"required":["meta"]},"type":"array"},"kql":{"description":"A filter written in Kibana Query Language (KQL).","type":"string"}},"required":["kql","filters"]},"timeframe":{"additionalProperties":false,"type":"object","properties":{"days":{"description":"Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.","items":{"enum":[1,2,3,4,5,6,7],"type":"integer"},"type":"array"},"hours":{"additionalProperties":false,"type":"object","properties":{"end":{"description":"The end of the time frame in 24-hour notation (`hh:mm`).","type":"string"},"start":{"description":"The start of the time frame in 24-hour notation (`hh:mm`).","type":"string"}},"required":["start","end"]},"timezone":{"description":"The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.","type":"string"}},"required":["days","hours","timezone"]}}},"connector_type_id":{"description":"The type of connector. This property appears in responses but cannot be set in requests.","type":"string"},"frequency":{"additionalProperties":false,"type":"object","properties":{"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"type":"string"},"summary":{"description":"Indicates whether the action is a summary.","type":"boolean"},"throttle":{"description":"The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if 'notify_when' is set to 'onThrottleInterval'. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"}},"required":["summary","notify_when","throttle"]},"group":{"description":"The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.","type":"string"},"id":{"description":"The identifier for the connector saved object.","type":"string"},"params":{"additionalProperties":{},"description":"The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.","type":"object"},"use_alert_data_for_template":{"description":"Indicates whether to use alert data as a template.","type":"boolean"},"uuid":{"description":"A universally unique identifier (UUID) for the action.","type":"string"}},"required":["id","connector_type_id","params"]},"type":"array"},"active_snoozes":{"items":{"description":"List of active snoozes for the rule.","type":"string"},"type":"array"},"alert_delay":{"additionalProperties":false,"description":"Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.","type":"object","properties":{"active":{"description":"The number of consecutive runs that must meet the rule conditions.","type":"number"}},"required":["active"]},"api_key_created_by_user":{"description":"Indicates whether the API key that is associated with the rule was created by the user.","nullable":true,"type":"boolean"},"api_key_owner":{"description":"The owner of the API key that is associated with the rule and used to run background tasks.","nullable":true,"type":"string"},"artifacts":{"additionalProperties":false,"type":"object","properties":{"dashboards":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},"type":"array"},"investigation_guide":{"additionalProperties":false,"type":"object","properties":{"blob":{"description":"User-created content that describes alert causes and remdiation.","type":"string"}},"required":["blob"]}}},"consumer":{"description":"The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.","type":"string"},"created_at":{"description":"The date and time that the rule was created.","type":"string"},"created_by":{"description":"The identifier for the user that created the rule.","nullable":true,"type":"string"},"enabled":{"description":"Indicates whether you want to run the rule on an interval basis after it is created.","type":"boolean"},"execution_status":{"additionalProperties":false,"type":"object","properties":{"error":{"additionalProperties":false,"type":"object","properties":{"message":{"description":"Error message.","type":"string"},"reason":{"description":"Reason for error.","enum":["read","decrypt","execute","unknown","license","timeout","disabled","validate"],"type":"string"}},"required":["reason","message"]},"last_duration":{"description":"Duration of last execution of the rule.","type":"number"},"last_execution_date":{"description":"The date and time when rule was executed last.","type":"string"},"status":{"description":"Status of rule execution.","enum":["ok","active","error","warning","pending","unknown"],"type":"string"},"warning":{"additionalProperties":false,"type":"object","properties":{"message":{"description":"Warning message.","type":"string"},"reason":{"description":"Reason for warning.","enum":["maxExecutableActions","maxAlerts","maxQueuedActions","ruleExecution"],"type":"string"}},"required":["reason","message"]}},"required":["status","last_execution_date"]},"flapping":{"additionalProperties":false,"description":"When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.","nullable":true,"type":"object","properties":{"enabled":{"description":"Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.","type":"boolean"},"look_back_window":{"description":"The minimum number of runs in which the threshold must be met.","maximum":20,"minimum":2,"type":"number"},"status_change_threshold":{"description":"The minimum number of times an alert must switch states in the look back window.","maximum":20,"minimum":2,"type":"number"}},"required":["look_back_window","status_change_threshold"]},"id":{"description":"The identifier for the rule.","type":"string"},"is_snoozed_until":{"description":"The date when the rule will no longer be snoozed.","nullable":true,"type":"string"},"last_run":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"alerts_count":{"additionalProperties":false,"type":"object","properties":{"active":{"description":"Number of active alerts during last run.","nullable":true,"type":"number"},"ignored":{"description":"Number of ignored alerts during last run.","nullable":true,"type":"number"},"new":{"description":"Number of new alerts during last run.","nullable":true,"type":"number"},"recovered":{"description":"Number of recovered alerts during last run.","nullable":true,"type":"number"}}},"outcome":{"description":"Outcome of last run of the rule. Value could be succeeded, warning or failed.","enum":["succeeded","warning","failed"],"type":"string"},"outcome_msg":{"items":{"description":"Outcome message generated during last rule run.","type":"string"},"nullable":true,"type":"array"},"outcome_order":{"description":"Order of the outcome.","type":"number"},"warning":{"description":"Warning of last rule execution.","enum":["read","decrypt","execute","unknown","license","timeout","disabled","validate","maxExecutableActions","maxAlerts","maxQueuedActions","ruleExecution"],"nullable":true,"type":"string"}},"required":["outcome","alerts_count"]},"mapped_params":{"additionalProperties":{},"type":"object"},"monitoring":{"additionalProperties":false,"description":"Monitoring details of the rule.","type":"object","properties":{"run":{"additionalProperties":false,"description":"Rule run details.","type":"object","properties":{"calculated_metrics":{"additionalProperties":false,"description":"Calculation of different percentiles and success ratio.","type":"object","properties":{"p50":{"type":"number"},"p95":{"type":"number"},"p99":{"type":"number"},"success_ratio":{"type":"number"}},"required":["success_ratio"]},"history":{"description":"History of the rule run.","items":{"additionalProperties":false,"type":"object","properties":{"duration":{"description":"Duration of the rule run.","type":"number"},"outcome":{"description":"Outcome of last run of the rule. Value could be succeeded, warning or failed.","enum":["succeeded","warning","failed"],"type":"string"},"success":{"description":"Indicates whether the rule run was successful.","type":"boolean"},"timestamp":{"description":"Time of rule run.","type":"number"}},"required":["success","timestamp"]},"type":"array"},"last_run":{"additionalProperties":false,"type":"object","properties":{"metrics":{"additionalProperties":false,"type":"object","properties":{"duration":{"description":"Duration of most recent rule run.","type":"number"},"gap_duration_s":{"description":"Duration in seconds of rule run gap.","nullable":true,"type":"number"},"gap_range":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"gte":{"description":"End of the gap range.","type":"string"},"lte":{"description":"Start of the gap range.","type":"string"}},"required":["lte","gte"]},"total_alerts_created":{"description":"Total number of alerts created during last rule run.","nullable":true,"type":"number"},"total_alerts_detected":{"description":"Total number of alerts detected during last rule run.","nullable":true,"type":"number"},"total_indexing_duration_ms":{"description":"Total time spent indexing documents during last rule run in milliseconds.","nullable":true,"type":"number"},"total_search_duration_ms":{"description":"Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response.","nullable":true,"type":"number"}}},"timestamp":{"description":"Time of the most recent rule run.","type":"string"}},"required":["timestamp","metrics"]}},"required":["history","calculated_metrics","last_run"]}},"required":["run"]},"mute_all":{"description":"Indicates whether all alerts are muted.","type":"boolean"},"muted_alert_ids":{"items":{"description":"List of identifiers of muted alerts. ","type":"string"},"type":"array"},"name":{"description":" The name of the rule.","type":"string"},"next_run":{"description":"Date and time of the next run of the rule.","nullable":true,"type":"string"},"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"nullable":true,"type":"string"},"params":{"additionalProperties":{},"description":"The parameters for the rule.","type":"object"},"revision":{"description":"The rule revision number.","type":"number"},"rule_type_id":{"description":"The rule type identifier.","type":"string"},"running":{"description":"Indicates whether the rule is running.","nullable":true,"type":"boolean"},"schedule":{"additionalProperties":false,"type":"object","properties":{"interval":{"description":"The interval is specified in seconds, minutes, hours, or days.","type":"string"}},"required":["interval"]},"scheduled_task_id":{"description":"Identifier of the scheduled task.","type":"string"},"snooze_schedule":{"items":{"additionalProperties":false,"type":"object","properties":{"duration":{"description":"Duration of the rule snooze schedule.","type":"number"},"id":{"description":"Identifier of the rule snooze schedule.","type":"string"},"rRule":{"additionalProperties":false,"type":"object","properties":{"byhour":{"items":{"description":"Indicates hours of the day to recur.","type":"number"},"nullable":true,"type":"array"},"byminute":{"items":{"description":"Indicates minutes of the hour to recur.","type":"number"},"nullable":true,"type":"array"},"bymonth":{"items":{"description":"Indicates months of the year that this rule should recur.","type":"number"},"nullable":true,"type":"array"},"bymonthday":{"items":{"description":"Indicates the days of the month to recur.","type":"number"},"nullable":true,"type":"array"},"bysecond":{"items":{"description":"Indicates seconds of the day to recur.","type":"number"},"nullable":true,"type":"array"},"bysetpos":{"items":{"description":"A positive or negative integer affecting the nth day of the month. For example, -2 combined with `byweekday` of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use `byweekday`.","type":"number"},"nullable":true,"type":"array"},"byweekday":{"items":{"anyOf":[{"type":"string"},{"type":"number"}],"description":"Indicates the days of the week to recur or else nth-day-of-month strings. For example, \"+2TU\" second Tuesday of month, \"-1FR\" last Friday of the month, which are internally converted to a `byweekday/bysetpos` combination."},"nullable":true,"type":"array"},"byweekno":{"items":{"description":"Indicates number of the week hours to recur.","type":"number"},"nullable":true,"type":"array"},"byyearday":{"items":{"description":"Indicates the days of the year that this rule should recur.","type":"number"},"nullable":true,"type":"array"},"count":{"description":"Number of times the rule should recur until it stops.","type":"number"},"dtstart":{"description":"Rule start date in Coordinated Universal Time (UTC).","type":"string"},"freq":{"description":"Indicates frequency of the rule. Options are YEARLY, MONTHLY, WEEKLY, DAILY.","enum":[0,1,2,3,4,5,6],"type":"integer"},"interval":{"description":"Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks.","type":"number"},"tzid":{"description":"Indicates timezone abbreviation.","type":"string"},"until":{"description":"Recur the rule until this date.","type":"string"},"wkst":{"description":"Indicates the start of week, defaults to Monday.","enum":["MO","TU","WE","TH","FR","SA","SU"],"type":"string"}},"required":["dtstart","tzid"]},"skipRecurrences":{"items":{"description":"Skips recurrence of rule on this date.","type":"string"},"type":"array"}},"required":["duration","rRule"]},"type":"array"},"tags":{"items":{"description":"The tags for the rule.","type":"string"},"type":"array"},"throttle":{"deprecated":true,"description":"Deprecated in 8.13.0. Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"},"updated_at":{"description":"The date and time that the rule was updated most recently.","type":"string"},"updated_by":{"description":"The identifier for the user that updated this rule most recently.","nullable":true,"type":"string"},"view_in_app_relative_url":{"description":"Relative URL to view rule in the app.","nullable":true,"type":"string"}},"required":["id","enabled","name","tags","rule_type_id","consumer","schedule","actions","params","created_by","updated_by","created_at","updated_at","api_key_owner","mute_all","muted_alert_ids","execution_status","revision"]}}},"description":"Indicates a successful call."},"400":{"description":"Indicates an invalid schema or parameters."},"403":{"description":"Indicates that this call is forbidden."},"409":{"description":"Indicates that the rule id is already in use."}},"summary":"Create a rule","tags":["alerting"],"x-metaTags":[{"content":"Kibana","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/alerting/rule/{id}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information."},"put":{"operationId":"put-alerting-rule-id","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"The identifier for the rule.","in":"path","name":"id","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"examples":{"updateRuleRequest":{"description":"Update an index threshold rule that uses a server log connector to send notifications when the threshold is met.","summary":"Index threshold rule","value":{"actions":[{"frequency":{"notify_when":"onActionGroupChange","summary":false},"group":"threshold met","id":"96b668d0-a1b6-11ed-afdf-d39a49596974","params":{"level":"info","message":"Rule {{rule.name}} is active for group {{context.group}}:\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}\n- Timestamp: {{context.date}}"}}],"name":"new name","params":{"aggField":"sheet.version","aggType":"avg","groupBy":"top","index":[".updated-index"],"termField":"name.keyword","termSize":6,"threshold":[1000],"thresholdComparator":"\u003e","timeField":"@timestamp","timeWindowSize":5,"timeWindowUnit":"m"},"schedule":{"interval":"1m"},"tags":[]}}},"schema":{"additionalProperties":false,"type":"object","properties":{"actions":{"default":[],"items":{"additionalProperties":false,"description":"An action that runs under defined conditions.","type":"object","properties":{"alerts_filter":{"additionalProperties":false,"type":"object","properties":{"query":{"additionalProperties":false,"type":"object","properties":{"dsl":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL).","type":"string"},"filters":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.","items":{"additionalProperties":false,"type":"object","properties":{"$state":{"additionalProperties":false,"type":"object","properties":{"store":{"description":"A filter can be either specific to an application context or applied globally.","enum":["appState","globalState"],"type":"string"}},"required":["store"]},"meta":{"additionalProperties":{},"type":"object"},"query":{"additionalProperties":{},"type":"object"}},"required":["meta"]},"type":"array"},"kql":{"description":"A filter written in Kibana Query Language (KQL).","type":"string"}},"required":["kql","filters"]},"timeframe":{"additionalProperties":false,"description":"Defines a period that limits whether the action runs.","type":"object","properties":{"days":{"description":"Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.","items":{"enum":[1,2,3,4,5,6,7],"type":"integer"},"type":"array"},"hours":{"additionalProperties":false,"description":"Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day.","type":"object","properties":{"end":{"description":"The end of the time frame in 24-hour notation (`hh:mm`).","type":"string"},"start":{"description":"The start of the time frame in 24-hour notation (`hh:mm`).","type":"string"}},"required":["start","end"]},"timezone":{"description":"The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.","type":"string"}},"required":["days","hours","timezone"]}}},"frequency":{"additionalProperties":false,"type":"object","properties":{"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"type":"string"},"summary":{"description":"Indicates whether the action is a summary.","type":"boolean"},"throttle":{"description":"The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"}},"required":["summary","notify_when","throttle"]},"group":{"description":"The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.","type":"string"},"id":{"description":"The identifier for the connector saved object.","type":"string"},"params":{"additionalProperties":{},"default":{},"description":"The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.","type":"object"},"use_alert_data_for_template":{"description":"Indicates whether to use alert data as a template.","type":"boolean"},"uuid":{"description":"A universally unique identifier (UUID) for the action.","type":"string"}},"required":["id"]},"type":"array"},"alert_delay":{"additionalProperties":false,"description":"Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.","type":"object","properties":{"active":{"description":"The number of consecutive runs that must meet the rule conditions.","type":"number"}},"required":["active"]},"artifacts":{"additionalProperties":false,"type":"object","properties":{"dashboards":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},"maxItems":10,"type":"array"},"investigation_guide":{"additionalProperties":false,"type":"object","properties":{"blob":{"maxLength":10000,"type":"string"}},"required":["blob"]}}},"flapping":{"additionalProperties":false,"description":"When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.","nullable":true,"type":"object","properties":{"enabled":{"description":"Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.","type":"boolean"},"look_back_window":{"description":"The minimum number of runs in which the threshold must be met.","maximum":20,"minimum":2,"type":"number"},"status_change_threshold":{"description":"The minimum number of times an alert must switch states in the look back window.","maximum":20,"minimum":2,"type":"number"}},"required":["look_back_window","status_change_threshold"]},"name":{"description":"The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.","type":"string"},"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"nullable":true,"type":"string"},"params":{"additionalProperties":{},"default":{},"description":"The parameters for the rule.","type":"object"},"schedule":{"additionalProperties":false,"type":"object","properties":{"interval":{"description":"The interval is specified in seconds, minutes, hours, or days.","type":"string"}},"required":["interval"]},"tags":{"default":[],"items":{"description":"The tags for the rule.","type":"string"},"type":"array"},"throttle":{"description":"Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"}},"required":["name","schedule"]}}}},"responses":{"200":{"content":{"application/json":{"examples":{"updateRuleResponse":{"description":"The response for successfully updating an index threshold rule.","summary":"Index threshold rule","value":{"actions":[{"connector_type_id":".server-log","frequency":{"notify_when":"onActionGroupChange","summary":false,"throttle":null},"group":"threshold met","id":"96b668d0-a1b6-11ed-afdf-d39a49596974","params":{"level":"info","message":"Rule {{rule.name}} is active for group {{context.group}}:\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}\n- Timestamp: {{context.date}"},"uuid":"07aef2a0-9eed-4ef9-94ec-39ba58eb609d"}],"api_key_created_by_user":false,"api_key_owner":"elastic","consumer":"alerts","created_at":"2024-03-26T23:13:20.985Z","created_by":"elastic","enabled":true,"execution_status":{"last_duration":52,"last_execution_date":"2024-03-26T23:22:51.390Z","status":"ok"},"id":"ac4e6b90-6be7-11eb-ba0d-9b1c1f912d74","last_run":{"alerts_count":{"active":0,"ignored":0,"new":0,"recovered":0},"outcome":"succeeded","outcome_msg":null,"warning":null},"mute_all":false,"muted_alert_ids":[],"name":"new name","next_run":"2024-03-26T23:23:51.316Z","params":{"aggField":"sheet.version","aggType":"avg","groupBy":"top","index":[".updated-index"],"termField":"name.keyword","termSize":6,"threshold":[1000],"thresholdComparator":"\u003e","timeField":"@timestamp","timeWindowSize":5,"timeWindowUnit":"m"},"revision":1,"rule_type_id":".index-threshold","running":false,"schedule":{"interval":"1m"},"scheduled_task_id":"4c5eda00-e74f-11ec-b72f-5b18752ff9ea","tags":[],"throttle":null,"updated_at":"2024-03-26T23:22:59.949Z","updated_by":"elastic"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"actions":{"items":{"additionalProperties":false,"type":"object","properties":{"alerts_filter":{"additionalProperties":false,"description":"Defines a period that limits whether the action runs.","type":"object","properties":{"query":{"additionalProperties":false,"type":"object","properties":{"dsl":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL).","type":"string"},"filters":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.","items":{"additionalProperties":false,"type":"object","properties":{"$state":{"additionalProperties":false,"type":"object","properties":{"store":{"description":"A filter can be either specific to an application context or applied globally.","enum":["appState","globalState"],"type":"string"}},"required":["store"]},"meta":{"additionalProperties":{},"type":"object"},"query":{"additionalProperties":{},"type":"object"}},"required":["meta"]},"type":"array"},"kql":{"description":"A filter written in Kibana Query Language (KQL).","type":"string"}},"required":["kql","filters"]},"timeframe":{"additionalProperties":false,"type":"object","properties":{"days":{"description":"Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.","items":{"enum":[1,2,3,4,5,6,7],"type":"integer"},"type":"array"},"hours":{"additionalProperties":false,"type":"object","properties":{"end":{"description":"The end of the time frame in 24-hour notation (`hh:mm`).","type":"string"},"start":{"description":"The start of the time frame in 24-hour notation (`hh:mm`).","type":"string"}},"required":["start","end"]},"timezone":{"description":"The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.","type":"string"}},"required":["days","hours","timezone"]}}},"connector_type_id":{"description":"The type of connector. This property appears in responses but cannot be set in requests.","type":"string"},"frequency":{"additionalProperties":false,"type":"object","properties":{"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"type":"string"},"summary":{"description":"Indicates whether the action is a summary.","type":"boolean"},"throttle":{"description":"The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if 'notify_when' is set to 'onThrottleInterval'. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"}},"required":["summary","notify_when","throttle"]},"group":{"description":"The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.","type":"string"},"id":{"description":"The identifier for the connector saved object.","type":"string"},"params":{"additionalProperties":{},"description":"The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.","type":"object"},"use_alert_data_for_template":{"description":"Indicates whether to use alert data as a template.","type":"boolean"},"uuid":{"description":"A universally unique identifier (UUID) for the action.","type":"string"}},"required":["id","connector_type_id","params"]},"type":"array"},"active_snoozes":{"items":{"description":"List of active snoozes for the rule.","type":"string"},"type":"array"},"alert_delay":{"additionalProperties":false,"description":"Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.","type":"object","properties":{"active":{"description":"The number of consecutive runs that must meet the rule conditions.","type":"number"}},"required":["active"]},"api_key_created_by_user":{"description":"Indicates whether the API key that is associated with the rule was created by the user.","nullable":true,"type":"boolean"},"api_key_owner":{"description":"The owner of the API key that is associated with the rule and used to run background tasks.","nullable":true,"type":"string"},"artifacts":{"additionalProperties":false,"type":"object","properties":{"dashboards":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},"type":"array"},"investigation_guide":{"additionalProperties":false,"type":"object","properties":{"blob":{"description":"User-created content that describes alert causes and remdiation.","type":"string"}},"required":["blob"]}}},"consumer":{"description":"The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.","type":"string"},"created_at":{"description":"The date and time that the rule was created.","type":"string"},"created_by":{"description":"The identifier for the user that created the rule.","nullable":true,"type":"string"},"enabled":{"description":"Indicates whether you want to run the rule on an interval basis after it is created.","type":"boolean"},"execution_status":{"additionalProperties":false,"type":"object","properties":{"error":{"additionalProperties":false,"type":"object","properties":{"message":{"description":"Error message.","type":"string"},"reason":{"description":"Reason for error.","enum":["read","decrypt","execute","unknown","license","timeout","disabled","validate"],"type":"string"}},"required":["reason","message"]},"last_duration":{"description":"Duration of last execution of the rule.","type":"number"},"last_execution_date":{"description":"The date and time when rule was executed last.","type":"string"},"status":{"description":"Status of rule execution.","enum":["ok","active","error","warning","pending","unknown"],"type":"string"},"warning":{"additionalProperties":false,"type":"object","properties":{"message":{"description":"Warning message.","type":"string"},"reason":{"description":"Reason for warning.","enum":["maxExecutableActions","maxAlerts","maxQueuedActions","ruleExecution"],"type":"string"}},"required":["reason","message"]}},"required":["status","last_execution_date"]},"flapping":{"additionalProperties":false,"description":"When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.","nullable":true,"type":"object","properties":{"enabled":{"description":"Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.","type":"boolean"},"look_back_window":{"description":"The minimum number of runs in which the threshold must be met.","maximum":20,"minimum":2,"type":"number"},"status_change_threshold":{"description":"The minimum number of times an alert must switch states in the look back window.","maximum":20,"minimum":2,"type":"number"}},"required":["look_back_window","status_change_threshold"]},"id":{"description":"The identifier for the rule.","type":"string"},"is_snoozed_until":{"description":"The date when the rule will no longer be snoozed.","nullable":true,"type":"string"},"last_run":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"alerts_count":{"additionalProperties":false,"type":"object","properties":{"active":{"description":"Number of active alerts during last run.","nullable":true,"type":"number"},"ignored":{"description":"Number of ignored alerts during last run.","nullable":true,"type":"number"},"new":{"description":"Number of new alerts during last run.","nullable":true,"type":"number"},"recovered":{"description":"Number of recovered alerts during last run.","nullable":true,"type":"number"}}},"outcome":{"description":"Outcome of last run of the rule. Value could be succeeded, warning or failed.","enum":["succeeded","warning","failed"],"type":"string"},"outcome_msg":{"items":{"description":"Outcome message generated during last rule run.","type":"string"},"nullable":true,"type":"array"},"outcome_order":{"description":"Order of the outcome.","type":"number"},"warning":{"description":"Warning of last rule execution.","enum":["read","decrypt","execute","unknown","license","timeout","disabled","validate","maxExecutableActions","maxAlerts","maxQueuedActions","ruleExecution"],"nullable":true,"type":"string"}},"required":["outcome","alerts_count"]},"mapped_params":{"additionalProperties":{},"type":"object"},"monitoring":{"additionalProperties":false,"description":"Monitoring details of the rule.","type":"object","properties":{"run":{"additionalProperties":false,"description":"Rule run details.","type":"object","properties":{"calculated_metrics":{"additionalProperties":false,"description":"Calculation of different percentiles and success ratio.","type":"object","properties":{"p50":{"type":"number"},"p95":{"type":"number"},"p99":{"type":"number"},"success_ratio":{"type":"number"}},"required":["success_ratio"]},"history":{"description":"History of the rule run.","items":{"additionalProperties":false,"type":"object","properties":{"duration":{"description":"Duration of the rule run.","type":"number"},"outcome":{"description":"Outcome of last run of the rule. Value could be succeeded, warning or failed.","enum":["succeeded","warning","failed"],"type":"string"},"success":{"description":"Indicates whether the rule run was successful.","type":"boolean"},"timestamp":{"description":"Time of rule run.","type":"number"}},"required":["success","timestamp"]},"type":"array"},"last_run":{"additionalProperties":false,"type":"object","properties":{"metrics":{"additionalProperties":false,"type":"object","properties":{"duration":{"description":"Duration of most recent rule run.","type":"number"},"gap_duration_s":{"description":"Duration in seconds of rule run gap.","nullable":true,"type":"number"},"gap_range":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"gte":{"description":"End of the gap range.","type":"string"},"lte":{"description":"Start of the gap range.","type":"string"}},"required":["lte","gte"]},"total_alerts_created":{"description":"Total number of alerts created during last rule run.","nullable":true,"type":"number"},"total_alerts_detected":{"description":"Total number of alerts detected during last rule run.","nullable":true,"type":"number"},"total_indexing_duration_ms":{"description":"Total time spent indexing documents during last rule run in milliseconds.","nullable":true,"type":"number"},"total_search_duration_ms":{"description":"Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response.","nullable":true,"type":"number"}}},"timestamp":{"description":"Time of the most recent rule run.","type":"string"}},"required":["timestamp","metrics"]}},"required":["history","calculated_metrics","last_run"]}},"required":["run"]},"mute_all":{"description":"Indicates whether all alerts are muted.","type":"boolean"},"muted_alert_ids":{"items":{"description":"List of identifiers of muted alerts. ","type":"string"},"type":"array"},"name":{"description":" The name of the rule.","type":"string"},"next_run":{"description":"Date and time of the next run of the rule.","nullable":true,"type":"string"},"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"nullable":true,"type":"string"},"params":{"additionalProperties":{},"description":"The parameters for the rule.","type":"object"},"revision":{"description":"The rule revision number.","type":"number"},"rule_type_id":{"description":"The rule type identifier.","type":"string"},"running":{"description":"Indicates whether the rule is running.","nullable":true,"type":"boolean"},"schedule":{"additionalProperties":false,"type":"object","properties":{"interval":{"description":"The interval is specified in seconds, minutes, hours, or days.","type":"string"}},"required":["interval"]},"scheduled_task_id":{"description":"Identifier of the scheduled task.","type":"string"},"snooze_schedule":{"items":{"additionalProperties":false,"type":"object","properties":{"duration":{"description":"Duration of the rule snooze schedule.","type":"number"},"id":{"description":"Identifier of the rule snooze schedule.","type":"string"},"rRule":{"additionalProperties":false,"type":"object","properties":{"byhour":{"items":{"description":"Indicates hours of the day to recur.","type":"number"},"nullable":true,"type":"array"},"byminute":{"items":{"description":"Indicates minutes of the hour to recur.","type":"number"},"nullable":true,"type":"array"},"bymonth":{"items":{"description":"Indicates months of the year that this rule should recur.","type":"number"},"nullable":true,"type":"array"},"bymonthday":{"items":{"description":"Indicates the days of the month to recur.","type":"number"},"nullable":true,"type":"array"},"bysecond":{"items":{"description":"Indicates seconds of the day to recur.","type":"number"},"nullable":true,"type":"array"},"bysetpos":{"items":{"description":"A positive or negative integer affecting the nth day of the month. For example, -2 combined with `byweekday` of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use `byweekday`.","type":"number"},"nullable":true,"type":"array"},"byweekday":{"items":{"anyOf":[{"type":"string"},{"type":"number"}],"description":"Indicates the days of the week to recur or else nth-day-of-month strings. For example, \"+2TU\" second Tuesday of month, \"-1FR\" last Friday of the month, which are internally converted to a `byweekday/bysetpos` combination."},"nullable":true,"type":"array"},"byweekno":{"items":{"description":"Indicates number of the week hours to recur.","type":"number"},"nullable":true,"type":"array"},"byyearday":{"items":{"description":"Indicates the days of the year that this rule should recur.","type":"number"},"nullable":true,"type":"array"},"count":{"description":"Number of times the rule should recur until it stops.","type":"number"},"dtstart":{"description":"Rule start date in Coordinated Universal Time (UTC).","type":"string"},"freq":{"description":"Indicates frequency of the rule. Options are YEARLY, MONTHLY, WEEKLY, DAILY.","enum":[0,1,2,3,4,5,6],"type":"integer"},"interval":{"description":"Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks.","type":"number"},"tzid":{"description":"Indicates timezone abbreviation.","type":"string"},"until":{"description":"Recur the rule until this date.","type":"string"},"wkst":{"description":"Indicates the start of week, defaults to Monday.","enum":["MO","TU","WE","TH","FR","SA","SU"],"type":"string"}},"required":["dtstart","tzid"]},"skipRecurrences":{"items":{"description":"Skips recurrence of rule on this date.","type":"string"},"type":"array"}},"required":["duration","rRule"]},"type":"array"},"tags":{"items":{"description":"The tags for the rule.","type":"string"},"type":"array"},"throttle":{"deprecated":true,"description":"Deprecated in 8.13.0. Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"},"updated_at":{"description":"The date and time that the rule was updated most recently.","type":"string"},"updated_by":{"description":"The identifier for the user that updated this rule most recently.","nullable":true,"type":"string"},"view_in_app_relative_url":{"description":"Relative URL to view rule in the app.","nullable":true,"type":"string"}},"required":["id","enabled","name","tags","rule_type_id","consumer","schedule","actions","params","created_by","updated_by","created_at","updated_at","api_key_owner","mute_all","muted_alert_ids","execution_status","revision"]}}},"description":"Indicates a successful call."},"400":{"description":"Indicates an invalid schema or parameters."},"403":{"description":"Indicates that this call is forbidden."},"404":{"description":"Indicates a rule with the given ID does not exist."},"409":{"description":"Indicates that the rule has already been updated by another user."}},"summary":"Update a rule","tags":["alerting"],"x-metaTags":[{"content":"Kibana","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb put\"\u003eput\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/alerting/rule/{id}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information."}},"/api/alerting/rule/{id}/_disable":{"post":{"operationId":"post-alerting-rule-id-disable","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"The identifier for the rule.","in":"path","name":"id","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"untrack":{"description":"Defines whether this rule's alerts should be untracked.","type":"boolean"}},"x-oas-optional":true}}}},"responses":{"204":{"description":"Indicates a successful call."},"400":{"description":"Indicates an invalid schema."},"403":{"description":"Indicates that this call is forbidden."},"404":{"description":"Indicates a rule with the given ID does not exist."}},"summary":"Disable a rule","tags":["alerting"],"x-metaTags":[{"content":"Kibana","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/alerting/rule/{id}/_disable\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information."}},"/api/alerting/rule/{id}/_enable":{"post":{"operationId":"post-alerting-rule-id-enable","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"The identifier for the rule.","in":"path","name":"id","required":true,"schema":{"type":"string"}}],"responses":{"204":{"description":"Indicates a successful call."},"400":{"description":"Indicates an invalid schema or parameters."},"403":{"description":"Indicates that this call is forbidden."},"404":{"description":"Indicates a rule with the given ID does not exist."}},"summary":"Enable a rule","tags":["alerting"],"x-metaTags":[{"content":"Kibana","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/alerting/rule/{id}/_enable\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information."}},"/api/alerting/rule/{id}/_mute_all":{"post":{"operationId":"post-alerting-rule-id-mute-all","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"The identifier for the rule.","in":"path","name":"id","required":true,"schema":{"type":"string"}}],"responses":{"204":{"description":"Indicates a successful call."},"400":{"description":"Indicates an invalid schema or parameters."},"403":{"description":"Indicates that this call is forbidden."},"404":{"description":"Indicates a rule with the given ID does not exist."}},"summary":"Mute all alerts","tags":["alerting"],"x-metaTags":[{"content":"Kibana","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/alerting/rule/{id}/_mute_all\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information."}},"/api/alerting/rule/{id}/_unmute_all":{"post":{"operationId":"post-alerting-rule-id-unmute-all","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"The identifier for the rule.","in":"path","name":"id","required":true,"schema":{"type":"string"}}],"responses":{"204":{"description":"Indicates a successful call."},"400":{"description":"Indicates an invalid schema or parameters."},"403":{"description":"Indicates that this call is forbidden."},"404":{"description":"Indicates a rule with the given ID does not exist."}},"summary":"Unmute all alerts","tags":["alerting"],"x-metaTags":[{"content":"Kibana","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/alerting/rule/{id}/_unmute_all\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information."}},"/api/alerting/rule/{id}/_update_api_key":{"post":{"operationId":"post-alerting-rule-id-update-api-key","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"The identifier for the rule.","in":"path","name":"id","required":true,"schema":{"type":"string"}}],"responses":{"204":{"description":"Indicates a successful call."},"400":{"description":"Indicates an invalid schema or parameters."},"403":{"description":"Indicates that this call is forbidden."},"404":{"description":"Indicates a rule with the given ID does not exist."},"409":{"description":"Indicates that the rule has already been updated by another user."}},"summary":"Update the API key for a rule","tags":["alerting"],"x-metaTags":[{"content":"Kibana","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/alerting/rule/{id}/_update_api_key\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information."}},"/api/alerting/rule/{id}/snooze_schedule":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/alerting/rule/{id}/snooze_schedule\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nWhen you snooze a rule, the rule checks continue to run but alerts will not generate actions. You can snooze for a specified period of time and schedule single or recurring downtimes.","operationId":"post-alerting-rule-id-snooze-schedule","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"Identifier of the rule.","in":"path","name":"id","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"schedule":{"additionalProperties":false,"type":"object","properties":{"custom":{"additionalProperties":false,"type":"object","properties":{"duration":{"description":"The duration of the schedule. It allows values in `\u003cinteger\u003e\u003cunit\u003e` format. `\u003cunit\u003e` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.","type":"string"},"recurring":{"additionalProperties":false,"type":"object","properties":{"end":{"description":"The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.","type":"string"},"every":{"description":"The interval and frequency of a recurring schedule. It allows values in `\u003cinteger\u003e\u003cunit\u003e` format. `\u003cunit\u003e` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.","type":"string"},"occurrences":{"description":"The total number of recurrences of the schedule.","minimum":1,"type":"number"},"onMonth":{"description":"The specific months for a recurring schedule. Valid values are 1-12.","items":{"maximum":12,"minimum":1,"type":"number"},"minItems":1,"type":"array"},"onMonthDay":{"description":"The specific days of the month for a recurring schedule. Valid values are 1-31.","items":{"maximum":31,"minimum":1,"type":"number"},"minItems":1,"type":"array"},"onWeekDay":{"description":"The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule.","items":{"type":"string"},"minItems":1,"type":"array"}}},"start":{"description":"The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.","type":"string"},"timezone":{"description":"The timezone of the schedule. The default timezone is UTC.","type":"string"}},"required":["start","duration"]}}}},"required":["schedule"]}}}},"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"body":{"additionalProperties":false,"type":"object","properties":{"schedule":{"additionalProperties":false,"type":"object","properties":{"custom":{"additionalProperties":false,"type":"object","properties":{"duration":{"description":"The duration of the schedule. It allows values in `\u003cinteger\u003e\u003cunit\u003e` format. `\u003cunit\u003e` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.","type":"string"},"recurring":{"additionalProperties":false,"type":"object","properties":{"end":{"description":"The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.","type":"string"},"every":{"description":"The interval and frequency of a recurring schedule. It allows values in `\u003cinteger\u003e\u003cunit\u003e` format. `\u003cunit\u003e` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.","type":"string"},"occurrences":{"description":"The total number of recurrences of the schedule.","minimum":1,"type":"number"},"onMonth":{"description":"The specific months for a recurring schedule. Valid values are 1-12.","items":{"maximum":12,"minimum":1,"type":"number"},"minItems":1,"type":"array"},"onMonthDay":{"description":"The specific days of the month for a recurring schedule. Valid values are 1-31.","items":{"maximum":31,"minimum":1,"type":"number"},"minItems":1,"type":"array"},"onWeekDay":{"description":"The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule.","items":{"type":"string"},"minItems":1,"type":"array"}}},"start":{"description":"The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.","type":"string"},"timezone":{"description":"The timezone of the schedule. The default timezone is UTC.","type":"string"}},"required":["start","duration"]},"id":{"description":"Identifier of the snooze schedule.","type":"string"}},"required":["id"]}},"required":["schedule"]}},"required":["body"]}}},"description":"Indicates a successful call."},"400":{"description":"Indicates an invalid schema."},"403":{"description":"Indicates that this call is forbidden."},"404":{"description":"Indicates a rule with the given id does not exist."}},"summary":"Schedule a snooze for the rule","tags":["alerting"],"x-state":"Generally available; added in 8.19.0","x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/alerting/rule/{rule_id}/alert/{alert_id}/_mute":{"post":{"operationId":"post-alerting-rule-rule-id-alert-alert-id-mute","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"The identifier for the rule.","in":"path","name":"rule_id","required":true,"schema":{"type":"string"}},{"description":"The identifier for the alert.","in":"path","name":"alert_id","required":true,"schema":{"type":"string"}},{"description":"Whether to validate the existence of the alert.","in":"query","name":"validate_alerts_existence","required":false,"schema":{"type":"boolean"}}],"responses":{"204":{"description":"Indicates a successful call."},"400":{"description":"Indicates an invalid schema or parameters."},"403":{"description":"Indicates that this call is forbidden."},"404":{"description":"Indicates a rule or alert with the given ID does not exist."}},"summary":"Mute an alert","tags":["alerting"],"x-metaTags":[{"content":"Kibana","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/alerting/rule/{rule_id}/alert/{alert_id}/_mute\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information."}},"/api/alerting/rule/{rule_id}/alert/{alert_id}/_unmute":{"post":{"operationId":"post-alerting-rule-rule-id-alert-alert-id-unmute","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"The identifier for the rule.","in":"path","name":"rule_id","required":true,"schema":{"type":"string"}},{"description":"The identifier for the alert.","in":"path","name":"alert_id","required":true,"schema":{"type":"string"}}],"responses":{"204":{"description":"Indicates a successful call."},"400":{"description":"Indicates an invalid schema or parameters."},"403":{"description":"Indicates that this call is forbidden."},"404":{"description":"Indicates a rule or alert with the given ID does not exist."}},"summary":"Unmute an alert","tags":["alerting"],"x-metaTags":[{"content":"Kibana","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/alerting/rule/{rule_id}/alert/{alert_id}/_unmute\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information."}},"/api/alerting/rule/{ruleId}/snooze_schedule/{scheduleId}":{"delete":{"operationId":"delete-alerting-rule-ruleid-snooze-schedule-scheduleid","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"The identifier for the rule.","in":"path","name":"ruleId","required":true,"schema":{"type":"string"}},{"description":"The identifier for the snooze schedule.","in":"path","name":"scheduleId","required":true,"schema":{"type":"string"}}],"responses":{"204":{"description":"Indicates a successful call."},"400":{"description":"Indicates an invalid schema."},"403":{"description":"Indicates that this call is forbidden."},"404":{"description":"Indicates a rule with the given id does not exist."}},"summary":"Delete a snooze schedule for a rule","tags":["alerting"],"x-state":"Generally available; added in 8.19.0","x-metaTags":[{"content":"Kibana","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb delete\"\u003edelete\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/alerting/rule/{ruleId}/snooze_schedule/{scheduleId}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information."}},"/api/alerting/rules/_find":{"get":{"operationId":"get-alerting-rules-find","parameters":[{"description":"The number of rules to return per page.","in":"query","name":"per_page","required":false,"schema":{"default":10,"minimum":0,"type":"number"}},{"description":"The page number to return.","in":"query","name":"page","required":false,"schema":{"default":1,"minimum":1,"type":"number"}},{"description":"An Elasticsearch simple_query_string query that filters the objects in the response.","in":"query","name":"search","required":false,"schema":{"type":"string"}},{"description":"The default operator to use for the simple_query_string.","in":"query","name":"default_search_operator","required":false,"schema":{"default":"OR","enum":["OR","AND"],"type":"string"}},{"description":"The fields to perform the simple_query_string parsed query against.","in":"query","name":"search_fields","required":false,"schema":{"anyOf":[{"items":{"type":"string"},"type":"array"},{"type":"string"}]}},{"description":"Determines which field is used to sort the results. The field must exist in the `attributes` key of the response.","in":"query","name":"sort_field","required":false,"schema":{"type":"string"}},{"description":"Determines the sort order.","in":"query","name":"sort_order","required":false,"schema":{"enum":["asc","desc"],"type":"string"}},{"description":"Filters the rules that have a relation with the reference objects with a specific type and identifier.","in":"query","name":"has_reference","required":false,"schema":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"id":{"type":"string"},"type":{"type":"string"}},"required":["type","id"]}},{"description":"The fields to return in the `attributes` key of the response.","in":"query","name":"fields","required":false,"schema":{"anyOf":[{"items":{"type":"string"},"type":"array"},{"type":"string"}]}},{"description":"A KQL string that you filter with an attribute from your saved object. It should look like `savedObjectType.attributes.title: \"myTitle\"`. However, if you used a direct attribute of a saved object, such as `updatedAt`, you must define your filter, for example, `savedObjectType.updatedAt \u003e 2018-12-22`.","in":"query","name":"filter","required":false,"schema":{"type":"string"}},{"in":"query","name":"filter_consumers","required":false,"schema":{"items":{"description":"List of consumers to filter.","type":"string"},"type":"array"}}],"responses":{"200":{"content":{"application/json":{"examples":{"findConditionalActionRulesResponse":{"description":"A response that contains information about an index threshold rule.","summary":"Index threshold rule","value":{"data":[{"actions":[{"frequency":{"notify_when":"onActionGroupChange","summary":false,"throttle":null},"group":"threshold met","id":"9dca3e00-74f5-11ed-9801-35303b735aef","params":{"connector_type_id":".server-log","level":"info","message":"Rule {{rule.name}} is active for group {{context.group}}:\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}\n- Timestamp: {{context.date}}"},"uuid":"1c7a1280-f28c-4e06-96b2-e4e5f05d1d61"}],"api_key_created_by_user":false,"api_key_owner":"elastic","consumer":"alerts","created_at":"2022-12-05T23:40:33.132Z","created_by":"elastic","enabled":true,"execution_status":{"last_duration":48,"last_execution_date":"2022-12-06T01:44:23.983Z","status":"ok"},"id":"3583a470-74f6-11ed-9801-35303b735aef","last_run":{"alerts_count":{"active":0,"ignored":0,"new":0,"recovered":0},"outcome":"succeeded","outcome_msg":null,"warning":null},"mute_all":false,"muted_alert_ids":[],"name":"my alert","next_run":"2022-12-06T01:45:23.912Z","params":{"aggField":"sheet.version","aggType":"avg","groupBy":"top","index":["test-index"],"termField":"name.keyword","termSize":6,"threshold":[1000],"thresholdComparator":"\u003e","timeField":"@timestamp","timeWindowSize":5,"timeWindowUnit":"m"},"revision":1,"rule_type_id":".index-threshold","schedule":{"interval":"1m"},"scheduled_task_id":"3583a470-74f6-11ed-9801-35303b735aef","tags":["cpu"],"throttle":null,"updated_at":"2022-12-05T23:40:33.132Z","updated_by":"elastic"}],"page":1,"per_page":10,"total":1}},"findRulesResponse":{"description":"A response that contains information about a security rule that has conditional actions.","summary":"Security rule","value":{"data":[{"actions":[{"alerts_filter":{"query":{"filters":[{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"field":"client.geo.region_iso_code","index":"c4bdca79-e69e-4d80-82a1-e5192c621bea","key":"client.geo.region_iso_code","negate":false,"params":{"query":"CA-QC","type":"phrase"}},"query":{"match_phrase":{"client.geo.region_iso_code":"CA-QC"}}}],"kql":""},"timeframe":{"days":[7],"hours":{"end":"17:00","start":"08:00"},"timezone":"UTC"}},"connector_type_id":".index","frequency":{"notify_when":"onActiveAlert","summary":true,"throttle":null},"group":"default","id":"49eae970-f401-11ed-9f8e-399c75a2deeb","params":{"documents":[{"alert_id":{"[object Object]":null},"context_message":{"[object Object]":null},"rule_id":{"[object Object]":null},"rule_name":{"[object Object]":null}}]},"uuid":"1c7a1280-f28c-4e06-96b2-e4e5f05d1d61"}],"api_key_created_by_user":false,"api_key_owner":"elastic","consumer":"siem","created_at":"2023-05-16T15:50:28.358Z","created_by":"elastic","enabled":true,"execution_status":{"last_duration":166,"last_execution_date":"2023-05-16T20:26:49.590Z","status":"ok"},"id":"6107a8f0-f401-11ed-9f8e-399c75a2deeb","last_run":{"alerts_count":{"active":0,"ignored":0,"new":0,"recovered":0},"outcome":"succeeded","outcome_msg":["Rule execution completed successfully"],"outcome_order":0,"warning":null},"mute_all":false,"muted_alert_ids":[],"name":"security_rule","next_run":"2023-05-16T20:27:49.507Z","notify_when":null,"params":{"author":[],"description":"A security threshold rule.","exceptionsList":[],"falsePositives":[],"filters":[],"from":"now-3660s","immutable":false,"index":["kibana_sample_data_logs"],"language":"kuery","license":"","maxSignals":100,"meta":{"from":"1h","kibana_siem_app_url":"https://localhost:5601/app/security"},"outputIndex":"","query":"*","references":[],"riskScore":21,"riskScoreMapping":[],"ruleId":"an_internal_rule_id","severity":"low","severityMapping":[],"threat":[],"threshold":{"cardinality":[],"field":["bytes"],"value":1},"to":"now","type":"threshold","version":1},"revision":1,"rule_type_id":"siem.thresholdRule","running":false,"schedule":{"interval":"1m"},"scheduled_task_id":"6107a8f0-f401-11ed-9f8e-399c75a2deeb","tags":[],"throttle":null,"updated_at":"2023-05-16T20:25:42.559Z","updated_by":"elastic"}],"page":1,"per_page":10,"total":1}}},"schema":{"additionalProperties":false,"type":"object","properties":{"actions":{"items":{"additionalProperties":false,"type":"object","properties":{"alerts_filter":{"additionalProperties":false,"description":"Defines a period that limits whether the action runs.","type":"object","properties":{"query":{"additionalProperties":false,"type":"object","properties":{"dsl":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL).","type":"string"},"filters":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.","items":{"additionalProperties":false,"type":"object","properties":{"$state":{"additionalProperties":false,"type":"object","properties":{"store":{"description":"A filter can be either specific to an application context or applied globally.","enum":["appState","globalState"],"type":"string"}},"required":["store"]},"meta":{"additionalProperties":{},"type":"object"},"query":{"additionalProperties":{},"type":"object"}},"required":["meta"]},"type":"array"},"kql":{"description":"A filter written in Kibana Query Language (KQL).","type":"string"}},"required":["kql","filters"]},"timeframe":{"additionalProperties":false,"type":"object","properties":{"days":{"description":"Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.","items":{"enum":[1,2,3,4,5,6,7],"type":"integer"},"type":"array"},"hours":{"additionalProperties":false,"type":"object","properties":{"end":{"description":"The end of the time frame in 24-hour notation (`hh:mm`).","type":"string"},"start":{"description":"The start of the time frame in 24-hour notation (`hh:mm`).","type":"string"}},"required":["start","end"]},"timezone":{"description":"The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.","type":"string"}},"required":["days","hours","timezone"]}}},"connector_type_id":{"description":"The type of connector. This property appears in responses but cannot be set in requests.","type":"string"},"frequency":{"additionalProperties":false,"type":"object","properties":{"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"type":"string"},"summary":{"description":"Indicates whether the action is a summary.","type":"boolean"},"throttle":{"description":"The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if 'notify_when' is set to 'onThrottleInterval'. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"}},"required":["summary","notify_when","throttle"]},"group":{"description":"The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.","type":"string"},"id":{"description":"The identifier for the connector saved object.","type":"string"},"params":{"additionalProperties":{},"description":"The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.","type":"object"},"use_alert_data_for_template":{"description":"Indicates whether to use alert data as a template.","type":"boolean"},"uuid":{"description":"A universally unique identifier (UUID) for the action.","type":"string"}},"required":["id","connector_type_id","params"]},"type":"array"},"active_snoozes":{"items":{"description":"List of active snoozes for the rule.","type":"string"},"type":"array"},"alert_delay":{"additionalProperties":false,"description":"Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.","type":"object","properties":{"active":{"description":"The number of consecutive runs that must meet the rule conditions.","type":"number"}},"required":["active"]},"api_key_created_by_user":{"description":"Indicates whether the API key that is associated with the rule was created by the user.","nullable":true,"type":"boolean"},"api_key_owner":{"description":"The owner of the API key that is associated with the rule and used to run background tasks.","nullable":true,"type":"string"},"artifacts":{"additionalProperties":false,"type":"object","properties":{"dashboards":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},"type":"array"},"investigation_guide":{"additionalProperties":false,"type":"object","properties":{"blob":{"description":"User-created content that describes alert causes and remdiation.","type":"string"}},"required":["blob"]}}},"consumer":{"description":"The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.","type":"string"},"created_at":{"description":"The date and time that the rule was created.","type":"string"},"created_by":{"description":"The identifier for the user that created the rule.","nullable":true,"type":"string"},"enabled":{"description":"Indicates whether you want to run the rule on an interval basis after it is created.","type":"boolean"},"execution_status":{"additionalProperties":false,"type":"object","properties":{"error":{"additionalProperties":false,"type":"object","properties":{"message":{"description":"Error message.","type":"string"},"reason":{"description":"Reason for error.","enum":["read","decrypt","execute","unknown","license","timeout","disabled","validate"],"type":"string"}},"required":["reason","message"]},"last_duration":{"description":"Duration of last execution of the rule.","type":"number"},"last_execution_date":{"description":"The date and time when rule was executed last.","type":"string"},"status":{"description":"Status of rule execution.","enum":["ok","active","error","warning","pending","unknown"],"type":"string"},"warning":{"additionalProperties":false,"type":"object","properties":{"message":{"description":"Warning message.","type":"string"},"reason":{"description":"Reason for warning.","enum":["maxExecutableActions","maxAlerts","maxQueuedActions","ruleExecution"],"type":"string"}},"required":["reason","message"]}},"required":["status","last_execution_date"]},"flapping":{"additionalProperties":false,"description":"When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.","nullable":true,"type":"object","properties":{"enabled":{"description":"Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.","type":"boolean"},"look_back_window":{"description":"The minimum number of runs in which the threshold must be met.","maximum":20,"minimum":2,"type":"number"},"status_change_threshold":{"description":"The minimum number of times an alert must switch states in the look back window.","maximum":20,"minimum":2,"type":"number"}},"required":["look_back_window","status_change_threshold"]},"id":{"description":"The identifier for the rule.","type":"string"},"is_snoozed_until":{"description":"The date when the rule will no longer be snoozed.","nullable":true,"type":"string"},"last_run":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"alerts_count":{"additionalProperties":false,"type":"object","properties":{"active":{"description":"Number of active alerts during last run.","nullable":true,"type":"number"},"ignored":{"description":"Number of ignored alerts during last run.","nullable":true,"type":"number"},"new":{"description":"Number of new alerts during last run.","nullable":true,"type":"number"},"recovered":{"description":"Number of recovered alerts during last run.","nullable":true,"type":"number"}}},"outcome":{"description":"Outcome of last run of the rule. Value could be succeeded, warning or failed.","enum":["succeeded","warning","failed"],"type":"string"},"outcome_msg":{"items":{"description":"Outcome message generated during last rule run.","type":"string"},"nullable":true,"type":"array"},"outcome_order":{"description":"Order of the outcome.","type":"number"},"warning":{"description":"Warning of last rule execution.","enum":["read","decrypt","execute","unknown","license","timeout","disabled","validate","maxExecutableActions","maxAlerts","maxQueuedActions","ruleExecution"],"nullable":true,"type":"string"}},"required":["outcome","alerts_count"]},"mapped_params":{"additionalProperties":{},"type":"object"},"monitoring":{"additionalProperties":false,"description":"Monitoring details of the rule.","type":"object","properties":{"run":{"additionalProperties":false,"description":"Rule run details.","type":"object","properties":{"calculated_metrics":{"additionalProperties":false,"description":"Calculation of different percentiles and success ratio.","type":"object","properties":{"p50":{"type":"number"},"p95":{"type":"number"},"p99":{"type":"number"},"success_ratio":{"type":"number"}},"required":["success_ratio"]},"history":{"description":"History of the rule run.","items":{"additionalProperties":false,"type":"object","properties":{"duration":{"description":"Duration of the rule run.","type":"number"},"outcome":{"description":"Outcome of last run of the rule. Value could be succeeded, warning or failed.","enum":["succeeded","warning","failed"],"type":"string"},"success":{"description":"Indicates whether the rule run was successful.","type":"boolean"},"timestamp":{"description":"Time of rule run.","type":"number"}},"required":["success","timestamp"]},"type":"array"},"last_run":{"additionalProperties":false,"type":"object","properties":{"metrics":{"additionalProperties":false,"type":"object","properties":{"duration":{"description":"Duration of most recent rule run.","type":"number"},"gap_duration_s":{"description":"Duration in seconds of rule run gap.","nullable":true,"type":"number"},"gap_range":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"gte":{"description":"End of the gap range.","type":"string"},"lte":{"description":"Start of the gap range.","type":"string"}},"required":["lte","gte"]},"total_alerts_created":{"description":"Total number of alerts created during last rule run.","nullable":true,"type":"number"},"total_alerts_detected":{"description":"Total number of alerts detected during last rule run.","nullable":true,"type":"number"},"total_indexing_duration_ms":{"description":"Total time spent indexing documents during last rule run in milliseconds.","nullable":true,"type":"number"},"total_search_duration_ms":{"description":"Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response.","nullable":true,"type":"number"}}},"timestamp":{"description":"Time of the most recent rule run.","type":"string"}},"required":["timestamp","metrics"]}},"required":["history","calculated_metrics","last_run"]}},"required":["run"]},"mute_all":{"description":"Indicates whether all alerts are muted.","type":"boolean"},"muted_alert_ids":{"items":{"description":"List of identifiers of muted alerts. ","type":"string"},"type":"array"},"name":{"description":" The name of the rule.","type":"string"},"next_run":{"description":"Date and time of the next run of the rule.","nullable":true,"type":"string"},"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"nullable":true,"type":"string"},"params":{"additionalProperties":{},"description":"The parameters for the rule.","type":"object"},"revision":{"description":"The rule revision number.","type":"number"},"rule_type_id":{"description":"The rule type identifier.","type":"string"},"running":{"description":"Indicates whether the rule is running.","nullable":true,"type":"boolean"},"schedule":{"additionalProperties":false,"type":"object","properties":{"interval":{"description":"The interval is specified in seconds, minutes, hours, or days.","type":"string"}},"required":["interval"]},"scheduled_task_id":{"description":"Identifier of the scheduled task.","type":"string"},"snooze_schedule":{"items":{"additionalProperties":false,"type":"object","properties":{"duration":{"description":"Duration of the rule snooze schedule.","type":"number"},"id":{"description":"Identifier of the rule snooze schedule.","type":"string"},"rRule":{"additionalProperties":false,"type":"object","properties":{"byhour":{"items":{"description":"Indicates hours of the day to recur.","type":"number"},"nullable":true,"type":"array"},"byminute":{"items":{"description":"Indicates minutes of the hour to recur.","type":"number"},"nullable":true,"type":"array"},"bymonth":{"items":{"description":"Indicates months of the year that this rule should recur.","type":"number"},"nullable":true,"type":"array"},"bymonthday":{"items":{"description":"Indicates the days of the month to recur.","type":"number"},"nullable":true,"type":"array"},"bysecond":{"items":{"description":"Indicates seconds of the day to recur.","type":"number"},"nullable":true,"type":"array"},"bysetpos":{"items":{"description":"A positive or negative integer affecting the nth day of the month. For example, -2 combined with `byweekday` of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use `byweekday`.","type":"number"},"nullable":true,"type":"array"},"byweekday":{"items":{"anyOf":[{"type":"string"},{"type":"number"}],"description":"Indicates the days of the week to recur or else nth-day-of-month strings. For example, \"+2TU\" second Tuesday of month, \"-1FR\" last Friday of the month, which are internally converted to a `byweekday/bysetpos` combination."},"nullable":true,"type":"array"},"byweekno":{"items":{"description":"Indicates number of the week hours to recur.","type":"number"},"nullable":true,"type":"array"},"byyearday":{"items":{"description":"Indicates the days of the year that this rule should recur.","type":"number"},"nullable":true,"type":"array"},"count":{"description":"Number of times the rule should recur until it stops.","type":"number"},"dtstart":{"description":"Rule start date in Coordinated Universal Time (UTC).","type":"string"},"freq":{"description":"Indicates frequency of the rule. Options are YEARLY, MONTHLY, WEEKLY, DAILY.","enum":[0,1,2,3,4,5,6],"type":"integer"},"interval":{"description":"Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks.","type":"number"},"tzid":{"description":"Indicates timezone abbreviation.","type":"string"},"until":{"description":"Recur the rule until this date.","type":"string"},"wkst":{"description":"Indicates the start of week, defaults to Monday.","enum":["MO","TU","WE","TH","FR","SA","SU"],"type":"string"}},"required":["dtstart","tzid"]},"skipRecurrences":{"items":{"description":"Skips recurrence of rule on this date.","type":"string"},"type":"array"}},"required":["duration","rRule"]},"type":"array"},"tags":{"items":{"description":"The tags for the rule.","type":"string"},"type":"array"},"throttle":{"deprecated":true,"description":"Deprecated in 8.13.0. Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"},"updated_at":{"description":"The date and time that the rule was updated most recently.","type":"string"},"updated_by":{"description":"The identifier for the user that updated this rule most recently.","nullable":true,"type":"string"},"view_in_app_relative_url":{"description":"Relative URL to view rule in the app.","nullable":true,"type":"string"}},"required":["id","enabled","name","tags","rule_type_id","consumer","schedule","actions","params","created_by","updated_by","created_at","updated_at","api_key_owner","mute_all","muted_alert_ids","execution_status","revision"]}}},"description":"Indicates a successful call."},"400":{"description":"Indicates an invalid schema or parameters."},"403":{"description":"Indicates that this call is forbidden."}},"summary":"Get information about rules","tags":["alerting"],"x-metaTags":[{"content":"Kibana","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/alerting/rules/_find\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information."}},"/api/apm/agent_keys":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/apm/agent_keys\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nCreate a new agent key for APM.\nThe user creating an APM agent API key must have at least the `manage_own_api_key` cluster privilege and the APM application-level privileges that it wishes to grant.\nAfter it is created, you can copy the API key (Base64 encoded) and use it to to authorize requests from APM agents to the APM Server.\n","operationId":"createAgentKey","parameters":[{"$ref":"#/components/parameters/APM_UI_elastic_api_version"},{"$ref":"#/components/parameters/APM_UI_kbn_xsrf"}],"requestBody":{"content":{"application/json":{"examples":{"createAgentKeyRequest1":{"$ref":"#/components/examples/APM_UI_agent_keys_object_post_request1"}},"schema":{"$ref":"#/components/schemas/APM_UI_agent_keys_object"}}},"required":true},"responses":{"200":{"content":{"application/json":{"examples":{"createAgentKeyResponse1":{"$ref":"#/components/examples/APM_UI_agent_keys_object_post_200_response1"}},"schema":{"$ref":"#/components/schemas/APM_UI_agent_keys_response"}}},"description":"Agent key created successfully"},"400":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/APM_UI_400_response"}}},"description":"Bad Request response"},"401":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/APM_UI_401_response"}}},"description":"Unauthorized response"},"403":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/APM_UI_403_response"}}},"description":"Forbidden response"},"500":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/APM_UI_500_response"}}},"description":"Internal Server Error response"}},"summary":"Create an APM agent key","tags":["APM agent keys"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/apm/fleet/apm_server_schema":{"post":{"operationId":"saveApmServerSchema","parameters":[{"$ref":"#/components/parameters/APM_UI_elastic_api_version"},{"$ref":"#/components/parameters/APM_UI_kbn_xsrf"}],"requestBody":{"content":{"application/json":{"schema":{"type":"object","properties":{"schema":{"additionalProperties":true,"description":"Schema object","example":{"foo":"bar"},"type":"object"}}}}},"required":true},"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object"}}},"description":"Successful response"},"400":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/APM_UI_400_response"}}},"description":"Bad Request response"},"401":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/APM_UI_401_response"}}},"description":"Unauthorized response"},"403":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/APM_UI_403_response"}}},"description":"Forbidden response"},"404":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/APM_UI_404_response"}}},"description":"Not found response"}},"summary":"Save APM server schema","tags":["APM server schema"],"x-metaTags":[{"content":"Kibana","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/apm/fleet/apm_server_schema\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information."}},"/api/apm/services/{serviceName}/annotation":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/apm/services/{serviceName}/annotation\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nCreate a new annotation for a specific service.","operationId":"createAnnotation","parameters":[{"$ref":"#/components/parameters/APM_UI_elastic_api_version"},{"$ref":"#/components/parameters/APM_UI_kbn_xsrf"},{"description":"The name of the service","in":"path","name":"serviceName","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/APM_UI_create_annotation_object"}}},"required":true},"responses":{"200":{"content":{"application/json":{"examples":{"createAnnotationResponse1":{"$ref":"#/components/examples/APM_UI_annotation_object_post_200_response1"}},"schema":{"$ref":"#/components/schemas/APM_UI_create_annotation_response"}}},"description":"Annotation created successfully"},"400":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/APM_UI_400_response"}}},"description":"Bad Request response"},"401":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/APM_UI_401_response"}}},"description":"Unauthorized response"},"403":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/APM_UI_403_response"}}},"description":"Forbidden response"},"404":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/APM_UI_404_response"}}},"description":"Not found response"}},"summary":"Create a service annotation","tags":["APM annotations"],"x-codeSamples":[{"lang":"Curl","source":"curl -X POST \\\nhttp://localhost:5601/api/apm/services/opbeans-java/annotation \\\n-H 'Content-Type: application/json' \\\n-H 'kbn-xsrf: true' \\\n-H 'Authorization: Basic YhUlubWZhM0FDbnlQeE6WRtaW49FQmSGZ4RUWXdX' \\\n-d '{\n    \"@timestamp\": \"2020-05-08T10:31:30.452Z\",\n    \"service\": {\n        \"version\": \"1.2\"\n    },\n    \"message\": \"Deployment 1.2\"\n    }'\n"}],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/apm/services/{serviceName}/annotation/search":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/apm/services/{serviceName}/annotation/search\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nSearch for annotations related to a specific service.","operationId":"getAnnotation","parameters":[{"$ref":"#/components/parameters/APM_UI_elastic_api_version"},{"description":"The name of the service","in":"path","name":"serviceName","required":true,"schema":{"type":"string"}},{"description":"The environment to filter annotations by","in":"query","name":"environment","required":false,"schema":{"type":"string"}},{"description":"The start date for the search","in":"query","name":"start","required":false,"schema":{"type":"string"}},{"description":"The end date for the search","in":"query","name":"end","required":false,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/APM_UI_annotation_search_response"}}},"description":"Successful response"},"400":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/APM_UI_400_response"}}},"description":"Bad Request response"},"401":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/APM_UI_401_response"}}},"description":"Unauthorized response"},"500":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/APM_UI_500_response"}}},"description":"Internal Server Error response"}},"summary":"Search for annotations","tags":["APM annotations"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/apm/settings/agent-configuration":{"delete":{"operationId":"deleteAgentConfiguration","parameters":[{"$ref":"#/components/parameters/APM_UI_elastic_api_version"},{"$ref":"#/components/parameters/APM_UI_kbn_xsrf"}],"requestBody":{"content":{"application/json":{"examples":{"deleteAgentConfigurationRequest1":{"$ref":"#/components/examples/APM_UI_agent_configuration_intake_object_delete_request1"}},"schema":{"$ref":"#/components/schemas/APM_UI_delete_service_object"}}},"required":true},"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/APM_UI_delete_agent_configurations_response"}}},"description":"Successful response"},"400":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/APM_UI_400_response"}}},"description":"Bad Request response"},"401":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/APM_UI_401_response"}}},"description":"Unauthorized response"},"403":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/APM_UI_403_response"}}},"description":"Forbidden response"},"404":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/APM_UI_404_response"}}},"description":"Not found response"}},"summary":"Delete agent configuration","tags":["APM agent configuration"],"x-metaTags":[{"content":"Kibana","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb delete\"\u003edelete\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/apm/settings/agent-configuration\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information."},"get":{"operationId":"getAgentConfigurations","parameters":[{"$ref":"#/components/parameters/APM_UI_elastic_api_version"}],"responses":{"200":{"content":{"application/json":{"examples":{"getAgentConfigurationsResponseExample1":{"$ref":"#/components/examples/APM_UI_agent_configuration_intake_object_get_200_response1"}},"schema":{"$ref":"#/components/schemas/APM_UI_agent_configurations_response"}}},"description":"Successful response"},"400":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/APM_UI_400_response"}}},"description":"Bad Request response"},"401":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/APM_UI_401_response"}}},"description":"Unauthorized response"},"404":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/APM_UI_404_response"}}},"description":"Not found response"}},"summary":"Get a list of agent configurations","tags":["APM agent configuration"],"x-metaTags":[{"content":"Kibana","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/apm/settings/agent-configuration\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information."},"put":{"operationId":"createUpdateAgentConfiguration","parameters":[{"$ref":"#/components/parameters/APM_UI_elastic_api_version"},{"$ref":"#/components/parameters/APM_UI_kbn_xsrf"},{"description":"If the config exists ?overwrite=true is required","in":"query","name":"overwrite","schema":{"type":"boolean"}}],"requestBody":{"content":{"application/json":{"examples":{"createUpdateAgentConfigurationRequestExample1":{"$ref":"#/components/examples/APM_UI_agent_configuration_intake_object_put_request1"}},"schema":{"$ref":"#/components/schemas/APM_UI_agent_configuration_intake_object"}}},"required":true},"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object"}}},"description":"Successful response"},"400":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/APM_UI_400_response"}}},"description":"Bad Request response"},"401":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/APM_UI_401_response"}}},"description":"Unauthorized response"},"403":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/APM_UI_403_response"}}},"description":"Forbidden response"},"404":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/APM_UI_404_response"}}},"description":"Not found response"}},"summary":"Create or update agent configuration","tags":["APM agent configuration"],"x-metaTags":[{"content":"Kibana","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb put\"\u003eput\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/apm/settings/agent-configuration\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information."}},"/api/apm/settings/agent-configuration/agent_name":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/apm/settings/agent-configuration/agent_name\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nRetrieve `agentName` for a service.","operationId":"getAgentNameForService","parameters":[{"$ref":"#/components/parameters/APM_UI_elastic_api_version"},{"description":"The name of the service","example":"node","in":"query","name":"serviceName","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/APM_UI_service_agent_name_response"}}},"description":"Successful response"},"400":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/APM_UI_400_response"}}},"description":"Bad Request response"},"401":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/APM_UI_401_response"}}},"description":"Unauthorized response"},"404":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/APM_UI_404_response"}}},"description":"Not found response"}},"summary":"Get agent name for service","tags":["APM agent configuration"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/apm/settings/agent-configuration/environments":{"get":{"operationId":"getEnvironmentsForService","parameters":[{"$ref":"#/components/parameters/APM_UI_elastic_api_version"},{"description":"The name of the service","in":"query","name":"serviceName","schema":{"type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/APM_UI_service_environments_response"}}},"description":"Successful response"},"400":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/APM_UI_400_response"}}},"description":"Bad Request response"},"401":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/APM_UI_401_response"}}},"description":"Unauthorized response"},"404":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/APM_UI_404_response"}}},"description":"Not found response"}},"summary":"Get environments for service","tags":["APM agent configuration"],"x-metaTags":[{"content":"Kibana","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/apm/settings/agent-configuration/environments\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information."}},"/api/apm/settings/agent-configuration/search":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/apm/settings/agent-configuration/search\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nThis endpoint enables you to search for a single agent configuration and update the 'applied_by_agent' field.\n","operationId":"searchSingleConfiguration","parameters":[{"$ref":"#/components/parameters/APM_UI_elastic_api_version"},{"$ref":"#/components/parameters/APM_UI_kbn_xsrf"}],"requestBody":{"content":{"application/json":{"examples":{"searchSingleConfigurationRequest1":{"$ref":"#/components/examples/APM_UI_agent_configuration_intake_object_search_request1"}},"schema":{"$ref":"#/components/schemas/APM_UI_search_agent_configuration_object"}}},"required":true},"responses":{"200":{"content":{"application/json":{"examples":{"searchSingleConfigurationResponse1":{"$ref":"#/components/examples/APM_UI_agent_configuration_intake_object_search_200_response1"}},"schema":{"$ref":"#/components/schemas/APM_UI_search_agent_configuration_response"}}},"description":"Successful response"},"400":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/APM_UI_400_response"}}},"description":"Bad Request response"},"401":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/APM_UI_401_response"}}},"description":"Unauthorized response"},"404":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/APM_UI_404_response"}}},"description":"Not found response"}},"summary":"Lookup single agent configuration","tags":["APM agent configuration"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/apm/settings/agent-configuration/view":{"get":{"operationId":"getSingleAgentConfiguration","parameters":[{"$ref":"#/components/parameters/APM_UI_elastic_api_version"},{"description":"Service name","example":"node","in":"query","name":"name","schema":{"type":"string"}},{"description":"Service environment","example":"prod","in":"query","name":"environment","schema":{"type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/APM_UI_single_agent_configuration_response"}}},"description":"Successful response"},"400":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/APM_UI_400_response"}}},"description":"Bad Request response"},"401":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/APM_UI_401_response"}}},"description":"Unauthorized response"},"404":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/APM_UI_404_response"}}},"description":"Not found response"}},"summary":"Get single agent configuration","tags":["APM agent configuration"],"x-metaTags":[{"content":"Kibana","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/apm/settings/agent-configuration/view\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information."}},"/api/apm/sourcemaps":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/apm/sourcemaps\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nGet an array of Fleet artifacts, including source map uploads. You must have `read` or `all` Kibana privileges for the APM and User Experience feature.\n","operationId":"getSourceMaps","parameters":[{"$ref":"#/components/parameters/APM_UI_elastic_api_version"},{"description":"Page number","in":"query","name":"page","schema":{"type":"number"}},{"description":"Number of records per page","in":"query","name":"perPage","schema":{"type":"number"}}],"responses":{"200":{"content":{"application/json":{"examples":{"getSourceMapsResponse1":{"$ref":"#/components/examples/APM_UI_source_maps_get_200_response1"}},"schema":{"$ref":"#/components/schemas/APM_UI_source_maps_response"}}},"description":"Successful response"},"400":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/APM_UI_400_response"}}},"description":"Bad Request response"},"401":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/APM_UI_401_response"}}},"description":"Unauthorized response"},"500":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/APM_UI_500_response"}}},"description":"Internal Server Error response"},"501":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/APM_UI_501_response"}}},"description":"Not Implemented response"}},"summary":"Get source maps","tags":["APM sourcemaps"],"x-codeSamples":[{"lang":"Curl","source":"curl -X GET \"http://localhost:5601/api/apm/sourcemaps\" \\\n-H 'Content-Type: application/json' \\\n-H 'kbn-xsrf: true' \\\n-H 'Authorization: ApiKey ${YOUR_API_KEY}'\n"}],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/apm/sourcemaps\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nUpload a source map for a specific service and version. You must have `all` Kibana privileges for the APM and User Experience feature.\nThe maximum payload size is `1mb`. If you attempt to upload a source map that exceeds the maximum payload size, you will get a 413 error. Before uploading source maps that exceed this default, change the maximum payload size allowed by Kibana with the `server.maxPayload` variable.\n","operationId":"uploadSourceMap","parameters":[{"$ref":"#/components/parameters/APM_UI_elastic_api_version"},{"$ref":"#/components/parameters/APM_UI_kbn_xsrf"}],"requestBody":{"content":{"multipart/form-data":{"schema":{"$ref":"#/components/schemas/APM_UI_upload_source_map_object"}}},"required":true},"responses":{"200":{"content":{"application/json":{"examples":{"uploadSourceMapResponse1":{"$ref":"#/components/examples/APM_UI_source_maps_upload_200_response1"}},"schema":{"$ref":"#/components/schemas/APM_UI_upload_source_maps_response"}}},"description":"Successful response"},"400":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/APM_UI_400_response"}}},"description":"Bad Request response"},"401":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/APM_UI_401_response"}}},"description":"Unauthorized response"},"403":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/APM_UI_403_response"}}},"description":"Forbidden response"},"500":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/APM_UI_500_response"}}},"description":"Internal Server Error response"},"501":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/APM_UI_501_response"}}},"description":"Not Implemented response"}},"summary":"Upload a source map","tags":["APM sourcemaps"],"x-codeSamples":[{"lang":"Curl","source":"curl -X POST \"http://localhost:5601/api/apm/sourcemaps\" \\\n-H 'Content-Type: multipart/form-data' \\\n-H 'kbn-xsrf: true' \\\n-H 'Authorization: ApiKey ${YOUR_API_KEY}' \\\n-F 'service_name=\"foo\"' \\\n-F 'service_version=\"1.0.0\"' \\\n-F 'bundle_filepath=\"/test/e2e/general-usecase/bundle.js\"' \\\n-F 'sourcemap=\"{\\\"version\\\":3,\\\"file\\\":\\\"static/js/main.chunk.js\\\",\\\"sources\\\":[\\\"fleet-source-map-client/src/index.css\\\",\\\"fleet-source-map-client/src/App.js\\\",\\\"webpack:///./src/index.css?bb0a\\\",\\\"fleet-source-map-client/src/index.js\\\",\\\"fleet-source-map-client/src/reportWebVitals.js\\\"],\\\"sourcesContent\\\":[\\\"content\\\"],\\\"mappings\\\":\\\"mapping\\\",\\\"sourceRoot\\\":\\\"\\\"}\"' \n"}],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/apm/sourcemaps/{id}":{"delete":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb delete\"\u003edelete\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/apm/sourcemaps/{id}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nDelete a previously uploaded source map. You must have `all` Kibana privileges for the APM and User Experience feature.\n","operationId":"deleteSourceMap","parameters":[{"$ref":"#/components/parameters/APM_UI_elastic_api_version"},{"$ref":"#/components/parameters/APM_UI_kbn_xsrf"},{"description":"Source map identifier","in":"path","name":"id","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object"}}},"description":"Successful response"},"400":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/APM_UI_400_response"}}},"description":"Bad Request response"},"401":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/APM_UI_401_response"}}},"description":"Unauthorized response"},"403":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/APM_UI_403_response"}}},"description":"Forbidden response"},"500":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/APM_UI_500_response"}}},"description":"Internal Server Error response"},"501":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/APM_UI_501_response"}}},"description":"Not Implemented response"}},"summary":"Delete source map","tags":["APM sourcemaps"],"x-codeSamples":[{"lang":"Curl","source":"curl -X DELETE \"http://localhost:5601/api/apm/sourcemaps/apm:foo-1.0.0-644fd5a9\" \\\n-H 'Content-Type: application/json' \\\n-H 'kbn-xsrf: true' \\\n-H 'Authorization: ApiKey ${YOUR_API_KEY}'\n"}],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/asset_criticality":{"delete":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb delete\"\u003edelete\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/asset_criticality\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nDelete the asset criticality record for a specific entity.","operationId":"DeleteAssetCriticalityRecord","parameters":[{"description":"The ID value of the asset.","example":"my_host","in":"query","name":"id_value","required":true,"schema":{"type":"string"}},{"description":"The field representing the ID.","example":"host.name","in":"query","name":"id_field","required":true,"schema":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_IdField"}},{"description":"If 'wait_for' the request will wait for the index refresh.","in":"query","name":"refresh","required":false,"schema":{"enum":["wait_for"],"type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"type":"object","properties":{"deleted":{"description":"True if the record was deleted or false if the record did not exist.","type":"boolean"},"record":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord","description":"The deleted record if it existed."}},"required":["deleted"]}}},"description":"Successful response"},"400":{"description":"Invalid request"}},"summary":"Delete an asset criticality record","tags":["Security Entity Analytics API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/asset_criticality\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nGet the asset criticality record for a specific entity.","operationId":"GetAssetCriticalityRecord","parameters":[{"description":"The ID value of the asset.","example":"my_host","in":"query","name":"id_value","required":true,"schema":{"type":"string"}},{"description":"The field representing the ID.","example":"host.name","in":"query","name":"id_field","required":true,"schema":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_IdField"}}],"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord"}}},"description":"Successful response"},"400":{"description":"Invalid request"},"404":{"description":"Criticality record not found"}},"summary":"Get an asset criticality record","tags":["Security Entity Analytics API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/asset_criticality\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nCreate or update an asset criticality record for a specific entity.\n\nIf a record already exists for the specified entity, that record is overwritten with the specified value. If a record doesn't exist for the specified entity, a new record is created.\n","operationId":"CreateAssetCriticalityRecord","requestBody":{"content":{"application/json":{"schema":{"allOf":[{"$ref":"#/components/schemas/Security_Entity_Analytics_API_CreateAssetCriticalityRecord"},{"type":"object","properties":{"refresh":{"description":"If 'wait_for' the request will wait for the index refresh.","enum":["wait_for"],"type":"string"}}}],"example":{"criticality_level":"high_impact","id_field":"host.name","id_value":"my_host"}}}},"required":true},"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord"}}},"description":"Successful response"},"400":{"description":"Invalid request"}},"summary":"Upsert an asset criticality record","tags":["Security Entity Analytics API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/asset_criticality/bulk":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/asset_criticality/bulk\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nBulk upsert up to 1000 asset criticality records.\n\nIf asset criticality records already exist for the specified entities, those records are overwritten with the specified values. If asset criticality records don't exist for the specified entities, new records are created.\n","operationId":"BulkUpsertAssetCriticalityRecords","requestBody":{"content":{"application/json":{"schema":{"example":{"records":[{"criticality_level":"low_impact","id_field":"host.name","id_value":"host-1"},{"criticality_level":"medium_impact","id_field":"host.name","id_value":"host-2"}]},"type":"object","properties":{"records":{"items":{"allOf":[{"$ref":"#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecordIdParts"},{"type":"object","properties":{"criticality_level":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevelsForBulkUpload"}},"required":["criticality_level"]}]},"maxItems":1000,"minItems":1,"type":"array"}},"required":["records"]}}}},"responses":{"200":{"content":{"application/json":{"schema":{"example":{"errors":[{"index":0,"message":"Invalid ID field"}],"stats":{"failed":1,"successful":1,"total":2}},"type":"object","properties":{"errors":{"items":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityBulkUploadErrorItem"},"type":"array"},"stats":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityBulkUploadStats"}},"required":["errors","stats"]}}},"description":"Bulk upload successful"},"413":{"description":"File too large"}},"summary":"Bulk upsert asset criticality records","tags":["Security Entity Analytics API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/asset_criticality/list":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/asset_criticality/list\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nList asset criticality records, paging, sorting and filtering as needed.","operationId":"FindAssetCriticalityRecords","parameters":[{"description":"The field to sort by.","in":"query","name":"sort_field","required":false,"schema":{"enum":["id_value","id_field","criticality_level","@timestamp"],"type":"string"}},{"description":"The order to sort by.","in":"query","name":"sort_direction","required":false,"schema":{"enum":["asc","desc"],"type":"string"}},{"description":"The page number to return.","in":"query","name":"page","required":false,"schema":{"minimum":1,"type":"integer"}},{"description":"The number of records to return per page.","in":"query","name":"per_page","required":false,"schema":{"maximum":1000,"minimum":1,"type":"integer"}},{"description":"The kuery to filter by.","in":"query","name":"kuery","required":false,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"example":{"page":1,"per_page":10,"records":[{"@timestamp":"2024-08-02T14:40:35.705Z","asset":{"criticality":"medium_impact"},"criticality_level":"medium_impact","host":{"asset":{"criticality":"medium_impact"},"name":"my_other_host"},"id_field":"host.name","id_value":"my_other_host"},{"@timestamp":"2024-08-02T11:15:34.290Z","asset":{"criticality":"high_impact"},"criticality_level":"high_impact","host":{"asset":{"criticality":"high_impact"},"name":"my_host"},"id_field":"host.name","id_value":"my_host"}],"total":2},"type":"object","properties":{"page":{"minimum":1,"type":"integer"},"per_page":{"maximum":1000,"minimum":1,"type":"integer"},"records":{"items":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord"},"type":"array"},"total":{"minimum":0,"type":"integer"}},"required":["records","page","per_page","total"]}}},"description":"Successfully retrieved asset criticality records"}},"summary":"List asset criticality records","tags":["Security Entity Analytics API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/attack_discovery/_bulk":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/attack_discovery/_bulk\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nPerforms bulk updates on multiple Attack discoveries, including workflow status changes and visibility settings. This endpoint allows efficient batch processing of alert modifications without requiring individual API calls for each alert.","operationId":"PostAttackDiscoveryBulk","requestBody":{"content":{"application/json":{"schema":{"type":"object","properties":{"update":{"description":"Configuration object containing all parameters for the bulk update operation","type":"object","properties":{"enable_field_rendering":{"default":false,"description":"Enables a markdown syntax used to render pivot fields, for example `{{ user.name james }}`. When disabled, the same example would be rendered as `james`. This is primarily used for Attack discovery views within Kibana. Defaults to `false`.","example":false,"type":"boolean"},"ids":{"description":"Array of Attack discovery IDs to update","example":["c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f","5aa8f2900c0b03854b3b1a52a19558c5ea9893865c78235d4ad3dcc46196f4c7"],"items":{"type":"string"},"type":"array"},"kibana_alert_workflow_status":{"description":"When provided, update the kibana.alert.workflow_status of the attack discovery alerts","enum":["open","acknowledged","closed"],"example":"acknowledged","type":"string"},"visibility":{"description":"When provided, update the visibility of the alert, as determined by the kibana.alert.attack_discovery.users field","enum":["not_shared","shared"],"example":"shared","type":"string"},"with_replacements":{"default":true,"description":"When true, returns the updated Attack discoveries with text replacements applied to the detailsMarkdown, entitySummaryMarkdown, summaryMarkdown, and title fields. This substitutes anonymized values with human-readable equivalents. Defaults to `true`.","example":true,"type":"boolean"}},"required":["ids"]}},"required":["update"]}}},"description":"Bulk update parameters for Attack discoveries","required":true},"responses":{"200":{"content":{"application/json":{"schema":{"type":"object","properties":{"data":{"description":"Array of updated Attack discovery alert objects. Each item includes the applied modifications from the bulk update request.","items":{"$ref":"#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiAlert"},"type":"array"}},"required":["data"]}}},"description":"Successful response containing the updated Attack discovery alerts"},"400":{"content":{"application/json":{"schema":{"type":"object","properties":{"error":{"description":"Error type","example":"Bad Request","type":"string"},"message":{"description":"Human-readable error message describing what went wrong with the bulk update request","example":"Invalid request parameters","type":"string"},"status_code":{"description":"HTTP status code","example":400,"type":"number"}},"required":["status_code","error","message"]}}},"description":"Generic Error"}},"summary":"Bulk update Attack discoveries","tags":["Security Attack discovery API"],"x-code-samples":[{"label":"Example request","lang":"curl","source":"curl \\\n --request POST 'http://localhost:5601/api/attack_discovery/_bulk' \\\n --header \"Authorization: $API_KEY\" \\\n --header \"Content-Type: application/json\" \\\n --data-raw '{\n   \"update\": {\n     \"ids\": [\n       \"c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f\",\n       \"5aa8f2900c0b03854b3b1a52a19558c5ea9893865c78235d4ad3dcc46196f4c7\"\n     ],\n     \"kibana_alert_workflow_status\": \"acknowledged\"\n   }\n }'\n"}],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/attack_discovery/_find":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/attack_discovery/_find\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nFind Attack discoveries that match the search criteria. Supports free text search, filtering, pagination, and sorting.","operationId":"AttackDiscoveryFind","parameters":[{"description":"Filter results to Attack discoveries that include any of the provided alert IDs","in":"query","name":"alert_ids","required":false,"schema":{"items":{"type":"string"},"type":"array"}},{"description":"Filter results to Attack discoveries created by any of the provided human readable connector names. Note that values must match the human readable `connector_name` property of an Attack discovery, e.g. \"GPT-5 Chat\", which are distinct from `connector_id` values used to generate Attack discoveries.","in":"query","name":"connector_names","required":false,"schema":{"items":{"type":"string"},"type":"array"}},{"description":"Enables a markdown syntax used to render pivot fields, for example `{{ user.name james }}`. When disabled, the same example would be rendered as `james`. This is primarily used for Attack discovery views within Kibana. Defaults to `false`.","example":false,"in":"query","name":"enable_field_rendering","required":false,"schema":{"default":false,"type":"boolean"}},{"description":"End of the time range for the search. Accepts absolute timestamps (ISO 8601) or relative date math (e.g. \"now\", \"now-24h\").","example":"now","in":"query","name":"end","required":false,"schema":{"type":"string"}},{"description":"Filter results to the Attack discoveries with the specified IDs","in":"query","name":"ids","required":false,"schema":{"items":{"type":"string"},"type":"array"}},{"description":"If `true`, the response will include `unique_alert_ids` and `unique_alert_ids_count` aggregated across the matched Attack discoveries","example":false,"in":"query","name":"include_unique_alert_ids","required":false,"schema":{"type":"boolean"}},{"description":"Page number to return (used for pagination). Defaults to 1.","example":1,"in":"query","name":"page","required":false,"schema":{"default":1,"minimum":1,"type":"integer"}},{"description":"Number of Attack discoveries to return per page (used for pagination). Defaults to 10.","example":10,"in":"query","name":"per_page","required":false,"schema":{"default":10,"minimum":1,"type":"integer"}},{"description":"Free-text search query applied to relevant text fields of Attack discoveries (title, description, tags, etc.)","example":"","in":"query","name":"search","required":false,"schema":{"type":"string"}},{"description":"Whether to filter by shared visibility. If omitted, both shared and privately visible Attack discoveries are returned. Use `true` to return only shared discoveries, `false` to return only those visible to the current user.","in":"query","name":"shared","required":false,"schema":{"type":"boolean"}},{"description":"Field used to sort results. See `AttackDiscoveryFindSortField` for allowed values.","example":"@timestamp","in":"query","name":"sort_field","required":false,"schema":{"$ref":"#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryFindSortField","default":"@timestamp"}},{"description":"Sort order direction `asc` for ascending or `desc` for descending. Defaults to `desc`.","example":"desc","in":"query","name":"sort_order","required":false,"schema":{"$ref":"#/components/schemas/Security_Attack_discovery_API_SortOrder","default":"desc"}},{"description":"Start of the time range for the search. Accepts absolute timestamps (ISO 8601) or relative date math (e.g. \"now-7d\").","example":"now-24h","in":"query","name":"start","required":false,"schema":{"type":"string"}},{"description":"Filter by alert workflow status. Provide one or more of the allowed workflow states.","example":["open","acknowledged"],"in":"query","name":"status","required":false,"schema":{"items":{"enum":["acknowledged","closed","open"],"type":"string"},"type":"array"}},{"description":"When true, return the created Attack discoveries with text replacements applied to the detailsMarkdown, entitySummaryMarkdown, summaryMarkdown, and title fields. Defaults to `true`.","example":true,"in":"query","name":"with_replacements","required":false,"schema":{"default":true,"type":"boolean"}}],"responses":{"200":{"content":{"application/json":{"schema":{"type":"object","properties":{"connector_names":{"description":"List of human readable connector names that are present in the matched Attack discoveries. Useful for building client filters or summaries.","items":{"type":"string"},"type":"array"},"data":{"description":"Array of matched Attack discovery objects. Each item follows the `AttackDiscoveryApiAlert` schema.","items":{"$ref":"#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiAlert"},"type":"array"},"page":{"description":"Current page number of the paginated result set.","type":"integer"},"per_page":{"description":"Number of items requested per page.","type":"integer"},"total":{"description":"Total number of Attack discoveries matching the query (across all pages).","type":"integer"},"unique_alert_ids":{"description":"List of unique alert IDs aggregated from the matched Attack discoveries. Only present if `include_unique_alert_ids=true` in the request.","items":{"type":"string"},"type":"array"},"unique_alert_ids_count":{"description":"Number of unique alert IDs across all matched Attack discoveries. Only present if `include_unique_alert_ids=true` in the request.","type":"integer"}},"required":["connector_names","data","page","per_page","total","unique_alert_ids_count"]}}},"description":"Successful response"},"400":{"content":{"application/json":{"schema":{"type":"object","properties":{"error":{"description":"Error type","example":"Bad Request","type":"string"},"message":{"description":"Human-readable error message","example":"Invalid request payload.","type":"string"},"status_code":{"description":"HTTP status code","example":400,"type":"number"}}}}},"description":"Generic Error"}},"summary":"Find Attack discoveries that match the search criteria","tags":["Security Attack discovery API"],"x-code-samples":[{"label":"Example request","lang":"curl","source":"curl \\\n --request GET 'http://localhost:5601/api/attack_discovery/_find?end=now\u0026include_unique_alert_ids=false\u0026page=1\u0026per_page=10\u0026search=\u0026sort_field=%40timestamp\u0026sort_order=desc\u0026start=now-24h\u0026status=open\u0026status=acknowledged' \\\n --header \"Authorization: $API_KEY\" \\\n --header \"Content-Type: application/json\"\n"}],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/attack_discovery/_generate":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/attack_discovery/_generate\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nInitiates the generation of attack discoveries by analyzing security alerts using AI. Returns an execution UUID that can be used to track the generation progress and retrieve results. Results may also be retrieved via the find endpoint.","operationId":"PostAttackDiscoveryGenerate","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenerationConfig"}}},"required":true},"responses":{"200":{"content":{"application/json":{"schema":{"type":"object","properties":{"execution_uuid":{"$ref":"#/components/schemas/Security_Attack_discovery_API_NonEmptyString","description":"The unique identifier for the attack discovery generation process. Use this UUID to track the generation progress and retrieve results via the find endpoint.","example":"edd26039-0990-4d9f-9829-2a1fcacb77b5"}},"required":["execution_uuid"]}}},"description":"Attack discovery generation initiated successfully"},"400":{"content":{"application/json":{"schema":{"type":"object","properties":{"error":{"description":"Error type","example":"Bad Request","type":"string"},"message":{"description":"Human-readable error message describing what went wrong","example":"Invalid request parameters","type":"string"},"status_code":{"description":"HTTP status code","example":400,"type":"number"}},"required":["status_code","error","message"]}}},"description":"Bad request - Invalid input parameters or configuration"}},"summary":"Generate attack discoveries from alerts","tags":["Security Attack discovery API"],"x-code-samples":[{"label":"Example request","lang":"curl","source":"curl \\\n --request POST 'http://localhost:5601/api/attack_discovery/_generate' \\\n --header \"Authorization: $API_KEY\" \\\n --header \"Content-Type: application/json\" \\\n --data '{\n    \"alertsIndexPattern\": \".alerts-security.alerts-default\",\n    \"anonymizationFields\": [\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"@timestamp\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"aKiJW5gB4U27o8XO8oLf\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"Ransomware.feature\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"saiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"Ransomware.files.data\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"sqiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"Ransomware.files.entropy\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"s6iJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"Ransomware.files.extension\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"tKiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"Ransomware.files.metrics\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"taiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"Ransomware.files.operation\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"tqiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"Ransomware.files.path\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"t6iJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"Ransomware.files.score\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"uKiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"Ransomware.version\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"uaiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"_id\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"Z6iJW5gB4U27o8XO8oLf\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"agent.id\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"aaiJW5gB4U27o8XO8oLf\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"cloud.availability_zone\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"aqiJW5gB4U27o8XO8oLf\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"cloud.provider\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"a6iJW5gB4U27o8XO8oLf\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"cloud.region\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"bKiJW5gB4U27o8XO8oLf\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"destination.ip\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"baiJW5gB4U27o8XO8oLf\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"dns.question.name\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"bqiJW5gB4U27o8XO8oLf\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"dns.question.type\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"b6iJW5gB4U27o8XO8oLf\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"event.category\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"cKiJW5gB4U27o8XO8oLf\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"event.dataset\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"caiJW5gB4U27o8XO8oLf\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"event.module\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"cqiJW5gB4U27o8XO8oLf\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"event.outcome\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"c6iJW5gB4U27o8XO8oLf\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"file.Ext.original.path\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"dKiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"file.hash.sha256\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"daiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"file.name\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"dqiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"file.path\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"d6iJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"group.id\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"eKiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"group.name\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"eaiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"host.asset.criticality\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"eqiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"host.name\",\n        \"allowed\": true,\n        \"anonymized\": true,\n        \"namespace\": \"default\",\n        \"id\": \"e6iJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"host.os.name\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"fKiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"host.os.version\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"faiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"host.risk.calculated_level\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"fqiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"host.risk.calculated_score_norm\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"f6iJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"kibana.alert.original_time\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"gKiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"kibana.alert.risk_score\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"gaiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"kibana.alert.rule.description\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"gqiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"kibana.alert.rule.name\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"g6iJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"kibana.alert.rule.references\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"hKiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"kibana.alert.rule.threat.framework\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"haiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"kibana.alert.rule.threat.tactic.id\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"hqiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"kibana.alert.rule.threat.tactic.name\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"h6iJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"kibana.alert.rule.threat.tactic.reference\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"iKiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"kibana.alert.rule.threat.technique.id\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"iaiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"kibana.alert.rule.threat.technique.name\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"iqiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"kibana.alert.rule.threat.technique.reference\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"i6iJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"kibana.alert.rule.threat.technique.subtechnique.id\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"jKiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"kibana.alert.rule.threat.technique.subtechnique.name\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"jaiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"kibana.alert.rule.threat.technique.subtechnique.reference\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"jqiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"kibana.alert.severity\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"j6iJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"kibana.alert.workflow_status\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"kKiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"message\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"kaiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"network.protocol\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"kqiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"process.Ext.memory_region.bytes_compressed_present\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"nKiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"process.Ext.memory_region.malware_signature.all_names\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"naiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"process.Ext.memory_region.malware_signature.primary.matches\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"nqiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"process.Ext.memory_region.malware_signature.primary.signature.name\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"n6iJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"process.Ext.token.integrity_level_name\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"oKiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"process.args\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"k6iJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"process.code_signature.exists\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"lKiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"process.code_signature.signing_id\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"laiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"process.code_signature.status\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"lqiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"process.code_signature.subject_name\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"l6iJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"process.code_signature.trusted\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"mKiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"process.command_line\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"maiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"process.executable\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"mqiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"process.exit_code\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"m6iJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"process.hash.md5\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"oaiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"process.hash.sha1\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"oqiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"process.hash.sha256\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"o6iJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"process.name\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"pKiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"process.parent.args\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"paiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"process.parent.args_count\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"pqiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"process.parent.code_signature.exists\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"p6iJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"process.parent.code_signature.status\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"qKiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"process.parent.code_signature.subject_name\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"qaiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"process.parent.code_signature.trusted\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"qqiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"process.parent.command_line\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"q6iJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"process.parent.executable\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"rKiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"process.parent.name\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"raiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"process.pe.original_file_name\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"rqiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"process.pid\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"r6iJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"process.working_directory\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"sKiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"rule.name\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"uqiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"rule.reference\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"u6iJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"source.ip\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"vKiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"threat.framework\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"vaiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"threat.tactic.id\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"vqiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"threat.tactic.name\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"v6iJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"threat.tactic.reference\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"wKiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"threat.technique.id\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"waiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"threat.technique.name\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"wqiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"threat.technique.reference\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"w6iJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"threat.technique.subtechnique.id\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"xKiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"threat.technique.subtechnique.name\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"xaiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"threat.technique.subtechnique.reference\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"xqiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"user.asset.criticality\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"x6iJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"user.domain\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"yKiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"user.name\",\n        \"allowed\": true,\n        \"anonymized\": true,\n        \"namespace\": \"default\",\n        \"id\": \"yaiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"user.risk.calculated_level\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"yqiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"user.risk.calculated_score_norm\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"y6iJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"user.target.name\",\n        \"allowed\": true,\n        \"anonymized\": true,\n        \"namespace\": \"default\",\n        \"id\": \"zKiJW5gB4U27o8XO8oLg\"\n      }\n    ],\n    \"replacements\": {},\n    \"size\": 100,\n    \"subAction\": \"invokeAI\",\n    \"apiConfig\": {\n      \"connectorId\": \"example-connector-id\",\n      \"actionTypeId\": \".gen-ai\"\n    },\n    \"connectorName\": \"GPT-5 Chat\",\n    \"end\": \"now\",\n    \"start\": \"now-24h\"\n  }'\n"}],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/attack_discovery/generations":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/attack_discovery/generations\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nGet the latest attack discovery generations metadata (that are not dismissed) for the current user. This endpoint retrieves generation metadata including execution status and statistics for Attack discovery generations.","operationId":"GetAttackDiscoveryGenerations","parameters":[{"description":"End of the time range for filtering generations. Accepts absolute timestamps (ISO 8601) or relative date math (e.g. \"now\", \"now-24h\").","example":"now","in":"query","name":"end","required":false,"schema":{"type":"string"}},{"description":"The maximum number of generations to retrieve","example":50,"in":"query","name":"size","required":false,"schema":{"default":50,"minimum":1,"type":"number"}},{"description":"Start of the time range for filtering generations. Accepts absolute timestamps (ISO 8601) or relative date math (e.g. \"now-7d\").","example":"now-24h","in":"query","name":"start","required":false,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"type":"object","properties":{"generations":{"description":"List of attack discovery generations","items":{"$ref":"#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGeneration"},"type":"array"}},"required":["generations"]}}},"description":"Successful response"},"400":{"content":{"application/json":{"schema":{"type":"object","properties":{"error":{"description":"Error type","example":"Bad Request","type":"string"},"message":{"description":"Human-readable error message","example":"Invalid size parameter. Must be a positive number.","type":"string"},"status_code":{"description":"HTTP status code","example":400,"type":"number"}}}}},"description":"Bad request"}},"summary":"Get the latest attack discovery generations metadata for the current user","tags":["Security Attack discovery API"],"x-code-samples":[{"label":"Example request","lang":"curl","source":"curl \\\n --request GET 'http://localhost:5601/api/attack_discovery/generations?size=50\u0026start=now-24h\u0026end=now' \\\n --header \"Authorization: $API_KEY\" \\\n --header \"Content-Type: application/json\"\n"}],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/attack_discovery/generations/{execution_uuid}":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/attack_discovery/generations/{execution_uuid}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nReturns a specific Attack discovery generation, including all generated Attack discoveries and associated metadata, including execution status and statistics.","operationId":"GetAttackDiscoveryGeneration","parameters":[{"description":"The unique identifier for the Attack discovery generation execution. This UUID is returned at the start of an Attack discovery generation.","example":"2e13f386-46cf-4d65-9e2b-68609e132ba5","in":"path","name":"execution_uuid","required":true,"schema":{"$ref":"#/components/schemas/Security_Attack_discovery_API_NonEmptyString"}},{"description":"Enables a markdown syntax used to render pivot fields, for example `{{ user.name james }}`. When disabled, the same example would be rendered as `james`. This is primarily used for Attack discovery views within Kibana. Defaults to `false`.","example":false,"in":"query","name":"enable_field_rendering","required":false,"schema":{"default":false,"type":"boolean"}},{"description":"When true, return the created Attack discoveries with text replacements applied to the detailsMarkdown, entitySummaryMarkdown, summaryMarkdown, and title fields. Defaults to `true`.","example":true,"in":"query","name":"with_replacements","required":false,"schema":{"default":true,"type":"boolean"}}],"responses":{"200":{"content":{"application/json":{"schema":{"type":"object","properties":{"data":{"description":"Array of Attack discoveries generated during this execution.","items":{"$ref":"#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiAlert"},"type":"array"},"generation":{"$ref":"#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGeneration","description":"Optional metadata about the attack discovery generation process, metadata including execution status and statistics. This metadata may not be available for all generations."}},"required":["data"]}}},"description":"Successful response"},"400":{"content":{"application/json":{"schema":{"type":"object","properties":{"error":{"description":"Error type","example":"Bad Request","type":"string"},"message":{"description":"Human-readable error message describing what went wrong with the request","example":"Invalid request parameters","type":"string"},"status_code":{"description":"HTTP status code","example":400,"type":"number"}},"required":["status_code","error","message"]}}},"description":"Generic Error"}},"summary":"Get a single Attack discovery generation, including its discoveries and (optional) generation metadata","tags":["Security Attack discovery API"],"x-code-samples":[{"label":"Example request","lang":"curl","source":"curl \\\n --request GET 'http://localhost:5601/api/attack_discovery/generations/2e13f386-46cf-4d65-9e2b-68609e132ba5' \\\n --header \"Authorization: $API_KEY\" \\\n --header \"Content-Type: application/json\"\n"}],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/attack_discovery/generations/{execution_uuid}/_dismiss":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/attack_discovery/generations/{execution_uuid}/_dismiss\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nDismisses an attack discovery generation for the current user, indicating that it's status should not be reported in the UI. This sets the generation's status to \"dismissed\" and affects how the generation appears in subsequent queries.","operationId":"PostAttackDiscoveryGenerationsDismiss","parameters":[{"description":"The unique identifier for the Attack discovery generation execution. This UUID is returned when an attack discovery generation is created and can be found in generation responses.","example":"46b218d5-535d-4329-be56-d0f6af6986b7","in":"path","name":"execution_uuid","required":true,"schema":{"$ref":"#/components/schemas/Security_Attack_discovery_API_NonEmptyString"}}],"responses":{"200":{"content":{"application/json":{"schema":{"type":"object","properties":{"alerts_context_count":{"description":"The number of alerts that were sent as context to the LLM for this generation.","example":75,"type":"number"},"connector_id":{"description":"The unique identifier of the connector used to generate the attack discoveries.","example":"chatGpt5_0ChatAzure","type":"string"},"connector_stats":{"description":"Statistical information about the connector's performance for this user, providing insights into usage patterns and success rates.","type":"object","properties":{"average_successful_duration_nanoseconds":{"description":"The average duration in nanoseconds for successful generations using this connector by the current user.","example":47958500000,"type":"number"},"successful_generations":{"description":"The total number of Attack discoveries successfully created for this generation","example":2,"type":"number"}}},"discoveries":{"description":"The number of attack discoveries that were generated during this execution.","example":3,"type":"number"},"end":{"description":"The timestamp when the generation process completed, in ISO 8601 format. This field may be absent for generations that haven't finished.","example":"2025-09-29T06:42:44.810Z","type":"string"},"execution_uuid":{"description":"The unique identifier for this attack discovery generation execution. This UUID can be used to reference this specific generation in other API calls.","example":"46b218d5-535d-4329-be56-d0f6af6986b7","type":"string"},"loading_message":{"description":"A human-readable message describing the current state or progress of the generation process. Provides context about what the AI is analyzing.","example":"AI is analyzing up to 100 alerts in the last 24 hours to generate discoveries.","type":"string"},"reason":{"description":"Additional context or reasoning provided when a generation fails or encounters issues. This field helps diagnose problems with the generation process.","example":"Connection timeout to AI service","type":"string"},"start":{"description":"The timestamp when the generation process began, in ISO 8601 format. This marks the beginning of the AI analysis.","example":"2025-09-29T06:42:08.962Z","type":"string"},"status":{"description":"The current status of the attack discovery generation. After dismissing, this will be set to \"dismissed\".","enum":["canceled","dismissed","failed","started","succeeded"],"example":"dismissed","type":"string"}},"required":["connector_id","discoveries","execution_uuid","loading_message","start","status"]}}},"description":"Successful response - The attack discovery generation has been dismissed"},"400":{"content":{"application/json":{"schema":{"type":"object","properties":{"error":{"description":"Error type or category","example":"Bad Request","type":"string"},"message":{"description":"Human-readable error message describing what went wrong with the request.","example":"Invalid request parameters","type":"string"},"status_code":{"description":"HTTP status code indicating the type of client error","example":400,"type":"number"}},"required":["status_code","error","message"]}}},"description":"Generic Error"}},"summary":"Dismiss an attack discovery generation","tags":["Security Attack discovery API"],"x-code-samples":[{"label":"Example request","lang":"curl","source":"curl \\\n --request POST 'http://localhost:5601/api/attack_discovery/generations/46b218d5-535d-4329-be56-d0f6af6986b7/_dismiss' \\\n --header \"Authorization: $API_KEY\" \\\n --header \"Content-Type: application/json\"\n"}],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/attack_discovery/schedules":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/attack_discovery/schedules\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nCreates a new Attack discovery schedule that analyzes security alerts at specified intervals. The schedule defines when and how Attack discovery analysis should run, including which alerts to analyze, which AI connector to use, and what actions to take when discoveries are found.","operationId":"CreateAttackDiscoverySchedules","requestBody":{"content":{"application/json":{"example":{"actions":[],"enabled":true,"name":"Daily Security Analysis","params":{"alerts_index_pattern":".alerts-security.alerts-default","api_config":{"actionTypeId":"bedrock","connectorId":"my-bedrock-connector","name":"Claude 3.5 Sonnet"},"end":"now","size":100,"start":"now-24h"},"schedule":{"interval":"24h"}},"schema":{"$ref":"#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleCreateProps"}}},"description":"Attack discovery schedule configuration including name, parameters, schedule interval, and actions","required":true},"responses":{"200":{"content":{"application/json":{"example":{"actions":[],"created_at":"2023-10-31T10:00:00.000Z","created_by":"elastic","enabled":true,"id":"12345678-1234-1234-1234-123456789012","name":"Daily Security Analysis","params":{"alerts_index_pattern":".alerts-security.alerts-default","api_config":{"actionTypeId":"bedrock","connectorId":"my-bedrock-connector","name":"Claude 3.5 Sonnet"},"end":"now","size":100,"start":"now-24h"},"schedule":{"interval":"24h"},"updated_at":"2023-10-31T10:00:00.000Z","updated_by":"elastic"},"schema":{"$ref":"#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiSchedule"}}},"description":"Successfully created Attack discovery schedule"},"400":{"content":{"application/json":{"example":{"error":"Bad Request","message":"Invalid request parameters","status_code":400},"schema":{"$ref":"#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError"}}},"description":"Generic Error"}},"summary":"Create Attack discovery schedule","tags":["Security Attack discovery API"],"x-code-samples":[{"label":"Create an Attack discovery schedule","lang":"curl","source":"curl \\\n --request POST 'http://localhost:5601/api/attack_discovery/schedules' \\\n --header \"Authorization: $API_KEY\" \\\n --header \"Content-Type: application/json\" \\\n --data '{\n   \"name\": \"Daily Security Analysis\",\n   \"enabled\": true,\n   \"params\": {\n     \"alerts_index_pattern\": \".alerts-security.alerts-default\",\n     \"api_config\": {\n       \"actionTypeId\": \"bedrock\",\n       \"connectorId\": \"my-bedrock-connector\",\n       \"name\": \"Claude 3.5 Sonnet\"\n     },\n     \"size\": 100,\n     \"start\": \"now-24h\",\n     \"end\": \"now\"\n   },\n   \"schedule\": {\n     \"interval\": \"24h\"\n   },\n   \"actions\": [\n      {\n         \"action_type_id\": \".cases\",\n         \"id\": \"system-connector-.cases\",\n         \"params\": {\n           \"subAction\": \"run\",\n           \"subActionParams\": {\n             \"timeWindow\": \"7d\",\n             \"reopenClosedCases\": false,\n             \"groupingBy\": [],\n             \"templateId\": null\n           }\n         },\n         \"uuid\": \"12345678-1234-1234-1234-123456789012\"\n       }\n   ]\n }'\n"}],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/attack_discovery/schedules/_find":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/attack_discovery/schedules/_find\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nFinds Attack discovery schedules that match the search criteria. Supports pagination and sorting by various fields.","operationId":"FindAttackDiscoverySchedules","parameters":[{"description":"Page number to return (used for pagination). Defaults to 1.","example":1,"in":"query","name":"page","required":false,"schema":{"type":"number"}},{"description":"Number of Attack discovery schedules to return per page (used for pagination). Defaults to 10.","example":10,"in":"query","name":"per_page","required":false,"schema":{"type":"number"}},{"description":"Field used to sort results. Common fields include 'name', 'created_at', 'updated_at', and 'enabled'.","example":"name","in":"query","name":"sort_field","required":false,"schema":{"$ref":"#/components/schemas/Security_Attack_discovery_API_NonEmptyString"}},{"description":"Sort order direction. Use 'asc' for ascending or 'desc' for descending. Defaults to 'asc'.","example":"asc","in":"query","name":"sort_direction","required":false,"schema":{"enum":["asc","desc"],"type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"type":"object","properties":{"data":{"description":"Array of matched Attack discovery schedule objects.","items":{"$ref":"#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiSchedule"},"type":"array"},"page":{"description":"Current page number of the paginated result set.","type":"number"},"per_page":{"description":"Number of items requested per page.","type":"number"},"total":{"description":"Total number of Attack discovery schedules matching the query (across all pages).","type":"number"}},"required":["page","per_page","total","data"]}}},"description":"Successful response"},"400":{"content":{"application/json":{"schema":{"type":"object","properties":{"error":{"description":"Error type","example":"Bad Request","type":"string"},"message":{"description":"Human-readable error message","example":"Invalid request payload","type":"string"},"status_code":{"description":"HTTP status code","example":400,"type":"number"}}}}},"description":"Generic Error"}},"summary":"Finds Attack discovery schedules that match the search criteria","tags":["Security Attack discovery API"],"x-code-samples":[{"label":"Example request","lang":"curl","source":"curl \\\n --request GET 'http://localhost:5601/api/attack_discovery/schedules/_find' \\\n --header \"Authorization: $API_KEY\" \\\n --header \"Content-Type: application/json\"\n"}],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/attack_discovery/schedules/{id}":{"delete":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb delete\"\u003edelete\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/attack_discovery/schedules/{id}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nPermanently deletes an Attack discovery schedule and all associated configuration.","operationId":"DeleteAttackDiscoverySchedules","parameters":[{"description":"The unique identifier (UUID) of the Attack Discovery schedule to delete. This ID is returned when creating a schedule and can be found in schedule listings.","example":"12345678-1234-1234-1234-123456789012","in":"path","name":"id","required":true,"schema":{"$ref":"#/components/schemas/Security_Attack_discovery_API_NonEmptyString"}}],"responses":{"200":{"content":{"application/json":{"example":{"id":"12345678-1234-1234-1234-123456789012"},"schema":{"type":"object","properties":{"id":{"$ref":"#/components/schemas/Security_Attack_discovery_API_NonEmptyString","description":"The unique identifier of the deleted Attack Discovery schedule"}},"required":["id"]}}},"description":"Successfully deleted Attack Discovery schedule, returning the ID of the deleted schedule for confirmation"},"400":{"content":{"application/json":{"example":{"error":"Bad Request","message":"Invalid request parameters","status_code":400},"schema":{"$ref":"#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError"}}},"description":"Generic Error"}},"summary":"Delete Attack discovery schedule","tags":["Security Attack discovery API"],"x-code-samples":[{"label":"Delete an Attack discovery schedule","lang":"curl","source":"curl \\\n --request DELETE 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012' \\\n --header \"Authorization: $API_KEY\" \\\n --header \"Content-Type: application/json\"\n"}],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/attack_discovery/schedules/{id}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nRetrieves a specific Attack discovery schedule by its unique identifier. Returns complete schedule configuration including parameters, interval settings, associated actions, and execution history.","operationId":"GetAttackDiscoverySchedules","parameters":[{"description":"The unique identifier (UUID) of the Attack Discovery schedule to retrieve. This ID is returned when creating a schedule and can be found in schedule listings.","example":"12345678-1234-1234-1234-123456789012","in":"path","name":"id","required":true,"schema":{"$ref":"#/components/schemas/Security_Attack_discovery_API_NonEmptyString"}}],"responses":{"200":{"content":{"application/json":{"example":{"actions":[],"created_at":"2023-10-31T10:00:00.000Z","created_by":"elastic","enabled":true,"id":"12345678-1234-1234-1234-123456789012","last_execution":{"date":"2023-10-31T10:00:00.000Z","last_duration":45.2,"status":"ok"},"name":"Daily Security Analysis","params":{"alerts_index_pattern":".alerts-security.alerts-default","api_config":{"actionTypeId":"bedrock","connectorId":"my-bedrock-connector","name":"Claude 3.5 Sonnet"},"end":"now","size":100,"start":"now-24h"},"schedule":{"interval":"24h"},"updated_at":"2023-10-31T10:00:00.000Z","updated_by":"elastic"},"schema":{"$ref":"#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiSchedule"}}},"description":"Successfully retrieved Attack Discovery schedule with complete configuration and metadata"},"400":{"content":{"application/json":{"example":{"error":"Bad Request","message":"Invalid request parameters","status_code":400},"schema":{"$ref":"#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError"}}},"description":"Generic Error"}},"summary":"Get Attack discovery schedule by ID","tags":["Security Attack discovery API"],"x-code-samples":[{"label":"Get an Attack discovery schedule by ID","lang":"curl","source":"curl \\\n --request GET 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012' \\\n --header \"Authorization: $API_KEY\" \\\n --header \"Content-Type: application/json\"\n"}],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"put":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb put\"\u003eput\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/attack_discovery/schedules/{id}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nUpdates an existing Attack discovery schedule with new configuration. All schedule properties can be modified including name, parameters, interval, and actions. The update operation replaces the entire schedule configuration with the provided values.","operationId":"UpdateAttackDiscoverySchedules","parameters":[{"description":"The unique identifier (UUID) of the Attack Discovery schedule to update. This ID is returned when creating a schedule and can be found in schedule listings.","example":"12345678-1234-1234-1234-123456789012","in":"path","name":"id","required":true,"schema":{"$ref":"#/components/schemas/Security_Attack_discovery_API_NonEmptyString"}}],"requestBody":{"content":{"application/json":{"example":{"actions":[],"name":"Updated Daily Security Analysis","params":{"alerts_index_pattern":".alerts-security.alerts-default","api_config":{"actionTypeId":"bedrock","connectorId":"my-bedrock-connector","name":"Claude 3.5 Sonnet"},"end":"now","size":200,"start":"now-48h"},"schedule":{"interval":"12h"}},"schema":{"$ref":"#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleUpdateProps"}}},"description":"Updated Attack discovery schedule configuration. All fields are required as this replaces the entire schedule configuration.","required":true},"responses":{"200":{"content":{"application/json":{"example":{"actions":[],"created_at":"2023-10-31T10:00:00.000Z","created_by":"elastic","enabled":true,"id":"12345678-1234-1234-1234-123456789012","name":"Updated Daily Security Analysis","params":{"alerts_index_pattern":".alerts-security.alerts-default","api_config":{"actionTypeId":"bedrock","connectorId":"my-bedrock-connector","name":"Claude 3.5 Sonnet"},"end":"now","size":200,"start":"now-48h"},"schedule":{"interval":"12h"},"updated_at":"2023-10-31T12:00:00.000Z","updated_by":"elastic"},"schema":{"$ref":"#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiSchedule"}}},"description":"Successfully updated Attack Discovery schedule with the new configuration and metadata"},"400":{"content":{"application/json":{"example":{"error":"Bad Request","message":"Invalid request parameters","status_code":400},"schema":{"$ref":"#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError"}}},"description":"Generic Error"}},"summary":"Update Attack discovery schedule","tags":["Security Attack discovery API"],"x-code-samples":[{"label":"Update an Attack discovery schedule","lang":"curl","source":"curl \\\n --request PUT 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012' \\\n --header \"Authorization: $API_KEY\" \\\n --header \"Content-Type: application/json\" \\\n --data '{\n   \"name\": \"Updated Daily Security Analysis\",\n   \"params\": {\n     \"alerts_index_pattern\": \".alerts-security.alerts-default\",\n     \"api_config\": {\n       \"actionTypeId\": \"bedrock\",\n       \"connectorId\": \"my-bedrock-connector\",\n       \"name\": \"Claude 3.5 Sonnet\"\n     },\n     \"size\": 200,\n     \"start\": \"now-48h\",\n     \"end\": \"now\"\n   },\n   \"schedule\": {\n     \"interval\": \"12h\"\n   },\n   \"actions\": []\n }'\n"}],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/attack_discovery/schedules/{id}/_disable":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/attack_discovery/schedules/{id}/_disable\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nDisables an Attack discovery schedule, preventing it from running according to its configured interval. The schedule configuration is preserved and can be re-enabled later. Any currently running executions will complete, but no new executions will be started.","operationId":"DisableAttackDiscoverySchedules","parameters":[{"description":"The unique identifier (UUID) of the Attack Discovery schedule to disable. This ID is returned when creating a schedule and can be found in schedule listings.","example":"12345678-1234-1234-1234-123456789012","in":"path","name":"id","required":true,"schema":{"$ref":"#/components/schemas/Security_Attack_discovery_API_NonEmptyString"}}],"responses":{"200":{"content":{"application/json":{"example":{"id":"12345678-1234-1234-1234-123456789012"},"schema":{"type":"object","properties":{"id":{"$ref":"#/components/schemas/Security_Attack_discovery_API_NonEmptyString","description":"The unique identifier of the disabled Attack Discovery schedule"}},"required":["id"]}}},"description":"Successfully disabled Attack Discovery schedule, returning the schedule ID for confirmation"},"400":{"content":{"application/json":{"example":{"error":"Bad Request","message":"Invalid request parameters","status_code":400},"schema":{"$ref":"#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError"}}},"description":"Generic Error"}},"summary":"Disable Attack discovery schedule","tags":["Security Attack discovery API"],"x-code-samples":[{"label":"Disable an Attack discovery schedule","lang":"curl","source":"curl \\\n --request POST 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012/_disable' \\\n --header \"Authorization: $API_KEY\" \\\n --header \"Content-Type: application/json\"\n"}],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/attack_discovery/schedules/{id}/_enable":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/attack_discovery/schedules/{id}/_enable\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nEnables a previously disabled Attack discovery schedule, allowing it to run according to its configured interval. Once enabled, the schedule will begin executing at the next scheduled time based on its interval configuration.","operationId":"EnableAttackDiscoverySchedules","parameters":[{"description":"The unique identifier (UUID) of the Attack Discovery schedule to enable. This ID is returned when creating a schedule and can be found in schedule listings.","example":"12345678-1234-1234-1234-123456789012","in":"path","name":"id","required":true,"schema":{"$ref":"#/components/schemas/Security_Attack_discovery_API_NonEmptyString"}}],"responses":{"200":{"content":{"application/json":{"example":{"id":"12345678-1234-1234-1234-123456789012"},"schema":{"type":"object","properties":{"id":{"$ref":"#/components/schemas/Security_Attack_discovery_API_NonEmptyString","description":"The unique identifier of the enabled Attack Discovery schedule"}},"required":["id"]}}},"description":"Successfully enabled Attack Discovery schedule, returning the schedule ID for confirmation"},"400":{"content":{"application/json":{"example":{"error":"Bad Request","message":"Invalid request parameters","status_code":400},"schema":{"$ref":"#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError"}}},"description":"Generic Error"}},"summary":"Enable Attack discovery schedule","tags":["Security Attack discovery API"],"x-code-samples":[{"label":"Enable an Attack discovery schedule","lang":"curl","source":"curl \\\n --request POST 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012/_enable' \\\n --header \"Authorization: $API_KEY\" \\\n --header \"Content-Type: application/json\"\n"}],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/cases":{"delete":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb delete\"\u003edelete\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/cases\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nYou must have `read` or `all` privileges and the `delete` sub-feature privilege for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases you're deleting.\n","operationId":"deleteCaseDefaultSpace","parameters":[{"$ref":"#/components/parameters/Cases_kbn_xsrf"},{"$ref":"#/components/parameters/Cases_ids"}],"responses":{"204":{"description":"Indicates a successful call."},"401":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Cases_4xx_response"}}},"description":"Authorization information is missing or invalid."}},"summary":"Delete cases","tags":["cases"],"x-code-samples":[{"label":"curl","lang":"curl","source":"curl \\\n  --request DELETE 'https://localhost:5601/api/cases?ids=%5B%22030e6e34-6470-4001-864f-b229511ad188%22%2C%22e662ff34-0493-4538-b9d1-6706ced02ff2%22%5D' \\\n  --header \"Authorization: $API_KEY\" \\\n  --header \"Content-Type: application/json\"\n  --header \"kbn-xsrf: true\"\n"},{"label":"Console","lang":"console","source":"DELETE kbn:/api/cases?ids=[\"030e6e34-6470-4001-864f-b229511ad188\",\"e662ff34-0493-4538-b9d1-6706ced02ff2\"]\n"}],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"patch":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb patch\"\u003epatch\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/cases\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nYou must have `all` privileges for the **Cases** feature in the  **Management**, **Observability**, or **Security** section of the Kibana  feature privileges, depending on the owner of the case you're updating.\n","operationId":"updateCaseDefaultSpace","parameters":[{"$ref":"#/components/parameters/Cases_kbn_xsrf"}],"requestBody":{"content":{"application/json":{"examples":{"updateCaseRequest":{"$ref":"#/components/examples/Cases_update_case_request"}},"schema":{"$ref":"#/components/schemas/Cases_update_case_request"}}}},"responses":{"200":{"content":{"application/json":{"examples":{"updateCaseResponse":{"$ref":"#/components/examples/Cases_update_case_response"}},"schema":{"items":{"$ref":"#/components/schemas/Cases_case_response_properties"},"type":"array"}}},"description":"Indicates a successful call."},"401":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Cases_4xx_response"}}},"description":"Authorization information is missing or invalid."}},"summary":"Update cases","tags":["cases"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/cases\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nYou must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana  feature privileges, depending on the owner of the case you're creating.\n","operationId":"createCaseDefaultSpace","parameters":[{"$ref":"#/components/parameters/Cases_kbn_xsrf"}],"requestBody":{"content":{"application/json":{"examples":{"createCaseRequest":{"$ref":"#/components/examples/Cases_create_case_request"}},"schema":{"$ref":"#/components/schemas/Cases_create_case_request"}}},"required":true},"responses":{"200":{"content":{"application/json":{"examples":{"createCaseResponse":{"$ref":"#/components/examples/Cases_create_case_response"}},"schema":{"$ref":"#/components/schemas/Cases_case_response_properties"}}},"description":"Indicates a successful call."},"401":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Cases_4xx_response"}}},"description":"Authorization information is missing or invalid."}},"summary":"Create a case","tags":["cases"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/cases/_find":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/cases/_find\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nYou must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases you're seeking.\n","operationId":"findCasesDefaultSpace","parameters":[{"$ref":"#/components/parameters/Cases_assignees_filter"},{"$ref":"#/components/parameters/Cases_category"},{"$ref":"#/components/parameters/Cases_defaultSearchOperator"},{"$ref":"#/components/parameters/Cases_from"},{"$ref":"#/components/parameters/Cases_owner_filter"},{"$ref":"#/components/parameters/Cases_page_index"},{"$ref":"#/components/parameters/Cases_page_size"},{"$ref":"#/components/parameters/Cases_reporters"},{"$ref":"#/components/parameters/Cases_search"},{"$ref":"#/components/parameters/Cases_searchFields"},{"$ref":"#/components/parameters/Cases_severity"},{"$ref":"#/components/parameters/Cases_sortField"},{"$ref":"#/components/parameters/Cases_sort_order"},{"$ref":"#/components/parameters/Cases_status"},{"$ref":"#/components/parameters/Cases_tags"},{"$ref":"#/components/parameters/Cases_to"}],"responses":{"200":{"content":{"application/json":{"examples":{"findCaseResponse":{"$ref":"#/components/examples/Cases_find_case_response"}},"schema":{"type":"object","properties":{"cases":{"items":{"$ref":"#/components/schemas/Cases_case_response_properties"},"maxItems":10000,"type":"array"},"count_closed_cases":{"type":"integer"},"count_in_progress_cases":{"type":"integer"},"count_open_cases":{"type":"integer"},"page":{"type":"integer"},"per_page":{"type":"integer"},"total":{"type":"integer"}}}}},"description":"Indicates a successful call."},"401":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Cases_4xx_response"}}},"description":"Authorization information is missing or invalid."}},"summary":"Search cases","tags":["cases"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/cases/{caseId}":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/cases/{caseId}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nYou must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case you're seeking.\n","operationId":"getCaseDefaultSpace","parameters":[{"$ref":"#/components/parameters/Cases_case_id"},{"$ref":"#/components/parameters/Cases_includeComments"}],"responses":{"200":{"content":{"application/json":{"examples":{"getDefaultCaseResponse":{"$ref":"#/components/examples/Cases_get_case_response"},"getDefaultObservabilityCaseReponse":{"$ref":"#/components/examples/Cases_get_case_observability_response"}},"schema":{"$ref":"#/components/schemas/Cases_case_response_properties"}}},"description":"Indicates a successful call."},"401":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Cases_4xx_response"}}},"description":"Authorization information is missing or invalid."}},"summary":"Get case information","tags":["cases"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/cases/{caseId}/alerts":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/cases/{caseId}/alerts\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nYou must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases you're seeking.\n","operationId":"getCaseAlertsDefaultSpace","parameters":[{"$ref":"#/components/parameters/Cases_case_id"}],"responses":{"200":{"content":{"application/json":{"examples":{"getCaseAlertsResponse":{"$ref":"#/components/examples/Cases_get_case_alerts_response"}},"schema":{"items":{"$ref":"#/components/schemas/Cases_alert_response_properties"},"type":"array"}}},"description":"Indicates a successful call."},"401":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Cases_4xx_response"}}},"description":"Authorization information is missing or invalid."}},"summary":"Get all alerts for a case","tags":["cases"],"x-state":"Technical preview","x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/cases/{caseId}/comments":{"delete":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb delete\"\u003edelete\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/cases/{caseId}/comments\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nDeletes all comments and alerts from a case. You must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases you're deleting.\n","operationId":"deleteCaseCommentsDefaultSpace","parameters":[{"$ref":"#/components/parameters/Cases_kbn_xsrf"},{"$ref":"#/components/parameters/Cases_case_id"}],"responses":{"204":{"description":"Indicates a successful call."},"401":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Cases_4xx_response"}}},"description":"Authorization information is missing or invalid."}},"summary":"Delete all case comments and alerts","tags":["cases"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"patch":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb patch\"\u003epatch\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/cases/{caseId}/comments\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nYou must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case you're updating. NOTE: You cannot change the comment type or the owner of a comment.\n","operationId":"updateCaseCommentDefaultSpace","parameters":[{"$ref":"#/components/parameters/Cases_kbn_xsrf"},{"$ref":"#/components/parameters/Cases_case_id"}],"requestBody":{"content":{"application/json":{"examples":{"updateCaseCommentRequest":{"$ref":"#/components/examples/Cases_update_comment_request"}},"schema":{"$ref":"#/components/schemas/Cases_update_case_comment_request"}}},"required":true},"responses":{"200":{"content":{"application/json":{"examples":{"updateCaseCommentResponse":{"$ref":"#/components/examples/Cases_update_comment_response"}},"schema":{"$ref":"#/components/schemas/Cases_case_response_properties"}}},"description":"Indicates a successful call."},"401":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Cases_4xx_response"}}},"description":"Authorization information is missing or invalid."}},"summary":"Update a case comment or alert","tags":["cases"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/cases/{caseId}/comments\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nYou must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case you're creating. NOTE: Each case can have a maximum of 1,000 alerts.\n","operationId":"addCaseCommentDefaultSpace","parameters":[{"$ref":"#/components/parameters/Cases_kbn_xsrf"},{"$ref":"#/components/parameters/Cases_case_id"}],"requestBody":{"content":{"application/json":{"examples":{"createCaseCommentRequest":{"$ref":"#/components/examples/Cases_add_comment_request"}},"schema":{"$ref":"#/components/schemas/Cases_add_case_comment_request"}}},"required":true},"responses":{"200":{"content":{"application/json":{"examples":{"createCaseCommentResponse":{"$ref":"#/components/examples/Cases_add_comment_response"}},"schema":{"$ref":"#/components/schemas/Cases_case_response_properties"}}},"description":"Indicates a successful call."},"401":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Cases_4xx_response"}}},"description":"Authorization information is missing or invalid."}},"summary":"Add a case comment or alert","tags":["cases"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/cases/{caseId}/comments/_find":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/cases/{caseId}/comments/_find\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nRetrieves a paginated list of comments for a case. You must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases with the comments you're seeking.\n","operationId":"findCaseCommentsDefaultSpace","parameters":[{"$ref":"#/components/parameters/Cases_case_id"},{"$ref":"#/components/parameters/Cases_page_index"},{"$ref":"#/components/parameters/Cases_page_size"},{"$ref":"#/components/parameters/Cases_sort_order"}],"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Cases_case_response_properties"}}},"description":"Indicates a successful call."},"401":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Cases_4xx_response"}}},"description":"Authorization information is missing or invalid."}},"summary":"Find case comments and alerts","tags":["cases"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/cases/{caseId}/comments/{commentId}":{"delete":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb delete\"\u003edelete\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/cases/{caseId}/comments/{commentId}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nYou must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases you're deleting.\n","operationId":"deleteCaseCommentDefaultSpace","parameters":[{"$ref":"#/components/parameters/Cases_kbn_xsrf"},{"$ref":"#/components/parameters/Cases_case_id"},{"$ref":"#/components/parameters/Cases_comment_id"}],"responses":{"204":{"description":"Indicates a successful call."},"401":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Cases_4xx_response"}}},"description":"Authorization information is missing or invalid."}},"summary":"Delete a case comment or alert","tags":["cases"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/cases/{caseId}/comments/{commentId}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nYou must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases with the comments you're seeking.\n","operationId":"getCaseCommentDefaultSpace","parameters":[{"$ref":"#/components/parameters/Cases_case_id"},{"$ref":"#/components/parameters/Cases_comment_id"}],"responses":{"200":{"content":{"application/json":{"examples":{"getCaseCommentResponse":{"$ref":"#/components/examples/Cases_get_comment_response"}},"schema":{"oneOf":[{"$ref":"#/components/schemas/Cases_alert_comment_response_properties"},{"$ref":"#/components/schemas/Cases_user_comment_response_properties"}]}}},"description":"Indicates a successful call."},"401":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Cases_4xx_response"}}},"description":"Authorization information is missing or invalid."}},"summary":"Get a case comment or alert","tags":["cases"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/cases/{caseId}/connector/{connectorId}/_push":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/cases/{caseId}/connector/{connectorId}/_push\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nYou must have `all` privileges for the **Actions and Connectors** feature in the **Management** section of the Kibana feature privileges. You must also have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case you're pushing.\n","operationId":"pushCaseDefaultSpace","parameters":[{"$ref":"#/components/parameters/Cases_case_id"},{"$ref":"#/components/parameters/Cases_connector_id"},{"$ref":"#/components/parameters/Cases_kbn_xsrf"}],"requestBody":{"content":{"application/json":{"schema":{"nullable":true,"type":"object"}}}},"responses":{"200":{"content":{"application/json":{"examples":{"pushCaseResponse":{"$ref":"#/components/examples/Cases_push_case_response"}},"schema":{"$ref":"#/components/schemas/Cases_case_response_properties"}}},"description":"Indicates a successful call."},"401":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Cases_4xx_response"}}},"description":"Authorization information is missing or invalid."}},"summary":"Push a case to an external service","tags":["cases"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/cases/{caseId}/files":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/cases/{caseId}/files\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nAttach a file to a case. You must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case you're updating. The request must include:\n- The `Content-Type: multipart/form-data` HTTP header.\n- The location of the file that is being uploaded.\n","operationId":"addCaseFileDefaultSpace","parameters":[{"$ref":"#/components/parameters/Cases_kbn_xsrf"},{"$ref":"#/components/parameters/Cases_case_id"}],"requestBody":{"content":{"multipart/form-data":{"schema":{"$ref":"#/components/schemas/Cases_add_case_file_request"}}},"required":true},"responses":{"200":{"content":{"application/json":{"examples":{"addCaseFileResponse":{"$ref":"#/components/examples/Cases_add_comment_response"}},"schema":{"$ref":"#/components/schemas/Cases_case_response_properties"}}},"description":"Indicates a successful call."},"401":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Cases_4xx_response"}}},"description":"Authorization information is missing or invalid."}},"summary":"Attach a file to a case","tags":["cases"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/cases/{caseId}/user_actions/_find":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/cases/{caseId}/user_actions/_find\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nRetrives a paginated list of user activity for a case. You must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case you're seeking.\n","operationId":"findCaseActivityDefaultSpace","parameters":[{"$ref":"#/components/parameters/Cases_case_id"},{"$ref":"#/components/parameters/Cases_page_index"},{"$ref":"#/components/parameters/Cases_page_size"},{"$ref":"#/components/parameters/Cases_sort_order"},{"$ref":"#/components/parameters/Cases_user_action_types"}],"responses":{"200":{"content":{"application/json":{"examples":{"findCaseActivityResponse":{"$ref":"#/components/examples/Cases_find_case_activity_response"}},"schema":{"type":"object","properties":{"page":{"type":"integer"},"perPage":{"type":"integer"},"total":{"type":"integer"},"userActions":{"items":{"$ref":"#/components/schemas/Cases_user_actions_find_response_properties"},"maxItems":10000,"type":"array"}}}}},"description":"Indicates a successful call."},"401":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Cases_4xx_response"}}},"description":"Authorization information is missing or invalid."}},"summary":"Find case activity","tags":["cases"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/cases/alerts/{alertId}":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/cases/alerts/{alertId}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nYou must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases you're seeking.\n","operationId":"getCasesByAlertDefaultSpace","parameters":[{"$ref":"#/components/parameters/Cases_alert_id"},{"$ref":"#/components/parameters/Cases_owner_filter"}],"responses":{"200":{"content":{"application/json":{"schema":{"example":[{"id":"06116b80-e1c3-11ec-be9b-9b1838238ee6","title":"security_case"}],"items":{"type":"object","properties":{"id":{"description":"The case identifier.","type":"string"},"title":{"description":"The case title.","type":"string"}}},"maxItems":10000,"type":"array"}}},"description":"Indicates a successful call."},"401":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Cases_4xx_response"}}},"description":"Authorization information is missing or invalid."}},"summary":"Get cases for an alert","tags":["cases"],"x-state":"Technical preview","x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/cases/configure":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/cases/configure\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nGet setting details such as the closure type, custom fields, templatse, and the default connector for cases. You must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on where the cases were created.\n","operationId":"getCaseConfigurationDefaultSpace","parameters":[{"$ref":"#/components/parameters/Cases_owner_filter"}],"responses":{"200":{"content":{"application/json":{"examples":{"getConfigurationResponse":{"$ref":"#/components/examples/Cases_get_case_configuration_response"}},"schema":{"items":{"type":"object","properties":{"closure_type":{"$ref":"#/components/schemas/Cases_closure_types"},"connector":{"type":"object","properties":{"fields":{"description":"The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to `null`.","nullable":true,"type":"object"},"id":{"description":"The identifier for the connector. If you do not want a default connector, use `none`. To retrieve connector IDs, use the find connectors API.","example":"none","type":"string"},"name":{"description":"The name of the connector. If you do not want a default connector, use `none`. To retrieve connector names, use the find connectors API.","example":"none","type":"string"},"type":{"$ref":"#/components/schemas/Cases_connector_types"}}},"created_at":{"example":"2022-06-01T17:07:17.767Z","format":"date-time","type":"string"},"created_by":{"type":"object","properties":{"email":{"example":null,"nullable":true,"type":"string"},"full_name":{"example":null,"nullable":true,"type":"string"},"profile_uid":{"example":"u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0","type":"string"},"username":{"example":"elastic","nullable":true,"type":"string"}},"required":["email","full_name","username"]},"customFields":{"description":"Custom fields configuration details.","items":{"type":"object","properties":{"defaultValue":{"description":"A default value for the custom field. If the `type` is `text`, the default value must be a string. If the `type` is `toggle`, the default value must be boolean.\n","oneOf":[{"type":"string"},{"type":"boolean"}]},"key":{"description":"A unique key for the custom field. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific custom field.\n","maxLength":36,"minLength":1,"type":"string"},"label":{"description":"The custom field label that is displayed in the case.","maxLength":50,"minLength":1,"type":"string"},"type":{"description":"The type of the custom field.","enum":["text","toggle"],"type":"string"},"required":{"description":"Indicates whether the field is required. If `false`, the custom field can be set to null or omitted when a case is created or updated.\n","type":"boolean"}}},"type":"array"},"error":{"example":null,"nullable":true,"type":"string"},"id":{"example":"4a97a440-e1cd-11ec-be9b-9b1838238ee6","type":"string"},"mappings":{"items":{"type":"object","properties":{"action_type":{"example":"overwrite","type":"string"},"source":{"example":"title","type":"string"},"target":{"example":"summary","type":"string"}}},"type":"array"},"owner":{"$ref":"#/components/schemas/Cases_owner"},"templates":{"$ref":"#/components/schemas/Cases_templates"},"updated_at":{"example":"2022-06-01T19:58:48.169Z","format":"date-time","nullable":true,"type":"string"},"updated_by":{"nullable":true,"type":"object","properties":{"email":{"example":null,"nullable":true,"type":"string"},"full_name":{"example":null,"nullable":true,"type":"string"},"profile_uid":{"example":"u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0","type":"string"},"username":{"example":"elastic","nullable":true,"type":"string"}},"required":["email","full_name","username"]},"version":{"example":"WzIwNzMsMV0=","type":"string"}}},"type":"array"}}},"description":"Indicates a successful call."},"401":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Cases_4xx_response"}}},"description":"Authorization information is missing or invalid."}},"summary":"Get case settings","tags":["cases"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/cases/configure\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nCase settings include external connection details, custom fields, and templates. Connectors are used to interface with external systems. You must create a connector before you can use it in your cases. If you set a default connector, it is automatically selected when you create cases in Kibana. If you use the create case API, however, you must still specify all of the connector details. You must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on where you are creating cases.\n","operationId":"setCaseConfigurationDefaultSpace","parameters":[{"$ref":"#/components/parameters/Cases_kbn_xsrf"}],"requestBody":{"content":{"application/json":{"examples":{"setCaseConfigRequest":{"$ref":"#/components/examples/Cases_set_case_configuration_request"}},"schema":{"$ref":"#/components/schemas/Cases_set_case_configuration_request"}}}},"responses":{"200":{"content":{"application/json":{"examples":{"setCaseConfigResponse":{"$ref":"#/components/examples/Cases_set_case_configuration_response"}},"schema":{"type":"object","properties":{"closure_type":{"$ref":"#/components/schemas/Cases_closure_types"},"connector":{"type":"object","properties":{"fields":{"description":"The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to `null`.","nullable":true,"type":"object"},"id":{"description":"The identifier for the connector. If you do not want a default connector, use `none`. To retrieve connector IDs, use the find connectors API.","example":"none","type":"string"},"name":{"description":"The name of the connector. If you do not want a default connector, use `none`. To retrieve connector names, use the find connectors API.","example":"none","type":"string"},"type":{"$ref":"#/components/schemas/Cases_connector_types"}}},"created_at":{"example":"2022-06-01T17:07:17.767Z","format":"date-time","type":"string"},"created_by":{"type":"object","properties":{"email":{"example":null,"nullable":true,"type":"string"},"full_name":{"example":null,"nullable":true,"type":"string"},"profile_uid":{"example":"u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0","type":"string"},"username":{"example":"elastic","nullable":true,"type":"string"}},"required":["email","full_name","username"]},"customFields":{"description":"Custom fields configuration details.","items":{"type":"object","properties":{"defaultValue":{"description":"A default value for the custom field. If the `type` is `text`, the default value must be a string. If the `type` is `toggle`, the default value must be boolean.\n","oneOf":[{"type":"string"},{"type":"boolean"}]},"key":{"description":"A unique key for the custom field. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific custom field.\n","maxLength":36,"minLength":1,"type":"string"},"label":{"description":"The custom field label that is displayed in the case.","maxLength":50,"minLength":1,"type":"string"},"type":{"description":"The type of the custom field.","enum":["text","toggle"],"type":"string"},"required":{"description":"Indicates whether the field is required. If `false`, the custom field can be set to null or omitted when a case is created or updated.\n","type":"boolean"}}},"type":"array"},"error":{"example":null,"nullable":true,"type":"string"},"id":{"example":"4a97a440-e1cd-11ec-be9b-9b1838238ee6","type":"string"},"mappings":{"items":{"type":"object","properties":{"action_type":{"example":"overwrite","type":"string"},"source":{"example":"title","type":"string"},"target":{"example":"summary","type":"string"}}},"type":"array"},"owner":{"$ref":"#/components/schemas/Cases_owner"},"templates":{"$ref":"#/components/schemas/Cases_templates"},"updated_at":{"example":"2022-06-01T19:58:48.169Z","format":"date-time","nullable":true,"type":"string"},"updated_by":{"nullable":true,"type":"object","properties":{"email":{"example":null,"nullable":true,"type":"string"},"full_name":{"example":null,"nullable":true,"type":"string"},"profile_uid":{"example":"u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0","type":"string"},"username":{"example":"elastic","nullable":true,"type":"string"}},"required":["email","full_name","username"]},"version":{"example":"WzIwNzMsMV0=","type":"string"}}}}},"description":"Indicates a successful call."},"401":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Cases_4xx_response"}}},"description":"Authorization information is missing or invalid."}},"summary":"Add case settings","tags":["cases"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/cases/configure/{configurationId}":{"patch":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb patch\"\u003epatch\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/cases/configure/{configurationId}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nUpdates setting details such as the closure type, custom fields, templates, and the default connector for cases. Connectors are used to interface with external systems. You must create a connector before you can use it in your cases. You must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on where the case was created.\n","operationId":"updateCaseConfigurationDefaultSpace","parameters":[{"$ref":"#/components/parameters/Cases_kbn_xsrf"},{"$ref":"#/components/parameters/Cases_configuration_id"}],"requestBody":{"content":{"application/json":{"examples":{"updateCaseConfigurationRequest":{"$ref":"#/components/examples/Cases_update_case_configuration_request"}},"schema":{"$ref":"#/components/schemas/Cases_update_case_configuration_request"}}}},"responses":{"200":{"content":{"application/json":{"examples":{"updateCaseConfigurationResponse":{"$ref":"#/components/examples/Cases_update_case_configuration_response"}},"schema":{"type":"object","properties":{"closure_type":{"$ref":"#/components/schemas/Cases_closure_types"},"connector":{"type":"object","properties":{"fields":{"description":"The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to `null`.","nullable":true,"type":"object"},"id":{"description":"The identifier for the connector. If you do not want a default connector, use `none`. To retrieve connector IDs, use the find connectors API.","example":"none","type":"string"},"name":{"description":"The name of the connector. If you do not want a default connector, use `none`. To retrieve connector names, use the find connectors API.","example":"none","type":"string"},"type":{"$ref":"#/components/schemas/Cases_connector_types"}}},"created_at":{"example":"2022-06-01T17:07:17.767Z","format":"date-time","type":"string"},"created_by":{"type":"object","properties":{"email":{"example":null,"nullable":true,"type":"string"},"full_name":{"example":null,"nullable":true,"type":"string"},"profile_uid":{"example":"u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0","type":"string"},"username":{"example":"elastic","nullable":true,"type":"string"}},"required":["email","full_name","username"]},"customFields":{"description":"Custom fields configuration details.","items":{"type":"object","properties":{"defaultValue":{"description":"A default value for the custom field. If the `type` is `text`, the default value must be a string. If the `type` is `toggle`, the default value must be boolean.\n","oneOf":[{"type":"string"},{"type":"boolean"}]},"key":{"description":"A unique key for the custom field. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific custom field.\n","maxLength":36,"minLength":1,"type":"string"},"label":{"description":"The custom field label that is displayed in the case.","maxLength":50,"minLength":1,"type":"string"},"type":{"description":"The type of the custom field.","enum":["text","toggle"],"type":"string"},"required":{"description":"Indicates whether the field is required. If `false`, the custom field can be set to null or omitted when a case is created or updated.\n","type":"boolean"}}},"type":"array"},"error":{"example":null,"nullable":true,"type":"string"},"id":{"example":"4a97a440-e1cd-11ec-be9b-9b1838238ee6","type":"string"},"mappings":{"items":{"type":"object","properties":{"action_type":{"example":"overwrite","type":"string"},"source":{"example":"title","type":"string"},"target":{"example":"summary","type":"string"}}},"type":"array"},"owner":{"$ref":"#/components/schemas/Cases_owner"},"templates":{"$ref":"#/components/schemas/Cases_templates"},"updated_at":{"example":"2022-06-01T19:58:48.169Z","format":"date-time","nullable":true,"type":"string"},"updated_by":{"nullable":true,"type":"object","properties":{"email":{"example":null,"nullable":true,"type":"string"},"full_name":{"example":null,"nullable":true,"type":"string"},"profile_uid":{"example":"u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0","type":"string"},"username":{"example":"elastic","nullable":true,"type":"string"}},"required":["email","full_name","username"]},"version":{"example":"WzIwNzMsMV0=","type":"string"}}}}},"description":"Indicates a successful call."},"401":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Cases_4xx_response"}}},"description":"Authorization information is missing or invalid."}},"summary":"Update case settings","tags":["cases"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/cases/configure/connectors/_find":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/cases/configure/connectors/_find\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nGet information about connectors that are supported for use in cases. You must have `read` privileges for the **Actions and Connectors** feature in the **Management** section of the Kibana feature privileges.\n","operationId":"findCaseConnectorsDefaultSpace","responses":{"200":{"content":{"application/json":{"examples":{"findConnectorResponse":{"$ref":"#/components/examples/Cases_find_connector_response"}},"schema":{"items":{"type":"object","properties":{"actionTypeId":{"$ref":"#/components/schemas/Cases_connector_types"},"config":{"additionalProperties":true,"type":"object","properties":{"apiUrl":{"type":"string"},"projectKey":{"type":"string"}}},"id":{"type":"string"},"isDeprecated":{"type":"boolean"},"isMissingSecrets":{"type":"boolean"},"isPreconfigured":{"type":"boolean"},"name":{"type":"string"},"referencedByCount":{"type":"integer"}}},"maxItems":1000,"type":"array"}}},"description":"Indicates a successful call."},"401":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Cases_4xx_response"}}},"description":"Authorization information is missing or invalid."}},"summary":"Get case connectors","tags":["cases"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/cases/reporters":{"get":{"description":"Returns information about the users who opened cases. You must have read privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases. The API returns information about the users as they existed at the time of the case creation, including their name, full name, and email address. If any of those details change thereafter or if a user is deleted, the information returned by this API is unchanged.\n","operationId":"getCaseReportersDefaultSpace","parameters":[{"$ref":"#/components/parameters/Cases_owner_filter"}],"responses":{"200":{"content":{"application/json":{"examples":{"getReportersResponse":{"$ref":"#/components/examples/Cases_get_reporters_response"}},"schema":{"items":{"type":"object","properties":{"email":{"example":null,"nullable":true,"type":"string"},"full_name":{"example":null,"nullable":true,"type":"string"},"profile_uid":{"example":"u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0","type":"string"},"username":{"example":"elastic","nullable":true,"type":"string"}},"required":["email","full_name","username"]},"maxItems":10000,"type":"array"}}},"description":"Indicates a successful call."},"401":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Cases_4xx_response"}}},"description":"Authorization information is missing or invalid."}},"summary":"Get case creators","tags":["cases"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/cases/tags":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/cases/tags\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nAggregates and returns a list of case tags. You must have read privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases you're seeking.\n","operationId":"getCaseTagsDefaultSpace","parameters":[{"$ref":"#/components/parameters/Cases_owner_filter"}],"responses":{"200":{"content":{"application/json":{"examples":{"getTagsResponse":{"$ref":"#/components/examples/Cases_get_tags_response"}},"schema":{"items":{"type":"string"},"maxItems":10000,"type":"array"}}},"description":"Indicates a successful call."},"401":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Cases_4xx_response"}}},"description":"Authorization information is missing or invalid."}},"summary":"Get case tags","tags":["cases"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/data_views":{"get":{"operationId":"getAllDataViewsDefault","responses":{"200":{"content":{"application/json":{"examples":{"getAllDataViewsResponse":{"$ref":"#/components/examples/Data_views_get_data_views_response"}},"schema":{"type":"object","properties":{"data_view":{"items":{"type":"object","properties":{"id":{"type":"string"},"name":{"type":"string"},"namespaces":{"items":{"type":"string"},"type":"array"},"title":{"type":"string"},"typeMeta":{"type":"object"}}},"type":"array"}}}}},"description":"Indicates a successful call."},"400":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Data_views_400_response"}}},"description":"Bad request"}},"summary":"Get all data views","tags":["data views"],"x-metaTags":[{"content":"Kibana","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/data_views\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information."}},"/api/data_views/data_view":{"post":{"operationId":"createDataViewDefaultw","parameters":[{"$ref":"#/components/parameters/Data_views_kbn_xsrf"}],"requestBody":{"content":{"application/json":{"examples":{"createDataViewRequest":{"$ref":"#/components/examples/Data_views_create_data_view_request"}},"schema":{"$ref":"#/components/schemas/Data_views_create_data_view_request_object"}}},"required":true},"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Data_views_data_view_response_object"}}},"description":"Indicates a successful call."},"400":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Data_views_400_response"}}},"description":"Bad request"}},"summary":"Create a data view","tags":["data views"],"x-metaTags":[{"content":"Kibana","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/data_views/data_view\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information."}},"/api/data_views/data_view/{viewId}":{"delete":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb delete\"\u003edelete\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/data_views/data_view/{viewId}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nWARNING: When you delete a data view, it cannot be recovered.\n","operationId":"deleteDataViewDefault","parameters":[{"$ref":"#/components/parameters/Data_views_kbn_xsrf"},{"$ref":"#/components/parameters/Data_views_view_id"}],"responses":{"204":{"description":"Indicates a successful call."},"404":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Data_views_404_response"}}},"description":"Object is not found."}},"summary":"Delete a data view","tags":["data views"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"get":{"operationId":"getDataViewDefault","parameters":[{"$ref":"#/components/parameters/Data_views_view_id"}],"responses":{"200":{"content":{"application/json":{"examples":{"getDataViewResponse":{"$ref":"#/components/examples/Data_views_get_data_view_response"}},"schema":{"$ref":"#/components/schemas/Data_views_data_view_response_object"}}},"description":"Indicates a successful call."},"404":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Data_views_404_response"}}},"description":"Object is not found."}},"summary":"Get a data view","tags":["data views"],"x-metaTags":[{"content":"Kibana","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/data_views/data_view/{viewId}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information."},"post":{"operationId":"updateDataViewDefault","parameters":[{"$ref":"#/components/parameters/Data_views_kbn_xsrf"},{"$ref":"#/components/parameters/Data_views_view_id"}],"requestBody":{"content":{"application/json":{"examples":{"updateDataViewRequest":{"$ref":"#/components/examples/Data_views_update_data_view_request"}},"schema":{"$ref":"#/components/schemas/Data_views_update_data_view_request_object"}}},"required":true},"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Data_views_data_view_response_object"}}},"description":"Indicates a successful call."},"400":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Data_views_400_response"}}},"description":"Bad request"}},"summary":"Update a data view","tags":["data views"],"x-metaTags":[{"content":"Kibana","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/data_views/data_view/{viewId}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information."}},"/api/data_views/data_view/{viewId}/fields":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/data_views/data_view/{viewId}/fields\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nUpdate fields presentation metadata such as count, customLabel, customDescription, and format.\n","operationId":"updateFieldsMetadataDefault","parameters":[{"$ref":"#/components/parameters/Data_views_kbn_xsrf"},{"$ref":"#/components/parameters/Data_views_view_id"}],"requestBody":{"content":{"application/json":{"examples":{"updateFieldsMetadataRequest":{"$ref":"#/components/examples/Data_views_update_field_metadata_request"}},"schema":{"type":"object","properties":{"fields":{"description":"The field object.","type":"object"}},"required":["fields"]}}},"required":true},"responses":{"200":{"content":{"application/json":{"schema":{"type":"object","properties":{"acknowledged":{"type":"boolean"}}}}},"description":"Indicates a successful call."},"400":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Data_views_400_response"}}},"description":"Bad request"}},"summary":"Update data view fields metadata","tags":["data views"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/data_views/data_view/{viewId}/runtime_field":{"post":{"operationId":"createRuntimeFieldDefault","parameters":[{"$ref":"#/components/parameters/Data_views_kbn_xsrf"},{"$ref":"#/components/parameters/Data_views_view_id"}],"requestBody":{"content":{"application/json":{"examples":{"createRuntimeFieldRequest":{"$ref":"#/components/examples/Data_views_create_runtime_field_request"}},"schema":{"type":"object","properties":{"name":{"description":"The name for a runtime field.\n","type":"string"},"runtimeField":{"description":"The runtime field definition object.\n","type":"object"}},"required":["name","runtimeField"]}}},"required":true},"responses":{"200":{"content":{"application/json":{"schema":{"type":"object"}}},"description":"Indicates a successful call."}},"summary":"Create a runtime field","tags":["data views"],"x-metaTags":[{"content":"Kibana","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/data_views/data_view/{viewId}/runtime_field\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information."},"put":{"operationId":"createUpdateRuntimeFieldDefault","parameters":[{"$ref":"#/components/parameters/Data_views_kbn_xsrf"},{"description":"The ID of the data view fields you want to update.\n","in":"path","name":"viewId","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"examples":{"updateRuntimeFieldRequest":{"$ref":"#/components/examples/Data_views_create_runtime_field_request"}},"schema":{"type":"object","properties":{"name":{"description":"The name for a runtime field.\n","type":"string"},"runtimeField":{"description":"The runtime field definition object.\n","type":"object"}},"required":["name","runtimeField"]}}},"required":true},"responses":{"200":{"content":{"application/json":{"schema":{"type":"object","properties":{"data_view":{"type":"object"},"fields":{"items":{"type":"object"},"type":"array"}}}}},"description":"Indicates a successful call."},"400":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Data_views_400_response"}}},"description":"Bad request"}},"summary":"Create or update a runtime field","tags":["data views"],"x-metaTags":[{"content":"Kibana","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb put\"\u003eput\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/data_views/data_view/{viewId}/runtime_field\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information."}},"/api/data_views/data_view/{viewId}/runtime_field/{fieldName}":{"delete":{"operationId":"deleteRuntimeFieldDefault","parameters":[{"$ref":"#/components/parameters/Data_views_field_name"},{"$ref":"#/components/parameters/Data_views_view_id"}],"responses":{"200":{"description":"Indicates a successful call."},"404":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Data_views_404_response"}}},"description":"Object is not found."}},"summary":"Delete a runtime field from a data view","tags":["data views"],"x-metaTags":[{"content":"Kibana","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb delete\"\u003edelete\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/data_views/data_view/{viewId}/runtime_field/{fieldName}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information."},"get":{"operationId":"getRuntimeFieldDefault","parameters":[{"$ref":"#/components/parameters/Data_views_field_name"},{"$ref":"#/components/parameters/Data_views_view_id"}],"responses":{"200":{"content":{"application/json":{"examples":{"getRuntimeFieldResponse":{"$ref":"#/components/examples/Data_views_get_runtime_field_response"}},"schema":{"type":"object","properties":{"data_view":{"type":"object"},"fields":{"items":{"type":"object"},"type":"array"}}}}},"description":"Indicates a successful call."},"404":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Data_views_404_response"}}},"description":"Object is not found."}},"summary":"Get a runtime field","tags":["data views"],"x-metaTags":[{"content":"Kibana","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/data_views/data_view/{viewId}/runtime_field/{fieldName}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information."},"post":{"operationId":"updateRuntimeFieldDefault","parameters":[{"$ref":"#/components/parameters/Data_views_field_name"},{"$ref":"#/components/parameters/Data_views_view_id"}],"requestBody":{"content":{"application/json":{"examples":{"updateRuntimeFieldRequest":{"$ref":"#/components/examples/Data_views_update_runtime_field_request"}},"schema":{"type":"object","properties":{"runtimeField":{"description":"The runtime field definition object.\n\nYou can update following fields:\n\n- `type`\n- `script`\n","type":"object"}},"required":["runtimeField"]}}},"required":true},"responses":{"200":{"description":"Indicates a successful call."},"400":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Data_views_400_response"}}},"description":"Bad request"}},"summary":"Update a runtime field","tags":["data views"],"x-metaTags":[{"content":"Kibana","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/data_views/data_view/{viewId}/runtime_field/{fieldName}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information."}},"/api/data_views/default":{"get":{"operationId":"getDefaultDataViewDefault","responses":{"200":{"content":{"application/json":{"examples":{"getDefaultDataViewResponse":{"$ref":"#/components/examples/Data_views_get_default_data_view_response"}},"schema":{"type":"object","properties":{"data_view_id":{"type":"string"}}}}},"description":"Indicates a successful call."},"400":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Data_views_400_response"}}},"description":"Bad request"}},"summary":"Get the default data view","tags":["data views"],"x-metaTags":[{"content":"Kibana","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/data_views/default\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information."},"post":{"operationId":"setDefaultDatailViewDefault","parameters":[{"$ref":"#/components/parameters/Data_views_kbn_xsrf"}],"requestBody":{"content":{"application/json":{"examples":{"setDefaultDataViewRequest":{"$ref":"#/components/examples/Data_views_set_default_data_view_request"}},"schema":{"type":"object","properties":{"data_view_id":{"description":"The data view identifier. NOTE: The API does not validate whether it is a valid identifier. Use `null` to unset the default data view.\n","nullable":true,"type":"string"},"force":{"default":false,"description":"Update an existing default data view identifier.","type":"boolean"}},"required":["data_view_id"]}}},"required":true},"responses":{"200":{"content":{"application/json":{"schema":{"type":"object","properties":{"acknowledged":{"type":"boolean"}}}}},"description":"Indicates a successful call."},"400":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Data_views_400_response"}}},"description":"Bad request"}},"summary":"Set the default data view","tags":["data views"],"x-metaTags":[{"content":"Kibana","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/data_views/default\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information."}},"/api/data_views/swap_references":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/data_views/swap_references\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nChanges saved object references from one data view identifier to another. WARNING: Misuse can break large numbers of saved objects! Practicing with a backup is recommended.\n","operationId":"swapDataViewsDefault","parameters":[{"$ref":"#/components/parameters/Data_views_kbn_xsrf"}],"requestBody":{"content":{"application/json":{"examples":{"swapDataViewRequest":{"$ref":"#/components/examples/Data_views_swap_data_view_request"}},"schema":{"$ref":"#/components/schemas/Data_views_swap_data_view_request_object"}}},"required":true},"responses":{"200":{"content":{"application/json":{"schema":{"type":"object","properties":{"deleteStatus":{"type":"object","properties":{"deletePerformed":{"type":"boolean"},"remainingRefs":{"type":"integer"}}},"result":{"items":{"type":"object","properties":{"id":{"description":"A saved object identifier.","type":"string"},"type":{"description":"The saved object type.","type":"string"}}},"type":"array"}}}}},"description":"Indicates a successful call."}},"summary":"Swap saved object references","tags":["data views"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/data_views/swap_references/_preview":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/data_views/swap_references/_preview\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nPreview the impact of swapping saved object references from one data view identifier to another.\n","operationId":"previewSwapDataViewsDefault","parameters":[{"$ref":"#/components/parameters/Data_views_kbn_xsrf"}],"requestBody":{"content":{"application/json":{"examples":{"previewSwapDataViewRequest":{"$ref":"#/components/examples/Data_views_preview_swap_data_view_request"}},"schema":{"$ref":"#/components/schemas/Data_views_swap_data_view_request_object"}}},"required":true},"responses":{"200":{"content":{"application/json":{"schema":{"type":"object","properties":{"result":{"items":{"type":"object","properties":{"id":{"description":"A saved object identifier.","type":"string"},"type":{"description":"The saved object type.","type":"string"}}},"type":"array"}}}}},"description":"Indicates a successful call."}},"summary":"Preview a saved object reference swap","tags":["data views"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/detection_engine/index":{"delete":{"operationId":"DeleteAlertsIndex","responses":{"200":{"content":{"application/json":{"schema":{"type":"object","properties":{"acknowledged":{"type":"boolean"}},"required":["acknowledged"]}}},"description":"Successful response"},"401":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Detections_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication response"},"403":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Detections_API_SiemErrorResponse"}}},"description":"Not enough permissions response"},"404":{"content":{"application/json":{"schema":{"type":"string"}}},"description":"Index does not exist response"},"500":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Detections_API_SiemErrorResponse"}}},"description":"Internal server error response"}},"summary":"Delete an alerts index","tags":["Security Detections API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb delete\"\u003edelete\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/detection_engine/index\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information."},"get":{"operationId":"ReadAlertsIndex","responses":{"200":{"content":{"application/json":{"examples":{"success":{"value":{"index_mapping_outdated":false,"name":".alerts-security.alerts-default"}}},"schema":{"type":"object","properties":{"index_mapping_outdated":{"nullable":true,"type":"boolean"},"name":{"type":"string"}},"required":["name","index_mapping_outdated"]}}},"description":"Successful response"},"401":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Detections_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication response"},"403":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Detections_API_SiemErrorResponse"}}},"description":"Not enough permissions response"},"404":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Detections_API_SiemErrorResponse"}}},"description":"Not found"},"500":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Detections_API_SiemErrorResponse"}}},"description":"Internal server error response"}},"summary":"Reads the alert index name if it exists","tags":["Security Detections API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/detection_engine/index\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information."},"post":{"operationId":"CreateAlertsIndex","responses":{"200":{"content":{"application/json":{"schema":{"type":"object","properties":{"acknowledged":{"type":"boolean"}},"required":["acknowledged"]}}},"description":"Successful response"},"401":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Detections_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication response"},"403":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Detections_API_SiemErrorResponse"}}},"description":"Not enough permissions response"},"404":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Detections_API_SiemErrorResponse"}}},"description":"Not found"},"500":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Detections_API_SiemErrorResponse"}}},"description":"Internal server error response"}},"summary":"Create an alerts index","tags":["Security Detections API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/detection_engine/index\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information."}},"/api/detection_engine/privileges":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/detection_engine/privileges\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nRetrieves whether or not the user is authenticated, and the user's Kibana\nspace and index privileges, which determine if the user can create an\nindex for the Elastic Security alerts generated by\ndetection engine rules.\n","operationId":"ReadPrivileges","responses":{"200":{"content":{"application/json":{"examples":{"success":{"value":{"application":{},"cluster":{"all":true,"manage":true,"manage_api_key":true,"manage_index_templates":true,"manage_ml":true,"manage_own_api_key":true,"manage_pipeline":true,"manage_security":true,"manage_transform":true,"monitor":true,"monitor_ml":true,"monitor_transform":true},"has_all_requested":true,"has_encryption_key":true,"index":{".alerts-security.alerts-default":{"all":true,"create":true,"create_doc":true,"create_index":true,"delete":true,"delete_index":true,"index":true,"maintenance":true,"manage":true,"monitor":true,"read":true,"view_index_metadata":true,"write":true}},"is_authenticated":true,"username":"elastic"}}},"schema":{"type":"object","properties":{"has_encryption_key":{"type":"boolean"},"is_authenticated":{"type":"boolean"}},"required":["is_authenticated","has_encryption_key"]}}},"description":"Successful response"},"401":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Detections_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication response"},"500":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Detections_API_SiemErrorResponse"}}},"description":"Internal server error response"}},"summary":"Returns user privileges for the Kibana space","tags":["Security Detections API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/detection_engine/rules":{"delete":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb delete\"\u003edelete\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/detection_engine/rules\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nDelete a detection rule using the `rule_id` or `id` field.\n\nThe URL query must include one of the following:\n\n* `id` - `DELETE /api/detection_engine/rules?id=\u003cid\u003e`\n* `rule_id`- `DELETE /api/detection_engine/rules?rule_id=\u003crule_id\u003e`\n\nThe difference between the `id` and `rule_id` is that the `id` is a unique rule identifier that is randomly generated when a rule is created and cannot be set, whereas `rule_id` is a stable rule identifier that can be assigned during rule creation.\n","operationId":"DeleteRule","parameters":[{"description":"The rule's `id` value.","in":"query","name":"id","required":false,"schema":{"$ref":"#/components/schemas/Security_Detections_API_UUID"}},{"description":"The rule's `rule_id` value.","in":"query","name":"rule_id","required":false,"schema":{"$ref":"#/components/schemas/Security_Detections_API_RuleSignatureId"}}],"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Detections_API_RuleResponse"}}},"description":"Indicates a successful call."}},"summary":"Delete a detection rule","tags":["Security Detections API"],"x-codeSamples":[{"lang":"cURL","source":"curl \\\n  --request DELETE https://localhost:5601/api/detection_engine/rules?rule_id=bfeaf89b-a2a7-48a3-817f-e41829dc61ee \\\n  --header \"Content-Type: application/json; Elastic-Api-Version=2023-10-31\"\n"}],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/detection_engine/rules\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nRetrieve a detection rule using the `rule_id` or `id` field.\n\nThe URL query must include one of the following:\n\n* `id` - `GET /api/detection_engine/rules?id=\u003cid\u003e`\n* `rule_id` - `GET /api/detection_engine/rules?rule_id=\u003crule_id\u003e`\n\nThe difference between the `id` and `rule_id` is that the `id` is a unique rule identifier that is randomly generated when a rule is created and cannot be set, whereas `rule_id` is a stable rule identifier that can be assigned during rule creation.\n","operationId":"ReadRule","parameters":[{"description":"The rule's `id` value.","in":"query","name":"id","required":false,"schema":{"$ref":"#/components/schemas/Security_Detections_API_UUID"}},{"description":"The rule's `rule_id` value.","in":"query","name":"rule_id","required":false,"schema":{"$ref":"#/components/schemas/Security_Detections_API_RuleSignatureId"}}],"responses":{"200":{"content":{"application/json":{"examples":{"example1":{"summary":"Example response for a retrieved rule","value":{"created_at":"2020-02-03T11:19:04.259Z","created_by":"elastic","description":"Process started by MS Office program in user folder","enabled":false,"execution_summary":{"last_execution":{"date":"2022-03-23T16:06:12.787Z","message":"This rule attempted to query data from Elasticsearch indices listed in the \"Index pattern\" section of the rule definition, but no matching index was found.","metrics":{"execution_gap_duration_s":0,"total_indexing_duration_ms":15,"total_search_duration_ms":135},"status":"partial failure","status_order":20}},"false_positives":[],"filters":[{"query":{"match":{"event.action":{"query":"Process Create (rule: ProcessCreate)","type":"phrase"}}}}],"from":"now-4200s","id":"c41d170b-8ba6-4de6-b8ec-76440a35ace3","immutable":false,"interval":"1h","language":"kuery","max_signals":100,"name":"MS Office child process","query":"process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE","references":[],"related_integrations":[{"package":"o365","version":"^2.3.2"}],"required_fields":[{"ecs":true,"name":"process.name","type":"keyword"},{"ecs":true,"name":"process.parent.name","type":"keyword"}],"risk_score":21,"rule_id":"process_started_by_ms_office_user_folder","setup":"","severity":"low","tags":["child process","ms office"],"threat":[{"framework":"MITRE ATT\u0026CK","tactic":{"id":"TA0001","name":"Initial Access","reference":"https://attack.mitre.org/tactics/TA0001"},"technique":[{"id":"T1193","name":"Spearphishing Attachment","reference":"https://attack.mitre.org/techniques/T1193"}]}],"to":"now-300s","type":"query","updated_at":"2020-02-03T11:19:04.462Z","updated_by":"elastic","version":1}}},"schema":{"$ref":"#/components/schemas/Security_Detections_API_RuleResponse"}}},"description":"Indicates a successful call.\n\u003e info\n\u003e These fields are under development and their usage or schema may change: execution_summary.\n"}},"summary":"Retrieve a detection rule","tags":["Security Detections API"],"x-codeSamples":[{"lang":"cURL","source":"curl \\\n  --request GET https://localhost:5601/api/detection_engine/rules?rule_id=bfeaf89b-a2a7-48a3-817f-e41829dc61ee \\\n  --header \"Content-Type: application/json; Elastic-Api-Version=2023-10-31\"\n"}],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"patch":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb patch\"\u003epatch\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/detection_engine/rules\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nUpdate specific fields of an existing detection rule using the `rule_id` or `id` field.\n\nThe difference between the `id` and `rule_id` is that the `id` is a unique rule identifier that is randomly generated when a rule is created and cannot be set, whereas `rule_id` is a stable rule identifier that can be assigned during rule creation.\n\u003e warn\n\u003e When used with [API key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running.\n\n\u003e If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change.\n","operationId":"PatchRule","requestBody":{"content":{"application/json":{"examples":{"example1":{"summary":"Patch query rule","value":{"id":"14b7b513-3d8d-4b22-b7da-a7ae632f7e76","name":"New name"}},"example2":{"summary":"Patch EQL rule","value":{"rule_id":"process_started_by_ms_office_program_possible_payload","threat":[{"framework":"MITRE ATT\u0026CK","tactic":{"id":"TA0001","name":"Initial Access","reference":"https://attack.mitre.org/tactics/TA0001"},"technique":[{"id":"T1193","name":"Spearphishing Attachment","reference":"https://attack.mitre.org/techniques/T1193"}]}]}},"example3":{"summary":"Patch threshold rule","value":{"id":"005d2c4f-51ca-493d-a2bd-20ef076339b1","query":"agent.version : * and agent.id : \"243d9b4f-ca01-4311-8e5c-9abbee91afd8\"","threshold":{"cardinality":[],"field":[],"value":600}}},"example4":{"summary":"Patch new terms rule","value":{"history_window_start":"now-3d","id":"569aac91-40dc-4807-a8ae-a2c8698089c4","new_terms_fields":["Endpoint.policy.applied.artifacts.global.identifiers.name"]}},"example5":{"summary":"Patch esql rule","value":{"id":"0b15e8a2-49b6-47e0-a8e6-d63a6cc335bd","query":"FROM logs-abc*\n| STATS count = COUNT(*), min_timestamp = MIN(@timestamp)\n| EVAL event_rate = count / DATE_DIFF(\"seconds\", min_timestamp, NOW()) \n| KEEP event_rate\n"}},"example6":{"summary":"Patch indicator match rule","value":{"id":"462f1986-10fe-40a3-a22c-2b1c9c4c48fd","threat_query":"@timestamp \u003e= \"now-30d/d\" and event.module:(threatintel or ti_*) and threat.indicator.ip:* and not labels.is_ioc_transform_source:\"false\""}},"example7":{"summary":"Patch machine learning rule","value":{"anomaly_threshold":50,"id":"60b13926-289b-41b1-a537-197ef1fa5059","machine_learning_job_id":["auth_high_count_logon_events"]}}},"schema":{"$ref":"#/components/schemas/Security_Detections_API_RulePatchProps"}}},"description":"\u003e info\n\u003e You cannot modify the `id` or `rule_id` values.\n","required":true},"responses":{"200":{"content":{"application/json":{"examples":{"example1":{"summary":"Example response for an updated rule","value":{"actions":[],"created_at":"2020-04-07T14:51:09.755Z","created_by":"elastic","description":"Updated description for the rule.","enabled":false,"false_positives":[],"filters":[{"query":null}],"from":"now-70m","id":"6541b99a-dee9-4f6d-a86d-dbd1869d73b1","immutable":false,"interval":"1h","language":"kuery","max_signals":100,"name":"Updated Rule Name","query":"process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE","references":[],"related_integrations":[{"package":"o365"}],"required_fields":[{"name":"process.parent.name"}],"risk_score":50,"rule_id":"process_started_by_ms_office_program","setup":"","severity":"low","tags":["child process","ms office"],"threat":[],"to":"now","type":"query","updated_at":"2020-04-07T14:51:09.970Z","updated_by":"elastic","version":2}}},"schema":{"$ref":"#/components/schemas/Security_Detections_API_RuleResponse"}}},"description":"Indicates a successful call."}},"summary":"Patch a detection rule","tags":["Security Detections API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/detection_engine/rules\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nCreate a new detection rule.\n\u003e warn\n\u003e When used with [API key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running.\n\n\u003e If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change.\n\nYou can create the following types of rules:\n\n* **Custom query**: Searches the defined indices and creates an alert when a document matches the rule's KQL query.\n* **Event correlation**: Searches the defined indices and creates an alert when results match an [Event Query Language (EQL)](https://www.elastic.co/guide/en/elasticsearch/reference/current/eql.html) query.\n* **Threshold**: Searches the defined indices and creates an alert when the number of times the specified field's value meets the threshold during a single execution. When there are multiple values that meet the threshold, an alert is generated for each value.\n  For example, if the threshold `field` is `source.ip` and its `value` is `10`, an alert is generated for every source IP address that appears in at least 10 of the rule's search results. If you're interested, see [Terms Aggregation](https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-bucket-terms-aggregation.html) for more information.\n* **Indicator match**: Creates an alert when fields match values defined in the specified [Elasticsearch index](https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-create-index.html). For example, you can create an index for IP addresses and use this index to create an alert whenever an event's `destination.ip` equals a value in the index. The index's field mappings should be [ECS-compliant](https://www.elastic.co/guide/en/ecs/current/ecs-reference.html).\n* **New terms**: Generates an alert for each new term detected in source documents within a specified time range.\n* **ES|QL**: Uses [Elasticsearch Query Language (ES|QL)](https://www.elastic.co/guide/en/elasticsearch/reference/current/esql.html) to find events and aggregate search results.\n* **Machine learning rules**: Creates an alert when a machine learning job discovers an anomaly above the defined threshold.\n\u003e info\n\u003e To create machine learning rules, you must have the [appropriate license](https://www.elastic.co/subscriptions) or use a [cloud deployment](https://cloud.elastic.co/registration). Additionally, for the machine learning rule to function correctly, the associated machine learning job must be running.\n\nTo retrieve machine learning job IDs, which are required to create machine learning jobs, call the [Elasticsearch Get jobs API](https://www.elastic.co/guide/en/elasticsearch/reference/current/ml-get-job.html). Machine learning jobs that contain `siem` in the `groups` field can be used to create rules:\n\n```json\n...\n\"job_id\": \"linux_anomalous_network_activity_ecs\",\n\"job_type\": \"anomaly_detector\",\n\"job_version\": \"7.7.0\",\n\"groups\": [\n  \"auditbeat\",\n  \"process\",\n  \"siem\"\n],\n...\n```\n\nAdditionally, you can set up notifications for when rules create alerts. The notifications use the [Alerting and Actions framework](https://www.elastic.co/guide/en/kibana/current/alerting-getting-started.html). Each action type requires a connector. Connectors store the information required to send notifications via external systems. The following connector types are supported for rule notifications:\n\n* Slack\n* Email\n* PagerDuty\n* Webhook\n* Microsoft Teams\n* IBM Resilient\n* Jira\n* ServiceNow ITSM\n\u003e info\n\u003e For more information on PagerDuty fields, see [Send a v2 Event](https://developer.pagerduty.com/docs/events-api-v2/trigger-events/).\n\nTo retrieve connector IDs, which are required to configure rule notifications, call the [Find objects API](https://www.elastic.co/guide/en/kibana/current/saved-objects-api-find.html) with `\"type\": \"action\"` in the request payload.\n\nFor detailed information on Kibana actions and alerting, and additional API calls, see:\n\n* [Alerting API](https://www.elastic.co/docs/api/doc/kibana/group/endpoint-alerting)\n* [Alerting and Actions framework](https://www.elastic.co/guide/en/kibana/current/alerting-getting-started.html)\n* [Connectors API](https://www.elastic.co/docs/api/doc/kibana/group/endpoint-connectors)\n","operationId":"CreateRule","requestBody":{"content":{"application/json":{"examples":{"example1":{"description":"Query rule that searches for processes started by MS Office","summary":"Query rule","value":{"description":"Process started by MS Office program - possible payload","enabled":false,"filters":[{"query":{"match":{"event.action":{"query":"Process Create (rule: ProcessCreate)","type":"phrase"}}}}],"from":"now-70m","interval":"1h","language":"kuery","name":"MS Office child process","query":"process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE","related_integrations":[{"package":"o365","version":"^2.3.2"}],"required_fields":[{"name":"process.parent.name","type":"keyword"}],"risk_score":50,"rule_id":"process_started_by_ms_office_program","severity":"low","tags":["child process","ms office"],"type":"query"}},"example2":{"description":"Threshold rule that detects multiple failed login attempts to a Windows host from the same external source IP address","summary":"Threshold rule","value":{"description":"Detects when there are 20 or more failed login attempts from the same IP address with a 2 minute time frame.","enabled":true,"exceptions_list":[{"id":"int-ips","namespace_type":"single","type":"detection"}],"from":"now-180s","index":["winlogbeat-*"],"interval":"2m","name":"Windows server prml-19","query":"host.name:prml-19 and event.category:authentication and event.outcome:failure","required_fields":[{"name":"source.ip","type":"ip"}],"risk_score":30,"rule_id":"liv-win-ser-logins","severity":"low","severity_mapping":[{"field":"source.geo.city_name","operator":"equals","severity":"low","value":"Manchester"},{"field":"source.geo.city_name","operator":"equals","severity":"medium","value":"London"},{"field":"source.geo.city_name","operator":"equals","severity":"high","value":"Birmingham"},{"field":"source.geo.city_name","operator":"equals","severity":"critical","value":"Wallingford"}],"tags":["Brute force"],"threshold":{"field":"source.ip","value":20},"type":"threshold"}},"example3":{"description":"Machine learning rule that creates alerts, and sends Slack notifications, when the linux_anomalous_network_activity_ecs machine learning job discovers anomalies with a threshold of 70 or above.","summary":"Machine learning rule","value":{"actions":[{"action_type_id":".slack","group":"default","id":"5ad22cd5-5e6e-4c6c-a81a-54b626a4cec5","params":{"message":"Urgent: {{context.rule.description}}"}}],"anomaly_threshold":70,"description":"Generates alerts when the job discovers anomalies over 70","enabled":true,"from":"now-6m","interval":"5m","machine_learning_job_id":"linux_anomalous_network_activity_ecs","name":"Anomalous Linux network activity","note":"Shut down the internet.","risk_score":70,"rule_id":"ml_linux_network_high_threshold","setup":"This rule requires data coming in from Elastic Defend.","severity":"high","tags":["machine learning","Linux"],"type":"machine_learning"}},"example4":{"description":"Event correlation rule that creates alerts when the Windows rundll32.exe process makes unusual network connections","summary":"EQL rule","value":{"description":"Unusual rundll32.exe network connection","language":"eql","name":"rundll32.exe network connection","query":"sequence by process.entity_id with maxspan=2h [process where event.type in (\"start\", \"process_started\") and (process.name == \"rundll32.exe\" or process.pe.original_file_name == \"rundll32.exe\") and ((process.args == \"rundll32.exe\" and process.args_count == 1) or (process.args != \"rundll32.exe\" and process.args_count == 0))] [network where event.type == \"connection\" and (process.name == \"rundll32.exe\" or process.pe.original_file_name == \"rundll32.exe\")]","required_fields":[{"name":"event.type","type":"keyword"},{"name":"process.args","type":"keyword"},{"name":"process.args_count","type":"long"},{"name":"process.entity_id","type":"keyword"},{"name":"process.name","type":"keyword"},{"name":"process.pe.original_file_name","type":"keyword"}],"risk_score":21,"rule_id":"eql-outbound-rundll32-connections","severity":"low","tags":["EQL","Windows","rundll32.exe"],"type":"eql"}},"example5":{"description":"Indicator match rule that creates an alert when one of the following is true: The event's destination IP address and port number matches destination IP and port values in the threat_index index; The event's source IP address matches a host IP address value in the threat_index index.\n","summary":"Indicator match rule","value":{"actions":[],"description":"Checks for bad IP addresses listed in the ip-threat-list index","index":["packetbeat-*"],"name":"Bad IP threat match","query":"destination.ip:* or host.ip:*","required_fields":[{"name":"destination.ip","type":"ip"},{"name":"destination.port","type":"long"},{"name":"host.ip","type":"ip"}],"risk_score":50,"severity":"medium","threat_index":["ip-threat-list"],"threat_mapping":[{"entries":[{"field":"destination.ip","type":"mapping","value":"destination.ip"},{"field":"destination.port","type":"mapping","value":"destination.port"}]},{"entries":[{"field":"source.ip","type":"mapping","value":"host.ip"}]}],"threat_query":"*:*","type":"threat_match"}},"example6":{"description":"New terms rule that creates alerts a new IP address is detected for a user","summary":"New terms rule","value":{"description":"Detects a user associated with a new IP address","history_window_start":"now-30d","index":["auditbeat*"],"language":"kuery","name":"New User IP Detected","new_terms_fields":["user.id","source.ip"],"query":"*","required_fields":[{"name":"user.id","type":"keyword"},{"name":"source.ip","type":"ip"}],"risk_score":21,"severity":"medium","type":"new_terms"}},"example7":{"description":"esql rule that creates alerts from events that match an Excel parent process","summary":"Esql rule","value":{"description":"Find Excel events","enabled":false,"from":"now-360s","interval":"5m","language":"esql","name":"Find Excel events","query":"from auditbeat-8.10.2 METADATA _id, _version, _index | where process.parent.name == \"EXCEL.EXE\"","required_fields":[{"name":"process.parent.name","type":"keyword"}],"risk_score":21,"severity":"low","tags":[],"to":"now","type":"esql"}},"example8":{"description":"Query rule that searches for processes started by MS Office and suppresses alerts by the process.parent.name field within a 5-hour time period","summary":"Query rule 2","value":{"alert_suppression":{"duration":{"unit":"h","value":5},"group_by":["process.parent.name"],"missing_fields_strategy":"suppress"},"description":"Process started by MS Office program - possible payload","enabled":false,"filters":[{"query":{"match":{"event.action":{"query":"Process Create (rule: ProcessCreate)","type":"phrase"}}}}],"from":"now-70m","interval":"1h","language":"kuery","name":"MS Office child process","query":"process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE","risk_score":50,"rule_id":"process_started_by_ms_office_program","severity":"low","tags":["child process","ms office"],"type":"query"}}},"schema":{"$ref":"#/components/schemas/Security_Detections_API_RuleCreateProps"}}},"required":true},"responses":{"200":{"content":{"application/json":{"examples":{"example1":{"description":"Example response for a query rule","summary":"Query rule response","value":{"actions":[],"created_at":"2020-04-07T14:51:09.755Z","created_by":"elastic","description":"Process started by MS Office program - possible payload","enabled":false,"false_positives":[],"filters":[{"query":{"match":{"event.action":{"query":"Process Create (rule: ProcessCreate)","type":"phrase"}}}}],"from":"now-70m","id":"6541b99a-dee9-4f6d-a86d-dbd1869d73b1","immutable":false,"interval":"1h","language":"kuery","max_signals":100,"name":"MS Office child process","query":"process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE","references":[],"related_integrations":[{"package":"o365","version":"^2.3.2"},{"integration":"graphactivitylogs","package":"azure","version":"^1.11.4"}],"required_fields":[{"ecs":true,"name":"process.parent.name","type":"keyword"}],"risk_score":50,"rule_id":"process_started_by_ms_office_program","setup":"","severity":"low","tags":["child process","ms office"],"threat":[],"to":"now","type":"query","updated_at":"2020-04-07T14:51:09.970Z","updated_by":"elastic","version":1}},"example2":{"description":"Example response for a machine learning job rule","summary":"Machine learning response","value":{"actions":[{"action_type_id":".slack","frequency":{"notifyWhen":"onActiveAlert","summary":true,"throttle":null},"group":"default","id":"5ad22cd5-5e6e-4c6c-a81a-54b626a4cec5","params":{"message":"Urgent: {{context.rule.description}}"}}],"anomaly_threshold":70,"created_at":"2020-04-07T14:45:15.679Z","created_by":"elastic","description":"Generates alerts when the job discovers anomalies over 70","enabled":true,"false_positives":[],"from":"now-6m","id":"83876f66-3a57-4a99-bf37-416494c80f3b","immutable":false,"interval":"5m","machine_learning_job_id":"linux_anomalous_network_activity_ecs","max_signals":100,"name":"Anomalous Linux network activity","note":"Shut down the internet.","references":[],"related_integrations":[],"required_fields":[],"risk_score":70,"rule_id":"ml_linux_network_high_threshold","setup":"","severity":"high","status":"going to run","status_date":"2020-04-07T14:45:21.685Z","tags":["machine learning","Linux"],"threat":[],"to":"now","type":"machine_learning","updated_at":"2020-04-07T14:45:15.892Z","updated_by":"elastic","version":1}},"example3":{"description":"Example response for a threshold rule","summary":"Threshold rule response","value":{"actions":[],"author":[],"created_at":"2020-07-22T10:27:23.486Z","created_by":"elastic","description":"Detects when there are 20 or more failed login attempts from the same IP address with a 2 minute time frame.","enabled":true,"exceptions_list":[{"id":"int-ips","namespace_type":"single","type":"detection"}],"false_positives":[],"from":"now-180s","id":"15dbde26-b627-4d74-bb1f-a5e0ed9e4993","immutable":false,"index":["winlogbeat-*"],"interval":"2m","language":"kuery","max_signals":100,"name":"Windows server prml-19","query":"host.name:prml-19 and event.category:authentication and event.outcome:failure","references":[],"related_integrations":[{"package":"o365","version":"^2.3.2"}],"required_fields":[{"ecs":true,"name":"source.ip","type":"ip"}],"risk_score":30,"risk_score_mapping":[],"rule_id":"liv-win-ser-logins","setup":"","severity":"low","severity_mapping":[{"field":"source.geo.city_name","operator":"equals","severity":"low","value":"Manchester"},{"field":"source.geo.city_name","operator":"equals","severity":"medium","value":"London"},{"field":"source.geo.city_name","operator":"equals","severity":"high","value":"Birmingham"},{"field":"source.geo.city_name","operator":"equals","severity":"critical","value":"Wallingford"}],"tags":["Brute force"],"threat":[],"threshold":{"field":"source.ip","value":20},"to":"now","type":"threshold","updated_at":"2020-07-22T10:27:23.673Z","updated_by":"elastic","version":1}},"example4":{"description":"Example response for an EQL rule","summary":"EQL rule response","value":{"author":[],"created_at":"2020-10-05T09:06:16.392Z","created_by":"elastic","description":"Unusual rundll32.exe network connection","enabled":true,"exceptions_list":[],"false_positives":[],"from":"now-6m","id":"93808cae-b05b-4dc9-8479-73574b50f8b1","immutable":false,"interval":"5m","language":"eql","max_signals":100,"name":"rundll32.exe network connection","query":"sequence by process.entity_id with maxspan=2h [process where event.type in (\"start\", \"process_started\") and (process.name == \"rundll32.exe\" or process.pe.original_file_name == \"rundll32.exe\") and ((process.args == \"rundll32.exe\" and process.args_count == 1) or (process.args != \"rundll32.exe\" and process.args_count == 0))] [network where event.type == \"connection\" and (process.name == \"rundll32.exe\" or process.pe.original_file_name == \"rundll32.exe\")]","references":[],"related_integrations":[{"package":"o365","version":"^2.3.2"}],"required_fields":[{"ecs":true,"name":"event.type","type":"keyword"},{"ecs":true,"name":"process.args","type":"keyword"},{"ecs":true,"name":"process.args_count","type":"long"},{"ecs":true,"name":"process.entity_id","type":"keyword"},{"ecs":true,"name":"process.name","type":"keyword"},{"ecs":true,"name":"process.pe.original_file_name","type":"keyword"}],"risk_score":21,"risk_score_mapping":[],"rule_id":"eql-outbound-rundll32-connections","setup":"","severity":"low","severity_mapping":[],"tags":["EQL","Windows","rundll32.exe"],"threat":[],"throttle":"no_actions","to":"now","type":"eql","updated_at":"2020-10-05T09:06:16.403Z","updated_by":"elastic","version":1}},"example5":{"description":"Example response for an indicator match rule","summary":"Indicator match rule response","value":{"author":[],"created_at":"2020-10-06T07:07:58.227Z","created_by":"elastic","description":"Checks for bad IP addresses listed in the ip-threat-list index","enabled":true,"exceptions_list":[],"false_positives":[],"from":"now-6m","id":"d5daa13f-81fb-4b13-be2f-31011e1d9ae1","immutable":false,"index":["packetbeat-*"],"interval":"5m","language":"kuery","max_signals":100,"name":"Bad IP threat match","query":"destination.ip:* or host.ip:*","references":[],"related_integrations":[{"package":"o365","version":"^2.3.2"}],"required_fields":[{"ecs":true,"name":"destination.ip","type":"ip"},{"ecs":true,"name":"destination.port","type":"long"},{"ecs":true,"name":"host.ip","type":"ip"}],"risk_score":50,"risk_score_mapping":[],"rule_id":"608501e4-c768-4f64-9326-cec55b5d439b","setup":"","severity":"medium","severity_mapping":[],"tags":[],"threat":[],"threat_index":["ip-threat-list"],"threat_mapping":[{"entries":[{"field":"destination.ip","type":"mapping","value":"destination.ip"},{"field":"destination.port","type":"mapping","value":"destination.port"}]},{"entries":[{"field":"source.ip","type":"mapping","value":"host.ip"}]}],"threat_query":"*:*","to":"now","type":"threat_match","updated_at":"2020-10-06T07:07:58.237Z","updated_by":"elastic","version":1}},"example6":{"description":"Example response for a new terms rule","summary":"New terms rule response","value":{"author":[],"created_at":"2020-10-06T07:07:58.227Z","created_by":"elastic","description":"Detects a user associated with a new IP address","enabled":true,"exceptions_list":[],"false_positives":[],"from":"now-6m","history_window_start":"now-30d","id":"eb7225c0-566b-11ee-8b4f-bbf3afdeb9f4","immutable":false,"index":["auditbeat*"],"interval":"5m","language":"kuery","max_signals":100,"name":"New User IP Detected","new_terms_fields":["user.id","source.ip"],"query":"*","references":[],"related_integrations":[{"package":"o365","version":"^2.3.2"}],"required_fields":[{"ecs":true,"name":"user.id","type":"keyword"},{"ecs":true,"name":"source.ip","type":"ip"}],"risk_score":21,"risk_score_mapping":[],"rule_id":"c6f5d0bc-7be9-47d4-b2f3-073d22641e30","setup":"","severity":"medium","severity_mapping":[],"tags":[],"threat":[],"to":"now","type":"new_terms","updated_at":"2020-10-06T07:07:58.237Z","updated_by":"elastic","version":1}},"example7":{"description":"Example response for an Esql rule","summary":"Esql rule response","value":{"actions":[],"author":[],"created_at":"2023-10-18T10:55:14.269Z","created_by":"elastic","description":"Find Excel events","enabled":false,"exceptions_list":[],"false_positives":[],"from":"now-360s","id":"d0f20490-6da4-11ee-b85e-09e9b661f2e2","immutable":false,"interval":"5m","language":"esql","max_signals":100,"name":"Find Excel events","output_index":"","query":"from auditbeat-8.10.2 METADATA _id | where process.parent.name == \"EXCEL.EXE\"","references":[],"related_integrations":[{"package":"o365","version":"^2.3.2"}],"required_fields":[{"ecs":true,"name":"process.parent.name","type":"keyword"}],"revision":0,"risk_score":21,"risk_score_mapping":[],"rule_id":"e4b53a89-debd-4a0d-a3e3-20606952e589","setup":"","severity":"low","severity_mapping":[],"tags":[],"threat":[],"to":"now","type":"esql","updated_at":"2023-10-18T10:55:14.269Z","updated_by":"elastic","version":1}}},"schema":{"$ref":"#/components/schemas/Security_Detections_API_RuleResponse"}}},"description":"Indicates a successful call."}},"summary":"Create a detection rule","tags":["Security Detections API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"put":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb put\"\u003eput\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/detection_engine/rules\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nUpdate a detection rule using the `rule_id` or `id` field. The original rule is replaced, and all unspecified fields are deleted.\n\nThe difference between the `id` and `rule_id` is that the `id` is a unique rule identifier that is randomly generated when a rule is created and cannot be set, whereas `rule_id` is a stable rule identifier that can be assigned during rule creation.\n\u003e warn\n\u003e When used with [API key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running.\n\n\u003e If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change.\n","operationId":"UpdateRule","requestBody":{"content":{"application/json":{"examples":{"example1":{"summary":"Update query rule","value":{"description":"A new description","id":"14b7b513-3d8d-4b22-b7da-a7ae632f7e76","name":"A new name for the rule","risk_score":22,"severity":"medium","type":"query"}},"example2":{"summary":"Update EQL rule","value":{"description":"eql rule test","id":"9b684efb-acf9-4323-9bff-8335b3867d14","index":["apm-*-transaction*"],"language":"eql","name":"New name for EQL rule","query":"process where process.name == \"regsvr32.exe\"","risk_score":21,"severity":"low","type":"eql"}},"example3":{"summary":"Update threshold rule","value":{"description":"Description of threat rule test","id":"005d2c4f-51ca-493d-a2bd-20ef076339b1","language":"kuery","name":"New name for threat rule","query":"agent.version : * and agent.id : \"243d9b4f-ca01-4311-8e5c-9abbee91afd8\"","risk_score":21,"severity":"low","tags":["new_tag"],"threshold":{"cardinality":[],"field":[],"value":400},"type":"threshold"}},"example4":{"summary":"Update new terms rule","value":{"description":"New description","history_window_start":"now-7d","id":"569aac91-40dc-4807-a8ae-a2c8698089c4","interval":"5m","name":"New terms rule name","new_terms_fields":["Endpoint.policy.applied.artifacts.global.identifiers.name"],"query":"agent.version : \"9.1.0\"","risk_score":21,"severity":"low","type":"new_terms"}},"example5":{"summary":"Update esql rule","value":{"description":"New description for esql rule","id":"0b15e8a2-49b6-47e0-a8e6-d63a6cc335bd","language":"esql","name":"New name for esql rule","query":"FROM logs*\n| STATS count = COUNT(*), min_timestamp = MIN(@timestamp) /* MIN(dateField) finds the earliest timestamp in the dataset. */\n| EVAL event_rate = count / DATE_DIFF(\"seconds\", min_timestamp, NOW()) /* Calculates the event rate by dividing the total count of events by the time difference (in seconds) between the earliest event and the current time. */\n| KEEP event_rate\n","risk_score":21,"severity":"low","type":"esql"}},"example6":{"summary":"Update indicator match rule","value":{"description":"New description","id":"462f1986-10fe-40a3-a22c-2b1c9c4c48fd","name":"New name for Indicator Match rule","query":"source.ip:* or destination.ip:*\\n","risk_score":99,"severity":"critical","threat_index":["filebeat-*","logs-ti_*"],"threat_mapping":[{"entries":[{"field":"source.ip","type":"mapping","value":"threat.indicator.ip"}]},{"entries":[{"field":"destination.ip","type":"mapping","value":"threat.indicator.ip"}]}],"threat_query":"@timestamp \u003e= \"now-30d/d\" and event.module:(threatintel or ti_*) and threat.indicator.ip:* and not labels.is_ioc_transform_source:\"true\"","type":"threat_match"}},"example7":{"summary":"Update machine learning rule","value":{"anomaly_threshold":50,"description":"New description of ml rule","id":"60b13926-289b-41b1-a537-197ef1fa5059","machine_learning_job_id":["auth_high_count_logon_events"],"name":"New name of ml rule","risk_score":21,"severity":"low","type":"machine_learning"}}},"schema":{"$ref":"#/components/schemas/Security_Detections_API_RuleUpdateProps"}}},"description":"\u003e info\n\u003e All unspecified fields are deleted. You cannot modify the `id` or `rule_id` values.\n","required":true},"responses":{"200":{"content":{"application/json":{"examples":{"example1":{"summary":"Example response for an updated rule","value":{"actions":[],"created_at":"2020-04-07T14:51:09.755Z","created_by":"elastic","description":"Updated description for the rule.","enabled":false,"false_positives":[],"filters":[{"query":null}],"from":"now-70m","id":"6541b99a-dee9-4f6d-a86d-dbd1869d73b1","immutable":false,"interval":"1h","language":"kuery","max_signals":100,"name":"Updated Rule Name","query":"process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE","references":[],"related_integrations":[{"package":"o365"}],"required_fields":[{"name":"process.parent.name"}],"risk_score":50,"rule_id":"process_started_by_ms_office_program","setup":"","severity":"low","tags":["child process","ms office"],"threat":[],"to":"now","type":"query","updated_at":"2020-04-07T14:51:09.970Z","updated_by":"elastic","version":2}}},"schema":{"$ref":"#/components/schemas/Security_Detections_API_RuleResponse"}}},"description":"Indicates a successful call."}},"summary":"Update a detection rule","tags":["Security Detections API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/detection_engine/rules/_bulk_action":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/detection_engine/rules/_bulk_action\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nApply a bulk action, such as bulk edit, duplicate, or delete, to multiple detection rules. The bulk action is applied to all rules that match the query or to the rules listed by their IDs.\n\nThe edit action allows you to add, delete, or set tags, index patterns, investigation fields, rule actions and schedules for multiple rules at once. \nThe edit action is idempotent, meaning that if you add a tag to a rule that already has that tag, no changes are made. The same is true for other edit actions, for example removing an index pattern that is not specified in a rule will not result in any changes. The only exception is the `add_rule_actions` and `set_rule_actions` action, which is non-idempotent. This means that if you add or set a rule action to a rule that already has that action, a new action is created with a new unique ID.\n\u003e warn\n\u003e When used with [API key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running.\n\n\u003e If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change.\n","operationId":"PerformRulesBulkAction","parameters":[{"description":"Enables dry run mode for the request call.\n\nEnable dry run mode to verify that bulk actions can be applied to specified rules. Certain rules, such as prebuilt Elastic rules on a Basic subscription, can’t be edited and will return errors in the request response. Error details will contain an explanation, the rule name and/or ID, and additional troubleshooting information.\n\nTo enable dry run mode on a request, add the query parameter `dry_run=true` to the end of the request URL. Rules specified in the request will be temporarily updated. These updates won’t be written to Elasticsearch.\n\u003e info\n\u003e Dry run mode is not supported for the `export` bulk action. A 400 error will be returned in the request response.\n","in":"query","name":"dry_run","required":false,"schema":{"type":"boolean"}}],"requestBody":{"content":{"application/json":{"examples":{"example01":{"description":"The following request activates all rules with the test tag.","summary":"Enable - Enable all rules with the test tag","value":{"action":"enable","query":"alert.attributes.tags: \"test\""}},"example02":{"description":"The following request enables the rule with the specified ID.","summary":"Enable - Enable a specific rule by ID.","value":{"action":"enable","ids":["748694f0-6977-4ea5-8384-cd2e39730779"]}},"example03":{"description":"The following request disables the rule with the specified ID.","summary":"Disable - Disable a specific rule by ID","value":{"action":"disable","ids":["748694f0-6977-4ea5-8384-cd2e39730779"]}},"example04":{"description":"The following request duplicates rules with the specified IDs, including exceptions but not expired exceptions.","summary":"Duplicate - Duplicate rules with specific IDs","value":{"action":"duplicate","duplicate":{"include_exceptions":true,"include_expired_exceptions":false},"ids":["748694f0-6977-4ea5-8384-cd2e39730779","461a4c22-416e-4009-a9a7-cf79656454bf"]}},"example05":{"description":"The following request deletes the rule with the specified ID.","summary":"Delete - Delete a specific rule by ID","value":{"action":"delete","ids":["cf4abfd1-7c37-4519-ab0f-5ea5c75fac60"]}},"example06":{"description":"The following request runs the rule with the specified ID within the given date range.","summary":"Run - Run a specific rule by ID","value":{"action":"run","ids":["748694f0-6977-4ea5-8384-cd2e39730779"],"run":{"end_date":"2025-03-10T23:59:59.999Z","start_date":"2025-03-01T00:00:00.000Z"}}},"example07":{"description":"The following request exports the rules with the specified IDs.","summary":"Export - Export specific rules by ID","value":{"action":"export","ids":["748694f0-6977-4ea5-8384-cd2e39730779"]}},"example08":{"description":"The following request will validate that the add_index_patterns bulk action can be successfully applied to three rules. The dry_run parameter is specified in query parameters, e.g. POST api/detection_engine/rules/_bulk_action?dry_run=true","summary":"Edit - dry run - Validate add_index_patterns bulk action","value":{"action":"edit","edit":[{"type":"add_index_patterns","value":["test-*"]}],"ids":["81aa0480-06af-11ed-94fb-dd1a0597d8d2","dc015d10-0831-11ed-ac8b-05a222bd8d4a","de8f5af0-0831-11ed-ac8b-05a222bd8d4a"]}},"example09":{"description":"The following request adds the tag \"tag-1\" to the rules with the specified IDs. If the tag already exists for a rule, no changes are made.","summary":"Edit - Add a tag to rules (idempotent)","value":{"action":"edit","edit":[{"type":"add_tags","value":["tag-1"]}],"ids":["8bc7dad0-9320-11ec-9265-8b772383a08d","8e5c1a40-9320-11ec-9265-8b772383a08d"]}},"example10":{"description":"The following request adds two tags at the same time, tag-1 and tag-2, to the rules that have the IDs sent in the payload. If the tags already exist for a rule, no changes are made.","summary":"Edit - Add two tags to rules (idempotent)","value":{"action":"edit","edit":[{"type":"add_tags","value":["tag-1","tag-2"]}],"ids":["8bc7dad0-9320-11ec-9265-8b772383a08d","8e5c1a40-9320-11ec-9265-8b772383a08d"]}},"example11":{"description":"The following request removes the tag \"tag-1\" from the rules with the specified IDs. If the tag does not exist for a rule, no changes are made.","summary":"Edit - Delete a tag from rules (idempotent)","value":{"action":"edit","edit":[{"type":"delete_tags","value":["tag-1"]}],"ids":["8bc7dad0-9320-11ec-9265-8b772383a08d","8e5c1a40-9320-11ec-9265-8b772383a08d"]}},"example12":{"description":"The following request sets the tags \"tag-1\" and \"tag-2\" for the rules with the specified IDs, overwriting any existing tags. If the set of tags is the same as the existing tags, no changes are made.","summary":"Edit - Set (overwrite existing) tags for rules (idempotent)","value":{"action":"edit","edit":[{"type":"set_tags","value":["tag-1","tag-2"]}],"ids":["8bc7dad0-9320-11ec-9265-8b772383a08d","8e5c1a40-9320-11ec-9265-8b772383a08d"]}},"example13":{"description":"The following request adds the index pattern \"test-*\" to the rules with the specified IDs. If the index pattern already exists for a rule, no changes are made.","summary":"Edit - Add index patterns to rules (idempotent)","value":{"action":"edit","edit":[{"type":"add_index_patterns","value":["test-*"]}],"ids":["81aa0480-06af-11ed-94fb-dd1a0597d8d2","dc015d10-0831-11ed-ac8b-05a222bd8d4a"]}},"example14":{"description":"The following request removes the index pattern \"test-*\" from the rules with the specified IDs. If the index pattern does not exist for a rule, no changes are made.","summary":"Edit - Remove index patterns from rules (idempotent)","value":{"action":"edit","edit":[{"type":"delete_index_patterns","value":["test-*"]}],"ids":["81aa0480-06af-11ed-94fb-dd1a0597d8d2","dc015d10-0831-11ed-ac8b-05a222bd8d4a"]}},"example15":{"description":"The following request sets the index patterns \"test-*\" and \"prod-*\" for the rules with the specified IDs, overwriting any existing index patterns. If the set of index patterns is the same as the existing index patterns, no changes are made.","summary":"Edit - Set (overwrite existing) index patterns for rules patterns (idempotent)","value":{"action":"edit","edit":[{"type":"set_index_patterns","value":["test-*"]}],"ids":["81aa0480-06af-11ed-94fb-dd1a0597d8d2","dc015d10-0831-11ed-ac8b-05a222bd8d4a"]}},"example16":{"description":"The following request adds investigation field to the rules with the specified IDs.","summary":"Edit - Add investigation field to rules","value":{"action":"edit","edit":[{"type":"add_investigation_fields","value":{"field_names":["alert.status"]}}],"ids":["12345678-1234-1234-1234-1234567890ab","87654321-4321-4321-4321-0987654321ba"]}},"example17":{"description":"The following request deletes investigation fields from the rules with the specified IDs. If the field does not exist for a rule, no changes are made.","summary":"Edit - Delete investigation fields from rules (idempotent)","value":{"action":"edit","edit":[{"type":"delete_investigation_fields"}],"ids":["12345678-1234-1234-1234-1234567890ab","87654321-4321-4321-4321-0987654321ba"],"value":["field1","field2"]}},"example18":{"description":"The following request sets investigation fields for the rules with the specified IDs, overwriting any existing investigation fields. If the set of investigation fields is the same as the existing investigation fields, no changes are made.","summary":"Edit - Set (overwrite existing) investigation fields for rules (idempotent)","value":{"action":"edit","edit":[{"type":"set_investigation_fields","value":["field1","field2"]}],"ids":["12345678-1234-1234-1234-1234567890ab","87654321-4321-4321-4321-0987654321ba"]}},"example19":{"description":"The following request sets a timeline template for the rules with the specified IDs. If the same timeline template is already set for a rule, no changes are made.","summary":"Edit - Set (overwrite existing) timeline template for rules (idempotent)","value":{"action":"edit","edit":[{"type":"set_timeline","value":{"timeline_id":"3e827bab-838a-469f-bd1e-5e19a2bff2fd","timeline_title":"Alerts Involving a Single User Timeline"}}],"ids":["eacdfc95-e007-41c9-986e-4b2cbdfdc71b"]}},"example20":{"description":"The following request sets a schedule for the rules with the specified IDs. If the same schedule is already set for a rule, no changes are made.","summary":"Edit - Set (overwrite existing) schedule for rules (idempotent)","value":{"action":"edit","edit":[{"type":"set_schedule","value":{"interval":"1h","lookback":"30m"}}],"ids":["99887766-5544-3322-1100-aabbccddeeff"]}},"example21":{"description":"The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID.","summary":"Edit - Add rule actions to rules (non-idempotent)","value":{"action":"edit","edit":[{"type":"add_rule_actions","value":{"actions":[{"group":"default","id":"20fbf986-a270-460e-80f3-7b83c08b430f","params":{"body":"The message body"}}]}}],"ids":["9e946bfc-3118-4c77-bb25-67d781191928"]}},"example22":{"description":"The following request sets rule actions for the rules with the specified IDs. Each action receives its own unique ID.","summary":"Edit - Set (overwrite existing) rule actions for rules (non-idempotent)","value":{"action":"edit","edit":[{"type":"set_rule_actions","value":{"actions":[{"group":"default","id":"20fbf986-a270-460e-80f3-7b83c08b430f","params":{"body":"The message body"}}]}}],"ids":["9e946bfc-3118-4c77-bb25-67d781191928"]}},"example23":{"description":"The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID.","summary":"Edit - Add rule actions to rules for a webhook connector","value":{"action":"edit","edit":[{"type":"add_rule_actions","value":{"actions":[{"group":"default3","id":"20fbf986-a270-460e-80f3-7b83c08b430f","params":{"body":"The message body"}}]}}],"ids":["9e946bfc-3118-4c77-bb25-67d781191921"]}},"example24":{"description":"The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID.","summary":"Edit - Add rule actions to rules for an email connector","value":{"action":"edit","edit":[{"type":"add_rule_actions","value":{"actions":[{"group":"default3","id":"20fbf986-a270-460e-80f3-7b83c08b430f","params":{"message":"The message body","subject":"Subject","to":"address@domain.com"}}]}}],"ids":["9e946bfc-3118-4c77-bb25-67d781191921"]}},"example25":{"description":"The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID.","summary":"Edit - Add rule actions to rules for a slack connector","value":{"action":"edit","edit":[{"type":"add_rule_actions","value":{"actions":[{"group":"default3","id":"20fbf986-a270-460e-80f3-7b83c08b430f","params":{"message":"The content of the message"}}]}}],"ids":["9e946bfc-3118-4c77-bb25-67d781191921"]}},"example26":{"description":"The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID.","summary":"Edit - Add rule actions to rules for a PagerDuty connector","value":{"action":"edit","edit":[{"type":"add_rule_actions","value":{"actions":[{"group":"default3","id":"20fbf986-a270-460e-80f3-7b83c08b430f","params":{"eventAction":"trigger","severity":"critical","summary":"The message body","timestamp":"2023-10-31T00:00:00.000Z"}}]}}],"ids":["9e946bfc-3118-4c77-bb25-67d781191921"]}},"example27":{"description":"The following request set alert suppression to the rules with the specified IDs.","summary":"Edit - Set alert suppression to rules (idempotent)","value":{"action":"edit","edit":[{"type":"set_alert_suppression","value":{"duration":{"unit":"h","value":1},"group_by":["source.ip"],"missing_fields_strategy":"suppress"}}],"ids":["12345678-1234-1234-1234-1234567890ab","87654321-4321-4321-4321-0987654321ba"]}},"example28":{"description":"The following request set alert suppression to threshold rules with the specified IDs.","summary":"Edit - Set alert suppression to threshold rules (idempotent)","value":{"action":"edit","edit":[{"type":"set_alert_suppression_for_threshold","value":{"duration":{"unit":"h","value":1}}}],"ids":["12345678-1234-1234-1234-1234567890ab","87654321-4321-4321-4321-0987654321ba"]}},"example29":{"description":"The following request removes alert suppression from the rules with the specified IDs. If the rules do not have alert suppression, no changes are made.","summary":"Edit - Removes alert suppression from rules (idempotent)","value":{"action":"edit","edit":[{"type":"delete_alert_suppression"}],"ids":["12345678-1234-1234-1234-1234567890ab","87654321-4321-4321-4321-0987654321ba"]}},"example30":{"description":"The following request triggers the filling of gaps for the specified rule ids and time range","summary":"Fill Gaps - Manually trigger the filling of gaps for specified rules","value":{"action":"fill_gaps","ids":["748694f0-6977-4ea5-8384-cd2e39730779","164d0918-f720-4c9f-9f5c-c5122587cf19"],"run":{"end_date":"2025-03-10T23:59:59.999Z","start_date":"2025-03-01T00:00:00.000Z"}}}},"schema":{"oneOf":[{"$ref":"#/components/schemas/Security_Detections_API_BulkDeleteRules"},{"$ref":"#/components/schemas/Security_Detections_API_BulkDisableRules"},{"$ref":"#/components/schemas/Security_Detections_API_BulkEnableRules"},{"$ref":"#/components/schemas/Security_Detections_API_BulkExportRules"},{"$ref":"#/components/schemas/Security_Detections_API_BulkDuplicateRules"},{"$ref":"#/components/schemas/Security_Detections_API_BulkManualRuleRun"},{"$ref":"#/components/schemas/Security_Detections_API_BulkManualRuleFillGaps"},{"$ref":"#/components/schemas/Security_Detections_API_BulkEditRules"}]}}}},"responses":{"200":{"content":{"application/json":{"examples":{"example01":{"description":"In this response one rule was updated and one was skipped. Objects returned in attributes.results.skipped will only include rules' id, name, and skip_reason.","summary":"Successful response","value":{"attributes":{"results":{"created":[],"deleted":[],"skipped":[{"id":"51658332-a15e-4c9e-912a-67214e2e2359","name":"Skipped rule","skip_reason":"RULE_NOT_MODIFIED"}],"updated":[{"anomaly_threshold":50,"author":["Elastic"],"created_at":"2022-02-21T14:14:13.801Z","created_by":"elastic","description":"A machine learning job detected unusually large numbers of DNS queries for a single top-level DNS domain, which is often used for DNS tunneling. DNS tunneling can be used for command-and-control, persistence, or data exfiltration activity. For example, dnscat tends to generate many DNS questions for a top-level domain as it uses the DNS protocol to tunnel data.","enabled":true,"exceptions_list":[],"execution_summary":{"last_execution":{"date":"2022-03-23T16:06:12.787Z","message":"This rule attempted to query data from Elasticsearch indices listed in the \"Index pattern\" section of the rule definition, but no matching index was found.","metrics":{"execution_gap_duration_s":0,"total_indexing_duration_ms":15,"total_search_duration_ms":135},"status":"partial failure","status_order":20}},"false_positives":["DNS domains that use large numbers of child domains, such as software or content distribution networks, can trigger this alert and such parent domains can be excluded."],"from":"now-45m","id":"8bc7dad0-9320-11ec-9265-8b772383a08d","immutable":false,"interval":"15m","license":"Elastic License v2","machine_learning_job_id":["packetbeat_dns_tunneling"],"max_signals":100,"name":"DNS Tunneling [Duplicate]","references":["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"],"related_integrations":[],"required_fields":[],"risk_score":21,"risk_score_mapping":[],"rule_id":"7289bf08-4e91-4c70-bf01-e04c4c5d7756","setup":"","severity":"low","severity_mapping":[],"tags":["Elastic","Network","Threat Detection","ML"],"threat":[],"to":"now","type":"machine_learning","updated_at":"2022-02-21T17:05:50.883Z","updated_by":"elastic","version":6}]},"summary":{"failed":0,"skipped":1,"succeeded":1,"total":2}},"rules_count":1,"success":true}},"example02":{"description":"If processing of any rule fails, a partial error outputs the ID and/or name of the affected rule and the corresponding error, as well as successfully processed rules (in the same format as a successful 200 request).","summary":"Partial failure","value":{"value":{"attributes":{"errors":[{"message":"Index patterns can't be added. Machine learning rule doesn't have index patterns property","rules":[{"id":"8bc7dad0-9320-11ec-9265-8b772383a08d","name":"DNS Tunneling [Duplicate]"}],"status_code":500}],"results":{"created":[],"deleted":[],"skipped":[],"updated":[{"actions":[],"author":["Elastic"],"created_at":"2022-02-21T14:14:17.883Z","created_by":"elastic","description":"Generates a detection alert for each external alert written to the configured indices. Enabling this rule allows you to immediately begin investigating external alerts in the app.","enabled":true,"exceptions_list":[],"execution_summary":{"last_execution":{"date":"2022-03-23T16:06:12.787Z","message":"This rule attempted to query data from Elasticsearch indices listed in the \"Index pattern\" section of the rule definition, but no matching index was found.","metrics":{"execution_gap_duration_s":0,"total_indexing_duration_ms":15,"total_search_duration_ms":135},"status":"partial failure","status_order":20}},"false_positives":[],"from":"now-6m","id":"8e5c1a40-9320-11ec-9265-8b772383a08d","immutable":false,"index":["apm-*-transaction*","traces-apm*","auditbeat-*","filebeat-*","logs-*","packetbeat-*","winlogbeat-*","added-by-id-*"],"interval":"5m","language":"kuery","license":"Elastic License v2","max_signals":10000,"name":"External Alerts [Duplicate]","query":"event.kind:alert and not event.module:(endgame or endpoint)\n","references":[],"related_integrations":[],"required_fields":[],"risk_score":47,"risk_score_mapping":[{"field":"event.risk_score","operator":"equals","value":""}],"rule_id":"941faf98-0cdc-4569-b16d-4af962914d61","rule_name_override":"message","setup":"","severity":"medium","severity_mapping":[{"field":"event.severity","operator":"equals","severity":"low","value":"21"},{"field":"event.severity","operator":"equals","severity":"medium","value":"47"},{"field":"event.severity","operator":"equals","severity":"high","value":"73"},{"field":"event.severity","operator":"equals","severity":"critical","value":"99"}],"tags":["Elastic","Network","Windows","APM","macOS","Linux"],"threat":[],"timestamp_override":"event.ingested","to":"now","type":"query","updated_at":"2022-02-21T16:56:22.818Z","updated_by":"elastic","version":5}]},"summary":{"failed":1,"skipped":0,"succeeded":1,"total":2}},"message":"Bulk edit partially failed","rules_count":2,"status_code":500,"success":false}}},"example03":{"description":"The attributes.errors section of the response shows that two rules failed to update and one succeeded. The same results would be returned if you ran the request without dry run mode enabled. Notice that there are no arrays in attributes.results. In dry run mode, rule updates are not applied and saved to Elasticsearch, so the endpoint wouldn’t return results for rules that have been updated, created, or deleted.","summary":"Dry run","value":{"attributes":{"errors":[{"err_code":"IMMUTABLE","message":"Elastic rule can't be edited","rules":[{"id":"81aa0480-06af-11ed-94fb-dd1a0597d8d2","name":"Unusual AWS Command for a User"}],"status_code":500},{"err_code":"MACHINE_LEARNING_INDEX_PATTERN","message":"Machine learning rule doesn't have index patterns","rules":[{"id":"dc015d10-0831-11ed-ac8b-05a222bd8d4a","name":"Suspicious Powershell Script [Duplicate]"}],"status_code":500}],"results":{"created":[],"deleted":[],"skipped":[],"updated":[]},"summary":{"failed":2,"skipped":0,"succeeded":1,"total":3}},"message":"Bulk edit partially failed","status_code":500}},"example04":{"description":"This example presents the successful setting of tags for 2 rules. There was a difference between the set of tags that were being added and the tags that were already set in the rules, that's why the rules were updated.","summary":"Set tags successsully for 2 rules","value":{"attributes":{"results":{"created":[],"deleted":[],"skipped":[],"updated":[{"actions":[],"author":[],"created_at":"2025-03-25T11:46:41.899Z","created_by":"elastic","description":"test","enabled":false,"exceptions_list":[],"false_positives":[],"filters":[],"from":"now-6m","id":"738112cd-6cfa-414a-8457-2a658845d6ba","immutable":false,"index":["apm-*-transaction*","auditbeat-*","endgame-*","filebeat-*","logs-*","packetbeat-*","traces-apm*","winlogbeat-*","-*elastic-cloud-logs-*"],"interval":"5m","language":"kuery","license":"","max_signals":100,"meta":{"kibana_siem_app_url":"http://localhost:5601/kbn/app/security"},"name":"Rule 1","output_index":"","query":"*","references":[],"related_integrations":[],"required_fields":[],"revision":1,"risk_score":21,"risk_score_mapping":[],"rule_id":"6fb746a0-dfe5-40fa-b03f-5cbb84f3e32e","rule_source":{"type":"internal"},"setup":"","severity":"low","severity_mapping":[],"tags":["tag-1","tag-2"],"threat":[],"to":"now","type":"query","updated_at":"2025-03-25T11:47:11.350Z","updated_by":"elastic","version":2},{"actions":[{"action_type_id":".webhook","frequency":{"notifyWhen":"onActiveAlert","summary":true,"throttle":null},"group":"default","id":"20fbf986-a270-460e-80f3-7b83c08b430f","params":{"body":"Hello"},"uuid":"580e2e16-5e91-411c-999b-7b75a11ed441"}],"author":[],"created_at":"2025-03-25T09:49:08.343Z","created_by":"elastic","description":"test","enabled":false,"exceptions_list":[],"false_positives":[],"filters":[],"from":"now-360s","id":"eacdfc95-e007-41c9-986e-4b2cbdfdc71b","immutable":false,"index":["apm-*-transaction*","auditbeat-*","endgame-*","filebeat-*","logs-*","packetbeat-*","traces-apm*","winlogbeat-*","-*elastic-cloud-logs-*"],"interval":"3m","investigation_fields":{"field_names":["alert.status","Endpoint.policy.applied.artifacts.global.channel"]},"language":"kuery","license":"","max_signals":100,"meta":{"from":"3m","kibana_siem_app_url":"http://localhost:5601/kbn/app/security"},"name":"Rule 2","output_index":"","query":"*","references":[],"related_integrations":[],"required_fields":[],"revision":33,"risk_score":21,"risk_score_mapping":[],"rule_id":"43250a55-53a3-4ddd-96cb-82a1bd720180","rule_source":{"type":"internal"},"setup":"","severity":"low","severity_mapping":[],"tags":["tag-1","tag-2"],"threat":[],"timeline_id":"3e827bab-838a-469f-bd1e-5e19a2bff2fd","timeline_title":"Alerts Involving a Single User Timeline","to":"now","type":"query","updated_at":"2025-03-25T11:47:11.357Z","updated_by":"elastic","version":24}]},"summary":{"failed":0,"skipped":0,"succeeded":2,"total":2}},"rules_count":2,"success":true}},"example05":{"description":"This example presents the idempotent behavior of the edit action with set_tags request. Both rules already had exactly the same tags that were being added, so no changes were made in any of them.","summary":"Idempotent behavior of set_tags","value":{"attributes":{"results":{"created":[],"deleted":[],"skipped":[{"id":"eacdfc95-e007-41c9-986e-4b2cbdfdc71b","name":"Rule 1","skip_reason":"RULE_NOT_MODIFIED"},{"id":"738112cd-6cfa-414a-8457-2a658845d6ba","name":"Rule 2","skip_reason":"RULE_NOT_MODIFIED"}],"updated":[]},"summary":{"failed":0,"skipped":2,"succeeded":0,"total":2}},"rules_count":2,"success":true}},"example06":{"description":"This example presents the idempotent behavior of the edit action with add_tags request. One rule was updated and one was skipped. The rule that was skipped already had all the tags that were being added.","summary":"Idempotent behavior of add_tags","value":{"attributes":{"results":{"created":[],"deleted":[],"skipped":[{"id":"738112cd-6cfa-414a-8457-2a658845d6ba","name":"Test Rule 2","skip_reason":"RULE_NOT_MODIFIED"}],"updated":[{"actions":[{"action_type_id":".webhook","frequency":{"notifyWhen":"onActiveAlert","summary":true,"throttle":null},"group":"default","id":"20fbf986-a270-460e-80f3-7b83c08b430f","params":{"body":"Hello"},"uuid":"580e2e16-5e91-411c-999b-7b75a11ed441"}],"author":[],"created_at":"2025-03-25T09:49:08.343Z","created_by":"elastic","description":"test","enabled":false,"exceptions_list":[],"false_positives":[],"filters":[],"from":"now-360s","id":"eacdfc95-e007-41c9-986e-4b2cbdfdc71b","immutable":false,"index":["apm-*-transaction*","auditbeat-*","endgame-*","filebeat-*","logs-*","packetbeat-*","traces-apm*","winlogbeat-*","-*elastic-cloud-logs-*"],"interval":"3m","investigation_fields":{"field_names":["alert.status","Endpoint.policy.applied.artifacts.global.channel"]},"language":"kuery","license":"","max_signals":100,"meta":{"from":"3m","kibana_siem_app_url":"http://localhost:5601/kbn/app/security"},"name":"Test rule","output_index":"","query":"*","references":[],"related_integrations":[],"required_fields":[],"revision":34,"risk_score":21,"risk_score_mapping":[],"rule_id":"43250a55-53a3-4ddd-96cb-82a1bd720180","rule_source":{"type":"internal"},"setup":"","severity":"low","severity_mapping":[],"tags":["tag-1","tag-2","tag-4"],"threat":[],"timeline_id":"3e827bab-838a-469f-bd1e-5e19a2bff2fd","timeline_title":"Alerts Involving a Single User Timeline","to":"now","type":"query","updated_at":"2025-03-25T11:55:12.752Z","updated_by":"elastic","version":25}]},"summary":{"failed":0,"skipped":1,"succeeded":1,"total":2}},"rules_count":2,"success":true}},"example07":{"description":"This example shows a non-idempotent nature of the set_rule_actions requests. Regardless if the actions are the same as the existing actions for a rule, the actions are always set in the rule and receive a new unique ID.","summary":"Non-idempotent behavior for set_rule_actions","value":{"attributes":{"results":{"created":[],"deleted":[],"skipped":[],"updated":[{"actions":[{"action_type_id":".webhook","frequency":{"notifyWhen":"onActiveAlert","summary":true,"throttle":null},"group":"default","id":"20fbf986-a270-460e-80f3-7b83c08b430f","params":{"body":"Hello"},"uuid":"e48428e5-efac-4856-b8ad-b271c14eaa91"}],"author":[],"created_at":"2025-03-25T09:49:08.343Z","created_by":"elastic","description":"test","enabled":false,"exceptions_list":[],"false_positives":[],"filters":[],"from":"now-360s","id":"eacdfc95-e007-41c9-986e-4b2cbdfdc71b","immutable":false,"index":["apm-*-transaction*","auditbeat-*","endgame-*","filebeat-*","logs-*","packetbeat-*","traces-apm*","winlogbeat-*","-*elastic-cloud-logs-*"],"interval":"3m","investigation_fields":{"field_names":["alert.status","Endpoint.policy.applied.artifacts.global.channel"]},"language":"kuery","license":"","max_signals":100,"meta":{"from":"3m","kibana_siem_app_url":"http://localhost:5601/kbn/app/security"},"name":"Test rule","output_index":"","query":"*","references":[],"related_integrations":[],"required_fields":[],"revision":39,"risk_score":21,"risk_score_mapping":[],"rule_id":"43250a55-53a3-4ddd-96cb-82a1bd720180","rule_source":{"type":"internal"},"setup":"","severity":"low","severity_mapping":[],"tags":["tag-1","tag-2","tag-4"],"threat":[],"timeline_id":"3e827bab-838a-469f-bd1e-5e19a2bff2fd","timeline_title":"Alerts Involving a Single User Timeline","to":"now","type":"query","updated_at":"2025-03-25T12:17:40.528Z","updated_by":"elastic","version":30}]},"summary":{"failed":0,"skipped":0,"succeeded":1,"total":1}},"rules_count":1,"success":true}},"example08":{"description":"This example shows a non-idempotent nature of the add_rule_actions requests. Regardless if the added action is the same as another existing action for a rule, the new action is added to the rule and receives a new unique ID.","summary":"Non-idempotent behavior for add_rule_actions","value":{"attributes":{"results":{"created":[],"deleted":[],"skipped":[],"updated":[{"actions":[{"action_type_id":".webhook","frequency":{"notifyWhen":"onActiveAlert","summary":true,"throttle":null},"group":"default","id":"76af173d-38d8-4a9a-b2cc-a3c695b845b4","params":{"body":"Message body"},"uuid":"0309347e-3954-429c-9168-5da2663389af"},{"action_type_id":".webhook","frequency":{"notifyWhen":"onActiveAlert","summary":true,"throttle":null},"group":"default","id":"76af173d-38d8-4a9a-b2cc-a3c695b845b4","params":{"body":"Message body"},"uuid":"49ddaa94-d63d-410e-90dc-8c1bad9552bd"}],"author":[],"created_at":"2025-04-02T12:42:03.400Z","created_by":"elastic","description":"test","enabled":false,"exceptions_list":[],"false_positives":[],"filters":[],"from":"now-6m","id":"0d3eb0cd-88c4-4651-ac87-6d9f0cb87217","immutable":false,"index":["apm-*-transaction*","auditbeat-*","endgame-*","filebeat-*","logs-*","packetbeat-*","traces-apm*","winlogbeat-*","-*elastic-cloud-logs-*"],"interval":"5m","language":"kuery","license":"","max_signals":100,"meta":{"kibana_siem_app_url":"http://localhost:5601/kbn/app/security"},"name":"Jacek test rule","output_index":"","query":"*","references":[],"related_integrations":[],"required_fields":[],"revision":2,"risk_score":21,"risk_score_mapping":[],"rule_id":"2684c020-1370-4719-ac27-eafe6428fe10","rule_source":{"type":"internal"},"setup":"","severity":"low","severity_mapping":[],"tags":[],"threat":[],"to":"now","type":"query","updated_at":"2025-04-02T12:51:40.215Z","updated_by":"elastic","version":2}]},"summary":{"failed":0,"skipped":0,"succeeded":1,"total":1}},"rules_count":1,"success":true}}},"schema":{"oneOf":[{"$ref":"#/components/schemas/Security_Detections_API_BulkEditActionResponse"},{"$ref":"#/components/schemas/Security_Detections_API_BulkExportActionResponse"}]}}},"description":"OK"}},"summary":"Apply a bulk action to detection rules","tags":["Security Detections API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/detection_engine/rules/_export":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/detection_engine/rules/_export\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nExport detection rules to an `.ndjson` file. The following configuration items are also included in the `.ndjson` file:\n- Actions\n- Exception lists\n\u003e info\n\u003e Rule actions and connectors are included in the exported file, but sensitive information about the connector (such as authentication credentials) is not included. You must re-add missing connector details after importing detection rules.\n\n\u003e You can use Kibana’s [Saved Objects](https://www.elastic.co/guide/en/kibana/current/managing-saved-objects.html) UI (Stack Management → Kibana → Saved Objects) or the Saved Objects APIs (experimental) to [export](https://www.elastic.co/docs/api/doc/kibana/operation/operation-exportsavedobjectsdefault) and [import](https://www.elastic.co/docs/api/doc/kibana/operation/operation-importsavedobjectsdefault) any necessary connectors before importing detection rules.\n\n\u003e Similarly, any value lists used for rule exceptions are not included in rule exports or imports. Use the [Manage value lists](https://www.elastic.co/guide/en/security/current/value-lists-exceptions.html#manage-value-lists) UI (Rules → Detection rules (SIEM) → Manage value lists) to export and import value lists separately.\n","operationId":"ExportRules","parameters":[{"description":"Determines whether a summary of the exported rules is returned.","in":"query","name":"exclude_export_details","required":false,"schema":{"default":false,"type":"boolean"}},{"description":"File name for saving the exported rules.\n\u003e info\n\u003e When using cURL to export rules to a file, use the -O and -J options to save the rules to the file name specified in the URL.\n","in":"query","name":"file_name","required":false,"schema":{"default":"export.ndjson","type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"nullable":true,"type":"object","properties":{"objects":{"description":"Array of objects with a rule's `rule_id` field. Do not use rule's `id` here. Exports all rules when unspecified.","items":{"type":"object","properties":{"rule_id":{"$ref":"#/components/schemas/Security_Detections_API_RuleSignatureId"}},"required":["rule_id"]},"type":"array"}},"required":["objects"]}}},"required":false},"responses":{"200":{"content":{"application/ndjson":{"schema":{"description":"An `.ndjson` file containing the returned rules.\n\nEach line in the file represents an object (a rule, exception list parent container, or exception list item), and the last line includes a summary of what was exported.\n","format":"binary","type":"string"}}},"description":"Indicates a successful call."}},"summary":"Export detection rules","tags":["Security Detections API"],"x-codeSamples":[{"lang":"cURL","source":"curl -X POST \"localhost:5601/api/detection_engine/rules/_export?exclude_export_details=true\u0026file_name=exported_rules.ndjson\" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'\n{\n  \"objects\": [\n    {\n      \"rule_id\":\"343580b5-c811-447c-8d2d-2ccf052c6900\"\n    },\n    {\n      \"rule_id\":\"2938c9fa-53eb-4c04-b79c-33cbf041b18d\"\n    }\n  ]\n}\n"}],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/detection_engine/rules/_find":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/detection_engine/rules/_find\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nRetrieve a paginated list of detection rules. By default, the first page is returned, with 20 results per page.","operationId":"FindRules","parameters":[{"in":"query","name":"fields","required":false,"schema":{"items":{"type":"string"},"type":"array"}},{"description":"Search query\n\nFilters the returned results according to the value of the specified field, using the alert.attributes.\u003cfield name\u003e:\u003cfield value\u003e syntax, where \u003cfield name\u003e can be:\n- name\n- enabled\n- tags\n- createdBy\n- interval\n- updatedBy\n\u003e info\n\u003e Even though the JSON rule object uses created_by and updated_by fields, you must use createdBy and updatedBy fields in the filter.\n","in":"query","name":"filter","required":false,"schema":{"type":"string"}},{"description":"Field to sort by","in":"query","name":"sort_field","required":false,"schema":{"$ref":"#/components/schemas/Security_Detections_API_FindRulesSortField"}},{"description":"Sort order","in":"query","name":"sort_order","required":false,"schema":{"$ref":"#/components/schemas/Security_Detections_API_SortOrder"}},{"description":"Page number","in":"query","name":"page","required":false,"schema":{"default":1,"minimum":1,"type":"integer"}},{"description":"Rules per page","in":"query","name":"per_page","required":false,"schema":{"default":20,"minimum":0,"type":"integer"}},{"description":"Gaps range start","in":"query","name":"gaps_range_start","required":false,"schema":{"type":"string"}},{"description":"Gaps range end","in":"query","name":"gaps_range_end","required":false,"schema":{"type":"string"}},{"description":"Gap fill statuses","in":"query","name":"gap_fill_statuses","required":false,"schema":{"items":{"$ref":"#/components/schemas/Security_Detections_API_GapFillStatus"},"type":"array"}}],"responses":{"200":{"content":{"application/json":{"examples":{"example1":{"value":{"data":[{"created_at":"2020-02-02T10:05:19.613Z","created_by":"elastic","description":"Identifies a PowerShell process launched by either cscript.exe or wscript.exe. Observing Windows scripting processes executing a PowerShell script, may be indicative of malicious activity.","enabled":false,"execution_summary":{"last_execution":{"date":"2022-03-23T16:06:12.787Z","message":"This rule attempted to query data from Elasticsearch indices listed in the \"Index pattern\" section of the rule definition, but no matching index was found.","metrics":{"execution_gap_duration_s":0,"total_indexing_duration_ms":15,"total_search_duration_ms":135},"status":"partial failure","status_order":20}},"false_positives":[],"from":"now-6m","id":"89761517-fdb0-4223-b67b-7621acc48f9e","immutable":true,"index":["winlogbeat-*"],"interval":"5m","language":"kuery","max_signals":33,"name":"Windows Script Executing PowerShell","query":"event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:(\"wscript.exe\" or \"cscript.exe\") and process.name:\"powershell.exe\"","references":[],"related_integrations":[{"package":"o365","version":"^2.3.2"}],"required_fields":[{"ecs":true,"name":"event.action","type":"keyword"},{"ecs":true,"name":"process.name","type":"keyword"},{"ecs":true,"name":"process.parent.name","type":"keyword"}],"risk_score":21,"rule_id":"f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc","setup":"","severity":"low","tags":["Elastic","Windows"],"threat":[{"framework":"MITRE ATT\u0026CK","tactic":{"id":"TA0002","name":"Execution","reference":"https://attack.mitre.org/tactics/TA0002/"},"technique":[{"id":"T1193","name":"Spearphishing Attachment","reference":"https://attack.mitre.org/techniques/T1193/"}]}],"to":"now","type":"query","updated_at":"2020-02-02T10:05:19.830Z","updated_by":"elastic"}],"page":1,"perPage":5,"total":4}}},"schema":{"type":"object","properties":{"data":{"items":{"$ref":"#/components/schemas/Security_Detections_API_RuleResponse"},"type":"array"},"page":{"type":"integer"},"perPage":{"type":"integer"},"total":{"type":"integer"},"warnings":{"items":{"$ref":"#/components/schemas/Security_Detections_API_WarningSchema"},"type":"array"}},"required":["page","perPage","total","data"]}}},"description":"Successful response\n\u003e info\n\u003e These fields are under development and their usage or schema may change: execution_summary.\n"}},"summary":"List all detection rules","tags":["Security Detections API"],"x-codeSamples":[{"lang":"cURL","source":"curl -X GET \"localhost:5601/api/detection_engine/rules/_find?page=1\u0026per_page=5\u0026sort_field=enabled\u0026sort_order=asc\u0026filter=alert.attributes.name:windows\" -H 'kbn-xsrf: true'\n"}],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/detection_engine/rules/_import":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/detection_engine/rules/_import\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nImport detection rules from an `.ndjson` file, including actions and exception lists. The request must include:\n- The `Content-Type: multipart/form-data` HTTP header.\n- A link to the `.ndjson` file containing the rules.\n\u003e warn\n\u003e When used with [API key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running.\n\n\u003e If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change.\n\u003e info\n\u003e To import rules with actions, you need at least Read privileges for the Action and Connectors feature. To overwrite or add new connectors, you need All privileges for the Actions and Connectors feature. To import rules without actions, you don’t need Actions and Connectors privileges. Refer to [Enable and access detections](https://www.elastic.co/guide/en/security/current/detections-permissions-section.html#enable-detections-ui) for more information.\n\n\u003e info\n\u003e Rule actions and connectors are included in the exported file, but sensitive information about the connector (such as authentication credentials) is not included. You must re-add missing connector details after importing detection rules.\n\n\u003e You can use Kibana’s [Saved Objects](https://www.elastic.co/guide/en/kibana/current/managing-saved-objects.html) UI (Stack Management → Kibana → Saved Objects) or the Saved Objects APIs (experimental) to [export](https://www.elastic.co/docs/api/doc/kibana/operation/operation-exportsavedobjectsdefault) and [import](https://www.elastic.co/docs/api/doc/kibana/operation/operation-importsavedobjectsdefault) any necessary connectors before importing detection rules.\n\n\u003e Similarly, any value lists used for rule exceptions are not included in rule exports or imports. Use the [Manage value lists](https://www.elastic.co/guide/en/security/current/value-lists-exceptions.html#manage-value-lists) UI (Rules → Detection rules (SIEM) → Manage value lists) to export and import value lists separately.\n","operationId":"ImportRules","parameters":[{"description":"Determines whether existing rules with the same `rule_id` are overwritten.","in":"query","name":"overwrite","required":false,"schema":{"default":false,"type":"boolean"}},{"description":"Determines whether existing exception lists with the same `list_id` are overwritten. Both the exception list container and its items are overwritten.","in":"query","name":"overwrite_exceptions","required":false,"schema":{"default":false,"type":"boolean"}},{"description":"Determines whether existing actions with the same `kibana.alert.rule.actions.id` are overwritten.","in":"query","name":"overwrite_action_connectors","required":false,"schema":{"default":false,"type":"boolean"}},{"description":"Generates a new list ID for each imported exception list.","in":"query","name":"as_new_list","required":false,"schema":{"default":false,"type":"boolean"}}],"requestBody":{"content":{"multipart/form-data":{"schema":{"type":"object","properties":{"file":{"description":"The `.ndjson` file containing the rules.","format":"binary","type":"string"}}}}},"required":true},"responses":{"200":{"content":{"application/json":{"examples":{"example1":{"summary":"Import rules with success","value":{"errors":[],"exceptions_errors":[],"exceptions_success":true,"exceptions_success_count":0,"rules_count":1,"success":true,"success_count":1}}},"schema":{"additionalProperties":false,"type":"object","properties":{"action_connectors_errors":{"items":{"$ref":"#/components/schemas/Security_Detections_API_ErrorSchema"},"type":"array"},"action_connectors_success":{"type":"boolean"},"action_connectors_success_count":{"minimum":0,"type":"integer"},"action_connectors_warnings":{"items":{"$ref":"#/components/schemas/Security_Detections_API_WarningSchema"},"type":"array"},"errors":{"items":{"$ref":"#/components/schemas/Security_Detections_API_ErrorSchema"},"type":"array"},"exceptions_errors":{"items":{"$ref":"#/components/schemas/Security_Detections_API_ErrorSchema"},"type":"array"},"exceptions_success":{"type":"boolean"},"exceptions_success_count":{"minimum":0,"type":"integer"},"rules_count":{"minimum":0,"type":"integer"},"success":{"type":"boolean"},"success_count":{"minimum":0,"type":"integer"}},"required":["exceptions_success","exceptions_success_count","exceptions_errors","rules_count","success","success_count","errors","action_connectors_errors","action_connectors_warnings","action_connectors_success","action_connectors_success_count"]}}},"description":"Indicates a successful call."}},"summary":"Import detection rules","tags":["Security Detections API"],"x-codeSamples":[{"lang":"cURL","source":"curl -X POST \"\u003cKibanaURL\u003e/api/detection_engine/rules/_import\"\n-u \u003cusername\u003e:\u003cpassword\u003e -H 'kbn-xsrf: true'\n-H 'Content-Type: multipart/form-data'\n--form \"file=@\u003clink to file\u003e\"\n"}],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/detection_engine/rules/{id}/exceptions":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/detection_engine/rules/{id}/exceptions\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nCreate exception items that apply to a single detection rule.","operationId":"CreateRuleExceptionListItems","parameters":[{"description":"Detection rule's identifier","examples":{"id":{"value":"330bdd28-eedf-40e1-bed0-f10176c7f9e0"}},"in":"path","name":"id","required":true,"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_UUID"}}],"requestBody":{"content":{"application/json":{"schema":{"example":{"items":[{"description":"This is a sample detection type exception item.","entries":[{"field":"actingProcess.file.signer","operator":"excluded","type":"exists"},{"field":"host.name","operator":"included","type":"match_any","value":["saturn","jupiter"]}],"item_id":"simple_list_item","list_id":"simple_list","name":"Sample Exception List Item","namespace_type":"single","os_types":["linux"],"tags":["malware"],"type":"simple"}]},"type":"object","properties":{"items":{"items":{"$ref":"#/components/schemas/Security_Exceptions_API_CreateRuleExceptionListItemProps"},"type":"array"}},"required":["items"]}}},"description":"Rule exception items.","required":true},"responses":{"200":{"content":{"application/json":{"examples":{"ruleExceptionItems":{"value":[{"_version":"WzQsMV0=","comments":[],"created_at":"2025-01-07T20:07:33.119Z","created_by":"elastic","description":"This is a sample detection type exception item.","entries":[{"field":"actingProcess.file.signer","operator":"excluded","type":"exists"},{"field":"host.name","operator":"included","type":"match_any","value":["saturn","jupiter"]}],"id":"71a9f4b2-c85c-49b4-866f-c71eb9e67da2","item_id":"simple_list_item","list_id":"simple_list","name":"Sample Exception List Item","namespace_type":"single","os_types":["linux"],"tags":["malware"],"tie_breaker_id":"09434836-9db9-4942-a234-5a9268e0b34c","type":"simple","updated_at":"2025-01-07T20:07:33.119Z","updated_by":"elastic"}]}},"schema":{"items":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListItem"},"type":"array"}}},"description":"Successful response"},"400":{"content":{"application/json":{"examples":{"badPayload":{"value":{"error":"Bad Request","message":"Invalid request payload JSON format","statusCode":400}},"badRequest":{"value":{"error":"Bad Request","message":"[request params]: id: Invalid uuid","statusCode":400}}},"schema":{"oneOf":[{"$ref":"#/components/schemas/Security_Exceptions_API_PlatformErrorResponse"},{"$ref":"#/components/schemas/Security_Exceptions_API_SiemErrorResponse"}]}}},"description":"Invalid input data response"},"401":{"content":{"application/json":{"examples":{"unauthorized":{"value":{"error":"Unauthorized","message":"[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]","statusCode":401}}},"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication response"},"403":{"content":{"application/json":{"examples":{"forbidden":{"value":{"message":"Unable to create exception-list","status_code":403}}},"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_PlatformErrorResponse"}}},"description":"Not enough privileges response"},"500":{"content":{"application/json":{"examples":{"serverError":{"value":{"message":"Internal Server Error","status_code":500}}},"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_SiemErrorResponse"}}},"description":"Internal server error response"}},"summary":"Create rule exception items","tags":["Security Exceptions API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/detection_engine/rules/prepackaged":{"put":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb put\"\u003eput\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/detection_engine/rules/prepackaged\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nInstall and update all Elastic prebuilt detection rules and Timelines.\n\nThis endpoint allows you to install and update prebuilt detection rules and Timelines provided by Elastic. \nWhen you call this endpoint, it will:\n- Install any new prebuilt detection rules that are not currently installed in your system.\n- Update any existing prebuilt detection rules that have been modified or improved by Elastic.\n- Install any new prebuilt Timelines that are not currently installed in your system.\n- Update any existing prebuilt Timelines that have been modified or improved by Elastic.\n\nThis ensures that your detection engine is always up-to-date with the latest rules and Timelines, \nproviding you with the most current and effective threat detection capabilities.\n","operationId":"InstallPrebuiltRulesAndTimelines","responses":{"200":{"content":{"application/json":{"examples":{"example1":{"value":{"rules_installed":112,"rules_updated":0,"timelines_installed":5,"timelines_updated":2}}},"schema":{"additionalProperties":false,"type":"object","properties":{"rules_installed":{"description":"The number of rules installed","minimum":0,"type":"integer"},"rules_updated":{"description":"The number of rules updated","minimum":0,"type":"integer"},"timelines_installed":{"description":"The number of timelines installed","minimum":0,"type":"integer"},"timelines_updated":{"description":"The number of timelines updated","minimum":0,"type":"integer"}},"required":["rules_installed","rules_updated","timelines_installed","timelines_updated"]}}},"description":"Indicates a successful call"}},"summary":"Install prebuilt detection rules and Timelines","tags":["Security Detections API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/detection_engine/rules/prepackaged/_status":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/detection_engine/rules/prepackaged/_status\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nRetrieve the status of all Elastic prebuilt detection rules and Timelines. \n\nThis endpoint provides detailed information about the number of custom rules, installed prebuilt rules, available prebuilt rules that are not installed, outdated prebuilt rules, installed prebuilt timelines, available prebuilt timelines that are not installed, and outdated prebuilt timelines.\n","operationId":"ReadPrebuiltRulesAndTimelinesStatus","responses":{"200":{"content":{"application/json":{"examples":{"example1":{"value":{"rules_custom_installed":0,"rules_installed":0,"rules_not_installed":112,"rules_not_updated":0,"timelines_installed":0,"timelines_not_installed":0,"timelines_not_updated":0}}},"schema":{"additionalProperties":false,"type":"object","properties":{"rules_custom_installed":{"description":"The total number of custom rules","minimum":0,"type":"integer"},"rules_installed":{"description":"The total number of installed prebuilt rules","minimum":0,"type":"integer"},"rules_not_installed":{"description":"The total number of available prebuilt rules that are not installed","minimum":0,"type":"integer"},"rules_not_updated":{"description":"The total number of outdated prebuilt rules","minimum":0,"type":"integer"},"timelines_installed":{"description":"The total number of installed prebuilt timelines","minimum":0,"type":"integer"},"timelines_not_installed":{"description":"The total number of available prebuilt timelines that are not installed","minimum":0,"type":"integer"},"timelines_not_updated":{"description":"The total number of outdated prebuilt timelines","minimum":0,"type":"integer"}},"required":["rules_custom_installed","rules_installed","rules_not_installed","rules_not_updated","timelines_installed","timelines_not_installed","timelines_not_updated"]}}},"description":"Indicates a successful call"}},"summary":"Retrieve the status of prebuilt detection rules and Timelines","tags":["Security Detections API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/detection_engine/rules/preview":{"post":{"operationId":"RulePreview","parameters":[{"description":"Enables logging and returning in response ES queries, performed during rule execution","in":"query","name":"enable_logged_requests","required":false,"schema":{"type":"boolean"}}],"requestBody":{"content":{"application/json":{"schema":{"anyOf":[{"allOf":[{"$ref":"#/components/schemas/Security_Detections_API_EqlRuleCreateProps"},{"$ref":"#/components/schemas/Security_Detections_API_RulePreviewParams"}]},{"allOf":[{"$ref":"#/components/schemas/Security_Detections_API_QueryRuleCreateProps"},{"$ref":"#/components/schemas/Security_Detections_API_RulePreviewParams"}]},{"allOf":[{"$ref":"#/components/schemas/Security_Detections_API_SavedQueryRuleCreateProps"},{"$ref":"#/components/schemas/Security_Detections_API_RulePreviewParams"}]},{"allOf":[{"$ref":"#/components/schemas/Security_Detections_API_ThresholdRuleCreateProps"},{"$ref":"#/components/schemas/Security_Detections_API_RulePreviewParams"}]},{"allOf":[{"$ref":"#/components/schemas/Security_Detections_API_ThreatMatchRuleCreateProps"},{"$ref":"#/components/schemas/Security_Detections_API_RulePreviewParams"}]},{"allOf":[{"$ref":"#/components/schemas/Security_Detections_API_MachineLearningRuleCreateProps"},{"$ref":"#/components/schemas/Security_Detections_API_RulePreviewParams"}]},{"allOf":[{"$ref":"#/components/schemas/Security_Detections_API_NewTermsRuleCreateProps"},{"$ref":"#/components/schemas/Security_Detections_API_RulePreviewParams"}]},{"allOf":[{"$ref":"#/components/schemas/Security_Detections_API_EsqlRuleCreateProps"},{"$ref":"#/components/schemas/Security_Detections_API_RulePreviewParams"}]}],"discriminator":{"propertyName":"type"}}}},"description":"An object containing tags to add or remove and alert ids the changes will be applied","required":true},"responses":{"200":{"content":{"application/json":{"schema":{"type":"object","properties":{"isAborted":{"type":"boolean"},"logs":{"items":{"$ref":"#/components/schemas/Security_Detections_API_RulePreviewLogs"},"type":"array"},"previewId":{"$ref":"#/components/schemas/Security_Detections_API_NonEmptyString"}},"required":["logs"]}}},"description":"Successful response"},"400":{"content":{"application/json":{"schema":{"oneOf":[{"$ref":"#/components/schemas/Security_Detections_API_PlatformErrorResponse"},{"$ref":"#/components/schemas/Security_Detections_API_SiemErrorResponse"}]}}},"description":"Invalid input data response"},"401":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Detections_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication response"},"500":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Detections_API_SiemErrorResponse"}}},"description":"Internal server error response"}},"summary":"Preview rule alerts generated on specified time range","tags":["Security Detections API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/detection_engine/rules/preview\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information."}},"/api/detection_engine/signals/assignees":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/detection_engine/signals/assignees\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nAssign users to detection alerts, and unassign them from alerts.\n\u003e info\n\u003e You cannot add and remove the same assignee in the same request.\n","operationId":"SetAlertAssignees","requestBody":{"content":{"application/json":{"examples":{"add":{"value":{"assignees":{"add":["u_MxY0jbrft7EcfC6iNZSUGeI_n6iYrSwZj5mWF5EqmSU_0"],"remove":[]},"ids":["681c2a707335aa7df5f349b70013d87254746191712ecf0ced9b3e2d538503a6"]}},"remove":{"value":{"assignees":{"add":[],"remove":["u_MxY0jbrft7EcfC6iNZSUGeI_n6iYrSwZj5mWF5EqmSU_0"]},"ids":["681c2a707335aa7df5f349b70013d87254746191712ecf0ced9b3e2d538503a6"]}}},"schema":{"type":"object","properties":{"assignees":{"$ref":"#/components/schemas/Security_Detections_API_AlertAssignees","description":"Details about the assignees to assign and unassign."},"ids":{"$ref":"#/components/schemas/Security_Detections_API_AlertIds"}},"required":["assignees","ids"]}}},"required":true},"responses":{"200":{"content":{"application/ndjson":{"examples":{"add":{"value":{"batches":"1,","deleted":"0,","failures":[],"noops":"0,","requests_per_second":"-1,","retries":[{"bulk":"0,"},{"search":0}],"throttled_millis":"0,","throttled_until_millis":"0,","timed_out":"false,","took":"76,","total":"1,","updated":"1,","version_conflicts":"0,"}}}}},"description":"Indicates a successful call."},"400":{"description":"Invalid request."}},"summary":"Assign and unassign users from detection alerts","tags":["Security Detections API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/detection_engine/signals/finalize_migration":{"post":{"deprecated":true,"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/detection_engine/signals/finalize_migration\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nFinalize successful migrations of detection alerts. This replaces the original index's alias with the successfully migrated index's alias.\nThe endpoint is idempotent; therefore, it can safely be used to poll a given migration and, upon completion,\nfinalize it.\n","operationId":"FinalizeAlertsMigration","requestBody":{"content":{"application/json":{"schema":{"example":{"migration_ids":["924f7c50-505f-11eb-ae0a-3fa2e626a51d"]},"type":"object","properties":{"migration_ids":{"description":"Array of `migration_id`s to finalize.","items":{"type":"string"},"minItems":1,"type":"array"}},"required":["migration_ids"]}}},"description":"Array of `migration_id`s to finalize","required":true},"responses":{"200":{"content":{"application/json":{"examples":{"success":{"value":{"migrations":[{"completed":true,"destinationIndex":".siem-signals-default-000002-r000016","id":"924f7c50-505f-11eb-ae0a-3fa2e626a51d","sourceIndex":".siem-signals-default-000002","status":"success","updated":"2021-01-06T22:05:56.859Z","version":16}]}}},"schema":{"items":{"$ref":"#/components/schemas/Security_Detections_API_MigrationFinalizationResult"},"type":"array"}}},"description":"Successful response"},"400":{"content":{"application/json":{"schema":{"oneOf":[{"$ref":"#/components/schemas/Security_Detections_API_PlatformErrorResponse"},{"$ref":"#/components/schemas/Security_Detections_API_SiemErrorResponse"}]}}},"description":"Invalid input data response"},"401":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Detections_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication response"},"500":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Detections_API_SiemErrorResponse"}}},"description":"Internal server error response"}},"summary":"Finalize detection alert migrations","tags":["Security Detections API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/detection_engine/signals/migration":{"delete":{"deprecated":true,"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb delete\"\u003edelete\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/detection_engine/signals/migration\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nMigrations favor data integrity over shard size. Consequently, unused or orphaned indices are artifacts of\nthe migration process. A successful migration will result in both the old and new indices being present.\nAs such, the old, orphaned index can (and likely should) be deleted.\n\nWhile you can delete these indices manually,\nthe endpoint accomplishes this task by applying a deletion policy to the relevant index, causing it to be deleted\nafter 30 days. It also deletes other artifacts specific to the migration implementation.\n","operationId":"AlertsMigrationCleanup","requestBody":{"content":{"application/json":{"schema":{"example":{"migration_ids":["924f7c50-505f-11eb-ae0a-3fa2e626a51d"]},"type":"object","properties":{"migration_ids":{"description":"Array of `migration_id`s to cleanup.","items":{"type":"string"},"minItems":1,"type":"array"}},"required":["migration_ids"]}}},"description":"Array of `migration_id`s to cleanup","required":true},"responses":{"200":{"content":{"application/json":{"examples":{"success":{"value":{"migrations":[{"destinationIndex":".siem-signals-default-000002-r000016","id":"924f7c50-505f-11eb-ae0a-3fa2e626a51d","sourceIndex":".siem-signals-default-000002","status":"success","updated":"2021-01-06T22:05:56.859Z","version":16}]}}},"schema":{"items":{"$ref":"#/components/schemas/Security_Detections_API_MigrationCleanupResult"},"type":"array"}}},"description":"Successful response"},"400":{"content":{"application/json":{"schema":{"oneOf":[{"$ref":"#/components/schemas/Security_Detections_API_PlatformErrorResponse"},{"$ref":"#/components/schemas/Security_Detections_API_SiemErrorResponse"}]}}},"description":"Invalid input data response"},"401":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Detections_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication response"},"500":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Detections_API_SiemErrorResponse"}}},"description":"Internal server error response"}},"summary":"Clean up detection alert migrations","tags":["Security Detections API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"post":{"deprecated":true,"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/detection_engine/signals/migration\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nInitiate a migration of detection alerts.\nMigrations are initiated per index. While the process is neither destructive nor interferes with existing data, it may be resource-intensive. As such, it is recommended that you plan your migrations accordingly.\n","operationId":"CreateAlertsMigration","requestBody":{"content":{"application/json":{"examples":{"singleIndex":{"value":{"index":[".siem-signals-default-000001"]}}},"schema":{"allOf":[{"type":"object","properties":{"index":{"description":"Array of index names to migrate.","items":{"format":"nonempty","minLength":1,"type":"string"},"minItems":1,"type":"array"}},"required":["index"]},{"$ref":"#/components/schemas/Security_Detections_API_AlertsReindexOptions"}]}}},"description":"Alerts migration parameters","required":true},"responses":{"200":{"content":{"application/json":{"examples":{"success":{"value":{"indices":[{"index":".siem-signals-default-000001,","migration_id":"923f7c50-505f-11eb-ae0a-3fa2e626a51d","migration_index":".siem-signals-default-000001-r000016"}]}}},"schema":{"type":"object","properties":{"indices":{"items":{"oneOf":[{"$ref":"#/components/schemas/Security_Detections_API_AlertsIndexMigrationSuccess"},{"$ref":"#/components/schemas/Security_Detections_API_AlertsIndexMigrationError"},{"$ref":"#/components/schemas/Security_Detections_API_SkippedAlertsIndexMigration"}]},"type":"array"}},"required":["indices"]}}},"description":"Successful response"},"400":{"content":{"application/json":{"schema":{"oneOf":[{"$ref":"#/components/schemas/Security_Detections_API_PlatformErrorResponse"},{"$ref":"#/components/schemas/Security_Detections_API_SiemErrorResponse"}]}}},"description":"Invalid input data response"},"401":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Detections_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication response"},"500":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Detections_API_SiemErrorResponse"}}},"description":"Internal server error response"}},"summary":"Initiate a detection alert migration","tags":["Security Detections API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/detection_engine/signals/migration_status":{"get":{"deprecated":true,"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/detection_engine/signals/migration_status\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nRetrieve indices that contain detection alerts of a particular age, along with migration information for each of those indices.","operationId":"ReadAlertsMigrationStatus","parameters":[{"description":"Maximum age of qualifying detection alerts","in":"query","name":"from","required":true,"schema":{"description":"Time from which data is analyzed. For example, now-4200s means the rule analyzes data from 70 minutes\nbefore its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).\n","example":"now-30d","format":"date-math","type":"string"}}],"responses":{"200":{"content":{"application/json":{"examples":{"success":{"value":{"indices":[{"index":".siem-signals-default-000002","is_outdated":true,"migrations":[{"id":"924f7c50-505f-11eb-ae0a-3fa2e626a51d","status":"pending","updated":"2021-01-06T20:41:37.173Z","version":16}],"signal_versions":[{"count":100,"version":15},{"count":87,"version":16}],"version":15},{"index":".siem-signals-default-000003","is_outdated":false,"migrations":[],"signal_versions":[{"count":54,"version":16}],"version":16}]}}},"schema":{"type":"object","properties":{"indices":{"items":{"$ref":"#/components/schemas/Security_Detections_API_IndexMigrationStatus"},"type":"array"}},"required":["indices"]}}},"description":"Successful response"},"400":{"content":{"application/json":{"schema":{"oneOf":[{"$ref":"#/components/schemas/Security_Detections_API_PlatformErrorResponse"},{"$ref":"#/components/schemas/Security_Detections_API_SiemErrorResponse"}]}}},"description":"Invalid input data response"},"401":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Detections_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication response"},"500":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Detections_API_SiemErrorResponse"}}},"description":"Internal server error response"}},"summary":"Retrieve the status of detection alert migrations","tags":["Security Detections API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/detection_engine/signals/search":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/detection_engine/signals/search\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nFind and/or aggregate detection alerts that match the given query.","operationId":"SearchAlerts","requestBody":{"content":{"application/json":{"examples":{"query":{"value":{"aggs":{"alertsByGrouping":{"terms":{"field":"host.name","size":10}},"missingFields":{"missing":{"field":"host.name"}}},"query":{"bool":{"filter":[{"bool":{"filter":[{"match_phrase":{"kibana.alert.workflow_status":"open"}}],"must":[],"must_not":[{"exists":{"field":"kibana.alert.building_block_type"}}],"should":[]}},{"range":{"@timestamp":{"gte":"2025-01-17T08:00:00.000Z","lte":"2025-01-18T07:59:59.999Z"}}}]}},"runtime_mappings":{},"size":0}}},"schema":{"$ref":"#/components/schemas/Security_Detections_API_QueryAlertsBodyParams","description":"Elasticsearch query and aggregation request"}}},"description":"Search and/or aggregation query","required":true},"responses":{"200":{"content":{"application/json":{"examples":{"success":{"value":{"_shards":{"failed":0,"skipped":0,"successful":1,"total":1},"aggregations":{"alertsByGrouping":{"buckets":[{"doc_count":5,"key":"Host-f43kkddfyc"}],"doc_count_error_upper_bound":0,"sum_other_doc_count":0},"missingFields":{"doc_count":0}},"hits":{"hits":[],"max_score":null,"total":{"relation":"eq","value":5}},"timed_out":false,"took":0}}},"schema":{"additionalProperties":true,"description":"Elasticsearch search response","type":"object"}}},"description":"Successful response"},"400":{"content":{"application/json":{"schema":{"oneOf":[{"$ref":"#/components/schemas/Security_Detections_API_PlatformErrorResponse"},{"$ref":"#/components/schemas/Security_Detections_API_SiemErrorResponse"}]}}},"description":"Invalid input data response"},"401":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Detections_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication response"},"500":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Detections_API_SiemErrorResponse"}}},"description":"Internal server error response"}},"summary":"Find and/or aggregate detection alerts","tags":["Security Detections API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/detection_engine/signals/status":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/detection_engine/signals/status\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nSet the status of one or more detection alerts.","operationId":"SetAlertsStatus","requestBody":{"content":{"application/json":{"examples":{"byId":{"value":{"signal_ids":["80e1383f856e67c1b7f7a1634744fa6d66b6e2ef7aa26d226e57afb5a7b2b4a1"],"status":"closed"}},"byQuery":{"value":{"conflicts":"proceed","query":{"bool":{"filter":[{"@timestamp":{"format":"strict_date_optional_time","gte":"2024-10-23T07:00:00.000Z","lte":"2025-01-21T20:12:11.704Z"},"range":null},{"bool":{"filter":{"bool":{"filter":[{"match_phrase":{"kibana.alert.workflow_status":"open"}},{"@timestamp":{"format":"strict_date_optional_time","gte":"2024-10-23T07:00:00.000Z","lte":"2025-01-21T20:12:11.704Z"},"range":null}],"must":[],"must_not":[{"exists":{"field":"kibana.alert.building_block_type"}}],"should":[]}}}}],"must":[],"must_not":[],"should":[]}},"status":"closed"}}},"schema":{"oneOf":[{"$ref":"#/components/schemas/Security_Detections_API_SetAlertsStatusByIds"},{"$ref":"#/components/schemas/Security_Detections_API_SetAlertsStatusByQuery"}]}}},"description":"An object containing desired status and explicit alert ids or a query to select alerts","required":true},"responses":{"200":{"content":{"application/json":{"examples":{"byId":{"value":{"batches":1,"deleted":0,"failures":[],"noops":0,"requests_per_second":-1,"retries":{"bulk":0,"search":0},"throttled_millis":0,"throttled_until_millis":0,"timed_out":false,"took":81,"total":1,"updated":1,"version_conflicts":0}},"byQuery":{"value":{"batches":1,"deleted":0,"failures":[],"noops":0,"requests_per_second":-1,"retries":{"bulk":0,"search":0},"throttled_millis":0,"throttled_until_millis":0,"timed_out":false,"took":100,"total":17,"updated":17,"version_conflicts":0}}},"schema":{"additionalProperties":true,"description":"Elasticsearch update by query response","type":"object"}}},"description":"Successful response"},"400":{"content":{"application/json":{"schema":{"oneOf":[{"$ref":"#/components/schemas/Security_Detections_API_PlatformErrorResponse"},{"$ref":"#/components/schemas/Security_Detections_API_SiemErrorResponse"}]}}},"description":"Invalid input data response"},"401":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Detections_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication response"},"500":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Detections_API_SiemErrorResponse"}}},"description":"Internal server error response"}},"summary":"Set a detection alert status","tags":["Security Detections API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/detection_engine/signals/tags":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/detection_engine/signals/tags\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nAnd tags to detection alerts, and remove them from alerts.\n\u003e info\n\u003e You cannot add and remove the same alert tag in the same request.\n","operationId":"SetAlertTags","requestBody":{"content":{"application/json":{"examples":{"add":{"value":{"ids":["549c7129c76cbd554aba1bd638f8a49dde95088f5832e50218358e7eca1cf16e"],"tags":{"tags_to_add":["Duplicate"],"tags_to_remove":[]}}},"remove":{"value":{"ids":["549c7129c76cbd554aba1bd638f8a49dde95088f5832e50218358e7eca1cf16e"],"tags":{"tags_to_add":[],"tags_to_remove":["Duplicate"]}}}},"schema":{"type":"object","properties":{"ids":{"$ref":"#/components/schemas/Security_Detections_API_AlertIds"},"tags":{"$ref":"#/components/schemas/Security_Detections_API_SetAlertTags"}},"required":["ids","tags"]}}},"description":"An object containing tags to add or remove and alert ids the changes will be applied","required":true},"responses":{"200":{"content":{"application/json":{"examples":{"success":{"value":{"batches":"1,","deleted":"0,","failures":[],"noops":"0,","requests_per_second":"-1,","retries":{"bulk":"0,","search":0},"throttled_millis":"0,","throttled_until_millis":"0,","timed_out":"false,","took":"68,","total":"1,","updated":"1,","version_conflicts":"0,"}}},"schema":{"additionalProperties":true,"description":"Elasticsearch update by query response","type":"object"}}},"description":"Successful response"},"400":{"content":{"application/json":{"schema":{"oneOf":[{"$ref":"#/components/schemas/Security_Detections_API_PlatformErrorResponse"},{"$ref":"#/components/schemas/Security_Detections_API_SiemErrorResponse"}]}}},"description":"Invalid input data response"},"401":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Detections_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication response"},"500":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Detections_API_SiemErrorResponse"}}},"description":"Internal server error response"}},"summary":"Add and remove detection alert tags","tags":["Security Detections API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/detection_engine/tags":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/detection_engine/tags\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nList all unique tags from all detection rules.","operationId":"ReadTags","responses":{"200":{"content":{"application/json":{"examples":{"example1":{"value":["zeek","suricata","windows","linux","network","initial access","remote access","phishing"]}},"schema":{"$ref":"#/components/schemas/Security_Detections_API_RuleTagArray"}}},"description":"Indicates a successful call"}},"summary":"List all detection rule tags","tags":["Security Detections API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/encrypted_saved_objects/_rotate_key":{"post":{"description":"Superuser role required.\n\nIf a saved object cannot be decrypted using the primary encryption key, then Kibana will attempt to decrypt it using the specified decryption-only keys. In most of the cases this overhead is negligible, but if you're dealing with a large number of saved objects and experiencing performance issues, you may want to rotate the encryption key.\n\nThis functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.\n","operationId":"rotateEncryptionKey","parameters":[{"description":"Specifies a maximum number of saved objects that Kibana can process in a single batch. Bulk key rotation is an iterative process since Kibana may not be able to fetch and process all required saved objects in one go and splits processing into consequent batches. By default, the batch size is 10000, which is also a maximum allowed value.\n","in":"query","name":"batch_size","required":false,"schema":{"default":10000,"type":"number"}},{"description":"Limits encryption key rotation only to the saved objects with the specified type. By default, Kibana tries to rotate the encryption key for all saved object types that may contain encrypted attributes.\n","in":"query","name":"type","required":false,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application/json":{"examples":{"rotateEncryptionKeyResponse":{"$ref":"#/components/examples/Saved_objects_key_rotation_response"}},"schema":{"type":"object","properties":{"failed":{"description":"Indicates the number of the saved objects that were still encrypted with one of the old encryption keys that Kibana failed to re-encrypt with the primary key.\n","type":"number"},"successful":{"description":"Indicates the total number of all encrypted saved objects (optionally filtered by the requested `type`), regardless of the key Kibana used for encryption.\n\nNOTE: In most cases, `total` will be greater than `successful` even if `failed` is zero. The reason is that Kibana may not need or may not be able to rotate encryption keys for all encrypted saved objects.\n","type":"number"},"total":{"description":"Indicates the total number of all encrypted saved objects (optionally filtered by the requested `type`), regardless of the key Kibana used for encryption.\n","type":"number"}}}}},"description":"Indicates a successful call."},"400":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Saved_objects_400_response"}}},"description":"Bad request"},"429":{"content":{"application/json":{"schema":{"type":"object"}}},"description":"Already in progress."}},"summary":"Rotate a key for encrypted saved objects","tags":["saved objects"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/endpoint_list":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/endpoint_list\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nCreate the exception list for Elastic Endpoint rule exceptions. When you create the exception list, it will have a `list_id` of `endpoint_list`. If the Elastic Endpoint exception list already exists, your request will return an empty response.","operationId":"CreateEndpointList","responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_EndpointList"}}},"description":"Successful response"},"400":{"content":{"application/json":{"schema":{"oneOf":[{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse"},{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse"}]}}},"description":"Invalid input data"},"401":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication"},"403":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse"}}},"description":"Insufficient privileges"},"500":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse"}}},"description":"Internal server error"}},"summary":"Create an Elastic Endpoint rule exception list","tags":["Security Endpoint Exceptions API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/endpoint_list/items":{"delete":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb delete\"\u003edelete\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/endpoint_list/items\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nDelete an Elastic Endpoint exception list item, specified by the `id` or `item_id` field.","operationId":"DeleteEndpointListItem","parameters":[{"description":"Either `id` or `item_id` must be specified","in":"query","name":"id","required":false,"schema":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId"}},{"description":"Either `id` or `item_id` must be specified","in":"query","name":"item_id","required":false,"schema":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId"}}],"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItem"}}},"description":"Successful response"},"400":{"content":{"application/json":{"schema":{"oneOf":[{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse"},{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse"}]}}},"description":"Invalid input data"},"401":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication"},"403":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse"}}},"description":"Insufficient privileges"},"404":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse"}}},"description":"Endpoint list item not found"},"500":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse"}}},"description":"Internal server error"}},"summary":"Delete an Elastic Endpoint exception list item","tags":["Security Endpoint Exceptions API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/endpoint_list/items\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nGet the details of an Elastic Endpoint exception list item, specified by the `id` or `item_id` field.","operationId":"ReadEndpointListItem","parameters":[{"description":"Either `id` or `item_id` must be specified","in":"query","name":"id","required":false,"schema":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId"}},{"description":"Either `id` or `item_id` must be specified","in":"query","name":"item_id","required":false,"schema":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId"}}],"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItem"}}},"description":"Successful response"},"400":{"content":{"application/json":{"schema":{"oneOf":[{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse"},{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse"}]}}},"description":"Invalid input data"},"401":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication"},"403":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse"}}},"description":"Insufficient privileges"},"404":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse"}}},"description":"Endpoint list item not found"},"500":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse"}}},"description":"Internal server error"}},"summary":"Get an Elastic Endpoint rule exception list item","tags":["Security Endpoint Exceptions API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/endpoint_list/items\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nCreate an Elastic Endpoint exception list item, and associate it with the Elastic Endpoint exception list.","operationId":"CreateEndpointListItem","requestBody":{"content":{"application/json":{"schema":{"type":"object","properties":{"comments":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray","default":[]},"description":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription"},"entries":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray"},"item_id":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId"},"meta":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta"},"name":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName"},"os_types":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray","default":[]},"tags":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags","default":[]},"type":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType"}},"required":["type","name","description","entries"]}}},"description":"Exception list item's properties","required":true},"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItem"}}},"description":"Successful response"},"400":{"content":{"application/json":{"schema":{"oneOf":[{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse"},{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse"}]}}},"description":"Invalid input data"},"401":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication"},"403":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse"}}},"description":"Insufficient privileges"},"409":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse"}}},"description":"Endpoint list item already exists"},"500":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse"}}},"description":"Internal server error"}},"summary":"Create an Elastic Endpoint rule exception list item","tags":["Security Endpoint Exceptions API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"put":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb put\"\u003eput\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/endpoint_list/items\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nUpdate an Elastic Endpoint exception list item, specified by the `id` or `item_id` field.","operationId":"UpdateEndpointListItem","requestBody":{"content":{"application/json":{"schema":{"type":"object","properties":{"_version":{"type":"string"},"comments":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray","default":[]},"description":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription"},"entries":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray"},"id":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId","description":"Either `id` or `item_id` must be specified"},"item_id":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId","description":"Either `id` or `item_id` must be specified"},"meta":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta"},"name":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName"},"os_types":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray","default":[]},"tags":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags"},"type":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType"}},"required":["type","name","description","entries"]}}},"description":"Exception list item's properties","required":true},"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItem"}}},"description":"Successful response"},"400":{"content":{"application/json":{"schema":{"oneOf":[{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse"},{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse"}]}}},"description":"Invalid input data"},"401":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication"},"403":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse"}}},"description":"Insufficient privileges"},"404":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse"}}},"description":"Endpoint list item not found"},"500":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse"}}},"description":"Internal server error"}},"summary":"Update an Elastic Endpoint rule exception list item","tags":["Security Endpoint Exceptions API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/endpoint_list/items/_find":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/endpoint_list/items/_find\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nGet a list of all Elastic Endpoint exception list items.","operationId":"FindEndpointListItems","parameters":[{"description":"Filters the returned results according to the value of the specified field,\nusing the `\u003cfield name\u003e:\u003cfield value\u003e` syntax.\n","in":"query","name":"filter","required":false,"schema":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString"}},{"description":"The page number to return","in":"query","name":"page","required":false,"schema":{"minimum":0,"type":"integer"}},{"description":"The number of exception list items to return per page","in":"query","name":"per_page","required":false,"schema":{"minimum":0,"type":"integer"}},{"description":"Determines which field is used to sort the results","in":"query","name":"sort_field","required":false,"schema":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString"}},{"description":"Determines the sort order, which can be `desc` or `asc`","in":"query","name":"sort_order","required":false,"schema":{"enum":["desc","asc"],"type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"type":"object","properties":{"data":{"items":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItem"},"type":"array"},"page":{"minimum":0,"type":"integer"},"per_page":{"minimum":0,"type":"integer"},"pit":{"type":"string"},"total":{"minimum":0,"type":"integer"}},"required":["data","page","per_page","total"]}}},"description":"Successful response"},"400":{"content":{"application/json":{"schema":{"oneOf":[{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse"},{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse"}]}}},"description":"Invalid input data"},"401":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication"},"403":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse"}}},"description":"Insufficient privileges"},"404":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse"}}},"description":"Endpoint list not found"},"500":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse"}}},"description":"Internal server error"}},"summary":"Get Elastic Endpoint exception list items","tags":["Security Endpoint Exceptions API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/endpoint/action":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/endpoint/action\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nGet a list of all response actions.","operationId":"EndpointGetActionsList","parameters":[{"in":"query","name":"page","required":false,"schema":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_Page"}},{"in":"query","name":"pageSize","required":false,"schema":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_PageSize"}},{"in":"query","name":"commands","required":false,"schema":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_Commands"}},{"in":"query","name":"agentIds","required":false,"schema":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_AgentIds"}},{"in":"query","name":"userIds","required":false,"schema":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_UserIds"}},{"in":"query","name":"startDate","required":false,"schema":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_StartDate"}},{"in":"query","name":"endDate","required":false,"schema":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_EndDate"}},{"in":"query","name":"agentTypes","required":false,"schema":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_AgentTypes"}},{"in":"query","name":"withOutputs","required":false,"schema":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_WithOutputs"}},{"in":"query","name":"types","required":false,"schema":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_Types"}}],"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_GetEndpointActionListResponse"}}},"description":"OK"}},"summary":"Get response actions","tags":["Security Endpoint Management API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/endpoint/action_status":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/endpoint/action_status\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nGet the status of response actions for the specified agent IDs.","operationId":"EndpointGetActionsStatus","parameters":[{"in":"query","name":"query","required":true,"schema":{"type":"object","properties":{"agent_ids":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_AgentIds"}}}}],"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_ActionStatusSuccessResponse"}}},"description":"OK"}},"summary":"Get response actions status","tags":["Security Endpoint Management API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/endpoint/action/{action_id}":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/endpoint/action/{action_id}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nGet the details of a response action using the action ID.","operationId":"EndpointGetActionsDetails","parameters":[{"in":"path","name":"action_id","required":true,"schema":{"description":"The ID of the action to retrieve.","example":"fr518850-681a-4y60-aa98-e22640cae2b8","type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_ActionDetailsResponse"}}},"description":"OK"}},"summary":"Get action details","tags":["Security Endpoint Management API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/endpoint/action/{action_id}/file/{file_id}":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/endpoint/action/{action_id}/file/{file_id}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nGet information for the specified response action file download.\n","operationId":"EndpointFileInfo","parameters":[{"in":"path","name":"action_id","required":true,"schema":{"type":"string"}},{"description":"The file identifier is constructed in one of two ways:\n- For Elastic Defend agents (`agentType` of `endpoint`): combine the `action_id` and `agent_id` values using a dot (`.`) separator:\n`{file_id}` = `{action_id}.{agent_id}`\n- For all other agent types: the `file_id` is the `agent_id` for which the response action was sent to.\n","in":"path","name":"file_id","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"properties":{"data":{"type":"object","properties":{"actionId":{"type":"string"},"agentId":{"type":"string"},"agentType":{"type":"string"},"created":{"format":"date-time","type":"string"},"id":{"type":"string"},"mimeType":{"type":"string"},"name":{"type":"string"},"size":{"type":"number"},"status":{"enum":["AWAITING_UPLOAD","UPLOADING","READY","UPLOAD_ERROR","DELETED"],"type":"string"}}}}}}},"description":"OK"}},"summary":"Get file information","tags":["Security Endpoint Management API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/endpoint/action/{action_id}/file/{file_id}/download":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/endpoint/action/{action_id}/file/{file_id}/download\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nDownload a file associated with a response action.\n","operationId":"EndpointFileDownload","parameters":[{"in":"path","name":"action_id","required":true,"schema":{"type":"string"}},{"description":"The file identifier is constructed in one of two ways:\n- For Elastic Defend agents (`agentType` of `endpoint`): combine the `action_id` and `agent_id` values using a dot (`.`) separator:\n`{file_id}` = `{action_id}.{agent_id}`\n- For all other agent types: the `file_id` is the `agent_id` for which the response action was sent to.\n","in":"path","name":"file_id","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application/octet-stream":{"schema":{"format":"binary","type":"string"}}},"description":"OK"}},"summary":"Download a file","tags":["Security Endpoint Management API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/endpoint/action/cancel":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/endpoint/action/cancel\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nCancel a running or pending response action (Applies only to some agent types).","operationId":"CancelAction","requestBody":{"content":{"application/json":{"examples":{"MicrosoftDefenderEndpoint":{"summary":"Cancel a response action on a Microsoft Defender for Endpoint host","value":{"agent_type":"microsoft_defender_endpoint","comment":"Cancelling action due to change in requirements","endpoint_ids":["ed518850-681a-4d60-bb98-e22640cae2a8"],"parameters":{"id":"7f8c9b2a-4d3e-4f5a-8b1c-2e3f4a5b6c7d"}}}},"schema":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_CancelRouteRequestBody"}}},"required":true},"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse"}}},"description":"Successfully cancelled the response action"}},"summary":"Cancel a response action","tags":["Security Endpoint Management API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/endpoint/action/execute":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/endpoint/action/execute\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nRun a shell command on an endpoint.","operationId":"EndpointExecuteAction","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_ExecuteRouteRequestBody"}}},"required":true},"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_ExecuteRouteResponse"}}},"description":"OK"}},"summary":"Run a command","tags":["Security Endpoint Management API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/endpoint/action/get_file":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/endpoint/action/get_file\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nGet a file from an endpoint.","operationId":"EndpointGetFileAction","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_GetFileRouteRequestBody"}}},"required":true},"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_GetFileRouteResponse"}}},"description":"OK"}},"summary":"Get a file","tags":["Security Endpoint Management API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/endpoint/action/isolate":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/endpoint/action/isolate\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nIsolate an endpoint from the network. The endpoint remains isolated until it's released.","operationId":"EndpointIsolateAction","requestBody":{"content":{"application/json":{"examples":{"multiple_endpoints":{"summary":"Isolates several hosts; includes a comment","value":{"comment":"Locked down, pending further investigation","endpoint_ids":["9972d10e-4b9e-41aa-a534-a85e2a28ea42","bc0e4f0c-3bca-4633-9fee-156c0b505d16","fa89271b-b9d4-43f2-a684-307cffddeb5a"]}},"single_endpoint":{"summary":"Isolates a single host with an endpoint_id value of ed518850-681a-4d60-bb98-e22640cae2a8","value":{"endpoint_ids":["ed518850-681a-4d60-bb98-e22640cae2a8"]}},"with_case_id":{"summary":"Isolates a single host with a case_id value of 1234","value":{"case_ids":["4976be38-c134-4554-bd5e-0fd89ce63667"],"comment":"Isolating as initial response","endpoint_ids":["1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0","b30a11bf-1395-4707-b508-fbb45ef9793e"]}}},"schema":{"type":"object","properties":{"agent_type":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_AgentTypes"},"alert_ids":{"description":"If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts.","example":["alert-id-1","alert-id-2"],"items":{"minLength":1,"type":"string"},"minItems":1,"type":"array"},"case_ids":{"description":"The IDs of cases where the action taken will be logged.","example":["case-id-1","case-id-2"],"items":{"minLength":1,"type":"string"},"minItems":1,"type":"array"},"comment":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_Comment"},"endpoint_ids":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_EndpointIds"},"parameters":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_Parameters"}},"required":["endpoint_ids"]}}},"required":true},"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_IsolateRouteResponse"}}},"description":"OK"}},"summary":"Isolate an endpoint","tags":["Security Endpoint Management API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/endpoint/action/kill_process":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/endpoint/action/kill_process\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nTerminate a running process on an endpoint.","operationId":"EndpointKillProcessAction","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_KillProcessRouteRequestBody"}}},"required":true},"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_KillProcessRouteResponse"}}},"description":"OK"}},"summary":"Terminate a process","tags":["Security Endpoint Management API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/endpoint/action/memory_dump":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/endpoint/action/memory_dump\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nGenerates memory dumps on the targeted host.","operationId":"EndpointGenerateMemoryDump","requestBody":{"content":{"application/json":{"examples":{"ProcessMemoryDump":{"summary":"Generate a memory dump from the host machine","value":{"agent_type":"endpoint","comment":"Generating memory dump for investigation","endpoint_ids":["ed518850-681a-4d60-bb98-e22640cae2a8"],"parameters":{"entity_id":"abc123","type":"process"}}}},"schema":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_MemoryDumpRouteRequestBody"}}},"required":true},"responses":{"200":{"content":{"application/json":{"examples":{"MemoryDumpSuccessResponse":{"summary":"Memory dump action successfully created","value":{"data":{"agents":["ed518850-681a-4d60-bb98-e22640cae2a8"],"agentState":{"ed518850-681a-4d60-bb98-e22640cae2a8":{"isCompleted":false,"wasSuccessful":false}},"agentType":"endpoint","command":"memory-dump","createdBy":"elastic","hosts":{"ed518850-681a-4d60-bb98-e22640cae2a8":{"name":"gke-node-1235412"}},"id":"233db9ea-6733-4849-9226-5a7039c7161d","isCompleted":false,"isExpired":false,"outputs":{},"parameters":{"entity_id":"abc123","type":"process"},"startedAt":"2022-07-29T19:08:49.126Z","status":"pending","wasSuccessful":false}}}},"schema":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse"}}},"description":"Action request was successfully created"}},"summary":"Generate a memory dump from the host machine","tags":["Security Endpoint Management API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/endpoint/action/running_procs":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/endpoint/action/running_procs\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nGet a list of all processes running on an endpoint.","operationId":"EndpointGetProcessesAction","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_GetProcessesRouteRequestBody"}}},"required":true},"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_GetProcessesRouteResponse"}}},"description":"OK"}},"summary":"Get running processes","tags":["Security Endpoint Management API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/endpoint/action/runscript":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/endpoint/action/runscript\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nRun a script on a host. Currently supported only for some agent types.","operationId":"RunScriptAction","requestBody":{"content":{"application/json":{"examples":{"MDE":{"description":"Microsoft Defender Endpoint runscript","summary":"Run a script against a Microsoft Defender Endpoint agent","value":{"agent_type":"microsoft_defender_endpoint","endpoint_ids":["ed518850-681a-4d60-bb98-e22640cae2a8"],"parameters":{"args":"-param1 value1 -param2 value2","scriptName":"my-script.ps1"}}},"SentinelOne":{"description":"SentinelOne runscript","summary":"Run a script against a SentinelOne agent","value":{"agent_type":"sentinel_one","endpoint_ids":["ed518850-681a-4d60-bb98-e22640cae2a8"],"parameters":{"inputParams":"--delete --paths-to-delete /tmp/temp_file.txt,/tmp/random_file.txt","script":"1111-2222-3333-4444-5555-6666-7777-8888"}}}},"schema":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_RunScriptRouteRequestBody"}}},"required":true},"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse"}}},"description":"Action request was successfully created"}},"summary":"Run a script","tags":["Security Endpoint Management API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/endpoint/action/scan":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/endpoint/action/scan\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nScan a specific file or directory on an endpoint for malware.","operationId":"EndpointScanAction","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_ScanRouteRequestBody"}}},"required":true},"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_ScanRouteResponse"}}},"description":"OK"}},"summary":"Scan a file or directory","tags":["Security Endpoint Management API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/endpoint/action/state":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/endpoint/action/state\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nGet a response actions state, which reports whether encryption is enabled.","operationId":"EndpointGetActionsState","responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_ActionStateSuccessResponse"}}},"description":"OK"}},"summary":"Get actions state","tags":["Security Endpoint Management API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/endpoint/action/suspend_process":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/endpoint/action/suspend_process\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nSuspend a running process on an endpoint.","operationId":"EndpointSuspendProcessAction","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_SuspendProcessRouteRequestBody"}}},"required":true},"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_SuspendProcessRouteResponse"}}},"description":"OK"}},"summary":"Suspend a process","tags":["Security Endpoint Management API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/endpoint/action/unisolate":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/endpoint/action/unisolate\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nRelease an isolated endpoint, allowing it to rejoin a network.","operationId":"EndpointUnisolateAction","requestBody":{"content":{"application/json":{"examples":{"multipleHosts":{"summary":"Releases several hosts; includes a comment:","value":{"comment":"Benign process identified, releasing group","endpoint_ids":["9972d10e-4b9e-41aa-a534-a85e2a28ea42","bc0e4f0c-3bca-4633-9fee-156c0b505d16","fa89271b-b9d4-43f2-a684-307cffddeb5a"]}},"singleHost":{"summary":"Releases a single host with an endpoint_id value of ed518850-681a-4d60-bb98-e22640cae2a8","value":{"endpoint_ids":["ed518850-681a-4d60-bb98-e22640cae2a8"]}},"withCaseId":{"summary":"Releases hosts with an associated case; includes a comment.","value":{"case_ids":["4976be38-c134-4554-bd5e-0fd89ce63667"],"comment":"Remediation complete, restoring network","endpoint_ids":["1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0","b30a11bf-1395-4707-b508-fbb45ef9793e"]}}},"schema":{"type":"object","properties":{"agent_type":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_AgentTypes"},"alert_ids":{"description":"If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts.","example":["alert-id-1","alert-id-2"],"items":{"minLength":1,"type":"string"},"minItems":1,"type":"array"},"case_ids":{"description":"The IDs of cases where the action taken will be logged.","example":["case-id-1","case-id-2"],"items":{"minLength":1,"type":"string"},"minItems":1,"type":"array"},"comment":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_Comment"},"endpoint_ids":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_EndpointIds"},"parameters":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_Parameters"}},"required":["endpoint_ids"]}}},"required":true},"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_UnisolateRouteResponse"}}},"description":"OK"}},"summary":"Release an isolated endpoint","tags":["Security Endpoint Management API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/endpoint/action/upload":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/endpoint/action/upload\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nUpload a file to an endpoint.","operationId":"EndpointUploadAction","requestBody":{"content":{"multipart/form-data":{"schema":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_UploadRouteRequestBody"}}},"required":true},"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_UploadRouteResponse"}}},"description":"OK"}},"summary":"Upload a file","tags":["Security Endpoint Management API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/endpoint/metadata":{"get":{"operationId":"GetEndpointMetadataList","parameters":[{"in":"query","name":"page","required":false,"schema":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_Page"}},{"in":"query","name":"pageSize","required":false,"schema":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_PageSize"}},{"in":"query","name":"kuery","required":false,"schema":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_Kuery"}},{"in":"query","name":"hostStatuses","required":true,"schema":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_HostStatuses"}},{"in":"query","name":"sortField","required":false,"schema":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_SortField"}},{"in":"query","name":"sortDirection","required":false,"schema":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_SortDirection"}}],"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_MetadataListResponse"}}},"description":"OK"}},"summary":"Get a metadata list","tags":["Security Endpoint Management API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/endpoint/metadata\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information."}},"/api/endpoint/metadata/{id}":{"get":{"operationId":"GetEndpointMetadata","parameters":[{"in":"path","name":"id","required":true,"schema":{"example":"ed518850-681a-4d60-bb98-e22640cae2a8","type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_EndpointMetadataResponse"}}},"description":"OK"}},"summary":"Get metadata","tags":["Security Endpoint Management API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/endpoint/metadata/{id}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information."}},"/api/endpoint/policy_response":{"get":{"operationId":"GetPolicyResponse","parameters":[{"in":"query","name":"query","required":true,"schema":{"type":"object","properties":{"agentId":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_AgentId"}}}}],"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_SuccessResponse"}}},"description":"OK"}},"summary":"Get a policy response","tags":["Security Endpoint Management API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/endpoint/policy_response\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information."}},"/api/endpoint/protection_updates_note/{package_policy_id}":{"get":{"operationId":"GetProtectionUpdatesNote","parameters":[{"in":"path","name":"package_policy_id","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_ProtectionUpdatesNoteResponse"}}},"description":"OK"}},"summary":"Get a protection updates note","tags":["Security Endpoint Management API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/endpoint/protection_updates_note/{package_policy_id}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information."},"post":{"operationId":"CreateUpdateProtectionUpdatesNote","parameters":[{"in":"path","name":"package_policy_id","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"type":"object","properties":{"note":{"type":"string"}}}}},"required":true},"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_ProtectionUpdatesNoteResponse"}}},"description":"OK"}},"summary":"Create or update a protection updates note","tags":["Security Endpoint Management API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/endpoint/protection_updates_note/{package_policy_id}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information."}},"/api/endpoint/scripts_library":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/endpoint/scripts_library\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nRetrieve a list of scripts","operationId":"EndpointScriptLibraryListScripts","parameters":[{"description":"Page number of the results to return. Defaults to 1.","in":"query","name":"page","required":false,"schema":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_Page"}},{"description":"Number of results to return per page. Defaults to 10. Max value is 1000.","in":"query","name":"pageSize","required":false,"schema":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_ApiPageSize"}},{"description":"The field to sort the results by. Defaults to name.","in":"query","name":"sortField","required":false,"schema":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_ApiSortField"}},{"description":"The direction to sort the results by. Defaults to asc (ascending).","in":"query","name":"sortDirection","required":false,"schema":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_SortDirection"}},{"description":"A KQL query string to filter the list of scripts. Nearly all fields in the script object are searchable.\n","in":"query","name":"kuery","required":false,"schema":{"allOf":[{"$ref":"#/components/schemas/Security_Endpoint_Management_API_Kuery"},{"example":"platform:windows"}]}}],"responses":{"200":{"content":{"application/json":{"examples":{"response":{"summary":"List of scripts response example","value":{"data":[],"page":1,"pageSize":10,"sortDirection":"asc","sortField":"name","total":100}}},"schema":{"type":"object","properties":{"data":{"items":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_EndpointScript"},"type":"array"},"page":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_Page"},"pageSize":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_ApiPageSize"},"sortDirection":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_SortDirection"},"sortField":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_ApiSortField"},"total":{"description":"The total number of scripts matching the query","type":"integer"}}}}},"description":"List of scripts response"}},"summary":"Get a list of scripts","tags":["Security Endpoint Management API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/entity_analytics/monitoring/engine/delete":{"delete":{"operationId":"DeleteMonitoringEngine","parameters":[{"description":"Whether to delete all the privileged user data","in":"query","name":"data","required":false,"schema":{"default":false,"type":"boolean"}}],"responses":{"200":{"content":{"application/json":{"schema":{"type":"object","properties":{"deleted":{"type":"boolean"}},"required":["deleted"]}}},"description":"Successful response"}},"summary":"Delete the Privilege Monitoring Engine","tags":["Security Entity Analytics API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb delete\"\u003edelete\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/entity_analytics/monitoring/engine/delete\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information."}},"/api/entity_analytics/monitoring/engine/disable":{"post":{"operationId":"DisableMonitoringEngine","responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_MonitoringEngineDescriptor"}}},"description":"Successful response"}},"summary":"Disable the Privilege Monitoring Engine","tags":["Security Entity Analytics API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/entity_analytics/monitoring/engine/disable\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information."}},"/api/entity_analytics/monitoring/engine/init":{"post":{"operationId":"InitMonitoringEngine","responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_MonitoringEngineDescriptor"}}},"description":"Successful response"},"500":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_MonitoringEngineDescriptor"}}},"description":"Internal Server Error"}},"summary":"Initialize the Privilege Monitoring Engine","tags":["Security Entity Analytics API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/entity_analytics/monitoring/engine/init\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information."}},"/api/entity_analytics/monitoring/engine/schedule_now":{"post":{"operationId":"ScheduleMonitoringEngine","responses":{"200":{"content":{"application/json":{"schema":{"type":"object","properties":{"success":{"description":"Indicates the scheduling was successful","type":"boolean"}}}}},"description":"Successful response"},"409":{"content":{"application/json":{"schema":{"type":"object","properties":{"message":{"description":"Error message indicating the engine is already running","type":"string"}}}}},"description":"Conflict - Monitoring engine is already running"}},"summary":"Schedule the Privilege Monitoring Engine","tags":["Security Entity Analytics API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/entity_analytics/monitoring/engine/schedule_now\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information."}},"/api/entity_analytics/monitoring/privileges/health":{"get":{"operationId":"PrivMonHealth","responses":{"200":{"content":{"application/json":{"schema":{"type":"object","properties":{"error":{"type":"object","properties":{"message":{"type":"string"}},"required":["status"]},"status":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_PrivilegeMonitoringEngineStatus"},"users":{"description":"User statistics for privilege monitoring","type":"object","properties":{"current_count":{"description":"Current number of privileged users being monitored","type":"integer"},"max_allowed":{"description":"Maximum number of privileged users allowed to be monitored","type":"integer"}},"required":["current_count","max_allowed"]}},"required":["status"]}}},"description":"Successful response"}},"summary":"Health check on Privilege Monitoring","tags":["Security Entity Analytics API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/entity_analytics/monitoring/privileges/health\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information."}},"/api/entity_analytics/monitoring/privileges/privileges":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/entity_analytics/monitoring/privileges/privileges\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nCheck if the current user has all required permissions for Privilege Monitoring","operationId":"PrivMonPrivileges","responses":{"200":{"content":{"application/json":{"example":{"has_all_required":true,"privileges":{"elasticsearch":{"index":{".entity_analytics.monitoring.user-default":{"read":true}}}}},"schema":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_EntityAnalyticsPrivileges"}}},"description":"Successful response"}},"summary":"Run a privileges check on Privilege Monitoring","tags":["Security Entity Analytics API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/entity_analytics/monitoring/users":{"post":{"operationId":"CreatePrivMonUser","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_UserName"}}},"required":true},"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_MonitoredUserDoc"}}},"description":"User created successfully"}},"summary":"Create a new monitored user","tags":["Security Entity Analytics API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/entity_analytics/monitoring/users\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information."}},"/api/entity_analytics/monitoring/users/_csv":{"post":{"operationId":"PrivmonBulkUploadUsersCSV","requestBody":{"content":{"multipart/form-data":{"schema":{"type":"object","properties":{"file":{"description":"The CSV file to upload.","format":"binary","type":"string"}},"required":["file"]}}}},"responses":{"200":{"content":{"application/json":{"schema":{"example":{"errors":[{"index":1,"message":"Invalid monitored field","username":"john.doe"}],"stats":{"failedOperations":1,"successfulOperations":1,"totalOperations":2,"uploaded":1}},"type":"object","properties":{"errors":{"items":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_PrivmonUserCsvUploadErrorItem"},"type":"array"},"stats":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_PrivmonUserCsvUploadStats"}},"required":["errors","stats"]}}},"description":"Bulk upload successful"},"413":{"description":"File too large"}},"summary":"Upsert multiple monitored users via CSV upload","tags":["Security Entity Analytics API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/entity_analytics/monitoring/users/_csv\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information."}},"/api/entity_analytics/monitoring/users/{id}":{"delete":{"operationId":"DeletePrivMonUser","parameters":[{"in":"path","name":"id","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"type":"object","properties":{"acknowledged":{"description":"Indicates if the deletion was successful","type":"boolean"},"message":{"description":"A message providing additional information about the deletion status","type":"string"}},"required":["success"]}}},"description":"User deleted successfully"}},"summary":"Delete a monitored user","tags":["Security Entity Analytics API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb delete\"\u003edelete\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/entity_analytics/monitoring/users/{id}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information."},"put":{"operationId":"UpdatePrivMonUser","parameters":[{"in":"path","name":"id","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_MonitoredUserUpdateDoc"}}},"required":true},"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_MonitoredUserDoc"}}},"description":"User updated successfully"}},"summary":"Update a monitored user","tags":["Security Entity Analytics API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb put\"\u003eput\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/entity_analytics/monitoring/users/{id}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information."}},"/api/entity_analytics/monitoring/users/list":{"get":{"operationId":"ListPrivMonUsers","parameters":[{"description":"KQL query to filter the list of monitored users","in":"query","name":"kql","required":false,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"items":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_MonitoredUserDoc"},"type":"array"}}},"description":"List of monitored users"}},"summary":"List all monitored users","tags":["Security Entity Analytics API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/entity_analytics/monitoring/users/list\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information."}},"/api/entity_analytics/privileged_user_monitoring/pad/install":{"post":{"operationId":"InstallPrivilegedAccessDetectionPackage","responses":{"200":{"content":{"application/json":{"schema":{"type":"object","properties":{"message":{"type":"string"}},"required":["message"]}}},"description":"Successful response"}},"summary":"Installs the privileged access detection package for the Entity Analytics privileged user monitoring experience","tags":["Security Entity Analytics API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/entity_analytics/privileged_user_monitoring/pad/install\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information."}},"/api/entity_analytics/privileged_user_monitoring/pad/status":{"get":{"operationId":"GetPrivilegedAccessDetectionPackageStatus","responses":{"200":{"content":{"application/json":{"schema":{"type":"object","properties":{"jobs":{"items":{"type":"object","properties":{"description":{"type":"string"},"job_id":{"type":"string"},"state":{"enum":["closing","closed","opened","failed","opening"],"type":"string"}},"required":["job_id","state"]},"type":"array"},"ml_module_setup_status":{"enum":["complete","incomplete"],"type":"string"},"package_installation_status":{"enum":["complete","incomplete"],"type":"string"}},"required":["package_installation_status","ml_module_setup_status","jobs"]}}},"description":"Privileged access detection status retrieved"}},"summary":"Gets the status of the privileged access detection package for the Entity Analytics privileged user monitoring experience","tags":["Security Entity Analytics API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/entity_analytics/privileged_user_monitoring/pad/status\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information."}},"/api/entity_store/enable":{"post":{"operationId":"InitEntityStore","requestBody":{"content":{"application/json":{"schema":{"type":"object","properties":{"delay":{"default":"1m","description":"The delay before the transform will run.","pattern":"[smdh]$","type":"string"},"docsPerSecond":{"default":-1,"description":"The number of documents per second to process.","type":"integer"},"enrichPolicyExecutionInterval":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_Interval"},"entityTypes":{"items":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_EntityType"},"type":"array"},"fieldHistoryLength":{"default":10,"description":"The number of historical values to keep for each field.","type":"integer"},"filter":{"type":"string"},"frequency":{"default":"1m","description":"The frequency at which the transform will run.","pattern":"[smdh]$","type":"string"},"indexPattern":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_IndexPattern"},"lookbackPeriod":{"default":"3h","description":"The amount of time the transform looks back to calculate the aggregations.","pattern":"[smdh]$","type":"string"},"maxPageSearchSize":{"default":500,"description":"The initial page size to use for the composite aggregation of each checkpoint.","type":"integer"},"timeout":{"default":"180s","description":"The timeout for initializing the aggregating transform.","pattern":"[smdh]$","type":"string"},"timestampField":{"default":"@timestamp","description":"The field to use as the timestamp.","type":"string"}}}}},"description":"Schema for the entity store initialization","required":true},"responses":{"200":{"content":{"application/json":{"schema":{"type":"object","properties":{"engines":{"items":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_EngineDescriptor"},"type":"array"},"succeeded":{"type":"boolean"}}}}},"description":"Successful response"},"400":{"description":"Invalid request"}},"summary":"Initialize the Entity Store","tags":["Security Entity Analytics API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/entity_store/enable\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information."}},"/api/entity_store/engines":{"delete":{"operationId":"DeleteEntityEngines","parameters":[{"description":"The entity type of the engine ('user', 'host', 'service', 'generic').","examples":{"hostAndService":{"value":"host,service"}},"in":"query","name":"entityTypes","required":false,"schema":{"description":"Array of engine types to delete. Empty by default, which results in all the engines being deleted.","items":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_EntityType"},"type":"array"}},{"description":"Control flag to also delete the entity data.","in":"query","name":"delete_data","required":false,"schema":{"type":"boolean"}}],"responses":{"200":{"content":{"application/json":{"examples":{"deleteEntityEnginesExample":{"description":"Example response after deleting 'host' engine","value":{"deleted":["host"],"still_running":["generic","user","service"]}}},"schema":{"type":"object","properties":{"deleted":{"items":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_EntityType"},"type":"array"},"still_running":{"items":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_EntityType"},"type":"array"}}}}},"description":"Successful response"}},"summary":"Delete Entity Engines","tags":["Security Entity Analytics API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb delete\"\u003edelete\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/entity_store/engines\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information."},"get":{"operationId":"ListEntityEngines","responses":{"200":{"content":{"application/json":{"schema":{"type":"object","properties":{"count":{"type":"integer"},"engines":{"items":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_EngineDescriptor"},"type":"array"}}}}},"description":"Successful response"}},"summary":"List the Entity Engines","tags":["Security Entity Analytics API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/entity_store/engines\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information."}},"/api/entity_store/engines/{entityType}":{"delete":{"operationId":"DeleteEntityEngine","parameters":[{"description":"The entity type of the engine (either 'user' or 'host').","examples":{"host":{"value":"host"}},"in":"path","name":"entityType","required":true,"schema":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_EntityType"}},{"description":"Control flag to also delete the entity data.","in":"query","name":"delete_data","required":false,"schema":{"type":"boolean"}},{"deprecated":true,"description":"Control flag to also delete the entity data.","in":"query","name":"data","required":false,"schema":{"type":"boolean"}}],"responses":{"200":{"content":{"application/json":{"examples":{"deleteEntityEngineExample":{"description":"Example response after deleting 'host' engine","value":{"deleted":true}}},"schema":{"type":"object","properties":{"deleted":{"type":"boolean"}}}}},"description":"Successful response"}},"summary":"Delete the Entity Engine","tags":["Security Entity Analytics API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb delete\"\u003edelete\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/entity_store/engines/{entityType}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information."},"get":{"operationId":"GetEntityEngine","parameters":[{"description":"The entity type of the engine (either 'user' or 'host').","in":"path","name":"entityType","required":true,"schema":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_EntityType"}}],"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_EngineDescriptor"}}},"description":"Successful response"}},"summary":"Get an Entity Engine","tags":["Security Entity Analytics API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/entity_store/engines/{entityType}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information."}},"/api/entity_store/engines/{entityType}/init":{"post":{"operationId":"InitEntityEngine","parameters":[{"description":"The entity type of the engine.","in":"path","name":"entityType","required":true,"schema":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_EntityType"}}],"requestBody":{"content":{"application/json":{"schema":{"type":"object","properties":{"delay":{"default":"1m","description":"The delay before the transform will run.","pattern":"[smdh]$","type":"string"},"docsPerSecond":{"default":-1,"description":"The number of documents per second to process.","type":"integer"},"enrichPolicyExecutionInterval":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_Interval"},"fieldHistoryLength":{"default":10,"description":"The number of historical values to keep for each field.","type":"integer"},"filter":{"type":"string"},"frequency":{"default":"1m","description":"The frequency at which the transform will run.","pattern":"[smdh]$","type":"string"},"indexPattern":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_IndexPattern"},"lookbackPeriod":{"default":"3h","description":"The amount of time the transform looks back to calculate the aggregations.","pattern":"[smdh]$","type":"string"},"maxPageSearchSize":{"default":500,"description":"The initial page size to use for the composite aggregation of each checkpoint.","type":"integer"},"timeout":{"default":"180s","description":"The timeout for initializing the aggregating transform.","pattern":"[smdh]$","type":"string"},"timestampField":{"default":"@timestamp","description":"The field to use as the timestamp for the entity type.","type":"string"}}}}},"description":"Schema for the engine initialization","required":true},"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_EngineDescriptor"}}},"description":"Successful response"},"400":{"description":"Invalid request"}},"summary":"Initialize an Entity Engine","tags":["Security Entity Analytics API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/entity_store/engines/{entityType}/init\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information."}},"/api/entity_store/engines/{entityType}/start":{"post":{"operationId":"StartEntityEngine","parameters":[{"description":"The entity type of the engine","in":"path","name":"entityType","required":true,"schema":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_EntityType"}}],"responses":{"200":{"content":{"application/json":{"schema":{"type":"object","properties":{"started":{"type":"boolean"}}}}},"description":"Successful response"}},"summary":"Start an Entity Engine","tags":["Security Entity Analytics API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/entity_store/engines/{entityType}/start\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information."}},"/api/entity_store/engines/{entityType}/stop":{"post":{"operationId":"StopEntityEngine","parameters":[{"description":"The entity type of the engine (either 'user' or 'host').","in":"path","name":"entityType","required":true,"schema":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_EntityType"}}],"responses":{"200":{"content":{"application/json":{"schema":{"type":"object","properties":{"stopped":{"type":"boolean"}}}}},"description":"Successful response"}},"summary":"Stop an Entity Engine","tags":["Security Entity Analytics API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/entity_store/engines/{entityType}/stop\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information."}},"/api/entity_store/engines/apply_dataview_indices":{"post":{"operationId":"ApplyEntityEngineDataviewIndices","responses":{"200":{"content":{"application/json":{"schema":{"type":"object","properties":{"result":{"items":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_EngineDataviewUpdateResult"},"type":"array"},"success":{"type":"boolean"}}}}},"description":"Successful response"},"207":{"content":{"application/json":{"schema":{"type":"object","properties":{"errors":{"items":{"type":"string"},"type":"array"},"result":{"items":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_EngineDataviewUpdateResult"},"type":"array"},"success":{"type":"boolean"}}}}},"description":"Partial successful response"},"500":{"content":{"application/json":{"schema":{"type":"object","properties":{"body":{"type":"string"},"statusCode":{"type":"number"}}}}},"description":"Error response"}},"summary":"Apply DataView indices to all installed engines","tags":["Security Entity Analytics API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/entity_store/engines/apply_dataview_indices\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information."}},"/api/entity_store/entities/{entityType}":{"delete":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb delete\"\u003edelete\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/entity_store/entities/{entityType}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nDelete a single entity in Entity Store.\nThe entity will be immediately deleted from the latest index.  It will remain available in historical snapshots if it has been snapshotted.  The delete operation does not prevent the entity from being recreated if it is observed again in the future. \n","operationId":"DeleteSingleEntity","parameters":[{"in":"path","name":"entityType","required":true,"schema":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_EntityType"}}],"requestBody":{"content":{"application/json":{"schema":{"type":"object","properties":{"id":{"description":"Identifier of the entity to be deleted, commonly entity.id value.","type":"string"}},"required":["id"]}}},"description":"Schema for the deleting entity","required":true},"responses":{"200":{"content":{"application/json":{"schema":{"type":"object","properties":{"deleted":{"type":"boolean"}}}}},"description":"Successful response. Entity deleted."},"404":{"description":"Entity Not Found. No entity with this ID and Type exists."},"503":{"description":"Operation on an uninitialized Engine or in a cluster without CRUD API Enabled"}},"summary":"Delete an entity in Entity Store","tags":["Security Entity Analytics API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"put":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb put\"\u003eput\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/entity_store/entities/{entityType}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nUpdate or create an entity in Entity Store.\nIf the specified entity already exists, it is updated with the provided values.  If the entity does not exist, a new one is created. By default, only the following fields can be updated: * `entity.attributes.*` * `entity.lifecycle.*` * `entity.behavior.*` To update other fields, set the `force` query parameter to `true`. \u003e info \u003e Some fields always retain the first observed value. Updates to these fields will not appear in the final index.\n\u003e Due to technical limitations, not all updates are guaranteed to appear in the final list of observed values.\n\u003e Due to technical limitations, create is an async operation. The time for a document to be present in the  \u003e final index depends on the entity store transform and usually takes more than 1 minute.\n","operationId":"UpsertEntity","parameters":[{"in":"path","name":"entityType","required":true,"schema":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_EntityType"}},{"in":"query","name":"force","required":false,"schema":{"default":false,"type":"boolean"}}],"requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_Entity"}}},"description":"Schema for the updating a single entity","required":true},"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_Entity"}}},"description":"Entity updated or created"},"403":{"description":"Operation on a restricted field"},"409":{"description":"Conflict. The entity was updated while another update was happening in ElasticSearch"},"503":{"description":"Operation on an uninitialized Engine or in a cluster without CRUD API Enabled"}},"summary":"Upsert an entity in Entity Store","tags":["Security Entity Analytics API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/entity_store/entities/bulk":{"put":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb put\"\u003eput\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/entity_store/entities/bulk\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nUpdate or create many entities in Entity Store.\nIf the specified entity already exists, it is updated with the provided values.  If the entity does not exist, a new one is created.\nThe creation is asynchronous. The time for a document to be present in the  final index depends on the entity store transform and usually takes more than 1 minute.\n","operationId":"UpsertEntitiesBulk","parameters":[{"in":"query","name":"force","required":false,"schema":{"default":false,"type":"boolean"}}],"requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_EntitiesContainer"}}},"description":"Schema for the updating many entities","required":true},"responses":{"200":{"description":"Entities updated or created"},"403":{"description":"Operation on a restricted field"},"503":{"description":"Operation on an uninitialized Engine or in a cluster without CRUD API Enabled"}},"summary":"Upsert many entities in Entity Store","tags":["Security Entity Analytics API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/entity_store/entities/list":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/entity_store/entities/list\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nList entities records, paging, sorting and filtering as needed.","operationId":"ListEntities","parameters":[{"in":"query","name":"sort_field","required":false,"schema":{"type":"string"}},{"in":"query","name":"sort_order","required":false,"schema":{"enum":["asc","desc"],"type":"string"}},{"in":"query","name":"page","required":false,"schema":{"minimum":1,"type":"integer"}},{"in":"query","name":"per_page","required":false,"schema":{"maximum":10000,"minimum":1,"type":"integer"}},{"description":"An ES query to filter by.","in":"query","name":"filterQuery","required":false,"schema":{"type":"string"}},{"in":"query","name":"entity_types","required":true,"schema":{"items":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_EntityType"},"type":"array"}}],"responses":{"200":{"content":{"application/json":{"schema":{"type":"object","properties":{"inspect":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_InspectQuery"},"page":{"minimum":1,"type":"integer"},"per_page":{"maximum":1000,"minimum":1,"type":"integer"},"records":{"items":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_Entity"},"type":"array"},"total":{"minimum":0,"type":"integer"}},"required":["records","page","per_page","total"]}}},"description":"Entities returned successfully"}},"summary":"List Entity Store Entities","tags":["Security Entity Analytics API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/entity_store/status":{"get":{"operationId":"GetEntityStoreStatus","parameters":[{"description":"If true returns a detailed status of the engine including all it's components","in":"query","name":"include_components","schema":{"type":"boolean"}}],"responses":{"200":{"content":{"application/json":{"schema":{"type":"object","properties":{"engines":{"items":{"allOf":[{"$ref":"#/components/schemas/Security_Entity_Analytics_API_EngineDescriptor"},{"type":"object","properties":{"components":{"items":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_EngineComponentStatus"},"type":"array"}}}]},"type":"array"},"status":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_StoreStatus"}},"required":["status","engines"]}}},"description":"Successful response"}},"summary":"Get the status of the Entity Store","tags":["Security Entity Analytics API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/entity_store/status\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information."}},"/api/exception_lists":{"delete":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb delete\"\u003edelete\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/exception_lists\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nDelete an exception list using the `id` or `list_id` field.","operationId":"DeleteExceptionList","parameters":[{"description":"Exception list's identifier. Either `id` or `list_id` must be specified.","in":"query","name":"id","required":false,"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListId"}},{"description":"Human readable exception list string identifier, e.g. `trusted-linux-processes`. Either `id` or `list_id` must be specified.","examples":{"autogeneratedId":{"value":"71a9f4b2-c85c-49b4-866f-c71eb9e67da2"},"list_id":{"value":"simple_list"}},"in":"query","name":"list_id","required":false,"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListHumanId"}},{"examples":{"agnostic":{"value":"agnostic"},"single":{"value":"single"}},"in":"query","name":"namespace_type","required":false,"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType","default":"single"}}],"responses":{"200":{"content":{"application/json":{"examples":{"detectionExceptionList":{"value":{"_version":"WzIsMV0=","created_at":"2025-01-07T19:34:27.942Z","created_by":"elastic","description":"This is a sample detection type exception list.","id":"9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85","immutable":false,"list_id":"simple_list","name":"Sample Detection Exception List","namespace_type":"single","os_types":["linux"],"tags":["malware"],"tie_breaker_id":"78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3","type":"detection","updated_at":"2025-01-07T19:34:27.942Z","updated_by":"elastic","version":1}}},"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionList"}}},"description":"Successful response"},"400":{"content":{"application/json":{"examples":{"badRequest":{"value":{"error":"Bad Request","message":"[request query]: namespace_type.0: Invalid enum value. Expected 'agnostic' | 'single', received 'blob'","statusCode":400}}},"schema":{"oneOf":[{"$ref":"#/components/schemas/Security_Exceptions_API_PlatformErrorResponse"},{"$ref":"#/components/schemas/Security_Exceptions_API_SiemErrorResponse"}]}}},"description":"Invalid input data response"},"401":{"content":{"application/json":{"examples":{"unauthorized":{"value":{"error":"Unauthorized","message":"[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]","statusCode":401}}},"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication response"},"403":{"content":{"application/json":{"examples":{"forbidden":{"value":{"error":"Forbidden","message":"API [DELETE /api/exception_lists?list_id=simple_list\u0026namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]","statusCode":403}}},"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_PlatformErrorResponse"}}},"description":"Not enough privileges response"},"404":{"content":{"application/json":{"examples":{"notFound":{"value":{"message":"exception list list_id: \"foo\" does not exist","status_code":404}}},"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_SiemErrorResponse"}}},"description":"Exception list not found response"},"500":{"content":{"application/json":{"examples":{"serverError":{"value":{"message":"Internal Server Error","status_code":500}}},"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_SiemErrorResponse"}}},"description":"Internal server error response"}},"summary":"Delete an exception list","tags":["Security Exceptions API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/exception_lists\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nGet the details of an exception list using the `id` or `list_id` field.","operationId":"ReadExceptionList","parameters":[{"description":"Exception list's identifier. Either `id` or `list_id` must be specified.","in":"query","name":"id","required":false,"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListId"}},{"description":"Human readable exception list string identifier, e.g. `trusted-linux-processes`. Either `id` or `list_id` must be specified.","in":"query","name":"list_id","required":false,"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListHumanId"}},{"examples":{"agnostic":{"value":"agnostic"},"single":{"value":"single"}},"in":"query","name":"namespace_type","required":false,"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType","default":"single"}}],"responses":{"200":{"content":{"application/json":{"examples":{"detectionType":{"value":{"_version":"WzIsMV0=","created_at":"2025-01-07T19:34:27.942Z","created_by":"elastic","description":"This is a sample detection type exception list.","id":"9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85","immutable":false,"list_id":"simple_list","name":"Sample Detection Exception List","namespace_type":"single","os_types":["linux"],"tags":["malware"],"tie_breaker_id":"78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3","type":"detection","updated_at":"2025-01-07T19:34:27.942Z","updated_by":"elastic","version":1}}},"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionList"}}},"description":"Successful response"},"400":{"content":{"application/json":{"examples":{"badRequest":{"value":{"error":"Bad Request","message":"[request query]: namespace_type.0: Invalid enum value. Expected 'agnostic' | 'single', received 'blob'","statusCode":400}}},"schema":{"oneOf":[{"$ref":"#/components/schemas/Security_Exceptions_API_PlatformErrorResponse"},{"$ref":"#/components/schemas/Security_Exceptions_API_SiemErrorResponse"}]}}},"description":"Invalid input data response"},"401":{"content":{"application/json":{"examples":{"unauthorized":{"value":{"error":"Unauthorized","message":"[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]","statusCode":401}}},"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication response"},"403":{"content":{"application/json":{"examples":{"forbidden":{"value":{"error":"Forbidden","message":"API [GET /api/exception_lists?list_id=simple_list\u0026namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-read]","statusCode":403}}},"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_PlatformErrorResponse"}}},"description":"Not enough privileges response"},"404":{"content":{"application/json":{"examples":{"notFound":{"value":{"message\"":"exception list id: \"foo\" does not exist","status_code\"":404}}},"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_SiemErrorResponse"}}},"description":"Exception list item not found response"},"500":{"content":{"application/json":{"examples":{"serverError":{"value":{"message":"Internal Server Error","status_code":500}}},"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_SiemErrorResponse"}}},"description":"Internal server error response"}},"summary":"Get exception list details","tags":["Security Exceptions API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/exception_lists\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nAn exception list groups exception items and can be associated with detection rules. You can assign exception lists to multiple detection rules.\n\u003e info\n\u003e All exception items added to the same list are evaluated using `OR` logic. That is, if any of the items in a list evaluate to `true`, the exception prevents the rule from generating an alert. Likewise, `OR` logic is used for evaluating exceptions when more than one exception list is assigned to a rule. To use the `AND` operator, you can define multiple clauses (`entries`) in a single exception item.\n","operationId":"CreateExceptionList","requestBody":{"content":{"application/json":{"schema":{"example":{"description":"This is a sample detection type exception list.","list_id":"simple_list","name":"Sample Detection Exception List","namespace_type":"single","os_types":["linux"],"tags":["malware"],"type":"detection"},"type":"object","properties":{"description":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListDescription"},"list_id":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListHumanId"},"meta":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListMeta"},"name":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListName"},"namespace_type":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType","default":"single"},"os_types":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray"},"tags":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListTags","default":[]},"type":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListType"},"version":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListVersion","default":1}},"required":["name","description","type"]}}},"description":"Exception list's properties","required":true},"responses":{"200":{"content":{"application/json":{"examples":{"autogeneratedListId":{"value":{"_version":"WzMsMV0=","created_at":"2025-01-09T01:05:23.019Z","created_by":"elastic","description":"This is a sample detection type exception with an autogenerated list_id.","id":"28243c2f-624a-4443-823d-c0b894880931","immutable":false,"list_id":"8c1aae4c-1ef5-4bce-a2e3-16584b501783","name":"Sample Detection Exception List","namespace_type":"single","os_types":[],"tags":["malware"],"tie_breaker_id":"ad94de31-39f7-4ad7-b8e4-988bfa95f338","type":"detection","updated_at":"2025-01-09T01:05:23.020Z","updated_by":"elastic","version":1}},"namespaceAgnostic":{"value":{"_version":"WzUsMV0=","created_at":"2025-01-09T01:10:36.369Z","created_by":"elastic","description":"This is a sample agnostic endpoint type exception.","id":"1a744e77-22ca-4b6b-9085-54f55275ebe5","immutable":false,"list_id":"b935eb55-7b21-4c1c-b235-faa1df23b3d6","name":"Sample Agnostic Endpoint Exception List","namespace_type":"agnostic","os_types":["linux"],"tags":["malware"],"tie_breaker_id":"49ea0adc-a2b8-4d83-a8f3-2fb98301dea3","type":"endpoint","updated_at":"2025-01-09T01:10:36.369Z","updated_by":"elastic","version":1}},"typeDetection":{"value":{"_version":"WzIsMV0=","created_at":"2025-01-07T19:34:27.942Z","created_by":"elastic","description":"This is a sample detection type exception list.","id":"9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85","immutable":false,"list_id":"simple_list","name":"Sample Detection Exception List","namespace_type":"single","os_types":["linux"],"tags":["malware"],"tie_breaker_id":"78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3","type":"detection","updated_at":"2025-01-07T19:34:27.942Z","updated_by":"elastic","version":1}},"typeEndpoint":{"value":{"_version":"WzQsMV0=","created_at":"2025-01-09T01:07:49.658Z","created_by":"elastic","description":"This is a sample endpoint type exception list.","id":"a79f4730-6e32-4278-abfc-349c0add7d54","immutable":false,"list_id":"endpoint_list","name":"Sample Endpoint Exception List","namespace_type":"single","os_types":["linux"],"tags":["malware"],"tie_breaker_id":"94a028af-8f47-427a-aca5-ffaf829e64ee","type":"endpoint","updated_at":"2025-01-09T01:07:49.658Z","updated_by":"elastic","version":1}}},"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionList"}}},"description":"Successful response"},"400":{"content":{"application/json":{"examples":{"badRequest":{"value":{"error":"Bad Request","message":"[request body]: list_id: Expected string, received number","statusCode":400}}},"schema":{"oneOf":[{"$ref":"#/components/schemas/Security_Exceptions_API_PlatformErrorResponse"},{"$ref":"#/components/schemas/Security_Exceptions_API_SiemErrorResponse"}]}}},"description":"Invalid input data response"},"401":{"content":{"application/json":{"examples":{"unauthorized":{"value":{"error":"Unauthorized","message":"[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]","statusCode":401}}},"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication response"},"403":{"content":{"application/json":{"examples":{"forbidden":{"value":{"error":"Forbidden","message":"API [POST /api/exception_lists] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]","statusCode":403}}},"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_PlatformErrorResponse"}}},"description":"Not enough privileges response"},"409":{"content":{"application/json":{"examples":{"alreadyExists":{"value":{"message":"exception list id: \"simple_list\" already exists","status_code":409}}},"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_SiemErrorResponse"}}},"description":"Exception list already exists response"},"500":{"content":{"application/json":{"examples":{"serverError":{"value":{"message":"Internal Server Error","status_code":500}}},"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_SiemErrorResponse"}}},"description":"Internal server error response"}},"summary":"Create an exception list","tags":["Security Exceptions API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"put":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb put\"\u003eput\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/exception_lists\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nUpdate an exception list using the `id` or `list_id` field.","operationId":"UpdateExceptionList","requestBody":{"content":{"application/json":{"schema":{"example":{"description":"Different description","list_id":"simple_list","name":"Updated exception list name","os_types":["linux"],"tags":["draft malware"],"type":"detection"},"type":"object","properties":{"_version":{"description":"The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version.","type":"string"},"description":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListDescription"},"id":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListId"},"list_id":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListHumanId"},"meta":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListMeta"},"name":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListName"},"namespace_type":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType","default":"single"},"os_types":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray","default":[]},"tags":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListTags"},"type":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListType"},"version":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListVersion"}},"required":["name","description","type"]}}},"description":"Exception list's properties","required":true},"responses":{"200":{"content":{"application/json":{"examples":{"simpleList":{"value":{"_version":"WzExLDFd","created_at":"2025-01-07T20:43:55.264Z","created_by":"elastic","description":"Different description","id":"fa7f545f-191b-4d32-b1f0-c7cd62a79e55","immutable":false,"list_id":"simple_list","name":"Updated exception list name","namespace_type":"single","os_types":[],"tags":["draft malware"],"tie_breaker_id":"319fe983-acdd-4806-b6c4-3098eae9392f","type":"detection","updated_at":"2025-01-07T21:32:03.726Z","updated_by":"elastic","version":2}}},"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionList"}}},"description":"Successful response"},"400":{"content":{"application/json":{"examples":{"badRequest":{"value":{"error":"Bad Request","message":"[request body]: list_id: Expected string, received number","statusCode":400}}},"schema":{"oneOf":[{"$ref":"#/components/schemas/Security_Exceptions_API_PlatformErrorResponse"},{"$ref":"#/components/schemas/Security_Exceptions_API_SiemErrorResponse"}]}}},"description":"Invalid input data response"},"401":{"content":{"application/json":{"examples":{"unauthorized":{"value":{"error":"Unauthorized","message":"[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]","statusCode":401}}},"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication response"},"403":{"content":{"application/json":{"examples":{"forbidden":{"value":{"error":"Forbidden","message":"API [PUT /api/exception_lists] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]","statusCode":403}}},"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_PlatformErrorResponse"}}},"description":"Not enough privileges response"},"404":{"content":{"application/json":{"examples":{"notFound":{"value":{"message\"":"exception list id: \"foo\" does not exist","status_code\"":404}}},"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_SiemErrorResponse"}}},"description":"Exception list not found response"},"500":{"content":{"application/json":{"examples":{"serverError":{"value":{"message":"Internal Server Error","status_code":500}}},"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_SiemErrorResponse"}}},"description":"Internal server error response"}},"summary":"Update an exception list","tags":["Security Exceptions API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/exception_lists/_duplicate":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/exception_lists/_duplicate\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nDuplicate an existing exception list.","operationId":"DuplicateExceptionList","parameters":[{"in":"query","name":"list_id","required":true,"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListHumanId"}},{"examples":{"agnostic":{"value":"agnostic"},"single":{"value":"single"}},"in":"query","name":"namespace_type","required":true,"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType"}},{"description":"Determines whether to include expired exceptions in the duplicated list. Expiration date defined by `expire_time`.","in":"query","name":"include_expired_exceptions","required":true,"schema":{"default":"true","enum":["true","false"],"example":true,"type":"string"}}],"responses":{"200":{"content":{"application/json":{"examples":{"detectionExceptionList":{"value":{"_version":"WzExNDY1LDFd","created_at":"2025-01-09T16:19:50.280Z","created_by":"elastic","description":"This is a sample detection type exception","id":"b2f4a715-6ab1-444c-8b1e-3fa1b1049429","immutable":false,"list_id":"d6390d60-bce3-4a48-9002-52db600f329c","name":"Sample Detection Exception List [Duplicate]","namespace_type":"single","os_types":[],"tags":["malware"],"tie_breaker_id":"6fa670bd-666d-4c9c-9f1e-d1dbc516e985","type":"detection","updated_at":"2025-01-09T16:19:50.280Z","updated_by":"elastic","version":1}}},"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionList"}}},"description":"Successful response"},"400":{"content":{"application/json":{"examples":{"badRequest":{"value":{"error":"Bad Request","message":"[request query]: namespace_type: Invalid enum value. Expected 'agnostic' | 'single', received 'foo'","statusCode":400}}},"schema":{"oneOf":[{"$ref":"#/components/schemas/Security_Exceptions_API_PlatformErrorResponse"},{"$ref":"#/components/schemas/Security_Exceptions_API_SiemErrorResponse"}]}}},"description":"Invalid input data response"},"401":{"content":{"application/json":{"examples":{"unauthorized":{"value":{"error":"Unauthorized","message":"[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]","statusCode":401}}},"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication response"},"403":{"content":{"application/json":{"examples":{"forbidden":{"value":{"error":"Forbidden","message":"API [POST /api/exception_lists/_duplicate] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]","statusCode":403}}},"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_PlatformErrorResponse"}}},"description":"Not enough privileges response"},"404":{"content":{"application/json":{"examples":{"notFound":{"value":{"message\"":"exception list id: \"foo\" does not exist","status_code\"":404}}},"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_PlatformErrorResponse"}}},"description":"Exception list not found"},"405":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_SiemErrorResponse"}}},"description":"Exception list to duplicate not found response"},"500":{"content":{"application/json":{"examples":{"serverError":{"value":{"message":"Internal Server Error","status_code":500}}},"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_SiemErrorResponse"}}},"description":"Internal server error response"}},"summary":"Duplicate an exception list","tags":["Security Exceptions API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/exception_lists/_export":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/exception_lists/_export\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nExport an exception list and its associated items to an NDJSON file.","operationId":"ExportExceptionList","parameters":[{"in":"query","name":"id","required":true,"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListId"}},{"in":"query","name":"list_id","required":true,"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListHumanId"}},{"examples":{"agnostic":{"value":"agnostic"},"single":{"value":"single"}},"in":"query","name":"namespace_type","required":true,"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType"}},{"description":"Determines whether to include expired exceptions in the exported list. Expiration date defined by `expire_time`.","example":true,"in":"query","name":"include_expired_exceptions","required":true,"schema":{"default":"true","enum":["true","false"],"type":"string"}}],"responses":{"200":{"content":{"application/ndjson":{"examples":{"exportSavedObjectsResponse":{"value":"{\"_version\":\"WzExNDU5LDFd\",\"created_at\":\"2025-01-09T16:18:17.757Z\",\"created_by\":\"elastic\",\"description\":\"This is a sample detection type exception\",\"id\":\"c86c2da0-2ab6-4343-b81c-216ef27e8d75\",\"immutable\":false,\"list_id\":\"simple_list\",\"name\":\"Sample Detection Exception List\",\"namespace_type\":\"single\",\"os_types\":[],\"tags\":[\"user added string for a tag\",\"malware\"],\"tie_breaker_id\":\"cf4a7b92-732d-47f0-a0d5-49a35a1736bf\",\"type\":\"detection\",\"updated_at\":\"2025-01-09T16:18:17.757Z\",\"updated_by\":\"elastic\",\"version\":1}\n{\"_version\":\"WzExNDYxLDFd\",\"comments\":[],\"created_at\":\"2025-01-09T16:18:42.308Z\",\"created_by\":\"elastic\",\"description\":\"This is a sample endpoint type exception\",\"entries\":[{\"type\":\"exists\",\"field\":\"actingProcess.file.signer\",\"operator\":\"excluded\"},{\"type\":\"match_any\",\"field\":\"host.name\",\"value\":[\"some host\",\"another host\"],\"operator\":\"included\"}],\"id\":\"f37597ce-eaa7-4b64-9100-4301118f6806\",\"item_id\":\"simple_list_item\",\"list_id\":\"simple_list\",\"name\":\"Sample Endpoint Exception List\",\"namespace_type\":\"single\",\"os_types\":[\"linux\"],\"tags\":[\"user added string for a tag\",\"malware\"],\"tie_breaker_id\":\"4ca3ef3e-9721-42c0-8107-cf47e094d40f\",\"type\":\"simple\",\"updated_at\":\"2025-01-09T16:18:42.308Z\",\"updated_by\":\"elastic\"}\n{\"exported_exception_list_count\":1,\"exported_exception_list_item_count\":1,\"missing_exception_list_item_count\":0,\"missing_exception_list_items\":[],\"missing_exception_lists\":[],\"missing_exception_lists_count\":0}\n"}},"schema":{"description":"A `.ndjson` file containing specified exception list and its items","format":"binary","type":"string"}}},"description":"Successful response"},"400":{"content":{"application/json":{"examples":{"badRequest":{"value":{"error":"Bad Request","message":"[request query]: list_id: Required, namespace_type: Required","statusCode":400}}},"schema":{"oneOf":[{"$ref":"#/components/schemas/Security_Exceptions_API_PlatformErrorResponse"},{"$ref":"#/components/schemas/Security_Exceptions_API_SiemErrorResponse"}]}}},"description":"Invalid input data response"},"401":{"content":{"application/json":{"examples":{"unauthorized":{"value":{"error":"Unauthorized","message":"[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]","statusCode":401}}},"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication response"},"403":{"content":{"application/json":{"examples":{"forbidden":{"value":{"error":"Forbidden","message":"API [POST /api/exception_lists/_export] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]","statusCode":403}}},"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_PlatformErrorResponse"}}},"description":"Not enough privileges response"},"404":{"content":{"application/json":{"examples":{"notFound":{"value":{"message\"":"exception list id: \"foo\" does not exist","status_code\"":404}}},"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_SiemErrorResponse"}}},"description":"Exception list not found response"},"500":{"content":{"application/json":{"examples":{"serverError":{"value":{"message":"Internal Server Error","status_code":500}}},"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_SiemErrorResponse"}}},"description":"Internal server error response"}},"summary":"Export an exception list","tags":["Security Exceptions API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/exception_lists/_find":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/exception_lists/_find\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nGet a list of all exception list containers.","operationId":"FindExceptionLists","parameters":[{"description":"Filters the returned results according to the value of the specified field.\n\nUses the `so type.field name:field` value syntax, where `so type` can be:\n\n- `exception-list`: Specify a space-aware exception list.\n- `exception-list-agnostic`: Specify an exception list that is shared across spaces.\n","in":"query","name":"filter","required":false,"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_FindExceptionListsFilter"}},{"description":"Determines whether the returned containers are Kibana associated with a Kibana space\nor available in all spaces (`agnostic` or `single`)\n","examples":{"agnostic":{"value":"agnostic"},"single":{"value":"single"}},"in":"query","name":"namespace_type","required":false,"schema":{"default":["single"],"items":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType"},"type":"array"}},{"description":"The page number to return","in":"query","name":"page","required":false,"schema":{"example":1,"minimum":1,"type":"integer"}},{"description":"The number of exception lists to return per page","in":"query","name":"per_page","required":false,"schema":{"example":20,"minimum":1,"type":"integer"}},{"description":"Determines which field is used to sort the results.","in":"query","name":"sort_field","required":false,"schema":{"example":"name","type":"string"}},{"description":"Determines the sort order, which can be `desc` or `asc`.","in":"query","name":"sort_order","required":false,"schema":{"enum":["desc","asc"],"example":"desc","type":"string"}}],"responses":{"200":{"content":{"application/json":{"examples":{"simpleLists":{"value":{"data":[{"_version":"WzIsMV0=","created_at":"2025-01-07T19:34:27.942Z","created_by":"elastic","description":"This is a sample detection type exception list.","id":"9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85","immutable":false,"list_id":"simple_list","name":"Detection Exception List","namespace_type":"single","os_types":[],"tags":["malware"],"tie_breaker_id":"78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3","type":"detection","updated_at":"2025-01-07T19:34:27.942Z","updated_by":"elastic","version":1}],"page":1,"per_page":20,"total":1}}},"schema":{"type":"object","properties":{"data":{"items":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionList"},"type":"array"},"page":{"minimum":1,"type":"integer"},"per_page":{"minimum":1,"type":"integer"},"total":{"minimum":0,"type":"integer"}},"required":["data","page","per_page","total"]}}},"description":"Successful response"},"400":{"content":{"application/json":{"examples":{"badRequest":{"value":{"error":"Bad Request","message":"[request query]: namespace_type.0: Invalid enum value. Expected 'agnostic' | 'single', received 'blob'","statusCode":400}}},"schema":{"oneOf":[{"$ref":"#/components/schemas/Security_Exceptions_API_PlatformErrorResponse"},{"$ref":"#/components/schemas/Security_Exceptions_API_SiemErrorResponse"}]}}},"description":"Invalid input data response"},"401":{"content":{"application/json":{"examples":{"unauthorized":{"value":{"error":"Unauthorized","message":"[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]","statusCode":401}}},"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication response"},"403":{"content":{"application/json":{"examples":{"forbidden":{"value":{"error":"Forbidden","message":"API [GET /api/exception_lists/_find?namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-read]","statusCode":403}}},"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_PlatformErrorResponse"}}},"description":"Not enough privileges response"},"500":{"content":{"application/json":{"examples":{"serverError":{"value":{"message":"Internal Server Error","status_code":500}}},"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_SiemErrorResponse"}}},"description":"Internal server error response"}},"summary":"Get exception lists","tags":["Security Exceptions API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/exception_lists/_import":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/exception_lists/_import\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nImport an exception list and its associated items from an NDJSON file.","operationId":"ImportExceptionList","parameters":[{"description":"Determines whether existing exception lists with the same `list_id` are overwritten.\nIf any exception items have the same `item_id`, those are also overwritten.\n","in":"query","name":"overwrite","required":false,"schema":{"default":false,"example":false,"type":"boolean"}},{"description":"Determines whether the list being imported will have a new `list_id` generated.\nAdditional `item_id`'s are generated for each exception item. Both the exception\nlist and its items are overwritten.\n","in":"query","name":"as_new_list","required":false,"schema":{"default":false,"example":false,"type":"boolean"}}],"requestBody":{"content":{"multipart/form-data":{"schema":{"type":"object","properties":{"file":{"description":"A `.ndjson` file containing the exception list","example":"{\"_version\":\"WzExNDU5LDFd\",\"created_at\":\"2025-01-09T16:18:17.757Z\",\"created_by\":\"elastic\",\"description\":\"This is a sample detection type exception\",\"id\":\"c86c2da0-2ab6-4343-b81c-216ef27e8d75\",\"immutable\":false,\"list_id\":\"simple_list\",\"name\":\"Sample Detection Exception List\",\"namespace_type\":\"single\",\"os_types\":[],\"tags\":[\"user added string for a tag\",\"malware\"],\"tie_breaker_id\":\"cf4a7b92-732d-47f0-a0d5-49a35a1736bf\",\"type\":\"detection\",\"updated_at\":\"2025-01-09T16:18:17.757Z\",\"updated_by\":\"elastic\",\"version\":1}\n{\"_version\":\"WzExNDYxLDFd\",\"comments\":[],\"created_at\":\"2025-01-09T16:18:42.308Z\",\"created_by\":\"elastic\",\"description\":\"This is a sample endpoint type exception\",\"entries\":[{\"type\":\"exists\",\"field\":\"actingProcess.file.signer\",\"operator\":\"excluded\"},{\"type\":\"match_any\",\"field\":\"host.name\",\"value\":[\"some host\",\"another host\"],\"operator\":\"included\"}],\"id\":\"f37597ce-eaa7-4b64-9100-4301118f6806\",\"item_id\":\"simple_list_item\",\"list_id\":\"simple_list\",\"name\":\"Sample Endpoint Exception List\",\"namespace_type\":\"single\",\"os_types\":[\"linux\"],\"tags\":[\"user added string for a tag\",\"malware\"],\"tie_breaker_id\":\"4ca3ef3e-9721-42c0-8107-cf47e094d40f\",\"type\":\"simple\",\"updated_at\":\"2025-01-09T16:18:42.308Z\",\"updated_by\":\"elastic\"}\n","format":"binary","type":"string"}}}}},"required":true},"responses":{"200":{"content":{"application/json":{"examples":{"withErrors":{"value":{"errors":[{"error":{"message":"Error found importing exception list: Invalid value \\\"4\\\" supplied to \\\"list_id\\\"","status_code":400},"list_id":"(unknown list_id)"},{"error":{"message":"Found that item_id: \\\"f7fd00bb-dba8-4c93-9d59-6cbd427b6330\\\" already exists. Import of item_id: \\\"f7fd00bb-dba8-4c93-9d59-6cbd427b6330\\\" skipped.","status_code":409},"item_id":"f7fd00bb-dba8-4c93-9d59-6cbd427b6330","list_id":"7d7cccb8-db72-4667-b1f3-648efad7c1ee"}],"success":"false,","success_count":"0,","success_count_exception_list_items":0,"success_count_exception_lists":"0,","success_exception_list_items":"false,","success_exception_lists":"false,"}},"withoutErrors":{"value":{"errors":[],"success":true,"success_count":2,"success_count_exception_list_items":1,"success_count_exception_lists":1,"success_exception_list_items":true,"success_exception_lists":"true,"}}},"schema":{"type":"object","properties":{"errors":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListsImportBulkErrorArray"},"success":{"type":"boolean"},"success_count":{"minimum":0,"type":"integer"},"success_count_exception_list_items":{"minimum":0,"type":"integer"},"success_count_exception_lists":{"minimum":0,"type":"integer"},"success_exception_list_items":{"type":"boolean"},"success_exception_lists":{"type":"boolean"}},"required":["errors","success","success_count","success_exception_lists","success_count_exception_lists","success_exception_list_items","success_count_exception_list_items"]}}},"description":"Successful response"},"400":{"content":{"application/json":{"schema":{"oneOf":[{"$ref":"#/components/schemas/Security_Exceptions_API_PlatformErrorResponse"},{"$ref":"#/components/schemas/Security_Exceptions_API_SiemErrorResponse"}]}}},"description":"Invalid input data response"},"401":{"content":{"application/json":{"examples":{"unauthorized":{"value":{"error":"Unauthorized","message":"[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]","statusCode":401}}},"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication response"},"403":{"content":{"application/json":{"examples":{"forbidden":{"value":{"error":"Forbidden","message":"API [POST /api/exception_lists/_import] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]","statusCode":403}}},"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_PlatformErrorResponse"}}},"description":"Not enough privileges response"},"500":{"content":{"application/json":{"examples":{"serverError":{"value":{"message":"Internal Server Error","status_code":500}}},"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_SiemErrorResponse"}}},"description":"Internal server error response"}},"summary":"Import an exception list","tags":["Security Exceptions API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/exception_lists/items":{"delete":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb delete\"\u003edelete\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/exception_lists/items\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nDelete an exception list item using the `id` or `item_id` field.","operationId":"DeleteExceptionListItem","parameters":[{"description":"Exception item's identifier. Either `id` or `item_id` must be specified","in":"query","name":"id","required":false,"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListItemId"}},{"description":"Human readable exception item string identifier, e.g. `trusted-linux-processes`. Either `id` or `item_id` must be specified","in":"query","name":"item_id","required":false,"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId"}},{"examples":{"agnostic":{"value":"agnostic"},"single":{"value":"single"}},"in":"query","name":"namespace_type","required":false,"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType","default":"single"}}],"responses":{"200":{"content":{"application/json":{"examples":{"simpleExceptionItem":{"value":{"_version":"WzQsMV0=","comments":[],"created_at":"2025-01-07T20:07:33.119Z","created_by":"elastic","description":"This is a sample detection type exception item.","entries":[{"field":"actingProcess.file.signer","operator":"excluded","type":"exists"},{"field":"host.name","operator":"included","type":"match_any","value":["saturn","jupiter"]}],"id":"71a9f4b2-c85c-49b4-866f-c71eb9e67da2","item_id":"simple_list_item","list_id":"simple_list","name":"Sample Exception List Item","namespace_type":"single","os_types":["linux"],"tags":["malware"],"tie_breaker_id":"09434836-9db9-4942-a234-5a9268e0b34c","type":"simple","updated_at":"2025-01-07T20:07:33.119Z","updated_by":"elastic"}}},"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListItem"}}},"description":"Successful response"},"400":{"content":{"application/json":{"schema":{"example":{"error":"Bad Request","message":"[request query]: namespace_type.0: Invalid enum value. Expected 'agnostic' | 'single', received 'blob'","statusCode":400},"oneOf":[{"$ref":"#/components/schemas/Security_Exceptions_API_PlatformErrorResponse"},{"$ref":"#/components/schemas/Security_Exceptions_API_SiemErrorResponse"}]}}},"description":"Invalid input data response"},"401":{"content":{"application/json":{"examples":{"unauthorized":{"value":{"error":"Unauthorized","message":"[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]","statusCode":401}}},"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication response"},"403":{"content":{"application/json":{"examples":{"forbidden":{"value":{"error":"Forbidden","message":"API [DELETE /api/exception_lists/items?item_id=simple_list\u0026namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]","statusCode":403}}},"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_PlatformErrorResponse"}}},"description":"Not enough privileges response"},"404":{"content":{"application/json":{"examples":{"notFound":{"value":{"message":"exception list item item_id: \\\"foo\\\" does not exist","status_code":404}}},"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_SiemErrorResponse"}}},"description":"Exception list item not found response"},"500":{"content":{"application/json":{"examples":{"serverError":{"value":{"message":"Internal Server Error","status_code":500}}},"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_SiemErrorResponse"}}},"description":"Internal server error response"}},"summary":"Delete an exception list item","tags":["Security Exceptions API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/exception_lists/items\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nGet the details of an exception list item using the `id` or `item_id` field.","operationId":"ReadExceptionListItem","parameters":[{"description":"Exception list item's identifier. Either `id` or `item_id` must be specified.","in":"query","name":"id","required":false,"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListItemId"}},{"description":"Human readable exception item string identifier, e.g. `trusted-linux-processes`. Either `id` or `item_id` must be specified.","in":"query","name":"item_id","required":false,"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId"}},{"examples":{"agnostic":{"value":"agnostic"},"single":{"value":"single"}},"in":"query","name":"namespace_type","required":false,"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType","default":"single"}}],"responses":{"200":{"content":{"application/json":{"examples":{"simpleListItem":{"value":{"_version":"WzQsMV0=","comments":[],"created_at":"2025-01-07T20:07:33.119Z","created_by":"elastic","description":"This is a sample detection type exception item.","entries":[{"field":"actingProcess.file.signer","operator":"excluded","type":"exists"},{"field":"host.name","operator":"included","type":"match_any","value":["saturn","jupiter"]}],"id":"71a9f4b2-c85c-49b4-866f-c71eb9e67da2","item_id":"simple_list_item","list_id":"simple_list","name":"Sample Exception List Item","namespace_type":"single","os_types":["linux"],"tags":["malware"],"tie_breaker_id":"09434836-9db9-4942-a234-5a9268e0b34c","type":"simple","updated_at":"2025-01-07T20:07:33.119Z","updated_by":"elastic"}}},"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListItem"}}},"description":"Successful response"},"400":{"content":{"application/json":{"examples":{"badRequest":{"value":{"error":"Bad Request","message":"[request query]: namespace_type.0: Invalid enum value. Expected 'agnostic' | 'single', received 'blob'","statusCode":400}}},"schema":{"oneOf":[{"$ref":"#/components/schemas/Security_Exceptions_API_PlatformErrorResponse"},{"$ref":"#/components/schemas/Security_Exceptions_API_SiemErrorResponse"}]}}},"description":"Invalid input data response"},"401":{"content":{"application/json":{"examples":{"unauthorized":{"value":{"error":"Unauthorized","message":"[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]","statusCode":401}}},"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication response"},"403":{"content":{"application/json":{"examples":{"forbidden":{"value":{"error":"Forbidden","message":"API [GET /api/exception_lists/items?item_id=\u0026namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-read]","statusCode":403}}},"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_PlatformErrorResponse"}}},"description":"Not enough privileges response"},"404":{"content":{"application/json":{"examples":{"notFound":{"value":{"message":"exception list item item_id: \\\"foo\\\" does not exist","status_code":404}}},"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_SiemErrorResponse"}}},"description":"Exception list item not found response"},"500":{"content":{"application/json":{"examples":{"serverError":{"value":{"message":"Internal Server Error","status_code":500}}},"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_SiemErrorResponse"}}},"description":"Internal server error response"}},"summary":"Get an exception list item","tags":["Security Exceptions API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/exception_lists/items\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nCreate an exception item and associate it with the specified exception list.\n\u003e info\n\u003e Before creating exception items, you must create an exception list.\n","operationId":"CreateExceptionListItem","requestBody":{"content":{"application/json":{"schema":{"example":{"description":"This is a sample detection type exception item.","entries":[{"field":"actingProcess.file.signer","operator":"excluded","type":"exists"},{"field":"host.name","operator":"included","type":"match_any","value":["saturn","jupiter"]}],"item_id":"simple_list_item","list_id":"simple_list","name":"Sample Exception List Item","namespace_type":"single","os_types":["linux"],"tags":["malware"],"type":"simple"},"type":"object","properties":{"comments":{"$ref":"#/components/schemas/Security_Exceptions_API_CreateExceptionListItemCommentArray","default":[]},"description":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListItemDescription"},"entries":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray"},"expire_time":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListItemExpireTime"},"item_id":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId"},"list_id":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListHumanId"},"meta":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListItemMeta"},"name":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListItemName"},"namespace_type":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType","default":"single"},"os_types":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray","default":[]},"tags":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListItemTags","default":[]},"type":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListItemType"}},"required":["list_id","type","name","description","entries"]}}},"description":"Exception list item's properties","required":true},"responses":{"200":{"content":{"application/json":{"examples":{"autogeneratedItemId":{"value":{"_version":"WzYsMV0=","comments":[],"created_at":"2025-01-09T01:16:23.322Z","created_by":"elastic","description":"This is a sample exception that has no item_id so it is autogenerated.","entries":[{"field":"actingProcess.file.signer","operator":"excluded","type":"exists"}],"id":"323faa75-c657-4fa0-9084-8827612c207b","item_id":"80e6edf7-4b13-4414-858f-2fa74aa52b37","list_id":"8c1aae4c-1ef5-4bce-a2e3-16584b501783","name":"Sample Autogenerated Exception List Item ID","namespace_type":"single","os_types":[],"tags":["malware"],"tie_breaker_id":"d6799986-3a23-4213-bc6d-ed9463a32f23","type":"simple","updated_at":"2025-01-09T01:16:23.322Z","updated_by":"elastic"}},"detectionExceptionListItem":{"value":{"_version":"WzQsMV0=","comments":[],"created_at":"2025-01-07T20:07:33.119Z","created_by":"elastic","description":"This is a sample detection type exception item.","entries":[{"field":"actingProcess.file.signer","operator":"excluded","type":"exists"}],"id":"71a9f4b2-c85c-49b4-866f-c71eb9e67da2","item_id":"simple_list_item","list_id":"simple_list","name":"Sample Exception List Item","namespace_type":"single","os_types":["linux"],"tags":["malware"],"tie_breaker_id":"09434836-9db9-4942-a234-5a9268e0b34c","type":"simple","updated_at":"2025-01-07T20:07:33.119Z","updated_by":"elastic"}},"withExistEntry":{"value":{"_version":"WzQsMV0=","comments":[],"created_at":"2025-01-07T20:07:33.119Z","created_by":"elastic","description":"This is a sample detection type exception item.","entries":[{"field":"actingProcess.file.signer","operator":"excluded","type":"exists"}],"id":"71a9f4b2-c85c-49b4-866f-c71eb9e67da2","item_id":"simple_list_item","list_id":"simple_list","name":"Sample Exception List Item","namespace_type":"single","os_types":["linux"],"tags":["malware"],"tie_breaker_id":"09434836-9db9-4942-a234-5a9268e0b34c","type":"simple","updated_at":"2025-01-07T20:07:33.119Z","updated_by":"elastic"}},"withMatchAnyEntry":{"value":{"_version":"WzQsMV0=","comments":[],"created_at":"2025-01-07T20:07:33.119Z","created_by":"elastic","description":"This is a sample detection type exception item.","entries":[{"field":"host.name","operator":"included","type":"match_any","value":["saturn","jupiter"]}],"id":"71a9f4b2-c85c-49b4-866f-c71eb9e67da2","item_id":"simple_list_item","list_id":"simple_list","name":"Sample Exception List Item","namespace_type":"single","os_types":["linux"],"tags":["malware"],"tie_breaker_id":"09434836-9db9-4942-a234-5a9268e0b34c","type":"simple","updated_at":"2025-01-07T20:07:33.119Z","updated_by":"elastic"}},"withMatchEntry":{"value":{"_version":"WzQsMV0=","comments":[],"created_at":"2025-01-07T20:07:33.119Z","created_by":"elastic","description":"This is a sample detection type exception item.","entries":[{"field":"actingProcess.file.signer","operator":"included","type":"match","value":"Elastic N.V."}],"id":"71a9f4b2-c85c-49b4-866f-c71eb9e67da2","item_id":"simple_list_item","list_id":"simple_list","name":"Sample Exception List Item","namespace_type":"single","os_types":["linux"],"tags":["malware"],"tie_breaker_id":"09434836-9db9-4942-a234-5a9268e0b34c","type":"simple","updated_at":"2025-01-07T20:07:33.119Z","updated_by":"elastic"}},"withNestedEntry":{"value":{"_version":"WzQsMV0=","comments":[],"created_at":"2025-01-07T20:07:33.119Z","created_by":"elastic","description":"This is a sample detection type exception item.","entries":[{"entries":[{"field":"signer","operator":"included","type":"match","value":"Evil"},{"field":"trusted","operator":"included","type":"match","value":true}],"field":"file.signature","type":"nested"}],"id":"71a9f4b2-c85c-49b4-866f-c71eb9e67da2","item_id":"simple_list_item","list_id":"simple_list","name":"Sample Exception List Item","namespace_type":"single","os_types":["linux"],"tags":["malware"],"tie_breaker_id":"09434836-9db9-4942-a234-5a9268e0b34c","type":"simple","updated_at":"2025-01-07T20:07:33.119Z","updated_by":"elastic"}},"withValueListEntry":{"value":{"_version":"WzcsMV0=","comments":[],"created_at":"2025-01-09T01:31:12.614Z","created_by":"elastic","description":"Don't signal when agent.name is rock01 and source.ip is in the goodguys.txt list","entries":[{"field":"source.ip","list":{"id":"goodguys.txt","type":"ip"},"operator":"excluded","type":"list"}],"id":"deb26876-297d-4677-8a1f-35467d2f1c4f","item_id":"686b129e-9b8d-4c59-8d8d-c93a9ea82c71","list_id":"8c1aae4c-1ef5-4bce-a2e3-16584b501783","name":"Filter out good guys ip and agent.name rock01","namespace_type":"single","os_types":[],"tags":["malware"],"tie_breaker_id":"5e0288ce-6657-4c18-9dcc-00ec9e8cc6c8","type":"simple","updated_at":"2025-01-09T01:31:12.614Z","updated_by":"elastic"}}},"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListItem"}}},"description":"Successful response"},"400":{"content":{"application/json":{"examples":{"badRequest":{"value":{"error":"Bad Request,","message":"[request body]: list_id: Expected string, received number","statusCode":"400,"}}},"schema":{"oneOf":[{"$ref":"#/components/schemas/Security_Exceptions_API_PlatformErrorResponse"},{"$ref":"#/components/schemas/Security_Exceptions_API_SiemErrorResponse"}]}}},"description":"Invalid input data response"},"401":{"content":{"application/json":{"examples":{"unauthorized":{"value":{"error":"Unauthorized","message":"[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]","statusCode":401}}},"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication response"},"403":{"content":{"application/json":{"examples":{"forbidden":{"value":{"error":"Forbidden","message":"API [POST /api/exception_lists/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]","statusCode":403}}},"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_PlatformErrorResponse"}}},"description":"Not enough privileges response"},"409":{"content":{"application/json":{"examples":{"alreadyExists":{"value":{"message":"exception list item id: \\\"simple_list_item\\\" already exists","status_code":409}}},"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_SiemErrorResponse"}}},"description":"Exception list item already exists response"},"500":{"content":{"application/json":{"examples":{"serverError":{"value":{"message":"Internal Server Error","status_code":500}}},"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_SiemErrorResponse"}}},"description":"Internal server error response"}},"summary":"Create an exception list item","tags":["Security Exceptions API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"put":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb put\"\u003eput\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/exception_lists/items\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nUpdate an exception list item using the `id` or `item_id` field.","operationId":"UpdateExceptionListItem","requestBody":{"content":{"application/json":{"example":{"comments":[],"description":"Updated description","entries":[{"field":"host.name","operator":"included","type":"match","value":"rock01"}],"item_id":"simple_list_item","name":"Updated name","namespace_type":"single","tags":[],"type":"simple"},"schema":{"type":"object","properties":{"_version":{"description":"The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version.","type":"string"},"comments":{"$ref":"#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemCommentArray","default":[]},"description":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListItemDescription"},"entries":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray"},"expire_time":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListItemExpireTime"},"id":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListItemId","description":"Either `id` or `item_id` must be specified"},"item_id":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId","description":"Either `id` or `item_id` must be specified"},"list_id":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListHumanId"},"meta":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListItemMeta"},"name":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListItemName"},"namespace_type":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType","default":"single"},"os_types":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray","default":[]},"tags":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListItemTags"},"type":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListItemType"}},"required":["type","name","description","entries"]}}},"description":"Exception list item's properties","required":true},"responses":{"200":{"content":{"application/json":{"examples":{"simpleListItem":{"value":{"_version":"WzEyLDFd","comments":[],"created_at":"2025-01-07T21:12:25.512Z","created_by":"elastic","description":"Updated description","entries":[{"field":"host.name","operator":"included","type":"match","value":"rock01"}],"id":"459c5e7e-f8b2-4f0b-b136-c1fc702f72da","item_id":"simple_list_item","list_id":"simple_list","name":"Updated name","namespace_type":"single","os_types":[],"tags":[],"tie_breaker_id":"ad0754ff-7b19-49ca-b73e-e6aff6bfa2d0","type":"simple","updated_at":"2025-01-07T21:34:50.233Z","updated_by":"elastic"}}},"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListItem"}}},"description":"Successful response"},"400":{"content":{"application/json":{"examples":{"badRequest":{"value":{"error":"Bad Request","message":"[request body]: item_id: Expected string, received number","statusCode":400}}},"schema":{"oneOf":[{"$ref":"#/components/schemas/Security_Exceptions_API_PlatformErrorResponse"},{"$ref":"#/components/schemas/Security_Exceptions_API_SiemErrorResponse"}]}}},"description":"Invalid input data response"},"401":{"content":{"application/json":{"examples":{"unauthorized":{"value":{"error":"Unauthorized","message":"[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]","statusCode":401}}},"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication response"},"403":{"content":{"application/json":{"examples":{"forbidden":{"value":{"error":"Forbidden","message":"API [PUT /api/exception_lists/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]","statusCode":403}}},"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_PlatformErrorResponse"}}},"description":"Not enough privileges response"},"404":{"content":{"application/json":{"examples":{"notFound":{"value":{"message":"exception list item item_id: \\\"foo\\\" does not exist","status_code":404}}},"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_SiemErrorResponse"}}},"description":"Exception list item not found response"},"500":{"content":{"application/json":{"examples":{"serverError":{"value":{"message":"Internal Server Error","status_code":500}}},"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_SiemErrorResponse"}}},"description":"Internal server error response"}},"summary":"Update an exception list item","tags":["Security Exceptions API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/exception_lists/items/_find":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/exception_lists/items/_find\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nGet a list of all exception list items in the specified list.","operationId":"FindExceptionListItems","parameters":[{"description":"The `list_id`s of the items to fetch.","in":"query","name":"list_id","required":true,"schema":{"items":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListHumanId"},"type":"array"}},{"description":"Filters the returned results according to the value of the specified field,\nusing the `\u003cfield name\u003e:\u003cfield value\u003e` syntax.\n","examples":{"singleFilter":{"value":["exception-list.attributes.name:%My%20item"]}},"in":"query","name":"filter","required":false,"schema":{"default":[],"items":{"$ref":"#/components/schemas/Security_Exceptions_API_NonEmptyString"},"type":"array"}},{"description":"Determines whether the returned containers are Kibana associated with a Kibana space\nor available in all spaces (`agnostic` or `single`)\n","examples":{"single":{"value":["single"]}},"in":"query","name":"namespace_type","required":false,"schema":{"default":["single"],"items":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType"},"type":"array"}},{"in":"query","name":"search","required":false,"schema":{"example":"host.name","type":"string"}},{"description":"The page number to return","in":"query","name":"page","required":false,"schema":{"example":1,"minimum":0,"type":"integer"}},{"description":"The number of exception list items to return per page","in":"query","name":"per_page","required":false,"schema":{"example":20,"minimum":0,"type":"integer"}},{"description":"Determines which field is used to sort the results.","example":"name","in":"query","name":"sort_field","required":false,"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_NonEmptyString"}},{"description":"Determines the sort order, which can be `desc` or `asc`.","in":"query","name":"sort_order","required":false,"schema":{"enum":["desc","asc"],"example":"desc","type":"string"}}],"responses":{"200":{"content":{"application/json":{"examples":{"simpleListItems":{"value":{"data":[{"_version":"WzgsMV0=","comments":[],"created_at":"2025-01-07T21:12:25.512Z","created_by":"elastic","description":"This is a sample exception item.","entries":[{"field":"actingProcess.file.signer","operator":"excluded","type":"exists"},{"field":"host.name","operator":"included","type":"match_any","value":["jupiter","saturn"]}],"id":"459c5e7e-f8b2-4f0b-b136-c1fc702f72da","item_id":"simple_list_item","list_id":"simple_list","name":"Sample Exception List Item","namespace_type":"single","os_types":["linux"],"tags":["malware"],"tie_breaker_id":"ad0754ff-7b19-49ca-b73e-e6aff6bfa2d0","type":"simple","updated_at":"2025-01-07T21:12:25.512Z","updated_by":"elastic"}],"page":1,"per_page":20,"total":1}}},"schema":{"type":"object","properties":{"data":{"items":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListItem"},"type":"array"},"page":{"minimum":1,"type":"integer"},"per_page":{"minimum":1,"type":"integer"},"pit":{"type":"string"},"total":{"minimum":0,"type":"integer"}},"required":["data","page","per_page","total"]}}},"description":"Successful response"},"400":{"content":{"application/json":{"examples":{"badRequest":{"value":{"error":"Bad Request","message":"[request query]: namespace_type.0: Invalid enum value. Expected 'agnostic' | 'single', received 'blob'","statusCode":400}}},"schema":{"oneOf":[{"$ref":"#/components/schemas/Security_Exceptions_API_PlatformErrorResponse"},{"$ref":"#/components/schemas/Security_Exceptions_API_SiemErrorResponse"}]}}},"description":"Invalid input data response"},"401":{"content":{"application/json":{"examples":{"unauthorized":{"value":{"error":"Unauthorized","message":"[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]","statusCode":401}}},"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication response"},"403":{"content":{"application/json":{"examples":{"forbidden":{"value":{"error":"Forbidden","message":"API [GET /api/exception_lists/items/_find?list_id=simple_list\u0026namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-read]","statusCode":403}}},"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_PlatformErrorResponse"}}},"description":"Not enough privileges response"},"404":{"content":{"application/json":{"examples":{"notFound":{"value":{"message":"exception list list_id: \"foo\" does not exist","status_code":404}}},"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_SiemErrorResponse"}}},"description":"Exception list not found response"},"500":{"content":{"application/json":{"examples":{"serverError":{"value":{"message":"Internal Server Error","status_code":500}}},"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_SiemErrorResponse"}}},"description":"Internal server error response"}},"summary":"Get exception list items","tags":["Security Exceptions API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/exception_lists/summary":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/exception_lists/summary\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nGet a summary of the specified exception list.","operationId":"ReadExceptionListSummary","parameters":[{"description":"Exception list's identifier generated upon creation.","in":"query","name":"id","required":false,"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListId"}},{"description":"Exception list's human readable identifier.","in":"query","name":"list_id","required":false,"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListHumanId"}},{"examples":{"agnostic":{"value":"agnostic"},"single":{"value":"single"}},"in":"query","name":"namespace_type","required":false,"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType","default":"single"}},{"description":"Search filter clause","in":"query","name":"filter","required":false,"schema":{"example":"exception-list-agnostic.attributes.tags:\"policy:policy-1\" OR exception-list-agnostic.attributes.tags:\"policy:all\"","type":"string"}}],"responses":{"200":{"content":{"application/json":{"examples":{"summary":{"value":{"linux":0,"macos":0,"total":0,"windows":0}}},"schema":{"type":"object","properties":{"linux":{"minimum":0,"type":"integer"},"macos":{"minimum":0,"type":"integer"},"total":{"minimum":0,"type":"integer"},"windows":{"minimum":0,"type":"integer"}}}}},"description":"Successful response"},"400":{"content":{"application/json":{"examples":{"badRequest":{"value":{"error":"Bad Request","message":"[request query]: namespace_type.0: Invalid enum value. Expected 'agnostic' | 'single', received 'blob'","statusCode":400}}},"schema":{"oneOf":[{"$ref":"#/components/schemas/Security_Exceptions_API_PlatformErrorResponse"},{"$ref":"#/components/schemas/Security_Exceptions_API_SiemErrorResponse"}]}}},"description":"Invalid input data response"},"401":{"content":{"application/json":{"examples":{"unauthorized":{"value":{"error":"Unauthorized","message":"[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]","statusCode":401}}},"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication response"},"403":{"content":{"application/json":{"examples":{"forbidden":{"value":{"error":"Forbidden","message":"API [GET /api/exception_lists/summary?list_id=simple_list\u0026namespace_type=agnostic] is unauthorized for user, this action is granted by the Kibana privileges [lists-summary]","statusCode":403}}},"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_PlatformErrorResponse"}}},"description":"Not enough privileges response"},"404":{"content":{"application/json":{"examples":{"notFound":{"value":{"message\"":"exception list id: \"foo\" does not exist","status_code\"":404}}},"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_SiemErrorResponse"}}},"description":"Exception list not found response"},"500":{"content":{"application/json":{"examples":{"serverError":{"value":{"message":"Internal Server Error","status_code":500}}},"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_SiemErrorResponse"}}},"description":"Internal server error response"}},"summary":"Get an exception list summary","tags":["Security Exceptions API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/exceptions/shared":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/exceptions/shared\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nAn exception list groups exception items and can be associated with detection rules. A shared exception list can apply to multiple detection rules.\n\u003e info\n\u003e All exception items added to the same list are evaluated using `OR` logic. That is, if any of the items in a list evaluate to `true`, the exception prevents the rule from generating an alert. Likewise, `OR` logic is used for evaluating exceptions when more than one exception list is assigned to a rule. To use the `AND` operator, you can define multiple clauses (`entries`) in a single exception item.\n","operationId":"CreateSharedExceptionList","requestBody":{"content":{"application/json":{"schema":{"example":{"description":"This is a sample detection type exception list.","list_id":"simple_list","name":"Sample Detection Exception List","namespace_type":"single","os_types":["linux"],"tags":["malware"]},"type":"object","properties":{"description":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListDescription"},"name":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListName"}},"required":["name","description"]}}},"required":true},"responses":{"200":{"content":{"application/json":{"examples":{"sharedList":{"value":{"_version":"WzIsMV0=","created_at":"2025-01-07T19:34:27.942Z","created_by":"elastic","description":"This is a sample detection type exception list.","id":"9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85","immutable":false,"list_id":"simple_list","name":"Sample Detection Exception List","namespace_type":"single","os_types":["linux"],"tags":["malware"],"tie_breaker_id":"78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3","type":"detection","updated_at":"2025-01-07T19:34:27.942Z","updated_by":"elastic","version":1}}},"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionList"}}},"description":"Successful response"},"400":{"content":{"application/json":{"examples":{"badRequest":{"value":{"error":"Bad Request","message":"[request body]: list_id: Expected string, received number","statusCode":400}}},"schema":{"oneOf":[{"$ref":"#/components/schemas/Security_Exceptions_API_PlatformErrorResponse"},{"$ref":"#/components/schemas/Security_Exceptions_API_SiemErrorResponse"}]}}},"description":"Invalid input data response"},"401":{"content":{"application/json":{"examples":{"unauthorized":{"value":{"error":"Unauthorized","message":"[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]","statusCode":401}}},"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication response"},"403":{"content":{"application/json":{"examples":{"forbidden":{"value":{"message":"Unable to create exception-list","status_code":403}}},"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_PlatformErrorResponse"}}},"description":"Not enough privileges response"},"409":{"content":{"application/json":{"examples":{"alreadyExists":{"value":{"message":"exception list id: \"simple_list\" already exists","status_code":409}}},"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_SiemErrorResponse"}}},"description":"Exception list already exists response"},"500":{"content":{"application/json":{"examples":{"serverError":{"value":{"message":"Internal Server Error","status_code":500}}},"schema":{"$ref":"#/components/schemas/Security_Exceptions_API_SiemErrorResponse"}}},"description":"Internal server error response"}},"summary":"Create a shared exception list","tags":["Security Exceptions API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/features":{"get":{"description":"Get information about all Kibana features. Features are used by spaces and security to refine and secure access to Kibana.\n","operationId":"get-features","responses":{"200":{"content":{"application/json":{"examples":{"getFeaturesExample":{"value":"{\n  \"features\": [\n    {\n      \"name\": \"tasks\",\n      \"description\": \"Manages task results\"\n    },\n    {\n      \"name\": \"security\",\n      \"description\": \"Manages configuration for Security features, such as users and roles\"\n    },\n    {\n      \"name\": \"searchable_snapshots\",\n      \"description\": \"Manages caches and configuration for searchable snapshots\"\n    },\n    {\n      \"name\": \"logstash_management\",\n      \"description\": \"Enables Logstash Central Management pipeline storage\"\n    },\n    {\n      \"name\": \"transform\",\n      \"description\": \"Manages configuration and state for transforms\"\n    },\n    {\n      \"name\": \"kibana\",\n      \"description\": \"Manages Kibana configuration and reports\"\n    },\n    {\n      \"name\": \"synonyms\",\n      \"description\": \"Manages synonyms\"\n    },\n    {\n      \"name\": \"async_search\",\n      \"description\": \"Manages results of async searches\"\n    },\n    {\n      \"name\": \"ent_search\",\n      \"description\": \"Manages configuration for Enterprise Search features\"\n    },\n    {\n      \"name\": \"machine_learning\",\n      \"description\": \"Provides anomaly detection and forecasting functionality\"\n    },\n    {\n      \"name\": \"geoip\",\n      \"description\": \"Manages data related to GeoIP database downloader\"\n    },\n    {\n      \"name\": \"watcher\",\n      \"description\": \"Manages Watch definitions and state\"\n    },\n    {\n      \"name\": \"fleet\",\n      \"description\": \"Manages configuration for Fleet\"\n    },\n    {\n      \"name\": \"enrich\",\n      \"description\": \"Manages data related to Enrich policies\"\n    },\n    {\n      \"name\": \"inference_plugin\",\n      \"description\": \"Inference plugin for managing inference services and inference\"\n    }\n  ]\n}\n"}},"schema":{"type":"object"}}},"description":"Indicates a successful call"}},"summary":"Get features","tags":["system"],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/agent_download_sources":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/agent_download_sources\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-settings-read.","operationId":"get-fleet-agent-download-sources","parameters":[],"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"items":{"items":{"additionalProperties":false,"type":"object","properties":{"host":{"format":"uri","type":"string"},"id":{"type":"string"},"is_default":{"default":false,"type":"boolean"},"name":{"type":"string"},"proxy_id":{"description":"The ID of the proxy to use for this download source. See the proxies API for more information.","nullable":true,"type":"string"},"secrets":{"additionalProperties":false,"type":"object","properties":{"ssl":{"additionalProperties":false,"type":"object","properties":{"key":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},{"type":"string"}]}}}}},"ssl":{"additionalProperties":false,"type":"object","properties":{"certificate":{"type":"string"},"certificate_authorities":{"items":{"type":"string"},"maxItems":10,"type":"array"},"key":{"type":"string"}}}},"required":["id","name","host"]},"maxItems":10000,"type":"array"},"page":{"type":"number"},"perPage":{"type":"number"},"total":{"type":"number"}},"required":["items","total","page","perPage"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Get agent binary download sources","tags":["Elastic Agent binary download sources"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/agent_download_sources\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: fleet-settings-all.","operationId":"post-fleet-agent-download-sources","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"host":{"format":"uri","type":"string"},"id":{"type":"string"},"is_default":{"default":false,"type":"boolean"},"name":{"type":"string"},"proxy_id":{"description":"The ID of the proxy to use for this download source. See the proxies API for more information.","nullable":true,"type":"string"},"secrets":{"additionalProperties":false,"type":"object","properties":{"ssl":{"additionalProperties":false,"type":"object","properties":{"key":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},{"type":"string"}]}}}}},"ssl":{"additionalProperties":false,"type":"object","properties":{"certificate":{"type":"string"},"certificate_authorities":{"items":{"type":"string"},"maxItems":10,"type":"array"},"key":{"type":"string"}}}},"required":["name","host"]}}}},"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"item":{"additionalProperties":false,"type":"object","properties":{"host":{"format":"uri","type":"string"},"id":{"type":"string"},"is_default":{"default":false,"type":"boolean"},"name":{"type":"string"},"proxy_id":{"description":"The ID of the proxy to use for this download source. See the proxies API for more information.","nullable":true,"type":"string"},"secrets":{"additionalProperties":false,"type":"object","properties":{"ssl":{"additionalProperties":false,"type":"object","properties":{"key":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},{"type":"string"}]}}}}},"ssl":{"additionalProperties":false,"type":"object","properties":{"certificate":{"type":"string"},"certificate_authorities":{"items":{"type":"string"},"maxItems":10,"type":"array"},"key":{"type":"string"}}}},"required":["id","name","host"]}},"required":["item"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Create an agent binary download source","tags":["Elastic Agent binary download sources"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/agent_download_sources/{sourceId}":{"delete":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb delete\"\u003edelete\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/agent_download_sources/{sourceId}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nDelete an agent binary download source by ID.\u003cbr/\u003e\u003cbr/\u003e[Required authorization] Route required privileges: fleet-settings-all.","operationId":"delete-fleet-agent-download-sources-sourceid","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"sourceId","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Delete an agent binary download source","tags":["Elastic Agent binary download sources"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/agent_download_sources/{sourceId}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nGet an agent binary download source by ID.\u003cbr/\u003e\u003cbr/\u003e[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-settings-read.","operationId":"get-fleet-agent-download-sources-sourceid","parameters":[{"in":"path","name":"sourceId","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"item":{"additionalProperties":false,"type":"object","properties":{"host":{"format":"uri","type":"string"},"id":{"type":"string"},"is_default":{"default":false,"type":"boolean"},"name":{"type":"string"},"proxy_id":{"description":"The ID of the proxy to use for this download source. See the proxies API for more information.","nullable":true,"type":"string"},"secrets":{"additionalProperties":false,"type":"object","properties":{"ssl":{"additionalProperties":false,"type":"object","properties":{"key":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},{"type":"string"}]}}}}},"ssl":{"additionalProperties":false,"type":"object","properties":{"certificate":{"type":"string"},"certificate_authorities":{"items":{"type":"string"},"maxItems":10,"type":"array"},"key":{"type":"string"}}}},"required":["id","name","host"]}},"required":["item"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Get an agent binary download source","tags":["Elastic Agent binary download sources"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"put":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb put\"\u003eput\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/agent_download_sources/{sourceId}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nUpdate an agent binary download source by ID.\u003cbr/\u003e\u003cbr/\u003e[Required authorization] Route required privileges: fleet-settings-all.","operationId":"put-fleet-agent-download-sources-sourceid","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"sourceId","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"host":{"format":"uri","type":"string"},"id":{"type":"string"},"is_default":{"default":false,"type":"boolean"},"name":{"type":"string"},"proxy_id":{"description":"The ID of the proxy to use for this download source. See the proxies API for more information.","nullable":true,"type":"string"},"secrets":{"additionalProperties":false,"type":"object","properties":{"ssl":{"additionalProperties":false,"type":"object","properties":{"key":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},{"type":"string"}]}}}}},"ssl":{"additionalProperties":false,"type":"object","properties":{"certificate":{"type":"string"},"certificate_authorities":{"items":{"type":"string"},"maxItems":10,"type":"array"},"key":{"type":"string"}}}},"required":["name","host"]}}}},"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"item":{"additionalProperties":false,"type":"object","properties":{"host":{"format":"uri","type":"string"},"id":{"type":"string"},"is_default":{"default":false,"type":"boolean"},"name":{"type":"string"},"proxy_id":{"description":"The ID of the proxy to use for this download source. See the proxies API for more information.","nullable":true,"type":"string"},"secrets":{"additionalProperties":false,"type":"object","properties":{"ssl":{"additionalProperties":false,"type":"object","properties":{"key":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},{"type":"string"}]}}}}},"ssl":{"additionalProperties":false,"type":"object","properties":{"certificate":{"type":"string"},"certificate_authorities":{"items":{"type":"string"},"maxItems":10,"type":"array"},"key":{"type":"string"}}}},"required":["id","name","host"]}},"required":["item"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Update an agent binary download source","tags":["Elastic Agent binary download sources"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/agent_policies":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/agent_policies\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-agents-read OR fleet-setup.","operationId":"get-fleet-agent-policies","parameters":[{"in":"query","name":"page","required":false,"schema":{"type":"number"}},{"in":"query","name":"perPage","required":false,"schema":{"type":"number"}},{"in":"query","name":"sortField","required":false,"schema":{"type":"string"}},{"in":"query","name":"sortOrder","required":false,"schema":{"enum":["desc","asc"],"type":"string"}},{"in":"query","name":"showUpgradeable","required":false,"schema":{"type":"boolean"}},{"in":"query","name":"kuery","required":false,"schema":{"type":"string"}},{"description":"use withAgentCount instead","in":"query","name":"noAgentCount","required":false,"schema":{"deprecated":true,"type":"boolean"}},{"description":"get policies with agent count","in":"query","name":"withAgentCount","required":false,"schema":{"type":"boolean"}},{"description":"get full policies with package policies populated","in":"query","name":"full","required":false,"schema":{"type":"boolean"}},{"in":"query","name":"format","required":false,"schema":{"enum":["simplified","legacy"],"type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"items":{"items":{"additionalProperties":false,"type":"object","properties":{"advanced_settings":{"additionalProperties":false,"type":"object","properties":{"agent_download_target_directory":{"nullable":true},"agent_download_timeout":{"nullable":true},"agent_internal":{"nullable":true},"agent_limits_go_max_procs":{"nullable":true},"agent_logging_files_interval":{"nullable":true},"agent_logging_files_keepfiles":{"nullable":true},"agent_logging_files_rotateeverybytes":{"nullable":true},"agent_logging_level":{"nullable":true},"agent_logging_metrics_period":{"nullable":true},"agent_logging_to_files":{"nullable":true},"agent_monitoring_runtime_experimental":{"nullable":true}}},"agent_features":{"items":{"additionalProperties":false,"type":"object","properties":{"enabled":{"type":"boolean"},"name":{"type":"string"}},"required":["name","enabled"]},"maxItems":100,"type":"array"},"agentless":{"additionalProperties":false,"type":"object","properties":{"cloud_connectors":{"additionalProperties":false,"type":"object","properties":{"enabled":{"type":"boolean"},"target_csp":{"enum":["aws","azure","gcp"],"type":"string"}},"required":["enabled"]},"resources":{"additionalProperties":false,"type":"object","properties":{"requests":{"additionalProperties":false,"type":"object","properties":{"cpu":{"type":"string"},"memory":{"type":"string"}}}}}}},"agents":{"type":"number"},"data_output_id":{"nullable":true,"type":"string"},"description":{"type":"string"},"download_source_id":{"nullable":true,"type":"string"},"fips_agents":{"type":"number"},"fleet_server_host_id":{"nullable":true,"type":"string"},"global_data_tags":{"description":"User defined data tags that are added to all of the inputs. The values can be strings or numbers.","items":{"additionalProperties":false,"type":"object","properties":{"name":{"type":"string"},"value":{"anyOf":[{"type":"string"},{"type":"number"}]}},"required":["name","value"]},"maxItems":10,"type":"array"},"has_fleet_server":{"type":"boolean"},"id":{"type":"string"},"inactivity_timeout":{"default":1209600,"minimum":0,"type":"number"},"is_default":{"type":"boolean"},"is_default_fleet_server":{"type":"boolean"},"is_managed":{"type":"boolean"},"is_preconfigured":{"type":"boolean"},"is_protected":{"description":"Indicates whether the agent policy has tamper protection enabled. Default false.","type":"boolean"},"keep_monitoring_alive":{"default":false,"description":"When set to true, monitoring will be enabled but logs/metrics collection will be disabled","nullable":true,"type":"boolean"},"monitoring_diagnostics":{"additionalProperties":false,"type":"object","properties":{"limit":{"additionalProperties":false,"type":"object","properties":{"burst":{"type":"number"},"interval":{"type":"string"}}},"uploader":{"additionalProperties":false,"type":"object","properties":{"init_dur":{"type":"string"},"max_dur":{"type":"string"},"max_retries":{"type":"number"}}}}},"monitoring_enabled":{"items":{"enum":["logs","metrics","traces"],"type":"string"},"maxItems":3,"type":"array"},"monitoring_http":{"additionalProperties":false,"type":"object","properties":{"buffer":{"additionalProperties":false,"type":"object","properties":{"enabled":{"default":false,"type":"boolean"}}},"enabled":{"type":"boolean"},"host":{"type":"string"},"port":{"maximum":65353,"minimum":0,"type":"number"}}},"monitoring_output_id":{"nullable":true,"type":"string"},"monitoring_pprof_enabled":{"type":"boolean"},"name":{"minLength":1,"type":"string"},"namespace":{"minLength":1,"type":"string"},"overrides":{"additionalProperties":{},"description":"Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure.","nullable":true,"type":"object"},"package_policies":{"anyOf":[{"items":{"type":"string"},"maxItems":10000,"type":"array"},{"description":"This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter","items":{"additionalProperties":false,"type":"object","properties":{"additional_datastreams_permissions":{"description":"Additional datastream permissions, that will be added to the agent policy.","items":{"type":"string"},"maxItems":1000,"nullable":true,"type":"array"},"agents":{"type":"number"},"cloud_connector_id":{"description":"ID of the cloud connector associated with this package policy.","nullable":true,"type":"string"},"cloud_connector_name":{"description":"Transient field for cloud connector name during creation.","maxLength":255,"minLength":1,"nullable":true,"type":"string"},"created_at":{"type":"string"},"created_by":{"type":"string"},"description":{"description":"Package policy description","type":"string"},"elasticsearch":{"additionalProperties":true,"type":"object","properties":{"privileges":{"additionalProperties":true,"type":"object","properties":{"cluster":{"items":{"type":"string"},"maxItems":100,"type":"array"}}}}},"enabled":{"type":"boolean"},"id":{"description":"Package policy unique identifier.","type":"string"},"inputs":{"anyOf":[{"items":{"additionalProperties":false,"type":"object","properties":{"compiled_input":{},"config":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"},"enabled":{"type":"boolean"},"id":{"type":"string"},"keep_enabled":{"type":"boolean"},"policy_template":{"type":"string"},"streams":{"items":{"additionalProperties":false,"type":"object","properties":{"compiled_stream":{},"config":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"},"data_stream":{"additionalProperties":false,"type":"object","properties":{"dataset":{"type":"string"},"elasticsearch":{"additionalProperties":false,"type":"object","properties":{"dynamic_dataset":{"type":"boolean"},"dynamic_namespace":{"type":"boolean"},"privileges":{"additionalProperties":false,"type":"object","properties":{"indices":{"items":{"type":"string"},"maxItems":100,"type":"array"}}}}},"type":{"type":"string"}},"required":["dataset","type"]},"enabled":{"type":"boolean"},"id":{"type":"string"},"keep_enabled":{"type":"boolean"},"release":{"enum":["ga","beta","experimental"],"type":"string"},"vars":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"}},"required":["enabled","data_stream","compiled_stream"]},"maxItems":100,"type":"array"},"type":{"type":"string"},"vars":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"}},"required":["type","enabled","streams","compiled_input"]},"maxItems":100,"type":"array"},{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"enabled":{"description":"Enable or disable that input. Defaults to `true` (enabled).","type":"boolean"},"streams":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"enabled":{"description":"Enable or disable that stream. Defaults to `true` (enabled).","type":"boolean"},"vars":{"additionalProperties":{"anyOf":[{"type":"boolean"},{"type":"string"},{"type":"number"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input/stream level variable. Refer to the integration documentation for more information.","type":"object"}}},"description":"Input streams. Refer to the integration documentation to know which streams are available.","type":"object"},"vars":{"additionalProperties":{"anyOf":[{"type":"boolean"},{"type":"string"},{"type":"number"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input/stream level variable. Refer to the integration documentation for more information.","type":"object"}}},"description":"Package policy inputs. Refer to the integration documentation to know which inputs are available.","type":"object","x-oas-optional":true}],"description":"Package policy inputs."},"is_managed":{"type":"boolean"},"name":{"description":"Unique name for the package policy.","type":"string"},"namespace":{"description":"The package policy namespace. Leave blank to inherit the agent policy's namespace.","type":"string"},"output_id":{"nullable":true,"type":"string"},"overrides":{"additionalProperties":false,"description":"Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.","nullable":true,"type":"object","properties":{"inputs":{"additionalProperties":{},"type":"object"}}},"package":{"additionalProperties":false,"type":"object","properties":{"experimental_data_stream_features":{"items":{"additionalProperties":false,"type":"object","properties":{"data_stream":{"type":"string"},"features":{"additionalProperties":false,"type":"object","properties":{"doc_value_only_numeric":{"type":"boolean"},"doc_value_only_other":{"type":"boolean"},"synthetic_source":{"type":"boolean"},"tsdb":{"type":"boolean"}}}},"required":["data_stream","features"]},"maxItems":100,"type":"array"},"fips_compatible":{"type":"boolean"},"name":{"description":"Package name","type":"string"},"requires_root":{"type":"boolean"},"title":{"type":"string"},"version":{"description":"Package version","type":"string"}},"required":["name","version"]},"policy_id":{"deprecated":true,"description":"ID of the agent policy which the package policy will be added to.","nullable":true,"type":"string"},"policy_ids":{"items":{"description":"IDs of the agent policies which that package policy will be added to.","type":"string"},"type":"array"},"revision":{"description":"Package policy revision.","type":"number"},"secret_references":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},"maxItems":100,"type":"array"},"spaceIds":{"items":{"type":"string"},"maxItems":100,"type":"array"},"supports_agentless":{"default":false,"description":"Indicates whether the package policy belongs to an agentless agent policy.","nullable":true,"type":"boolean"},"supports_cloud_connector":{"default":false,"description":"Indicates whether the package policy supports cloud connectors.","nullable":true,"type":"boolean"},"updated_at":{"type":"string"},"updated_by":{"type":"string"},"vars":{"anyOf":[{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"},{"additionalProperties":{"anyOf":[{"type":"boolean"},{"type":"string"},{"type":"number"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input/stream level variable. Refer to the integration documentation for more information.","type":"object","x-oas-optional":true}],"description":"Package level variable."},"version":{"description":"Package policy ES version.","type":"string"}},"required":["name","enabled","inputs","id","revision","updated_at","updated_by","created_at","created_by"]},"maxItems":10000,"type":"array"}]},"required_versions":{"items":{"additionalProperties":false,"type":"object","properties":{"percentage":{"description":"Target percentage of agents to auto upgrade","maximum":100,"minimum":0,"type":"number"},"version":{"description":"Target version for automatic agent upgrade","type":"string"}},"required":["version","percentage"]},"maxItems":100,"nullable":true,"type":"array"},"revision":{"type":"number"},"schema_version":{"type":"string"},"space_ids":{"items":{"type":"string"},"maxItems":100,"type":"array"},"status":{"enum":["active","inactive"],"type":"string"},"supports_agentless":{"default":false,"description":"Indicates whether the agent policy supports agentless integrations.","nullable":true,"type":"boolean"},"unenroll_timeout":{"minimum":0,"type":"number"},"unprivileged_agents":{"type":"number"},"updated_at":{"type":"string"},"updated_by":{"type":"string"},"version":{"type":"string"}},"required":["id","name","namespace","is_protected","status","updated_at","updated_by","revision"]},"maxItems":10000,"type":"array"},"page":{"type":"number"},"perPage":{"type":"number"},"total":{"type":"number"}},"required":["items","total","page","perPage"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Get agent policies","tags":["Elastic Agent policies"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/agent_policies\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: fleet-agent-policies-all.","operationId":"post-fleet-agent-policies","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"query","name":"sys_monitoring","required":false,"schema":{"type":"boolean"}}],"requestBody":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"advanced_settings":{"additionalProperties":false,"type":"object","properties":{"agent_download_target_directory":{"nullable":true},"agent_download_timeout":{"nullable":true},"agent_internal":{"nullable":true},"agent_limits_go_max_procs":{"nullable":true},"agent_logging_files_interval":{"nullable":true},"agent_logging_files_keepfiles":{"nullable":true},"agent_logging_files_rotateeverybytes":{"nullable":true},"agent_logging_level":{"nullable":true},"agent_logging_metrics_period":{"nullable":true},"agent_logging_to_files":{"nullable":true},"agent_monitoring_runtime_experimental":{"nullable":true}}},"agent_features":{"items":{"additionalProperties":false,"type":"object","properties":{"enabled":{"type":"boolean"},"name":{"type":"string"}},"required":["name","enabled"]},"maxItems":100,"type":"array"},"agentless":{"additionalProperties":false,"type":"object","properties":{"cloud_connectors":{"additionalProperties":false,"type":"object","properties":{"enabled":{"type":"boolean"},"target_csp":{"enum":["aws","azure","gcp"],"type":"string"}},"required":["enabled"]},"resources":{"additionalProperties":false,"type":"object","properties":{"requests":{"additionalProperties":false,"type":"object","properties":{"cpu":{"type":"string"},"memory":{"type":"string"}}}}}}},"data_output_id":{"nullable":true,"type":"string"},"description":{"type":"string"},"download_source_id":{"nullable":true,"type":"string"},"fleet_server_host_id":{"nullable":true,"type":"string"},"force":{"type":"boolean"},"global_data_tags":{"description":"User defined data tags that are added to all of the inputs. The values can be strings or numbers.","items":{"additionalProperties":false,"type":"object","properties":{"name":{"type":"string"},"value":{"anyOf":[{"type":"string"},{"type":"number"}]}},"required":["name","value"]},"maxItems":10,"type":"array"},"has_fleet_server":{"type":"boolean"},"id":{"type":"string"},"inactivity_timeout":{"default":1209600,"minimum":0,"type":"number"},"is_default":{"type":"boolean"},"is_default_fleet_server":{"type":"boolean"},"is_managed":{"type":"boolean"},"is_protected":{"type":"boolean"},"keep_monitoring_alive":{"default":false,"description":"When set to true, monitoring will be enabled but logs/metrics collection will be disabled","nullable":true,"type":"boolean"},"monitoring_diagnostics":{"additionalProperties":false,"type":"object","properties":{"limit":{"additionalProperties":false,"type":"object","properties":{"burst":{"type":"number"},"interval":{"type":"string"}}},"uploader":{"additionalProperties":false,"type":"object","properties":{"init_dur":{"type":"string"},"max_dur":{"type":"string"},"max_retries":{"type":"number"}}}}},"monitoring_enabled":{"items":{"enum":["logs","metrics","traces"],"type":"string"},"maxItems":3,"type":"array"},"monitoring_http":{"additionalProperties":false,"type":"object","properties":{"buffer":{"additionalProperties":false,"type":"object","properties":{"enabled":{"default":false,"type":"boolean"}}},"enabled":{"type":"boolean"},"host":{"type":"string"},"port":{"maximum":65353,"minimum":0,"type":"number"}}},"monitoring_output_id":{"nullable":true,"type":"string"},"monitoring_pprof_enabled":{"type":"boolean"},"name":{"minLength":1,"type":"string"},"namespace":{"minLength":1,"type":"string"},"overrides":{"additionalProperties":{},"description":"Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure.","nullable":true,"type":"object"},"required_versions":{"items":{"additionalProperties":false,"type":"object","properties":{"percentage":{"description":"Target percentage of agents to auto upgrade","maximum":100,"minimum":0,"type":"number"},"version":{"description":"Target version for automatic agent upgrade","type":"string"}},"required":["version","percentage"]},"maxItems":100,"nullable":true,"type":"array"},"space_ids":{"items":{"type":"string"},"maxItems":100,"type":"array"},"supports_agentless":{"default":false,"deprecated":true,"description":"Indicates whether the agent policy supports agentless integrations. Deprecated in favor of the Fleet agentless policies API.","nullable":true,"type":"boolean"},"unenroll_timeout":{"minimum":0,"type":"number"}},"required":["name","namespace"]}}}},"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"item":{"additionalProperties":false,"type":"object","properties":{"advanced_settings":{"additionalProperties":false,"type":"object","properties":{"agent_download_target_directory":{"nullable":true},"agent_download_timeout":{"nullable":true},"agent_internal":{"nullable":true},"agent_limits_go_max_procs":{"nullable":true},"agent_logging_files_interval":{"nullable":true},"agent_logging_files_keepfiles":{"nullable":true},"agent_logging_files_rotateeverybytes":{"nullable":true},"agent_logging_level":{"nullable":true},"agent_logging_metrics_period":{"nullable":true},"agent_logging_to_files":{"nullable":true},"agent_monitoring_runtime_experimental":{"nullable":true}}},"agent_features":{"items":{"additionalProperties":false,"type":"object","properties":{"enabled":{"type":"boolean"},"name":{"type":"string"}},"required":["name","enabled"]},"maxItems":100,"type":"array"},"agentless":{"additionalProperties":false,"type":"object","properties":{"cloud_connectors":{"additionalProperties":false,"type":"object","properties":{"enabled":{"type":"boolean"},"target_csp":{"enum":["aws","azure","gcp"],"type":"string"}},"required":["enabled"]},"resources":{"additionalProperties":false,"type":"object","properties":{"requests":{"additionalProperties":false,"type":"object","properties":{"cpu":{"type":"string"},"memory":{"type":"string"}}}}}}},"agents":{"type":"number"},"data_output_id":{"nullable":true,"type":"string"},"description":{"type":"string"},"download_source_id":{"nullable":true,"type":"string"},"fips_agents":{"type":"number"},"fleet_server_host_id":{"nullable":true,"type":"string"},"global_data_tags":{"description":"User defined data tags that are added to all of the inputs. The values can be strings or numbers.","items":{"additionalProperties":false,"type":"object","properties":{"name":{"type":"string"},"value":{"anyOf":[{"type":"string"},{"type":"number"}]}},"required":["name","value"]},"maxItems":10,"type":"array"},"has_fleet_server":{"type":"boolean"},"id":{"type":"string"},"inactivity_timeout":{"default":1209600,"minimum":0,"type":"number"},"is_default":{"type":"boolean"},"is_default_fleet_server":{"type":"boolean"},"is_managed":{"type":"boolean"},"is_preconfigured":{"type":"boolean"},"is_protected":{"description":"Indicates whether the agent policy has tamper protection enabled. Default false.","type":"boolean"},"keep_monitoring_alive":{"default":false,"description":"When set to true, monitoring will be enabled but logs/metrics collection will be disabled","nullable":true,"type":"boolean"},"monitoring_diagnostics":{"additionalProperties":false,"type":"object","properties":{"limit":{"additionalProperties":false,"type":"object","properties":{"burst":{"type":"number"},"interval":{"type":"string"}}},"uploader":{"additionalProperties":false,"type":"object","properties":{"init_dur":{"type":"string"},"max_dur":{"type":"string"},"max_retries":{"type":"number"}}}}},"monitoring_enabled":{"items":{"enum":["logs","metrics","traces"],"type":"string"},"maxItems":3,"type":"array"},"monitoring_http":{"additionalProperties":false,"type":"object","properties":{"buffer":{"additionalProperties":false,"type":"object","properties":{"enabled":{"default":false,"type":"boolean"}}},"enabled":{"type":"boolean"},"host":{"type":"string"},"port":{"maximum":65353,"minimum":0,"type":"number"}}},"monitoring_output_id":{"nullable":true,"type":"string"},"monitoring_pprof_enabled":{"type":"boolean"},"name":{"minLength":1,"type":"string"},"namespace":{"minLength":1,"type":"string"},"overrides":{"additionalProperties":{},"description":"Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure.","nullable":true,"type":"object"},"package_policies":{"anyOf":[{"items":{"type":"string"},"maxItems":10000,"type":"array"},{"description":"This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter","items":{"additionalProperties":false,"type":"object","properties":{"additional_datastreams_permissions":{"description":"Additional datastream permissions, that will be added to the agent policy.","items":{"type":"string"},"maxItems":1000,"nullable":true,"type":"array"},"agents":{"type":"number"},"cloud_connector_id":{"description":"ID of the cloud connector associated with this package policy.","nullable":true,"type":"string"},"cloud_connector_name":{"description":"Transient field for cloud connector name during creation.","maxLength":255,"minLength":1,"nullable":true,"type":"string"},"created_at":{"type":"string"},"created_by":{"type":"string"},"description":{"description":"Package policy description","type":"string"},"elasticsearch":{"additionalProperties":true,"type":"object","properties":{"privileges":{"additionalProperties":true,"type":"object","properties":{"cluster":{"items":{"type":"string"},"maxItems":100,"type":"array"}}}}},"enabled":{"type":"boolean"},"id":{"description":"Package policy unique identifier.","type":"string"},"inputs":{"anyOf":[{"items":{"additionalProperties":false,"type":"object","properties":{"compiled_input":{},"config":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"},"enabled":{"type":"boolean"},"id":{"type":"string"},"keep_enabled":{"type":"boolean"},"policy_template":{"type":"string"},"streams":{"items":{"additionalProperties":false,"type":"object","properties":{"compiled_stream":{},"config":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"},"data_stream":{"additionalProperties":false,"type":"object","properties":{"dataset":{"type":"string"},"elasticsearch":{"additionalProperties":false,"type":"object","properties":{"dynamic_dataset":{"type":"boolean"},"dynamic_namespace":{"type":"boolean"},"privileges":{"additionalProperties":false,"type":"object","properties":{"indices":{"items":{"type":"string"},"maxItems":100,"type":"array"}}}}},"type":{"type":"string"}},"required":["dataset","type"]},"enabled":{"type":"boolean"},"id":{"type":"string"},"keep_enabled":{"type":"boolean"},"release":{"enum":["ga","beta","experimental"],"type":"string"},"vars":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"}},"required":["enabled","data_stream","compiled_stream"]},"maxItems":100,"type":"array"},"type":{"type":"string"},"vars":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"}},"required":["type","enabled","streams","compiled_input"]},"maxItems":100,"type":"array"},{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"enabled":{"description":"Enable or disable that input. Defaults to `true` (enabled).","type":"boolean"},"streams":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"enabled":{"description":"Enable or disable that stream. Defaults to `true` (enabled).","type":"boolean"},"vars":{"additionalProperties":{"anyOf":[{"type":"boolean"},{"type":"string"},{"type":"number"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input/stream level variable. Refer to the integration documentation for more information.","type":"object"}}},"description":"Input streams. Refer to the integration documentation to know which streams are available.","type":"object"},"vars":{"additionalProperties":{"anyOf":[{"type":"boolean"},{"type":"string"},{"type":"number"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input/stream level variable. Refer to the integration documentation for more information.","type":"object"}}},"description":"Package policy inputs. Refer to the integration documentation to know which inputs are available.","type":"object","x-oas-optional":true}],"description":"Package policy inputs."},"is_managed":{"type":"boolean"},"name":{"description":"Unique name for the package policy.","type":"string"},"namespace":{"description":"The package policy namespace. Leave blank to inherit the agent policy's namespace.","type":"string"},"output_id":{"nullable":true,"type":"string"},"overrides":{"additionalProperties":false,"description":"Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.","nullable":true,"type":"object","properties":{"inputs":{"additionalProperties":{},"type":"object"}}},"package":{"additionalProperties":false,"type":"object","properties":{"experimental_data_stream_features":{"items":{"additionalProperties":false,"type":"object","properties":{"data_stream":{"type":"string"},"features":{"additionalProperties":false,"type":"object","properties":{"doc_value_only_numeric":{"type":"boolean"},"doc_value_only_other":{"type":"boolean"},"synthetic_source":{"type":"boolean"},"tsdb":{"type":"boolean"}}}},"required":["data_stream","features"]},"maxItems":100,"type":"array"},"fips_compatible":{"type":"boolean"},"name":{"description":"Package name","type":"string"},"requires_root":{"type":"boolean"},"title":{"type":"string"},"version":{"description":"Package version","type":"string"}},"required":["name","version"]},"policy_id":{"deprecated":true,"description":"ID of the agent policy which the package policy will be added to.","nullable":true,"type":"string"},"policy_ids":{"items":{"description":"IDs of the agent policies which that package policy will be added to.","type":"string"},"type":"array"},"revision":{"description":"Package policy revision.","type":"number"},"secret_references":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},"maxItems":100,"type":"array"},"spaceIds":{"items":{"type":"string"},"maxItems":100,"type":"array"},"supports_agentless":{"default":false,"description":"Indicates whether the package policy belongs to an agentless agent policy.","nullable":true,"type":"boolean"},"supports_cloud_connector":{"default":false,"description":"Indicates whether the package policy supports cloud connectors.","nullable":true,"type":"boolean"},"updated_at":{"type":"string"},"updated_by":{"type":"string"},"vars":{"anyOf":[{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"},{"additionalProperties":{"anyOf":[{"type":"boolean"},{"type":"string"},{"type":"number"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input/stream level variable. Refer to the integration documentation for more information.","type":"object","x-oas-optional":true}],"description":"Package level variable."},"version":{"description":"Package policy ES version.","type":"string"}},"required":["name","enabled","inputs","id","revision","updated_at","updated_by","created_at","created_by"]},"maxItems":10000,"type":"array"}]},"required_versions":{"items":{"additionalProperties":false,"type":"object","properties":{"percentage":{"description":"Target percentage of agents to auto upgrade","maximum":100,"minimum":0,"type":"number"},"version":{"description":"Target version for automatic agent upgrade","type":"string"}},"required":["version","percentage"]},"maxItems":100,"nullable":true,"type":"array"},"revision":{"type":"number"},"schema_version":{"type":"string"},"space_ids":{"items":{"type":"string"},"maxItems":100,"type":"array"},"status":{"enum":["active","inactive"],"type":"string"},"supports_agentless":{"default":false,"description":"Indicates whether the agent policy supports agentless integrations.","nullable":true,"type":"boolean"},"unenroll_timeout":{"minimum":0,"type":"number"},"unprivileged_agents":{"type":"number"},"updated_at":{"type":"string"},"updated_by":{"type":"string"},"version":{"type":"string"}},"required":["id","name","namespace","is_protected","status","updated_at","updated_by","revision"]}},"required":["item"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Create an agent policy","tags":["Elastic Agent policies"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/agent_policies/_bulk_get":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/agent_policies/_bulk_get\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-agents-read OR fleet-setup.","operationId":"post-fleet-agent-policies-bulk-get","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"query","name":"format","required":false,"schema":{"enum":["simplified","legacy"],"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"full":{"description":"get full policies with package policies populated","type":"boolean"},"ids":{"description":"list of package policy ids","items":{"type":"string"},"maxItems":1000,"type":"array"},"ignoreMissing":{"type":"boolean"}},"required":["ids"]}}}},"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"items":{"items":{"additionalProperties":false,"type":"object","properties":{"advanced_settings":{"additionalProperties":false,"type":"object","properties":{"agent_download_target_directory":{"nullable":true},"agent_download_timeout":{"nullable":true},"agent_internal":{"nullable":true},"agent_limits_go_max_procs":{"nullable":true},"agent_logging_files_interval":{"nullable":true},"agent_logging_files_keepfiles":{"nullable":true},"agent_logging_files_rotateeverybytes":{"nullable":true},"agent_logging_level":{"nullable":true},"agent_logging_metrics_period":{"nullable":true},"agent_logging_to_files":{"nullable":true},"agent_monitoring_runtime_experimental":{"nullable":true}}},"agent_features":{"items":{"additionalProperties":false,"type":"object","properties":{"enabled":{"type":"boolean"},"name":{"type":"string"}},"required":["name","enabled"]},"maxItems":100,"type":"array"},"agentless":{"additionalProperties":false,"type":"object","properties":{"cloud_connectors":{"additionalProperties":false,"type":"object","properties":{"enabled":{"type":"boolean"},"target_csp":{"enum":["aws","azure","gcp"],"type":"string"}},"required":["enabled"]},"resources":{"additionalProperties":false,"type":"object","properties":{"requests":{"additionalProperties":false,"type":"object","properties":{"cpu":{"type":"string"},"memory":{"type":"string"}}}}}}},"agents":{"type":"number"},"data_output_id":{"nullable":true,"type":"string"},"description":{"type":"string"},"download_source_id":{"nullable":true,"type":"string"},"fips_agents":{"type":"number"},"fleet_server_host_id":{"nullable":true,"type":"string"},"global_data_tags":{"description":"User defined data tags that are added to all of the inputs. The values can be strings or numbers.","items":{"additionalProperties":false,"type":"object","properties":{"name":{"type":"string"},"value":{"anyOf":[{"type":"string"},{"type":"number"}]}},"required":["name","value"]},"maxItems":10,"type":"array"},"has_fleet_server":{"type":"boolean"},"id":{"type":"string"},"inactivity_timeout":{"default":1209600,"minimum":0,"type":"number"},"is_default":{"type":"boolean"},"is_default_fleet_server":{"type":"boolean"},"is_managed":{"type":"boolean"},"is_preconfigured":{"type":"boolean"},"is_protected":{"description":"Indicates whether the agent policy has tamper protection enabled. Default false.","type":"boolean"},"keep_monitoring_alive":{"default":false,"description":"When set to true, monitoring will be enabled but logs/metrics collection will be disabled","nullable":true,"type":"boolean"},"monitoring_diagnostics":{"additionalProperties":false,"type":"object","properties":{"limit":{"additionalProperties":false,"type":"object","properties":{"burst":{"type":"number"},"interval":{"type":"string"}}},"uploader":{"additionalProperties":false,"type":"object","properties":{"init_dur":{"type":"string"},"max_dur":{"type":"string"},"max_retries":{"type":"number"}}}}},"monitoring_enabled":{"items":{"enum":["logs","metrics","traces"],"type":"string"},"maxItems":3,"type":"array"},"monitoring_http":{"additionalProperties":false,"type":"object","properties":{"buffer":{"additionalProperties":false,"type":"object","properties":{"enabled":{"default":false,"type":"boolean"}}},"enabled":{"type":"boolean"},"host":{"type":"string"},"port":{"maximum":65353,"minimum":0,"type":"number"}}},"monitoring_output_id":{"nullable":true,"type":"string"},"monitoring_pprof_enabled":{"type":"boolean"},"name":{"minLength":1,"type":"string"},"namespace":{"minLength":1,"type":"string"},"overrides":{"additionalProperties":{},"description":"Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure.","nullable":true,"type":"object"},"package_policies":{"anyOf":[{"items":{"type":"string"},"maxItems":10000,"type":"array"},{"description":"This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter","items":{"additionalProperties":false,"type":"object","properties":{"additional_datastreams_permissions":{"description":"Additional datastream permissions, that will be added to the agent policy.","items":{"type":"string"},"maxItems":1000,"nullable":true,"type":"array"},"agents":{"type":"number"},"cloud_connector_id":{"description":"ID of the cloud connector associated with this package policy.","nullable":true,"type":"string"},"cloud_connector_name":{"description":"Transient field for cloud connector name during creation.","maxLength":255,"minLength":1,"nullable":true,"type":"string"},"created_at":{"type":"string"},"created_by":{"type":"string"},"description":{"description":"Package policy description","type":"string"},"elasticsearch":{"additionalProperties":true,"type":"object","properties":{"privileges":{"additionalProperties":true,"type":"object","properties":{"cluster":{"items":{"type":"string"},"maxItems":100,"type":"array"}}}}},"enabled":{"type":"boolean"},"id":{"description":"Package policy unique identifier.","type":"string"},"inputs":{"anyOf":[{"items":{"additionalProperties":false,"type":"object","properties":{"compiled_input":{},"config":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"},"enabled":{"type":"boolean"},"id":{"type":"string"},"keep_enabled":{"type":"boolean"},"policy_template":{"type":"string"},"streams":{"items":{"additionalProperties":false,"type":"object","properties":{"compiled_stream":{},"config":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"},"data_stream":{"additionalProperties":false,"type":"object","properties":{"dataset":{"type":"string"},"elasticsearch":{"additionalProperties":false,"type":"object","properties":{"dynamic_dataset":{"type":"boolean"},"dynamic_namespace":{"type":"boolean"},"privileges":{"additionalProperties":false,"type":"object","properties":{"indices":{"items":{"type":"string"},"maxItems":100,"type":"array"}}}}},"type":{"type":"string"}},"required":["dataset","type"]},"enabled":{"type":"boolean"},"id":{"type":"string"},"keep_enabled":{"type":"boolean"},"release":{"enum":["ga","beta","experimental"],"type":"string"},"vars":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"}},"required":["enabled","data_stream","compiled_stream"]},"maxItems":100,"type":"array"},"type":{"type":"string"},"vars":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"}},"required":["type","enabled","streams","compiled_input"]},"maxItems":100,"type":"array"},{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"enabled":{"description":"Enable or disable that input. Defaults to `true` (enabled).","type":"boolean"},"streams":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"enabled":{"description":"Enable or disable that stream. Defaults to `true` (enabled).","type":"boolean"},"vars":{"additionalProperties":{"anyOf":[{"type":"boolean"},{"type":"string"},{"type":"number"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input/stream level variable. Refer to the integration documentation for more information.","type":"object"}}},"description":"Input streams. Refer to the integration documentation to know which streams are available.","type":"object"},"vars":{"additionalProperties":{"anyOf":[{"type":"boolean"},{"type":"string"},{"type":"number"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input/stream level variable. Refer to the integration documentation for more information.","type":"object"}}},"description":"Package policy inputs. Refer to the integration documentation to know which inputs are available.","type":"object","x-oas-optional":true}],"description":"Package policy inputs."},"is_managed":{"type":"boolean"},"name":{"description":"Unique name for the package policy.","type":"string"},"namespace":{"description":"The package policy namespace. Leave blank to inherit the agent policy's namespace.","type":"string"},"output_id":{"nullable":true,"type":"string"},"overrides":{"additionalProperties":false,"description":"Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.","nullable":true,"type":"object","properties":{"inputs":{"additionalProperties":{},"type":"object"}}},"package":{"additionalProperties":false,"type":"object","properties":{"experimental_data_stream_features":{"items":{"additionalProperties":false,"type":"object","properties":{"data_stream":{"type":"string"},"features":{"additionalProperties":false,"type":"object","properties":{"doc_value_only_numeric":{"type":"boolean"},"doc_value_only_other":{"type":"boolean"},"synthetic_source":{"type":"boolean"},"tsdb":{"type":"boolean"}}}},"required":["data_stream","features"]},"maxItems":100,"type":"array"},"fips_compatible":{"type":"boolean"},"name":{"description":"Package name","type":"string"},"requires_root":{"type":"boolean"},"title":{"type":"string"},"version":{"description":"Package version","type":"string"}},"required":["name","version"]},"policy_id":{"deprecated":true,"description":"ID of the agent policy which the package policy will be added to.","nullable":true,"type":"string"},"policy_ids":{"items":{"description":"IDs of the agent policies which that package policy will be added to.","type":"string"},"type":"array"},"revision":{"description":"Package policy revision.","type":"number"},"secret_references":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},"maxItems":100,"type":"array"},"spaceIds":{"items":{"type":"string"},"maxItems":100,"type":"array"},"supports_agentless":{"default":false,"description":"Indicates whether the package policy belongs to an agentless agent policy.","nullable":true,"type":"boolean"},"supports_cloud_connector":{"default":false,"description":"Indicates whether the package policy supports cloud connectors.","nullable":true,"type":"boolean"},"updated_at":{"type":"string"},"updated_by":{"type":"string"},"vars":{"anyOf":[{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"},{"additionalProperties":{"anyOf":[{"type":"boolean"},{"type":"string"},{"type":"number"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input/stream level variable. Refer to the integration documentation for more information.","type":"object","x-oas-optional":true}],"description":"Package level variable."},"version":{"description":"Package policy ES version.","type":"string"}},"required":["name","enabled","inputs","id","revision","updated_at","updated_by","created_at","created_by"]},"maxItems":10000,"type":"array"}]},"required_versions":{"items":{"additionalProperties":false,"type":"object","properties":{"percentage":{"description":"Target percentage of agents to auto upgrade","maximum":100,"minimum":0,"type":"number"},"version":{"description":"Target version for automatic agent upgrade","type":"string"}},"required":["version","percentage"]},"maxItems":100,"nullable":true,"type":"array"},"revision":{"type":"number"},"schema_version":{"type":"string"},"space_ids":{"items":{"type":"string"},"maxItems":100,"type":"array"},"status":{"enum":["active","inactive"],"type":"string"},"supports_agentless":{"default":false,"description":"Indicates whether the agent policy supports agentless integrations.","nullable":true,"type":"boolean"},"unenroll_timeout":{"minimum":0,"type":"number"},"unprivileged_agents":{"type":"number"},"updated_at":{"type":"string"},"updated_by":{"type":"string"},"version":{"type":"string"}},"required":["id","name","namespace","is_protected","status","updated_at","updated_by","revision"]},"maxItems":10000,"type":"array"}},"required":["items"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Bulk get agent policies","tags":["Elastic Agent policies"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/agent_policies/{agentPolicyId}":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/agent_policies/{agentPolicyId}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nGet an agent policy by ID.\u003cbr/\u003e\u003cbr/\u003e[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-agents-read OR fleet-setup.","operationId":"get-fleet-agent-policies-agentpolicyid","parameters":[{"in":"path","name":"agentPolicyId","required":true,"schema":{"type":"string"}},{"in":"query","name":"format","required":false,"schema":{"enum":["simplified","legacy"],"type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"item":{"additionalProperties":false,"type":"object","properties":{"advanced_settings":{"additionalProperties":false,"type":"object","properties":{"agent_download_target_directory":{"nullable":true},"agent_download_timeout":{"nullable":true},"agent_internal":{"nullable":true},"agent_limits_go_max_procs":{"nullable":true},"agent_logging_files_interval":{"nullable":true},"agent_logging_files_keepfiles":{"nullable":true},"agent_logging_files_rotateeverybytes":{"nullable":true},"agent_logging_level":{"nullable":true},"agent_logging_metrics_period":{"nullable":true},"agent_logging_to_files":{"nullable":true},"agent_monitoring_runtime_experimental":{"nullable":true}}},"agent_features":{"items":{"additionalProperties":false,"type":"object","properties":{"enabled":{"type":"boolean"},"name":{"type":"string"}},"required":["name","enabled"]},"maxItems":100,"type":"array"},"agentless":{"additionalProperties":false,"type":"object","properties":{"cloud_connectors":{"additionalProperties":false,"type":"object","properties":{"enabled":{"type":"boolean"},"target_csp":{"enum":["aws","azure","gcp"],"type":"string"}},"required":["enabled"]},"resources":{"additionalProperties":false,"type":"object","properties":{"requests":{"additionalProperties":false,"type":"object","properties":{"cpu":{"type":"string"},"memory":{"type":"string"}}}}}}},"agents":{"type":"number"},"data_output_id":{"nullable":true,"type":"string"},"description":{"type":"string"},"download_source_id":{"nullable":true,"type":"string"},"fips_agents":{"type":"number"},"fleet_server_host_id":{"nullable":true,"type":"string"},"global_data_tags":{"description":"User defined data tags that are added to all of the inputs. The values can be strings or numbers.","items":{"additionalProperties":false,"type":"object","properties":{"name":{"type":"string"},"value":{"anyOf":[{"type":"string"},{"type":"number"}]}},"required":["name","value"]},"maxItems":10,"type":"array"},"has_fleet_server":{"type":"boolean"},"id":{"type":"string"},"inactivity_timeout":{"default":1209600,"minimum":0,"type":"number"},"is_default":{"type":"boolean"},"is_default_fleet_server":{"type":"boolean"},"is_managed":{"type":"boolean"},"is_preconfigured":{"type":"boolean"},"is_protected":{"description":"Indicates whether the agent policy has tamper protection enabled. Default false.","type":"boolean"},"keep_monitoring_alive":{"default":false,"description":"When set to true, monitoring will be enabled but logs/metrics collection will be disabled","nullable":true,"type":"boolean"},"monitoring_diagnostics":{"additionalProperties":false,"type":"object","properties":{"limit":{"additionalProperties":false,"type":"object","properties":{"burst":{"type":"number"},"interval":{"type":"string"}}},"uploader":{"additionalProperties":false,"type":"object","properties":{"init_dur":{"type":"string"},"max_dur":{"type":"string"},"max_retries":{"type":"number"}}}}},"monitoring_enabled":{"items":{"enum":["logs","metrics","traces"],"type":"string"},"maxItems":3,"type":"array"},"monitoring_http":{"additionalProperties":false,"type":"object","properties":{"buffer":{"additionalProperties":false,"type":"object","properties":{"enabled":{"default":false,"type":"boolean"}}},"enabled":{"type":"boolean"},"host":{"type":"string"},"port":{"maximum":65353,"minimum":0,"type":"number"}}},"monitoring_output_id":{"nullable":true,"type":"string"},"monitoring_pprof_enabled":{"type":"boolean"},"name":{"minLength":1,"type":"string"},"namespace":{"minLength":1,"type":"string"},"overrides":{"additionalProperties":{},"description":"Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure.","nullable":true,"type":"object"},"package_policies":{"anyOf":[{"items":{"type":"string"},"maxItems":10000,"type":"array"},{"description":"This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter","items":{"additionalProperties":false,"type":"object","properties":{"additional_datastreams_permissions":{"description":"Additional datastream permissions, that will be added to the agent policy.","items":{"type":"string"},"maxItems":1000,"nullable":true,"type":"array"},"agents":{"type":"number"},"cloud_connector_id":{"description":"ID of the cloud connector associated with this package policy.","nullable":true,"type":"string"},"cloud_connector_name":{"description":"Transient field for cloud connector name during creation.","maxLength":255,"minLength":1,"nullable":true,"type":"string"},"created_at":{"type":"string"},"created_by":{"type":"string"},"description":{"description":"Package policy description","type":"string"},"elasticsearch":{"additionalProperties":true,"type":"object","properties":{"privileges":{"additionalProperties":true,"type":"object","properties":{"cluster":{"items":{"type":"string"},"maxItems":100,"type":"array"}}}}},"enabled":{"type":"boolean"},"id":{"description":"Package policy unique identifier.","type":"string"},"inputs":{"anyOf":[{"items":{"additionalProperties":false,"type":"object","properties":{"compiled_input":{},"config":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"},"enabled":{"type":"boolean"},"id":{"type":"string"},"keep_enabled":{"type":"boolean"},"policy_template":{"type":"string"},"streams":{"items":{"additionalProperties":false,"type":"object","properties":{"compiled_stream":{},"config":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"},"data_stream":{"additionalProperties":false,"type":"object","properties":{"dataset":{"type":"string"},"elasticsearch":{"additionalProperties":false,"type":"object","properties":{"dynamic_dataset":{"type":"boolean"},"dynamic_namespace":{"type":"boolean"},"privileges":{"additionalProperties":false,"type":"object","properties":{"indices":{"items":{"type":"string"},"maxItems":100,"type":"array"}}}}},"type":{"type":"string"}},"required":["dataset","type"]},"enabled":{"type":"boolean"},"id":{"type":"string"},"keep_enabled":{"type":"boolean"},"release":{"enum":["ga","beta","experimental"],"type":"string"},"vars":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"}},"required":["enabled","data_stream","compiled_stream"]},"maxItems":100,"type":"array"},"type":{"type":"string"},"vars":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"}},"required":["type","enabled","streams","compiled_input"]},"maxItems":100,"type":"array"},{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"enabled":{"description":"Enable or disable that input. Defaults to `true` (enabled).","type":"boolean"},"streams":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"enabled":{"description":"Enable or disable that stream. Defaults to `true` (enabled).","type":"boolean"},"vars":{"additionalProperties":{"anyOf":[{"type":"boolean"},{"type":"string"},{"type":"number"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input/stream level variable. Refer to the integration documentation for more information.","type":"object"}}},"description":"Input streams. Refer to the integration documentation to know which streams are available.","type":"object"},"vars":{"additionalProperties":{"anyOf":[{"type":"boolean"},{"type":"string"},{"type":"number"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input/stream level variable. Refer to the integration documentation for more information.","type":"object"}}},"description":"Package policy inputs. Refer to the integration documentation to know which inputs are available.","type":"object","x-oas-optional":true}],"description":"Package policy inputs."},"is_managed":{"type":"boolean"},"name":{"description":"Unique name for the package policy.","type":"string"},"namespace":{"description":"The package policy namespace. Leave blank to inherit the agent policy's namespace.","type":"string"},"output_id":{"nullable":true,"type":"string"},"overrides":{"additionalProperties":false,"description":"Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.","nullable":true,"type":"object","properties":{"inputs":{"additionalProperties":{},"type":"object"}}},"package":{"additionalProperties":false,"type":"object","properties":{"experimental_data_stream_features":{"items":{"additionalProperties":false,"type":"object","properties":{"data_stream":{"type":"string"},"features":{"additionalProperties":false,"type":"object","properties":{"doc_value_only_numeric":{"type":"boolean"},"doc_value_only_other":{"type":"boolean"},"synthetic_source":{"type":"boolean"},"tsdb":{"type":"boolean"}}}},"required":["data_stream","features"]},"maxItems":100,"type":"array"},"fips_compatible":{"type":"boolean"},"name":{"description":"Package name","type":"string"},"requires_root":{"type":"boolean"},"title":{"type":"string"},"version":{"description":"Package version","type":"string"}},"required":["name","version"]},"policy_id":{"deprecated":true,"description":"ID of the agent policy which the package policy will be added to.","nullable":true,"type":"string"},"policy_ids":{"items":{"description":"IDs of the agent policies which that package policy will be added to.","type":"string"},"type":"array"},"revision":{"description":"Package policy revision.","type":"number"},"secret_references":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},"maxItems":100,"type":"array"},"spaceIds":{"items":{"type":"string"},"maxItems":100,"type":"array"},"supports_agentless":{"default":false,"description":"Indicates whether the package policy belongs to an agentless agent policy.","nullable":true,"type":"boolean"},"supports_cloud_connector":{"default":false,"description":"Indicates whether the package policy supports cloud connectors.","nullable":true,"type":"boolean"},"updated_at":{"type":"string"},"updated_by":{"type":"string"},"vars":{"anyOf":[{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"},{"additionalProperties":{"anyOf":[{"type":"boolean"},{"type":"string"},{"type":"number"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input/stream level variable. Refer to the integration documentation for more information.","type":"object","x-oas-optional":true}],"description":"Package level variable."},"version":{"description":"Package policy ES version.","type":"string"}},"required":["name","enabled","inputs","id","revision","updated_at","updated_by","created_at","created_by"]},"maxItems":10000,"type":"array"}]},"required_versions":{"items":{"additionalProperties":false,"type":"object","properties":{"percentage":{"description":"Target percentage of agents to auto upgrade","maximum":100,"minimum":0,"type":"number"},"version":{"description":"Target version for automatic agent upgrade","type":"string"}},"required":["version","percentage"]},"maxItems":100,"nullable":true,"type":"array"},"revision":{"type":"number"},"schema_version":{"type":"string"},"space_ids":{"items":{"type":"string"},"maxItems":100,"type":"array"},"status":{"enum":["active","inactive"],"type":"string"},"supports_agentless":{"default":false,"description":"Indicates whether the agent policy supports agentless integrations.","nullable":true,"type":"boolean"},"unenroll_timeout":{"minimum":0,"type":"number"},"unprivileged_agents":{"type":"number"},"updated_at":{"type":"string"},"updated_by":{"type":"string"},"version":{"type":"string"}},"required":["id","name","namespace","is_protected","status","updated_at","updated_by","revision"]}},"required":["item"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Get an agent policy","tags":["Elastic Agent policies"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"put":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb put\"\u003eput\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/agent_policies/{agentPolicyId}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nUpdate an agent policy by ID.\u003cbr/\u003e\u003cbr/\u003e[Required authorization] Route required privileges: fleet-agent-policies-all.","operationId":"put-fleet-agent-policies-agentpolicyid","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"agentPolicyId","required":true,"schema":{"type":"string"}},{"in":"query","name":"format","required":false,"schema":{"enum":["simplified","legacy"],"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"advanced_settings":{"additionalProperties":false,"type":"object","properties":{"agent_download_target_directory":{"nullable":true},"agent_download_timeout":{"nullable":true},"agent_internal":{"nullable":true},"agent_limits_go_max_procs":{"nullable":true},"agent_logging_files_interval":{"nullable":true},"agent_logging_files_keepfiles":{"nullable":true},"agent_logging_files_rotateeverybytes":{"nullable":true},"agent_logging_level":{"nullable":true},"agent_logging_metrics_period":{"nullable":true},"agent_logging_to_files":{"nullable":true},"agent_monitoring_runtime_experimental":{"nullable":true}}},"agent_features":{"items":{"additionalProperties":false,"type":"object","properties":{"enabled":{"type":"boolean"},"name":{"type":"string"}},"required":["name","enabled"]},"maxItems":100,"type":"array"},"agentless":{"additionalProperties":false,"type":"object","properties":{"cloud_connectors":{"additionalProperties":false,"type":"object","properties":{"enabled":{"type":"boolean"},"target_csp":{"enum":["aws","azure","gcp"],"type":"string"}},"required":["enabled"]},"resources":{"additionalProperties":false,"type":"object","properties":{"requests":{"additionalProperties":false,"type":"object","properties":{"cpu":{"type":"string"},"memory":{"type":"string"}}}}}}},"bumpRevision":{"type":"boolean"},"data_output_id":{"nullable":true,"type":"string"},"description":{"type":"string"},"download_source_id":{"nullable":true,"type":"string"},"fleet_server_host_id":{"nullable":true,"type":"string"},"force":{"type":"boolean"},"global_data_tags":{"description":"User defined data tags that are added to all of the inputs. The values can be strings or numbers.","items":{"additionalProperties":false,"type":"object","properties":{"name":{"type":"string"},"value":{"anyOf":[{"type":"string"},{"type":"number"}]}},"required":["name","value"]},"maxItems":10,"type":"array"},"has_fleet_server":{"type":"boolean"},"id":{"type":"string"},"inactivity_timeout":{"default":1209600,"minimum":0,"type":"number"},"is_default":{"type":"boolean"},"is_default_fleet_server":{"type":"boolean"},"is_managed":{"type":"boolean"},"is_protected":{"type":"boolean"},"keep_monitoring_alive":{"default":false,"description":"When set to true, monitoring will be enabled but logs/metrics collection will be disabled","nullable":true,"type":"boolean"},"monitoring_diagnostics":{"additionalProperties":false,"type":"object","properties":{"limit":{"additionalProperties":false,"type":"object","properties":{"burst":{"type":"number"},"interval":{"type":"string"}}},"uploader":{"additionalProperties":false,"type":"object","properties":{"init_dur":{"type":"string"},"max_dur":{"type":"string"},"max_retries":{"type":"number"}}}}},"monitoring_enabled":{"items":{"enum":["logs","metrics","traces"],"type":"string"},"maxItems":3,"type":"array"},"monitoring_http":{"additionalProperties":false,"type":"object","properties":{"buffer":{"additionalProperties":false,"type":"object","properties":{"enabled":{"default":false,"type":"boolean"}}},"enabled":{"type":"boolean"},"host":{"type":"string"},"port":{"maximum":65353,"minimum":0,"type":"number"}}},"monitoring_output_id":{"nullable":true,"type":"string"},"monitoring_pprof_enabled":{"type":"boolean"},"name":{"minLength":1,"type":"string"},"namespace":{"minLength":1,"type":"string"},"overrides":{"additionalProperties":{},"description":"Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure.","nullable":true,"type":"object"},"required_versions":{"items":{"additionalProperties":false,"type":"object","properties":{"percentage":{"description":"Target percentage of agents to auto upgrade","maximum":100,"minimum":0,"type":"number"},"version":{"description":"Target version for automatic agent upgrade","type":"string"}},"required":["version","percentage"]},"maxItems":100,"nullable":true,"type":"array"},"space_ids":{"items":{"type":"string"},"maxItems":100,"type":"array"},"supports_agentless":{"default":false,"deprecated":true,"description":"Indicates whether the agent policy supports agentless integrations. Deprecated in favor of the Fleet agentless policies API.","nullable":true,"type":"boolean"},"unenroll_timeout":{"minimum":0,"type":"number"}},"required":["name","namespace"]}}}},"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"item":{"additionalProperties":false,"type":"object","properties":{"advanced_settings":{"additionalProperties":false,"type":"object","properties":{"agent_download_target_directory":{"nullable":true},"agent_download_timeout":{"nullable":true},"agent_internal":{"nullable":true},"agent_limits_go_max_procs":{"nullable":true},"agent_logging_files_interval":{"nullable":true},"agent_logging_files_keepfiles":{"nullable":true},"agent_logging_files_rotateeverybytes":{"nullable":true},"agent_logging_level":{"nullable":true},"agent_logging_metrics_period":{"nullable":true},"agent_logging_to_files":{"nullable":true},"agent_monitoring_runtime_experimental":{"nullable":true}}},"agent_features":{"items":{"additionalProperties":false,"type":"object","properties":{"enabled":{"type":"boolean"},"name":{"type":"string"}},"required":["name","enabled"]},"maxItems":100,"type":"array"},"agentless":{"additionalProperties":false,"type":"object","properties":{"cloud_connectors":{"additionalProperties":false,"type":"object","properties":{"enabled":{"type":"boolean"},"target_csp":{"enum":["aws","azure","gcp"],"type":"string"}},"required":["enabled"]},"resources":{"additionalProperties":false,"type":"object","properties":{"requests":{"additionalProperties":false,"type":"object","properties":{"cpu":{"type":"string"},"memory":{"type":"string"}}}}}}},"agents":{"type":"number"},"data_output_id":{"nullable":true,"type":"string"},"description":{"type":"string"},"download_source_id":{"nullable":true,"type":"string"},"fips_agents":{"type":"number"},"fleet_server_host_id":{"nullable":true,"type":"string"},"global_data_tags":{"description":"User defined data tags that are added to all of the inputs. The values can be strings or numbers.","items":{"additionalProperties":false,"type":"object","properties":{"name":{"type":"string"},"value":{"anyOf":[{"type":"string"},{"type":"number"}]}},"required":["name","value"]},"maxItems":10,"type":"array"},"has_fleet_server":{"type":"boolean"},"id":{"type":"string"},"inactivity_timeout":{"default":1209600,"minimum":0,"type":"number"},"is_default":{"type":"boolean"},"is_default_fleet_server":{"type":"boolean"},"is_managed":{"type":"boolean"},"is_preconfigured":{"type":"boolean"},"is_protected":{"description":"Indicates whether the agent policy has tamper protection enabled. Default false.","type":"boolean"},"keep_monitoring_alive":{"default":false,"description":"When set to true, monitoring will be enabled but logs/metrics collection will be disabled","nullable":true,"type":"boolean"},"monitoring_diagnostics":{"additionalProperties":false,"type":"object","properties":{"limit":{"additionalProperties":false,"type":"object","properties":{"burst":{"type":"number"},"interval":{"type":"string"}}},"uploader":{"additionalProperties":false,"type":"object","properties":{"init_dur":{"type":"string"},"max_dur":{"type":"string"},"max_retries":{"type":"number"}}}}},"monitoring_enabled":{"items":{"enum":["logs","metrics","traces"],"type":"string"},"maxItems":3,"type":"array"},"monitoring_http":{"additionalProperties":false,"type":"object","properties":{"buffer":{"additionalProperties":false,"type":"object","properties":{"enabled":{"default":false,"type":"boolean"}}},"enabled":{"type":"boolean"},"host":{"type":"string"},"port":{"maximum":65353,"minimum":0,"type":"number"}}},"monitoring_output_id":{"nullable":true,"type":"string"},"monitoring_pprof_enabled":{"type":"boolean"},"name":{"minLength":1,"type":"string"},"namespace":{"minLength":1,"type":"string"},"overrides":{"additionalProperties":{},"description":"Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure.","nullable":true,"type":"object"},"package_policies":{"anyOf":[{"items":{"type":"string"},"maxItems":10000,"type":"array"},{"description":"This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter","items":{"additionalProperties":false,"type":"object","properties":{"additional_datastreams_permissions":{"description":"Additional datastream permissions, that will be added to the agent policy.","items":{"type":"string"},"maxItems":1000,"nullable":true,"type":"array"},"agents":{"type":"number"},"cloud_connector_id":{"description":"ID of the cloud connector associated with this package policy.","nullable":true,"type":"string"},"cloud_connector_name":{"description":"Transient field for cloud connector name during creation.","maxLength":255,"minLength":1,"nullable":true,"type":"string"},"created_at":{"type":"string"},"created_by":{"type":"string"},"description":{"description":"Package policy description","type":"string"},"elasticsearch":{"additionalProperties":true,"type":"object","properties":{"privileges":{"additionalProperties":true,"type":"object","properties":{"cluster":{"items":{"type":"string"},"maxItems":100,"type":"array"}}}}},"enabled":{"type":"boolean"},"id":{"description":"Package policy unique identifier.","type":"string"},"inputs":{"anyOf":[{"items":{"additionalProperties":false,"type":"object","properties":{"compiled_input":{},"config":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"},"enabled":{"type":"boolean"},"id":{"type":"string"},"keep_enabled":{"type":"boolean"},"policy_template":{"type":"string"},"streams":{"items":{"additionalProperties":false,"type":"object","properties":{"compiled_stream":{},"config":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"},"data_stream":{"additionalProperties":false,"type":"object","properties":{"dataset":{"type":"string"},"elasticsearch":{"additionalProperties":false,"type":"object","properties":{"dynamic_dataset":{"type":"boolean"},"dynamic_namespace":{"type":"boolean"},"privileges":{"additionalProperties":false,"type":"object","properties":{"indices":{"items":{"type":"string"},"maxItems":100,"type":"array"}}}}},"type":{"type":"string"}},"required":["dataset","type"]},"enabled":{"type":"boolean"},"id":{"type":"string"},"keep_enabled":{"type":"boolean"},"release":{"enum":["ga","beta","experimental"],"type":"string"},"vars":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"}},"required":["enabled","data_stream","compiled_stream"]},"maxItems":100,"type":"array"},"type":{"type":"string"},"vars":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"}},"required":["type","enabled","streams","compiled_input"]},"maxItems":100,"type":"array"},{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"enabled":{"description":"Enable or disable that input. Defaults to `true` (enabled).","type":"boolean"},"streams":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"enabled":{"description":"Enable or disable that stream. Defaults to `true` (enabled).","type":"boolean"},"vars":{"additionalProperties":{"anyOf":[{"type":"boolean"},{"type":"string"},{"type":"number"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input/stream level variable. Refer to the integration documentation for more information.","type":"object"}}},"description":"Input streams. Refer to the integration documentation to know which streams are available.","type":"object"},"vars":{"additionalProperties":{"anyOf":[{"type":"boolean"},{"type":"string"},{"type":"number"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input/stream level variable. Refer to the integration documentation for more information.","type":"object"}}},"description":"Package policy inputs. Refer to the integration documentation to know which inputs are available.","type":"object","x-oas-optional":true}],"description":"Package policy inputs."},"is_managed":{"type":"boolean"},"name":{"description":"Unique name for the package policy.","type":"string"},"namespace":{"description":"The package policy namespace. Leave blank to inherit the agent policy's namespace.","type":"string"},"output_id":{"nullable":true,"type":"string"},"overrides":{"additionalProperties":false,"description":"Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.","nullable":true,"type":"object","properties":{"inputs":{"additionalProperties":{},"type":"object"}}},"package":{"additionalProperties":false,"type":"object","properties":{"experimental_data_stream_features":{"items":{"additionalProperties":false,"type":"object","properties":{"data_stream":{"type":"string"},"features":{"additionalProperties":false,"type":"object","properties":{"doc_value_only_numeric":{"type":"boolean"},"doc_value_only_other":{"type":"boolean"},"synthetic_source":{"type":"boolean"},"tsdb":{"type":"boolean"}}}},"required":["data_stream","features"]},"maxItems":100,"type":"array"},"fips_compatible":{"type":"boolean"},"name":{"description":"Package name","type":"string"},"requires_root":{"type":"boolean"},"title":{"type":"string"},"version":{"description":"Package version","type":"string"}},"required":["name","version"]},"policy_id":{"deprecated":true,"description":"ID of the agent policy which the package policy will be added to.","nullable":true,"type":"string"},"policy_ids":{"items":{"description":"IDs of the agent policies which that package policy will be added to.","type":"string"},"type":"array"},"revision":{"description":"Package policy revision.","type":"number"},"secret_references":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},"maxItems":100,"type":"array"},"spaceIds":{"items":{"type":"string"},"maxItems":100,"type":"array"},"supports_agentless":{"default":false,"description":"Indicates whether the package policy belongs to an agentless agent policy.","nullable":true,"type":"boolean"},"supports_cloud_connector":{"default":false,"description":"Indicates whether the package policy supports cloud connectors.","nullable":true,"type":"boolean"},"updated_at":{"type":"string"},"updated_by":{"type":"string"},"vars":{"anyOf":[{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"},{"additionalProperties":{"anyOf":[{"type":"boolean"},{"type":"string"},{"type":"number"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input/stream level variable. Refer to the integration documentation for more information.","type":"object","x-oas-optional":true}],"description":"Package level variable."},"version":{"description":"Package policy ES version.","type":"string"}},"required":["name","enabled","inputs","id","revision","updated_at","updated_by","created_at","created_by"]},"maxItems":10000,"type":"array"}]},"required_versions":{"items":{"additionalProperties":false,"type":"object","properties":{"percentage":{"description":"Target percentage of agents to auto upgrade","maximum":100,"minimum":0,"type":"number"},"version":{"description":"Target version for automatic agent upgrade","type":"string"}},"required":["version","percentage"]},"maxItems":100,"nullable":true,"type":"array"},"revision":{"type":"number"},"schema_version":{"type":"string"},"space_ids":{"items":{"type":"string"},"maxItems":100,"type":"array"},"status":{"enum":["active","inactive"],"type":"string"},"supports_agentless":{"default":false,"description":"Indicates whether the agent policy supports agentless integrations.","nullable":true,"type":"boolean"},"unenroll_timeout":{"minimum":0,"type":"number"},"unprivileged_agents":{"type":"number"},"updated_at":{"type":"string"},"updated_by":{"type":"string"},"version":{"type":"string"}},"required":["id","name","namespace","is_protected","status","updated_at","updated_by","revision"]}},"required":["item"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Update an agent policy","tags":["Elastic Agent policies"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/agent_policies/{agentPolicyId}/auto_upgrade_agents_status":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/agent_policies/{agentPolicyId}/auto_upgrade_agents_status\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nGet auto upgrade agent status\u003cbr/\u003e\u003cbr/\u003e[Required authorization] Route required privileges: fleet-agents-read.","operationId":"get-fleet-agent-policies-agentpolicyid-auto-upgrade-agents-status","parameters":[{"in":"path","name":"agentPolicyId","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"currentVersions":{"items":{"additionalProperties":false,"type":"object","properties":{"agents":{"description":"Number of agents that upgraded to this version","type":"number"},"failedUpgradeActionIds":{"description":"List of action IDs related to failed upgrades","items":{"type":"string"},"maxItems":1000,"type":"array"},"failedUpgradeAgents":{"description":"Number of agents that failed to upgrade to this version","type":"number"},"inProgressUpgradeActionIds":{"description":"List of action IDs related to in-progress upgrades","items":{"type":"string"},"maxItems":1000,"type":"array"},"inProgressUpgradeAgents":{"description":"Number of agents that are upgrading to this version","type":"number"},"version":{"description":"Agent version","type":"string"}},"required":["version","agents","failedUpgradeAgents","inProgressUpgradeAgents"]},"maxItems":10000,"type":"array"},"totalAgents":{"type":"number"}},"required":["currentVersions","totalAgents"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Get auto upgrade agent status","tags":["Elastic Agent policies"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/agent_policies/{agentPolicyId}/copy":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/agent_policies/{agentPolicyId}/copy\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nCopy an agent policy by ID.\u003cbr/\u003e\u003cbr/\u003e[Required authorization] Route required privileges: fleet-agent-policies-all.","operationId":"post-fleet-agent-policies-agentpolicyid-copy","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"agentPolicyId","required":true,"schema":{"type":"string"}},{"in":"query","name":"format","required":false,"schema":{"enum":["simplified","legacy"],"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"description":{"type":"string"},"name":{"minLength":1,"type":"string"}},"required":["name"]}}}},"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"item":{"additionalProperties":false,"type":"object","properties":{"advanced_settings":{"additionalProperties":false,"type":"object","properties":{"agent_download_target_directory":{"nullable":true},"agent_download_timeout":{"nullable":true},"agent_internal":{"nullable":true},"agent_limits_go_max_procs":{"nullable":true},"agent_logging_files_interval":{"nullable":true},"agent_logging_files_keepfiles":{"nullable":true},"agent_logging_files_rotateeverybytes":{"nullable":true},"agent_logging_level":{"nullable":true},"agent_logging_metrics_period":{"nullable":true},"agent_logging_to_files":{"nullable":true},"agent_monitoring_runtime_experimental":{"nullable":true}}},"agent_features":{"items":{"additionalProperties":false,"type":"object","properties":{"enabled":{"type":"boolean"},"name":{"type":"string"}},"required":["name","enabled"]},"maxItems":100,"type":"array"},"agentless":{"additionalProperties":false,"type":"object","properties":{"cloud_connectors":{"additionalProperties":false,"type":"object","properties":{"enabled":{"type":"boolean"},"target_csp":{"enum":["aws","azure","gcp"],"type":"string"}},"required":["enabled"]},"resources":{"additionalProperties":false,"type":"object","properties":{"requests":{"additionalProperties":false,"type":"object","properties":{"cpu":{"type":"string"},"memory":{"type":"string"}}}}}}},"agents":{"type":"number"},"data_output_id":{"nullable":true,"type":"string"},"description":{"type":"string"},"download_source_id":{"nullable":true,"type":"string"},"fips_agents":{"type":"number"},"fleet_server_host_id":{"nullable":true,"type":"string"},"global_data_tags":{"description":"User defined data tags that are added to all of the inputs. The values can be strings or numbers.","items":{"additionalProperties":false,"type":"object","properties":{"name":{"type":"string"},"value":{"anyOf":[{"type":"string"},{"type":"number"}]}},"required":["name","value"]},"maxItems":10,"type":"array"},"has_fleet_server":{"type":"boolean"},"id":{"type":"string"},"inactivity_timeout":{"default":1209600,"minimum":0,"type":"number"},"is_default":{"type":"boolean"},"is_default_fleet_server":{"type":"boolean"},"is_managed":{"type":"boolean"},"is_preconfigured":{"type":"boolean"},"is_protected":{"description":"Indicates whether the agent policy has tamper protection enabled. Default false.","type":"boolean"},"keep_monitoring_alive":{"default":false,"description":"When set to true, monitoring will be enabled but logs/metrics collection will be disabled","nullable":true,"type":"boolean"},"monitoring_diagnostics":{"additionalProperties":false,"type":"object","properties":{"limit":{"additionalProperties":false,"type":"object","properties":{"burst":{"type":"number"},"interval":{"type":"string"}}},"uploader":{"additionalProperties":false,"type":"object","properties":{"init_dur":{"type":"string"},"max_dur":{"type":"string"},"max_retries":{"type":"number"}}}}},"monitoring_enabled":{"items":{"enum":["logs","metrics","traces"],"type":"string"},"maxItems":3,"type":"array"},"monitoring_http":{"additionalProperties":false,"type":"object","properties":{"buffer":{"additionalProperties":false,"type":"object","properties":{"enabled":{"default":false,"type":"boolean"}}},"enabled":{"type":"boolean"},"host":{"type":"string"},"port":{"maximum":65353,"minimum":0,"type":"number"}}},"monitoring_output_id":{"nullable":true,"type":"string"},"monitoring_pprof_enabled":{"type":"boolean"},"name":{"minLength":1,"type":"string"},"namespace":{"minLength":1,"type":"string"},"overrides":{"additionalProperties":{},"description":"Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure.","nullable":true,"type":"object"},"package_policies":{"anyOf":[{"items":{"type":"string"},"maxItems":10000,"type":"array"},{"description":"This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter","items":{"additionalProperties":false,"type":"object","properties":{"additional_datastreams_permissions":{"description":"Additional datastream permissions, that will be added to the agent policy.","items":{"type":"string"},"maxItems":1000,"nullable":true,"type":"array"},"agents":{"type":"number"},"cloud_connector_id":{"description":"ID of the cloud connector associated with this package policy.","nullable":true,"type":"string"},"cloud_connector_name":{"description":"Transient field for cloud connector name during creation.","maxLength":255,"minLength":1,"nullable":true,"type":"string"},"created_at":{"type":"string"},"created_by":{"type":"string"},"description":{"description":"Package policy description","type":"string"},"elasticsearch":{"additionalProperties":true,"type":"object","properties":{"privileges":{"additionalProperties":true,"type":"object","properties":{"cluster":{"items":{"type":"string"},"maxItems":100,"type":"array"}}}}},"enabled":{"type":"boolean"},"id":{"description":"Package policy unique identifier.","type":"string"},"inputs":{"anyOf":[{"items":{"additionalProperties":false,"type":"object","properties":{"compiled_input":{},"config":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"},"enabled":{"type":"boolean"},"id":{"type":"string"},"keep_enabled":{"type":"boolean"},"policy_template":{"type":"string"},"streams":{"items":{"additionalProperties":false,"type":"object","properties":{"compiled_stream":{},"config":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"},"data_stream":{"additionalProperties":false,"type":"object","properties":{"dataset":{"type":"string"},"elasticsearch":{"additionalProperties":false,"type":"object","properties":{"dynamic_dataset":{"type":"boolean"},"dynamic_namespace":{"type":"boolean"},"privileges":{"additionalProperties":false,"type":"object","properties":{"indices":{"items":{"type":"string"},"maxItems":100,"type":"array"}}}}},"type":{"type":"string"}},"required":["dataset","type"]},"enabled":{"type":"boolean"},"id":{"type":"string"},"keep_enabled":{"type":"boolean"},"release":{"enum":["ga","beta","experimental"],"type":"string"},"vars":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"}},"required":["enabled","data_stream","compiled_stream"]},"maxItems":100,"type":"array"},"type":{"type":"string"},"vars":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"}},"required":["type","enabled","streams","compiled_input"]},"maxItems":100,"type":"array"},{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"enabled":{"description":"Enable or disable that input. Defaults to `true` (enabled).","type":"boolean"},"streams":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"enabled":{"description":"Enable or disable that stream. Defaults to `true` (enabled).","type":"boolean"},"vars":{"additionalProperties":{"anyOf":[{"type":"boolean"},{"type":"string"},{"type":"number"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input/stream level variable. Refer to the integration documentation for more information.","type":"object"}}},"description":"Input streams. Refer to the integration documentation to know which streams are available.","type":"object"},"vars":{"additionalProperties":{"anyOf":[{"type":"boolean"},{"type":"string"},{"type":"number"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input/stream level variable. Refer to the integration documentation for more information.","type":"object"}}},"description":"Package policy inputs. Refer to the integration documentation to know which inputs are available.","type":"object","x-oas-optional":true}],"description":"Package policy inputs."},"is_managed":{"type":"boolean"},"name":{"description":"Unique name for the package policy.","type":"string"},"namespace":{"description":"The package policy namespace. Leave blank to inherit the agent policy's namespace.","type":"string"},"output_id":{"nullable":true,"type":"string"},"overrides":{"additionalProperties":false,"description":"Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.","nullable":true,"type":"object","properties":{"inputs":{"additionalProperties":{},"type":"object"}}},"package":{"additionalProperties":false,"type":"object","properties":{"experimental_data_stream_features":{"items":{"additionalProperties":false,"type":"object","properties":{"data_stream":{"type":"string"},"features":{"additionalProperties":false,"type":"object","properties":{"doc_value_only_numeric":{"type":"boolean"},"doc_value_only_other":{"type":"boolean"},"synthetic_source":{"type":"boolean"},"tsdb":{"type":"boolean"}}}},"required":["data_stream","features"]},"maxItems":100,"type":"array"},"fips_compatible":{"type":"boolean"},"name":{"description":"Package name","type":"string"},"requires_root":{"type":"boolean"},"title":{"type":"string"},"version":{"description":"Package version","type":"string"}},"required":["name","version"]},"policy_id":{"deprecated":true,"description":"ID of the agent policy which the package policy will be added to.","nullable":true,"type":"string"},"policy_ids":{"items":{"description":"IDs of the agent policies which that package policy will be added to.","type":"string"},"type":"array"},"revision":{"description":"Package policy revision.","type":"number"},"secret_references":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},"maxItems":100,"type":"array"},"spaceIds":{"items":{"type":"string"},"maxItems":100,"type":"array"},"supports_agentless":{"default":false,"description":"Indicates whether the package policy belongs to an agentless agent policy.","nullable":true,"type":"boolean"},"supports_cloud_connector":{"default":false,"description":"Indicates whether the package policy supports cloud connectors.","nullable":true,"type":"boolean"},"updated_at":{"type":"string"},"updated_by":{"type":"string"},"vars":{"anyOf":[{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"},{"additionalProperties":{"anyOf":[{"type":"boolean"},{"type":"string"},{"type":"number"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input/stream level variable. Refer to the integration documentation for more information.","type":"object","x-oas-optional":true}],"description":"Package level variable."},"version":{"description":"Package policy ES version.","type":"string"}},"required":["name","enabled","inputs","id","revision","updated_at","updated_by","created_at","created_by"]},"maxItems":10000,"type":"array"}]},"required_versions":{"items":{"additionalProperties":false,"type":"object","properties":{"percentage":{"description":"Target percentage of agents to auto upgrade","maximum":100,"minimum":0,"type":"number"},"version":{"description":"Target version for automatic agent upgrade","type":"string"}},"required":["version","percentage"]},"maxItems":100,"nullable":true,"type":"array"},"revision":{"type":"number"},"schema_version":{"type":"string"},"space_ids":{"items":{"type":"string"},"maxItems":100,"type":"array"},"status":{"enum":["active","inactive"],"type":"string"},"supports_agentless":{"default":false,"description":"Indicates whether the agent policy supports agentless integrations.","nullable":true,"type":"boolean"},"unenroll_timeout":{"minimum":0,"type":"number"},"unprivileged_agents":{"type":"number"},"updated_at":{"type":"string"},"updated_by":{"type":"string"},"version":{"type":"string"}},"required":["id","name","namespace","is_protected","status","updated_at","updated_by","revision"]}},"required":["item"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Copy an agent policy","tags":["Elastic Agent policies"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/agent_policies/{agentPolicyId}/download":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/agent_policies/{agentPolicyId}/download\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nDownload an agent policy by ID.\u003cbr/\u003e\u003cbr/\u003e[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-setup.","operationId":"get-fleet-agent-policies-agentpolicyid-download","parameters":[{"in":"path","name":"agentPolicyId","required":true,"schema":{"type":"string"}},{"in":"query","name":"download","required":false,"schema":{"type":"boolean"}},{"in":"query","name":"standalone","required":false,"schema":{"type":"boolean"}},{"in":"query","name":"kubernetes","required":false,"schema":{"type":"boolean"}}],"responses":{"200":{"content":{"application/json":{"schema":{"type":"string"}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."},"404":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Not found."}},"summary":"Download an agent policy","tags":["Elastic Agent policies"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/agent_policies/{agentPolicyId}/full":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/agent_policies/{agentPolicyId}/full\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nGet a full agent policy by ID.\u003cbr/\u003e\u003cbr/\u003e[Required authorization] Route required privileges: fleet-agent-policies-read.","operationId":"get-fleet-agent-policies-agentpolicyid-full","parameters":[{"in":"path","name":"agentPolicyId","required":true,"schema":{"type":"string"}},{"in":"query","name":"download","required":false,"schema":{"type":"boolean"}},{"in":"query","name":"standalone","required":false,"schema":{"type":"boolean"}},{"in":"query","name":"kubernetes","required":false,"schema":{"type":"boolean"}}],"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"item":{"anyOf":[{"type":"string"},{"additionalProperties":false,"type":"object","properties":{"agent":{"additionalProperties":false,"type":"object","properties":{"download":{"additionalProperties":false,"type":"object","properties":{"proxy_headers":{"additionalProperties":{"anyOf":[{"type":"string"},{"type":"boolean"},{"type":"number"}]},"nullable":true,"type":"object"},"proxy_url":{"type":"string"},"secrets":{"additionalProperties":true,"type":"object","properties":{"ssl":{"additionalProperties":true,"type":"object","properties":{"key":{"additionalProperties":true,"type":"object","properties":{"id":{"type":"string"}}}},"required":["key"]}}},"sourceURI":{"type":"string"},"ssl":{"additionalProperties":false,"type":"object","properties":{"certificate":{"type":"string"},"certificate_authorities":{"items":{"type":"string"},"maxItems":10,"type":"array"},"key":{"type":"string"},"renegotiation":{"type":"string"},"verification_mode":{"type":"string"}}},"target_directory":{"type":"string"},"timeout":{"type":"string"}},"required":["sourceURI"]},"features":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"enabled":{"type":"boolean"}},"required":["enabled"]},"type":"object"},"internal":{},"limits":{"additionalProperties":false,"type":"object","properties":{"go_max_procs":{"type":"number"}}},"logging":{"additionalProperties":false,"type":"object","properties":{"files":{"additionalProperties":false,"type":"object","properties":{"interval":{"type":"string"},"keepfiles":{"type":"number"},"rotateeverybytes":{"type":"number"}}},"level":{"type":"string"},"metrics":{"additionalProperties":false,"type":"object","properties":{"period":{"type":"string"}}},"to_files":{"type":"boolean"}}},"monitoring":{"additionalProperties":false,"type":"object","properties":{"_runtime_experimental":{"type":"string"},"apm":{},"diagnostics":{"additionalProperties":false,"type":"object","properties":{"limit":{"additionalProperties":false,"type":"object","properties":{"burst":{"type":"number"},"interval":{"type":"string"}}},"uploader":{"additionalProperties":false,"type":"object","properties":{"init_dur":{"type":"string"},"max_dur":{"type":"string"},"max_retries":{"type":"number"}}}}},"enabled":{"type":"boolean"},"http":{"additionalProperties":false,"type":"object","properties":{"enabled":{"type":"boolean"},"host":{"type":"string"},"port":{"type":"number"}}},"logs":{"type":"boolean"},"metrics":{"type":"boolean"},"namespace":{"type":"string"},"pprof":{"additionalProperties":false,"type":"object","properties":{"enabled":{"type":"boolean"}},"required":["enabled"]},"traces":{"type":"boolean"},"use_output":{"type":"string"}},"required":["enabled","metrics","logs","traces","apm"]},"protection":{"additionalProperties":false,"type":"object","properties":{"enabled":{"type":"boolean"},"signing_key":{"type":"string"},"uninstall_token_hash":{"type":"string"}},"required":["enabled","uninstall_token_hash","signing_key"]}},"required":["monitoring","download","features","internal"]},"connectors":{"additionalProperties":{},"type":"object"},"exporters":{"additionalProperties":{},"type":"object"},"extensions":{"additionalProperties":{},"type":"object"},"fleet":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"hosts":{"items":{"type":"string"},"maxItems":100,"type":"array"},"proxy_headers":{"additionalProperties":{"anyOf":[{"type":"string"},{"type":"boolean"},{"type":"number"}]},"nullable":true,"type":"object"},"proxy_url":{"type":"string"},"secrets":{"additionalProperties":true,"type":"object","properties":{"ssl":{"additionalProperties":true,"type":"object","properties":{"key":{"additionalProperties":true,"type":"object","properties":{"id":{"type":"string"}}}},"required":["key"]}}},"ssl":{"additionalProperties":false,"type":"object","properties":{"certificate":{"type":"string"},"certificate_authorities":{"items":{"type":"string"},"maxItems":10,"type":"array"},"key":{"type":"string"},"renegotiation":{"type":"string"},"verification_mode":{"type":"string"}}}},"required":["hosts"]},{"additionalProperties":false,"type":"object","properties":{"kibana":{"additionalProperties":false,"type":"object","properties":{"hosts":{"items":{"type":"string"},"maxItems":100,"type":"array"},"path":{"type":"string"},"protocol":{"type":"string"}},"required":["hosts","protocol"]}},"required":["kibana"]}]},"id":{"type":"string"},"inputs":{"items":{"additionalProperties":true,"type":"object","properties":{"data_stream":{"additionalProperties":true,"type":"object","properties":{"namespace":{"type":"string"}},"required":["namespace"]},"id":{"type":"string"},"meta":{"additionalProperties":true,"type":"object","properties":{"package":{"additionalProperties":true,"type":"object","properties":{"name":{"type":"string"},"version":{"type":"string"}},"required":["name","version"]}}},"name":{"type":"string"},"package_policy_id":{"type":"string"},"processors":{"items":{"additionalProperties":true,"type":"object","properties":{"add_fields":{"additionalProperties":true,"type":"object","properties":{"fields":{"additionalProperties":{"anyOf":[{"type":"string"},{"type":"number"}]},"type":"object"},"target":{"type":"string"}},"required":["target","fields"]}},"required":["add_fields"]},"maxItems":10000,"type":"array"},"revision":{"type":"number"},"streams":{"items":{"additionalProperties":true,"type":"object","properties":{"data_stream":{"additionalProperties":true,"type":"object","properties":{"dataset":{"type":"string"},"type":{"type":"string"}},"required":["dataset"]},"id":{"type":"string"}},"required":["id","data_stream"]},"maxItems":10000,"type":"array"},"type":{"type":"string"},"use_output":{"type":"string"}},"required":["id","name","revision","type","data_stream","use_output","package_policy_id"]},"maxItems":10000,"type":"array"},"namespaces":{"items":{"type":"string"},"maxItems":100,"type":"array"},"output_permissions":{"additionalProperties":{"additionalProperties":{},"type":"object"},"type":"object"},"outputs":{"additionalProperties":{"additionalProperties":true,"type":"object","properties":{"ca_sha256":{"nullable":true,"type":"string"},"hosts":{"items":{"type":"string"},"maxItems":100,"type":"array"},"proxy_headers":{"additionalProperties":{"anyOf":[{"type":"string"},{"type":"boolean"},{"type":"number"}]},"nullable":true,"type":"object"},"proxy_url":{"type":"string"},"type":{"type":"string"}},"required":["type"]},"type":"object"},"processors":{"additionalProperties":{},"type":"object"},"receivers":{"additionalProperties":{},"type":"object"},"revision":{"type":"number"},"secret_references":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},"maxItems":10000,"type":"array"},"service":{"additionalProperties":false,"type":"object","properties":{"extensions":{"items":{"type":"string"},"maxItems":1000,"type":"array"},"pipelines":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"exporters":{"items":{"type":"string"},"maxItems":1000,"type":"array"},"processors":{"items":{"type":"string"},"maxItems":1000,"type":"array"},"receivers":{"items":{"type":"string"},"maxItems":1000,"type":"array"}},"x-oas-optional":true},"type":"object"}}},"signed":{"additionalProperties":false,"type":"object","properties":{"data":{"type":"string"},"signature":{"type":"string"}},"required":["data","signature"]}},"required":["id","outputs","inputs"]}]}},"required":["item"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Get a full agent policy","tags":["Elastic Agent policies"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/agent_policies/{agentPolicyId}/outputs":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/agent_policies/{agentPolicyId}/outputs\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nGet a list of outputs associated with agent policy by policy id.\u003cbr/\u003e\u003cbr/\u003e[Required authorization] Route required privileges: fleet-agent-policies-read AND fleet-settings-read.","operationId":"get-fleet-agent-policies-agentpolicyid-outputs","parameters":[{"in":"path","name":"agentPolicyId","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"item":{"additionalProperties":false,"type":"object","properties":{"agentPolicyId":{"type":"string"},"data":{"additionalProperties":false,"type":"object","properties":{"integrations":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"integrationPolicyName":{"type":"string"},"name":{"type":"string"},"pkgName":{"type":"string"}}},"maxItems":1000,"type":"array"},"output":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"name":{"type":"string"}},"required":["id","name"]}},"required":["output"]},"monitoring":{"additionalProperties":false,"type":"object","properties":{"output":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"name":{"type":"string"}},"required":["id","name"]}},"required":["output"]}},"required":["monitoring","data"]}},"required":["item"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Get outputs for an agent policy","tags":["Elastic Agent policies"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/agent_policies/delete":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/agent_policies/delete\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nDelete an agent policy by ID.\u003cbr/\u003e\u003cbr/\u003e[Required authorization] Route required privileges: fleet-agent-policies-all.","operationId":"post-fleet-agent-policies-delete","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"agentPolicyId":{"type":"string"},"force":{"description":"bypass validation checks that can prevent agent policy deletion","type":"boolean"}},"required":["agentPolicyId"]}}}},"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"name":{"type":"string"}},"required":["id","name"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Delete an agent policy","tags":["Elastic Agent policies"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/agent_policies/outputs":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/agent_policies/outputs\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nGet a list of outputs associated with agent policies.\u003cbr/\u003e\u003cbr/\u003e[Required authorization] Route required privileges: fleet-agent-policies-read AND fleet-settings-read.","operationId":"post-fleet-agent-policies-outputs","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"ids":{"description":"list of package policy ids","items":{"type":"string"},"maxItems":1000,"type":"array"}},"required":["ids"]}}}},"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"items":{"items":{"additionalProperties":false,"type":"object","properties":{"agentPolicyId":{"type":"string"},"data":{"additionalProperties":false,"type":"object","properties":{"integrations":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"integrationPolicyName":{"type":"string"},"name":{"type":"string"},"pkgName":{"type":"string"}}},"maxItems":1000,"type":"array"},"output":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"name":{"type":"string"}},"required":["id","name"]}},"required":["output"]},"monitoring":{"additionalProperties":false,"type":"object","properties":{"output":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"name":{"type":"string"}},"required":["id","name"]}},"required":["output"]}},"required":["monitoring","data"]},"maxItems":10000,"type":"array"}},"required":["items"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Get outputs for agent policies","tags":["Elastic Agent policies"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/agent_status":{"get":{"operationId":"get-fleet-agent-status","parameters":[{"in":"query","name":"policyId","required":false,"schema":{"type":"string"}},{"in":"query","name":"policyIds","required":false,"schema":{"anyOf":[{"items":{"type":"string"},"maxItems":1000,"type":"array"},{"type":"string"}]}},{"in":"query","name":"kuery","required":false,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"results":{"additionalProperties":false,"type":"object","properties":{"active":{"type":"number"},"all":{"type":"number"},"error":{"type":"number"},"events":{"type":"number"},"inactive":{"type":"number"},"offline":{"type":"number"},"online":{"type":"number"},"orphaned":{"type":"number"},"other":{"type":"number"},"unenrolled":{"type":"number"},"uninstalled":{"type":"number"},"updating":{"type":"number"}},"required":["events","online","error","offline","other","updating","inactive","unenrolled","all","active"]}},"required":["results"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Get an agent status summary","tags":["Elastic Agent status"],"x-metaTags":[{"content":"Kibana","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/agent_status\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information."}},"/api/fleet/agent_status/data":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/agent_status/data\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: fleet-agents-read.","operationId":"get-fleet-agent-status-data","parameters":[{"in":"query","name":"agentsIds","required":true,"schema":{"anyOf":[{"items":{"type":"string"},"maxItems":10000,"type":"array"},{"type":"string"}]}},{"in":"query","name":"pkgName","required":false,"schema":{"type":"string"}},{"in":"query","name":"pkgVersion","required":false,"schema":{"type":"string"}},{"in":"query","name":"previewData","required":false,"schema":{"default":false,"type":"boolean"}}],"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"dataPreview":{"items":{},"maxItems":10000,"type":"array"},"items":{"items":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"data":{"type":"boolean"}},"required":["data"]},"type":"object"},"maxItems":10000,"type":"array"}},"required":["items","dataPreview"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Get incoming agent data","tags":["Elastic Agents"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/agentless_policies":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/agentless_policies\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nCreate an agentless policy","operationId":"post-fleet-agentless-policies","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"The format of the response package policy.","in":"query","name":"format","required":false,"schema":{"default":"simplified","enum":["legacy","simplified"],"type":"string"}}],"requestBody":{"content":{"application/json":{"examples":{"createAgentlessPoliciesRequestExample":{"description":"Example request to create agentless policies","value":{"description":"test","inputs":{"ESS Billing-cel":{"enabled":true,"streams":{"ess_billing.billing":{"enabled":true,"vars":{"hide_sensitive":true,"http_client_timeout":"30s","lookbehind":365,"tags":["forwarded","billing"]}},"ess_billing.credits":{"enabled":false}},"vars":{"api_key":"\u003cREPLACE_WITH_YOUR_API_KEY\u003e","organization_id":"1234"}}},"name":"ess_billing-1","namespace":"default","package":{"name":"ess_billing","version":"1.6.0"}}},"createAgentlessPoliciesReuseAWSCloudConnectorExample":{"description":"Example request to create agentless policy reusing an existing AWS cloud connector","value":{"cloud_connector":{"cloud_connector_id":"existing-aws-connector-id","target_csp":"aws"},"description":"CSPM integration for AWS reusing existing cloud connector","inputs":{"cspm-cloudbeat/cis_aws":{"enabled":true,"streams":{"cloud_security_posture.findings":{"enabled":true,"vars":{"aws.account_type":"organization-account","aws.credentials.type":"cloud_connector","aws.supports_cloud_connectors":true,"external_id":{"id":"ABCDEFGHIJKLMNOPQRST","isSecretRef":true},"role_arn":"arn:aws:iam::123456789012:role/TestRole"}}},"vars":{"cloud_formation_template":"https://console.aws.amazon.com/cloudformation/home#/stacks/quickcreate?templateURL=https://elastic-cspm-cft.s3.eu-central-1.amazonaws.com/cloudformation-cspm-ACCOUNT_TYPE-9.2.0.yml"}},"cspm-cloudbeat/cis_azure":{"enabled":false},"cspm-cloudbeat/cis_gcp":{"enabled":false}},"name":"cspm-aws-reuse-policy","namespace":"default","package":{"name":"cloud_security_posture","version":"3.1.1"},"vars":{"deployment":"aws","posture":"cspm"}}},"createAgentlessPoliciesWithAWSCloudConnectorExample":{"description":"Example request to create agentless policy with AWS cloud connector","value":{"cloud_connector":{"target_csp":"aws"},"description":"CSPM integration for AWS with cloud connector","inputs":{"cspm-cloudbeat/cis_aws":{"enabled":true,"streams":{"cloud_security_posture.findings":{"enabled":true,"vars":{"aws.account_type":"organization-account","aws.credentials.type":"cloud_connector","aws.supports_cloud_connectors":true,"external_id":{"id":"ABCDEFGHIJKLMNOPQRST","isSecretRef":true},"role_arn":"arn:aws:iam::123456789012:role/TestRole"}}},"vars":{"cloud_formation_template":"https://console.aws.amazon.com/cloudformation/home#/stacks/quickcreate?templateURL=https://elastic-cspm-cft.s3.eu-central-1.amazonaws.com/cloudformation-cspm-ACCOUNT_TYPE-9.2.0.yml"}},"cspm-cloudbeat/cis_azure":{"enabled":false},"cspm-cloudbeat/cis_gcp":{"enabled":false}},"name":"cspm-aws-policy","namespace":"default","package":{"name":"cloud_security_posture","version":"3.1.1"},"vars":{"deployment":"aws","posture":"cspm"}}},"createAgentlessPoliciesWithAzureCloudConnectorExample":{"description":"Example request to create agentless policy with Azure cloud connector","value":{"cloud_connector":{"target_csp":"azure"},"description":"CSPM integration for Azure with cloud connector","inputs":{"cspm-cloudbeat/cis_aws":{"enabled":false},"cspm-cloudbeat/cis_azure":{"enabled":true,"streams":{"cloud_security_posture.findings":{"enabled":true,"vars":{"azure_credentials_cloud_connector_id":{"type":"text","value":"existing-azure-credentials-connector-id"},"azure.account_type":"organization-account","client_id":{"id":"client-secret-id","isSecretRef":true},"tenant_id":{"id":"tenant-secret-id","isSecretRef":true}}}}},"cspm-cloudbeat/cis_gcp":{"enabled":false}},"name":"cspm-azure-policy","namespace":"default","package":{"name":"cloud_security_posture","version":"3.1.1"},"vars":{"deployment":"azure","posture":"cspm"}}}},"schema":{"additionalProperties":false,"type":"object","properties":{"additional_datastreams_permissions":{"description":"Additional datastream permissions, that will be added to the agent policy.","items":{"type":"string"},"maxItems":100,"nullable":true,"type":"array"},"cloud_connector":{"additionalProperties":false,"type":"object","properties":{"cloud_connector_id":{"description":"ID of an existing cloud connector to reuse. If not provided, a new connector will be created.","type":"string"},"enabled":{"default":false,"description":"Whether cloud connectors are enabled for this policy.","type":"boolean"},"name":{"description":"Optional name for the cloud connector. If not provided, will be auto-generated from credentials.","maxLength":255,"minLength":1,"type":"string"}}},"description":{"description":"Policy description.","type":"string"},"force":{"description":"Force package policy creation even if the package is not verified, or if the agent policy is managed.","type":"boolean"},"id":{"description":"Policy unique identifier.","type":"string"},"inputs":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"enabled":{"description":"Enable or disable that input. Defaults to `true` (enabled).","type":"boolean"},"streams":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"enabled":{"description":"Enable or disable that stream. Defaults to `true` (enabled).","type":"boolean"},"vars":{"additionalProperties":{"anyOf":[{"type":"boolean"},{"type":"string"},{"type":"number"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input/stream level variable. Refer to the integration documentation for more information.","type":"object"}}},"description":"Input streams. Refer to the integration documentation to know which streams are available.","type":"object"},"vars":{"additionalProperties":{"anyOf":[{"type":"boolean"},{"type":"string"},{"type":"number"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input/stream level variable. Refer to the integration documentation for more information.","type":"object"}}},"description":"Package policy inputs. Refer to the integration documentation to know which inputs are available.","type":"object"},"name":{"description":"Unique name for the policy.","type":"string"},"namespace":{"description":"Policy namespace. When not specified, it inherits the agent policy namespace.","type":"string"},"package":{"additionalProperties":false,"type":"object","properties":{"experimental_data_stream_features":{"items":{"additionalProperties":false,"type":"object","properties":{"data_stream":{"type":"string"},"features":{"additionalProperties":false,"type":"object","properties":{"doc_value_only_numeric":{"type":"boolean"},"doc_value_only_other":{"type":"boolean"},"synthetic_source":{"type":"boolean"},"tsdb":{"type":"boolean"}}}},"required":["data_stream","features"]},"maxItems":100,"type":"array"},"fips_compatible":{"type":"boolean"},"name":{"description":"Package name","type":"string"},"requires_root":{"type":"boolean"},"title":{"type":"string"},"version":{"description":"Package version","type":"string"}},"required":["name","version"]},"policy_template":{"description":"The policy template to use for the agentless package policy. If not provided, the default policy template will be used.","type":"string"},"vars":{"additionalProperties":{"anyOf":[{"type":"boolean"},{"type":"string"},{"type":"number"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input/stream level variable. Refer to the integration documentation for more information.","type":"object"}},"required":["name","package"]}}}},"responses":{"200":{"content":{"application/json":{"examples":{"createAgentlessPoliciesResponseExample":{"description":"Example response showing the successful result of communication initialisation over MCP protocol","value":{"item":{"created_at":"2025-11-06T18:27:43.541Z","created_by":"test_user","description":"test","enabled":true,"id":"d52a7812-5736-4fdc-aed8-72152afa1ffa","inputs":{"ESS Billing-cel":{"enabled":true,"streams":{"ess_billing.billing":{"enabled":true,"vars":{"hide_sensitive":true,"http_client_timeout":"30s","lookbehind":365,"tags":["forwarded","billing"]}},"ess_billing.credits":{"enabled":false}},"vars":{"api_key":{"id":"QY1sWpoBbWcMW-edr0Ee","isSecretRef":true},"organization_id":"1234","url":"https://billing.elastic-cloud.com"}}},"name":"ess_billing-1","namespace":"default","package":{"name":"ess_billing","title":"Elasticsearch Service Billing","version":"1.6.0"},"revision":1,"secret_references":[{"id":"QY1sWpoBbWcMW-edr0Ee"}],"supports_agentless":true,"updated_at":"2025-11-06T18:27:43.541Z","updated_by":"test_user","version":"WzE0OTgsMV0="}}},"createAgentlessPoliciesWithAWSCloudConnectorResponseExample":{"description":"Example response for AWS cloud connector integration","value":{"item":{"cloud_connector_id":"aws-connector-67890","created_at":"2025-11-06T18:27:43.541Z","created_by":"test_user","description":"CSPM integration for AWS with cloud connector","enabled":true,"id":"aws-policy-12345","inputs":{"cspm-cloudbeat/cis_aws":{"enabled":true,"streams":{"cloud_security_posture.findings":{"enabled":true,"vars":{"aws.account_type":"organization-account","aws.credentials.type":"cloud_connector","external_id":{"id":"secret-external-id-123","isSecretRef":true},"role_arn":"arn:aws:iam::123456789012:role/TestRole"}}},"vars":{"cloud_formation_template":"https://console.aws.amazon.com/cloudformation/home#/stacks/quickcreate?templateURL=https://elastic-cspm-cft.s3.eu-central-1.amazonaws.com/cloudformation-cspm-ACCOUNT_TYPE-9.2.0.yml"}},"cspm-cloudbeat/cis_azure":{"enabled":false},"cspm-cloudbeat/cis_gcp":{"enabled":false}},"name":"cspm-aws-policy","namespace":"default","package":{"name":"cloud_security_posture","title":"Cloud Security Posture Management","version":"3.1.1"},"revision":1,"secret_references":[{"id":"secret-external-id-123"}],"supports_agentless":true,"supports_cloud_connector":true,"updated_at":"2025-11-06T18:27:43.541Z","updated_by":"test_user","vars":{"deployment":"aws","posture":"cspm"},"version":"WzE0OTgsMV0="}}},"createAgentlessPoliciesWithAzureCloudConnectorResponseExample":{"description":"Example response for Azure cloud connector integration","value":{"item":{"cloud_connector_id":"azure-connector-67890","created_at":"2025-11-06T18:27:43.541Z","created_by":"test_user","description":"CSPM integration for Azure with cloud connector","enabled":true,"id":"azure-policy-12345","inputs":{"cspm-cloudbeat/cis_aws":{"enabled":false},"cspm-cloudbeat/cis_azure":{"enabled":true,"streams":{"cloud_security_posture.findings":{"enabled":true,"vars":{"azure_credentials_cloud_connector_id":{"type":"text","value":"existing-azure-credentials-connector-id"},"azure.account_type":"organization-account","client_id":{"id":"client-secret-id-456","isSecretRef":true},"tenant_id":{"id":"tenant-secret-id-123","isSecretRef":true}}}}},"cspm-cloudbeat/cis_gcp":{"enabled":false}},"name":"cspm-azure-policy","namespace":"default","package":{"name":"cloud_security_posture","title":"Cloud Security Posture Management","version":"3.1.1"},"revision":1,"secret_references":[{"id":"tenant-secret-id-123"},{"id":"client-secret-id-456"}],"supports_agentless":true,"supports_cloud_connector":true,"updated_at":"2025-11-06T18:27:43.541Z","updated_by":"test_user","vars":{"deployment":"azure","posture":"cspm"},"version":"WzE0OTgsMV0="}}}},"schema":{"additionalProperties":false,"type":"object","properties":{"item":{"additionalProperties":false,"description":"The created agentless package policy.","type":"object","properties":{"additional_datastreams_permissions":{"description":"Additional datastream permissions, that will be added to the agent policy.","items":{"type":"string"},"maxItems":1000,"nullable":true,"type":"array"},"agents":{"type":"number"},"cloud_connector_id":{"description":"ID of the cloud connector associated with this package policy.","nullable":true,"type":"string"},"cloud_connector_name":{"description":"Transient field for cloud connector name during creation.","maxLength":255,"minLength":1,"nullable":true,"type":"string"},"created_at":{"type":"string"},"created_by":{"type":"string"},"description":{"description":"Package policy description","type":"string"},"elasticsearch":{"additionalProperties":true,"type":"object","properties":{"privileges":{"additionalProperties":true,"type":"object","properties":{"cluster":{"items":{"type":"string"},"maxItems":100,"type":"array"}}}}},"enabled":{"type":"boolean"},"id":{"description":"Package policy unique identifier.","type":"string"},"inputs":{"anyOf":[{"items":{"additionalProperties":false,"type":"object","properties":{"compiled_input":{},"config":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"},"enabled":{"type":"boolean"},"id":{"type":"string"},"keep_enabled":{"type":"boolean"},"policy_template":{"type":"string"},"streams":{"items":{"additionalProperties":false,"type":"object","properties":{"compiled_stream":{},"config":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"},"data_stream":{"additionalProperties":false,"type":"object","properties":{"dataset":{"type":"string"},"elasticsearch":{"additionalProperties":false,"type":"object","properties":{"dynamic_dataset":{"type":"boolean"},"dynamic_namespace":{"type":"boolean"},"privileges":{"additionalProperties":false,"type":"object","properties":{"indices":{"items":{"type":"string"},"maxItems":100,"type":"array"}}}}},"type":{"type":"string"}},"required":["dataset","type"]},"enabled":{"type":"boolean"},"id":{"type":"string"},"keep_enabled":{"type":"boolean"},"release":{"enum":["ga","beta","experimental"],"type":"string"},"vars":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"}},"required":["enabled","data_stream","compiled_stream"]},"maxItems":100,"type":"array"},"type":{"type":"string"},"vars":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"}},"required":["type","enabled","streams","compiled_input"]},"maxItems":100,"type":"array"},{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"enabled":{"description":"Enable or disable that input. Defaults to `true` (enabled).","type":"boolean"},"streams":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"enabled":{"description":"Enable or disable that stream. Defaults to `true` (enabled).","type":"boolean"},"vars":{"additionalProperties":{"anyOf":[{"type":"boolean"},{"type":"string"},{"type":"number"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input/stream level variable. Refer to the integration documentation for more information.","type":"object"}}},"description":"Input streams. Refer to the integration documentation to know which streams are available.","type":"object"},"vars":{"additionalProperties":{"anyOf":[{"type":"boolean"},{"type":"string"},{"type":"number"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input/stream level variable. Refer to the integration documentation for more information.","type":"object"}}},"description":"Package policy inputs. Refer to the integration documentation to know which inputs are available.","type":"object","x-oas-optional":true}],"description":"Package policy inputs."},"is_managed":{"type":"boolean"},"name":{"description":"Unique name for the package policy.","type":"string"},"namespace":{"description":"The package policy namespace. Leave blank to inherit the agent policy's namespace.","type":"string"},"output_id":{"nullable":true,"type":"string"},"overrides":{"additionalProperties":false,"description":"Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.","nullable":true,"type":"object","properties":{"inputs":{"additionalProperties":{},"type":"object"}}},"package":{"additionalProperties":false,"type":"object","properties":{"experimental_data_stream_features":{"items":{"additionalProperties":false,"type":"object","properties":{"data_stream":{"type":"string"},"features":{"additionalProperties":false,"type":"object","properties":{"doc_value_only_numeric":{"type":"boolean"},"doc_value_only_other":{"type":"boolean"},"synthetic_source":{"type":"boolean"},"tsdb":{"type":"boolean"}}}},"required":["data_stream","features"]},"maxItems":100,"type":"array"},"fips_compatible":{"type":"boolean"},"name":{"description":"Package name","type":"string"},"requires_root":{"type":"boolean"},"title":{"type":"string"},"version":{"description":"Package version","type":"string"}},"required":["name","version"]},"policy_id":{"deprecated":true,"description":"ID of the agent policy which the package policy will be added to.","nullable":true,"type":"string"},"policy_ids":{"items":{"description":"IDs of the agent policies which that package policy will be added to.","type":"string"},"type":"array"},"revision":{"description":"Package policy revision.","type":"number"},"secret_references":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},"maxItems":100,"type":"array"},"spaceIds":{"items":{"type":"string"},"maxItems":100,"type":"array"},"supports_agentless":{"default":false,"description":"Indicates whether the package policy belongs to an agentless agent policy.","nullable":true,"type":"boolean"},"supports_cloud_connector":{"default":false,"description":"Indicates whether the package policy supports cloud connectors.","nullable":true,"type":"boolean"},"updated_at":{"type":"string"},"updated_by":{"type":"string"},"vars":{"anyOf":[{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"},{"additionalProperties":{"anyOf":[{"type":"boolean"},{"type":"string"},{"type":"number"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input/stream level variable. Refer to the integration documentation for more information.","type":"object","x-oas-optional":true}],"description":"Package level variable."},"version":{"description":"Package policy ES version.","type":"string"}},"required":["name","enabled","inputs","id","revision","updated_at","updated_by","created_at","created_by"]}},"required":["item"]}}},"description":"Indicates a successful response"},"400":{"content":{"application/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"},"409":{"content":{"application/json":{"examples":{"conflictErrorResponseExample":{"description":"Example of a conflict error response","value":{"error":"Conflict","message":"An error message describing what went wrong","statusCode":409}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Conflict"}},"summary":"Create an agentless policy","tags":["Fleet agentless policies"],"x-state":"Technical Preview; added in 9.3.0","x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/agentless_policies/{policyId}":{"delete":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb delete\"\u003edelete\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/agentless_policies/{policyId}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nDelete an agentless policy","operationId":"delete-fleet-agentless-policies-policyid","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"The ID of the policy to delete.","in":"path","name":"policyId","required":true,"schema":{"type":"string"}},{"description":"Force delete the policy even if the policy is managed.","in":"query","name":"force","required":false,"schema":{"type":"boolean"}}],"responses":{"200":{"content":{"application/json":{"examples":{"createAgentlessPoliciesResponseExample":{"description":"Example response showing the successful result of communication initialisation over MCP protocol","value":{"item":{"id":"d52a7812-5736-4fdc-aed8-72152afa1ffa"}}}},"schema":{"additionalProperties":false,"description":"Response for deleting an agentless package policy.","type":"object","properties":{"id":{"description":"The ID of the deleted agentless package policy.","type":"string"}},"required":["id"]}}},"description":"Indicates a successful response"},"400":{"content":{"application/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"},"409":{"content":{"application/json":{"examples":{"conflictErrorResponseExample":{"description":"Example of a conflict error response","value":{"error":"Conflict","message":"An error message describing what went wrong","statusCode":409}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Conflict"}},"summary":"Delete an agentless policy","tags":["Fleet agentless policies"],"x-state":"Technical Preview; added in 9.3.0","x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/agents":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/agents\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: fleet-agents-read.","operationId":"get-fleet-agents","parameters":[{"in":"query","name":"page","required":false,"schema":{"type":"number"}},{"in":"query","name":"perPage","required":false,"schema":{"default":20,"type":"number"}},{"in":"query","name":"kuery","required":false,"schema":{"type":"string"}},{"in":"query","name":"showAgentless","required":false,"schema":{"default":true,"type":"boolean"}},{"in":"query","name":"showInactive","required":false,"schema":{"default":false,"type":"boolean"}},{"in":"query","name":"withMetrics","required":false,"schema":{"default":false,"type":"boolean"}},{"in":"query","name":"showUpgradeable","required":false,"schema":{"default":false,"type":"boolean"}},{"in":"query","name":"getStatusSummary","required":false,"schema":{"default":false,"type":"boolean"}},{"in":"query","name":"sortField","required":false,"schema":{"type":"string"}},{"in":"query","name":"sortOrder","required":false,"schema":{"enum":["asc","desc"],"type":"string"}},{"in":"query","name":"searchAfter","required":false,"schema":{"type":"string"}},{"in":"query","name":"openPit","required":false,"schema":{"type":"boolean"}},{"in":"query","name":"pitId","required":false,"schema":{"type":"string"}},{"in":"query","name":"pitKeepAlive","required":false,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"items":{"items":{"additionalProperties":false,"type":"object","properties":{"access_api_key":{"type":"string"},"access_api_key_id":{"type":"string"},"active":{"type":"boolean"},"agent":{"additionalProperties":true,"type":"object","properties":{"id":{"type":"string"},"version":{"type":"string"}},"required":["id","version"]},"audit_unenrolled_reason":{"type":"string"},"components":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"message":{"type":"string"},"status":{"enum":["STARTING","CONFIGURING","HEALTHY","DEGRADED","FAILED","STOPPING","STOPPED"],"type":"string"},"type":{"type":"string"},"units":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"message":{"type":"string"},"payload":{"additionalProperties":{},"type":"object"},"status":{"enum":["STARTING","CONFIGURING","HEALTHY","DEGRADED","FAILED","STOPPING","STOPPED"],"type":"string"},"type":{"enum":["input","output",""],"type":"string"}},"required":["id","type","status","message"]},"maxItems":10000,"type":"array"}},"required":["id","type","status","message"]},"maxItems":10000,"type":"array"},"default_api_key":{"type":"string"},"default_api_key_history":{"items":{"additionalProperties":false,"deprecated":true,"type":"object","properties":{"id":{"type":"string"},"retired_at":{"type":"string"}},"required":["id","retired_at"]},"maxItems":100,"type":"array"},"default_api_key_id":{"type":"string"},"enrolled_at":{"type":"string"},"id":{"type":"string"},"last_checkin":{"type":"string"},"last_checkin_message":{"type":"string"},"last_checkin_status":{"enum":["error","online","degraded","updating","starting"],"type":"string"},"last_known_status":{"enum":["offline","error","online","inactive","enrolling","unenrolling","unenrolled","updating","degraded","uninstalled","orphaned"],"type":"string"},"local_metadata":{"additionalProperties":{},"type":"object"},"metrics":{"additionalProperties":false,"type":"object","properties":{"cpu_avg":{"type":"number"},"memory_size_byte_avg":{"type":"number"}}},"namespaces":{"items":{"type":"string"},"maxItems":100,"type":"array"},"outputs":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"api_key_id":{"type":"string"},"to_retire_api_key_ids":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"retired_at":{"type":"string"}},"required":["id","retired_at"]},"maxItems":100,"type":"array"},"type":{"type":"string"}}},"type":"object"},"packages":{"items":{"type":"string"},"maxItems":10000,"type":"array"},"policy_id":{"type":"string"},"policy_revision":{"nullable":true,"type":"number"},"sort":{"items":{},"maxItems":10,"type":"array"},"status":{"enum":["offline","error","online","inactive","enrolling","unenrolling","unenrolled","updating","degraded","uninstalled","orphaned"],"type":"string"},"tags":{"items":{"type":"string"},"maxItems":100,"type":"array"},"type":{"enum":["PERMANENT","EPHEMERAL","TEMPORARY"],"type":"string"},"unenrolled_at":{"type":"string"},"unenrollment_started_at":{"type":"string"},"unhealthy_reason":{"items":{"enum":["input","output","other"],"type":"string"},"maxItems":3,"nullable":true,"type":"array"},"upgrade":{"additionalProperties":false,"type":"object","properties":{"rollbacks":{"items":{"additionalProperties":false,"type":"object","properties":{"valid_until":{"type":"string"},"version":{"type":"string"}},"required":["valid_until","version"]},"maxItems":100,"type":"array"}}},"upgrade_attempts":{"items":{"type":"string"},"maxItems":10000,"nullable":true,"type":"array"},"upgrade_details":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"action_id":{"type":"string"},"metadata":{"additionalProperties":false,"type":"object","properties":{"download_percent":{"type":"number"},"download_rate":{"type":"number"},"error_msg":{"type":"string"},"failed_state":{"enum":["UPG_REQUESTED","UPG_SCHEDULED","UPG_DOWNLOADING","UPG_EXTRACTING","UPG_REPLACING","UPG_RESTARTING","UPG_FAILED","UPG_WATCHING","UPG_ROLLBACK"],"type":"string"},"reason":{"type":"string"},"retry_error_msg":{"type":"string"},"retry_until":{"type":"string"},"scheduled_at":{"type":"string"}}},"state":{"enum":["UPG_REQUESTED","UPG_SCHEDULED","UPG_DOWNLOADING","UPG_EXTRACTING","UPG_REPLACING","UPG_RESTARTING","UPG_FAILED","UPG_WATCHING","UPG_ROLLBACK"],"type":"string"},"target_version":{"type":"string"}},"required":["target_version","action_id","state"]},"upgrade_started_at":{"nullable":true,"type":"string"},"upgraded_at":{"nullable":true,"type":"string"},"user_provided_metadata":{"additionalProperties":{},"type":"object"}},"required":["id","packages","type","active","enrolled_at","local_metadata"]},"maxItems":10000,"type":"array"},"nextSearchAfter":{"type":"string"},"page":{"type":"number"},"perPage":{"type":"number"},"pit":{"type":"string"},"statusSummary":{"additionalProperties":{"type":"number"},"type":"object"},"total":{"type":"number"}},"required":["items","total","page","perPage"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Get agents","tags":["Elastic Agents"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/agents\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: fleet-agents-read.","operationId":"post-fleet-agents","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"actionIds":{"items":{"type":"string"},"maxItems":1000,"type":"array"}},"required":["actionIds"]}}}},"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"items":{"items":{"type":"string"},"maxItems":10000,"type":"array"}},"required":["items"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Get agents by action ids","tags":["Elastic Agents"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/agents/{agentId}":{"delete":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb delete\"\u003edelete\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/agents/{agentId}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nDelete an agent by ID.\u003cbr/\u003e\u003cbr/\u003e[Required authorization] Route required privileges: fleet-agents-all.","operationId":"delete-fleet-agents-agentid","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"agentId","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"action":{"enum":["deleted"],"type":"string"}},"required":["action"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Delete an agent","tags":["Elastic Agents"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/agents/{agentId}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nGet an agent by ID.\u003cbr/\u003e\u003cbr/\u003e[Required authorization] Route required privileges: fleet-agents-read.","operationId":"get-fleet-agents-agentid","parameters":[{"in":"path","name":"agentId","required":true,"schema":{"type":"string"}},{"in":"query","name":"withMetrics","required":false,"schema":{"default":false,"type":"boolean"}}],"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"item":{"additionalProperties":false,"type":"object","properties":{"access_api_key":{"type":"string"},"access_api_key_id":{"type":"string"},"active":{"type":"boolean"},"agent":{"additionalProperties":true,"type":"object","properties":{"id":{"type":"string"},"version":{"type":"string"}},"required":["id","version"]},"audit_unenrolled_reason":{"type":"string"},"components":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"message":{"type":"string"},"status":{"enum":["STARTING","CONFIGURING","HEALTHY","DEGRADED","FAILED","STOPPING","STOPPED"],"type":"string"},"type":{"type":"string"},"units":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"message":{"type":"string"},"payload":{"additionalProperties":{},"type":"object"},"status":{"enum":["STARTING","CONFIGURING","HEALTHY","DEGRADED","FAILED","STOPPING","STOPPED"],"type":"string"},"type":{"enum":["input","output",""],"type":"string"}},"required":["id","type","status","message"]},"maxItems":10000,"type":"array"}},"required":["id","type","status","message"]},"maxItems":10000,"type":"array"},"default_api_key":{"type":"string"},"default_api_key_history":{"items":{"additionalProperties":false,"deprecated":true,"type":"object","properties":{"id":{"type":"string"},"retired_at":{"type":"string"}},"required":["id","retired_at"]},"maxItems":100,"type":"array"},"default_api_key_id":{"type":"string"},"enrolled_at":{"type":"string"},"id":{"type":"string"},"last_checkin":{"type":"string"},"last_checkin_message":{"type":"string"},"last_checkin_status":{"enum":["error","online","degraded","updating","starting"],"type":"string"},"last_known_status":{"enum":["offline","error","online","inactive","enrolling","unenrolling","unenrolled","updating","degraded","uninstalled","orphaned"],"type":"string"},"local_metadata":{"additionalProperties":{},"type":"object"},"metrics":{"additionalProperties":false,"type":"object","properties":{"cpu_avg":{"type":"number"},"memory_size_byte_avg":{"type":"number"}}},"namespaces":{"items":{"type":"string"},"maxItems":100,"type":"array"},"outputs":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"api_key_id":{"type":"string"},"to_retire_api_key_ids":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"retired_at":{"type":"string"}},"required":["id","retired_at"]},"maxItems":100,"type":"array"},"type":{"type":"string"}}},"type":"object"},"packages":{"items":{"type":"string"},"maxItems":10000,"type":"array"},"policy_id":{"type":"string"},"policy_revision":{"nullable":true,"type":"number"},"sort":{"items":{},"maxItems":10,"type":"array"},"status":{"enum":["offline","error","online","inactive","enrolling","unenrolling","unenrolled","updating","degraded","uninstalled","orphaned"],"type":"string"},"tags":{"items":{"type":"string"},"maxItems":100,"type":"array"},"type":{"enum":["PERMANENT","EPHEMERAL","TEMPORARY"],"type":"string"},"unenrolled_at":{"type":"string"},"unenrollment_started_at":{"type":"string"},"unhealthy_reason":{"items":{"enum":["input","output","other"],"type":"string"},"maxItems":3,"nullable":true,"type":"array"},"upgrade":{"additionalProperties":false,"type":"object","properties":{"rollbacks":{"items":{"additionalProperties":false,"type":"object","properties":{"valid_until":{"type":"string"},"version":{"type":"string"}},"required":["valid_until","version"]},"maxItems":100,"type":"array"}}},"upgrade_attempts":{"items":{"type":"string"},"maxItems":10000,"nullable":true,"type":"array"},"upgrade_details":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"action_id":{"type":"string"},"metadata":{"additionalProperties":false,"type":"object","properties":{"download_percent":{"type":"number"},"download_rate":{"type":"number"},"error_msg":{"type":"string"},"failed_state":{"enum":["UPG_REQUESTED","UPG_SCHEDULED","UPG_DOWNLOADING","UPG_EXTRACTING","UPG_REPLACING","UPG_RESTARTING","UPG_FAILED","UPG_WATCHING","UPG_ROLLBACK"],"type":"string"},"reason":{"type":"string"},"retry_error_msg":{"type":"string"},"retry_until":{"type":"string"},"scheduled_at":{"type":"string"}}},"state":{"enum":["UPG_REQUESTED","UPG_SCHEDULED","UPG_DOWNLOADING","UPG_EXTRACTING","UPG_REPLACING","UPG_RESTARTING","UPG_FAILED","UPG_WATCHING","UPG_ROLLBACK"],"type":"string"},"target_version":{"type":"string"}},"required":["target_version","action_id","state"]},"upgrade_started_at":{"nullable":true,"type":"string"},"upgraded_at":{"nullable":true,"type":"string"},"user_provided_metadata":{"additionalProperties":{},"type":"object"}},"required":["id","packages","type","active","enrolled_at","local_metadata"]}},"required":["item"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Get an agent","tags":["Elastic Agents"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"put":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb put\"\u003eput\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/agents/{agentId}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nUpdate an agent by ID.\u003cbr/\u003e\u003cbr/\u003e[Required authorization] Route required privileges: fleet-agents-all.","operationId":"put-fleet-agents-agentid","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"agentId","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"tags":{"items":{"type":"string"},"maxItems":10,"type":"array"},"user_provided_metadata":{"additionalProperties":{},"type":"object"}}}}}},"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"item":{"additionalProperties":false,"type":"object","properties":{"access_api_key":{"type":"string"},"access_api_key_id":{"type":"string"},"active":{"type":"boolean"},"agent":{"additionalProperties":true,"type":"object","properties":{"id":{"type":"string"},"version":{"type":"string"}},"required":["id","version"]},"audit_unenrolled_reason":{"type":"string"},"components":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"message":{"type":"string"},"status":{"enum":["STARTING","CONFIGURING","HEALTHY","DEGRADED","FAILED","STOPPING","STOPPED"],"type":"string"},"type":{"type":"string"},"units":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"message":{"type":"string"},"payload":{"additionalProperties":{},"type":"object"},"status":{"enum":["STARTING","CONFIGURING","HEALTHY","DEGRADED","FAILED","STOPPING","STOPPED"],"type":"string"},"type":{"enum":["input","output",""],"type":"string"}},"required":["id","type","status","message"]},"maxItems":10000,"type":"array"}},"required":["id","type","status","message"]},"maxItems":10000,"type":"array"},"default_api_key":{"type":"string"},"default_api_key_history":{"items":{"additionalProperties":false,"deprecated":true,"type":"object","properties":{"id":{"type":"string"},"retired_at":{"type":"string"}},"required":["id","retired_at"]},"maxItems":100,"type":"array"},"default_api_key_id":{"type":"string"},"enrolled_at":{"type":"string"},"id":{"type":"string"},"last_checkin":{"type":"string"},"last_checkin_message":{"type":"string"},"last_checkin_status":{"enum":["error","online","degraded","updating","starting"],"type":"string"},"last_known_status":{"enum":["offline","error","online","inactive","enrolling","unenrolling","unenrolled","updating","degraded","uninstalled","orphaned"],"type":"string"},"local_metadata":{"additionalProperties":{},"type":"object"},"metrics":{"additionalProperties":false,"type":"object","properties":{"cpu_avg":{"type":"number"},"memory_size_byte_avg":{"type":"number"}}},"namespaces":{"items":{"type":"string"},"maxItems":100,"type":"array"},"outputs":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"api_key_id":{"type":"string"},"to_retire_api_key_ids":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"retired_at":{"type":"string"}},"required":["id","retired_at"]},"maxItems":100,"type":"array"},"type":{"type":"string"}}},"type":"object"},"packages":{"items":{"type":"string"},"maxItems":10000,"type":"array"},"policy_id":{"type":"string"},"policy_revision":{"nullable":true,"type":"number"},"sort":{"items":{},"maxItems":10,"type":"array"},"status":{"enum":["offline","error","online","inactive","enrolling","unenrolling","unenrolled","updating","degraded","uninstalled","orphaned"],"type":"string"},"tags":{"items":{"type":"string"},"maxItems":100,"type":"array"},"type":{"enum":["PERMANENT","EPHEMERAL","TEMPORARY"],"type":"string"},"unenrolled_at":{"type":"string"},"unenrollment_started_at":{"type":"string"},"unhealthy_reason":{"items":{"enum":["input","output","other"],"type":"string"},"maxItems":3,"nullable":true,"type":"array"},"upgrade":{"additionalProperties":false,"type":"object","properties":{"rollbacks":{"items":{"additionalProperties":false,"type":"object","properties":{"valid_until":{"type":"string"},"version":{"type":"string"}},"required":["valid_until","version"]},"maxItems":100,"type":"array"}}},"upgrade_attempts":{"items":{"type":"string"},"maxItems":10000,"nullable":true,"type":"array"},"upgrade_details":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"action_id":{"type":"string"},"metadata":{"additionalProperties":false,"type":"object","properties":{"download_percent":{"type":"number"},"download_rate":{"type":"number"},"error_msg":{"type":"string"},"failed_state":{"enum":["UPG_REQUESTED","UPG_SCHEDULED","UPG_DOWNLOADING","UPG_EXTRACTING","UPG_REPLACING","UPG_RESTARTING","UPG_FAILED","UPG_WATCHING","UPG_ROLLBACK"],"type":"string"},"reason":{"type":"string"},"retry_error_msg":{"type":"string"},"retry_until":{"type":"string"},"scheduled_at":{"type":"string"}}},"state":{"enum":["UPG_REQUESTED","UPG_SCHEDULED","UPG_DOWNLOADING","UPG_EXTRACTING","UPG_REPLACING","UPG_RESTARTING","UPG_FAILED","UPG_WATCHING","UPG_ROLLBACK"],"type":"string"},"target_version":{"type":"string"}},"required":["target_version","action_id","state"]},"upgrade_started_at":{"nullable":true,"type":"string"},"upgraded_at":{"nullable":true,"type":"string"},"user_provided_metadata":{"additionalProperties":{},"type":"object"}},"required":["id","packages","type","active","enrolled_at","local_metadata"]}},"required":["item"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Update an agent by ID","tags":["Elastic Agents"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/agents/{agentId}/actions":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/agents/{agentId}/actions\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: fleet-agents-all.","operationId":"post-fleet-agents-agentid-actions","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"agentId","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"action":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"ack_data":{},"data":{},"type":{"enum":["UNENROLL","UPGRADE","POLICY_REASSIGN"],"type":"string"}},"required":["type","data","ack_data"]},{"additionalProperties":false,"type":"object","properties":{"data":{"additionalProperties":false,"type":"object","properties":{"log_level":{"enum":["debug","info","warning","error"],"nullable":true,"type":"string"}},"required":["log_level"]},"type":{"enum":["SETTINGS"],"type":"string"}},"required":["type","data"]}]}},"required":["action"]}}}},"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"item":{"additionalProperties":false,"type":"object","properties":{"ack_data":{},"agents":{"items":{"type":"string"},"maxItems":10000,"type":"array"},"created_at":{"type":"string"},"data":{},"expiration":{"type":"string"},"id":{"type":"string"},"minimum_execution_duration":{"type":"number"},"namespaces":{"items":{"type":"string"},"maxItems":100,"type":"array"},"rollout_duration_seconds":{"type":"number"},"sent_at":{"type":"string"},"source_uri":{"type":"string"},"start_time":{"type":"string"},"total":{"type":"number"},"type":{"type":"string"}},"required":["id","type","data","created_at","ack_data"]}},"required":["item"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Create an agent action","tags":["Elastic Agent actions"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/agents/{agentId}/migrate":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/agents/{agentId}/migrate\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nMigrate a single agent to another cluster.\u003cbr/\u003e\u003cbr/\u003e[Required authorization] Route required privileges: fleet-agents-all.","operationId":"post-fleet-agents-agentid-migrate","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"agentId","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"enrollment_token":{"type":"string"},"settings":{"additionalProperties":false,"type":"object","properties":{"ca_sha256":{"type":"string"},"certificate_authorities":{"type":"string"},"elastic_agent_cert":{"type":"string"},"elastic_agent_cert_key":{"type":"string"},"elastic_agent_cert_key_passphrase":{"type":"string"},"headers":{"additionalProperties":{"type":"string"},"type":"object"},"insecure":{"type":"boolean"},"proxy_disabled":{"type":"boolean"},"proxy_headers":{"additionalProperties":{"type":"string"},"type":"object"},"proxy_url":{"type":"string"},"replace_token":{"type":"string"},"staging":{"type":"string"},"tags":{"items":{"type":"string"},"maxItems":10,"type":"array"}}},"uri":{"format":"uri","type":"string"}},"required":["uri","enrollment_token"]}}}},"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"actionId":{"type":"string"}},"required":["actionId"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Migrate a single agent","tags":["Elastic Agents"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/agents/{agentId}/privilege_level_change":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/agents/{agentId}/privilege_level_change\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nChange the privilege level of a single agent to unprivileged.\u003cbr/\u003e\u003cbr/\u003e[Required authorization] Route required privileges: fleet-agents-all.","operationId":"post-fleet-agents-agentid-privilege-level-change","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"The agent ID to change privilege level for","in":"path","name":"agentId","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"examples":{"changeAgentPrivilegeLevelRequest":{"value":{"user_info":{"groupname":"groupname","password":"password","username":"username"}}}},"schema":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"user_info":{"additionalProperties":false,"type":"object","properties":{"groupname":{"type":"string"},"password":{"type":"string"},"username":{"type":"string"}}}}}}}},"responses":{"200":{"content":{"application/json":{"examples":{"successResponse":{"value":{"actionId":"actionId"}}},"schema":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"actionId":{"type":"string"}},"required":["actionId"]},{"additionalProperties":false,"type":"object","properties":{"message":{"type":"string"}},"required":["message"]}]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"examples":{"badRequestResponse":{"value":{"message":"Bad Request"}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Change agent privilege level","tags":["Elastic Agents"],"x-state":"Technical Preview; added in 9.3.0","x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/agents/{agentId}/reassign":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/agents/{agentId}/reassign\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: fleet-agents-all.","operationId":"post-fleet-agents-agentid-reassign","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"agentId","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"policy_id":{"type":"string"}},"required":["policy_id"]}}}},"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{}}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Reassign an agent","tags":["Elastic Agent actions"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/agents/{agentId}/request_diagnostics":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/agents/{agentId}/request_diagnostics\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: fleet-agents-read.","operationId":"post-fleet-agents-agentid-request-diagnostics","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"agentId","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"additional_metrics":{"items":{"enum":["CPU"],"type":"string"},"maxItems":1,"type":"array"}}}}}},"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"actionId":{"type":"string"}},"required":["actionId"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Request agent diagnostics","tags":["Elastic Agent actions"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/agents/{agentId}/rollback":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/agents/{agentId}/rollback\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nRollback an agent to the previous version.\u003cbr/\u003e\u003cbr/\u003e[Required authorization] Route required privileges: fleet-agents-all.","operationId":"post-fleet-agents-agentid-rollback","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"The agent ID to rollback","in":"path","name":"agentId","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application/json":{"examples":{"successResponse":{"value":{"actionId":"actionId"}}},"schema":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"actionId":{"type":"string"}},"required":["actionId"]},{"additionalProperties":false,"type":"object","properties":{"message":{"type":"string"}},"required":["message"]}]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"examples":{"badRequestResponse":{"value":{"message":"Bad Request"}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Rollback an agent","tags":["Elastic Agent actions"],"x-state":"Technical Preview; added in 9.4.0","x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/agents/{agentId}/unenroll":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/agents/{agentId}/unenroll\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: fleet-agents-all.","operationId":"post-fleet-agents-agentid-unenroll","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"agentId","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"force":{"type":"boolean"},"revoke":{"type":"boolean"}}}}}},"responses":{},"summary":"Unenroll an agent","tags":["Elastic Agent actions"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/agents/{agentId}/upgrade":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/agents/{agentId}/upgrade\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: fleet-agents-all.","operationId":"post-fleet-agents-agentid-upgrade","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"agentId","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"force":{"type":"boolean"},"skipRateLimitCheck":{"type":"boolean"},"source_uri":{"type":"string"},"version":{"type":"string"}},"required":["version"]}}}},"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{}}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Upgrade an agent","tags":["Elastic Agent actions"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/agents/{agentId}/uploads":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/agents/{agentId}/uploads\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: fleet-agents-read.","operationId":"get-fleet-agents-agentid-uploads","parameters":[{"in":"path","name":"agentId","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"items":{"items":{"additionalProperties":false,"type":"object","properties":{"actionId":{"type":"string"},"createTime":{"type":"string"},"error":{"type":"string"},"filePath":{"type":"string"},"id":{"type":"string"},"name":{"type":"string"},"status":{"enum":["READY","AWAITING_UPLOAD","DELETED","EXPIRED","IN_PROGRESS","FAILED"],"type":"string"}},"required":["id","name","filePath","createTime","status","actionId"]},"maxItems":10000,"type":"array"}},"required":["items"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Get agent uploads","tags":["Elastic Agents"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/agents/action_status":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/agents/action_status\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: fleet-agents-read.","operationId":"get-fleet-agents-action-status","parameters":[{"in":"query","name":"page","required":false,"schema":{"default":0,"type":"number"}},{"in":"query","name":"perPage","required":false,"schema":{"default":20,"type":"number"}},{"in":"query","name":"date","required":false,"schema":{"type":"string"}},{"in":"query","name":"latest","required":false,"schema":{"type":"number"}},{"in":"query","name":"errorSize","required":false,"schema":{"default":5,"type":"number"}}],"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"items":{"items":{"additionalProperties":false,"type":"object","properties":{"actionId":{"type":"string"},"cancellationTime":{"type":"string"},"completionTime":{"type":"string"},"creationTime":{"description":"creation time of action","type":"string"},"expiration":{"type":"string"},"hasRolloutPeriod":{"type":"boolean"},"is_automatic":{"type":"boolean"},"latestErrors":{"items":{"additionalProperties":false,"description":"latest errors that happened when the agents executed the action","type":"object","properties":{"agentId":{"type":"string"},"error":{"type":"string"},"hostname":{"type":"string"},"timestamp":{"type":"string"}},"required":["agentId","error","timestamp"]},"maxItems":10,"type":"array"},"nbAgentsAck":{"description":"number of agents that acknowledged the action","type":"number"},"nbAgentsActionCreated":{"description":"number of agents included in action from kibana","type":"number"},"nbAgentsActioned":{"description":"number of agents actioned","type":"number"},"nbAgentsFailed":{"description":"number of agents that failed to execute the action","type":"number"},"newPolicyId":{"description":"new policy id (POLICY_REASSIGN action)","type":"string"},"policyId":{"description":"policy id (POLICY_CHANGE action)","type":"string"},"revision":{"description":"new policy revision (POLICY_CHANGE action)","type":"number"},"startTime":{"description":"start time of action (scheduled actions)","type":"string"},"status":{"enum":["COMPLETE","EXPIRED","CANCELLED","FAILED","IN_PROGRESS","ROLLOUT_PASSED"],"type":"string"},"type":{"enum":["UPGRADE","UNENROLL","SETTINGS","POLICY_REASSIGN","CANCEL","FORCE_UNENROLL","REQUEST_DIAGNOSTICS","UPDATE_TAGS","POLICY_CHANGE","INPUT_ACTION","MIGRATE","PRIVILEGE_LEVEL_CHANGE"],"type":"string"},"version":{"description":"agent version number (UPGRADE action)","type":"string"}},"required":["actionId","nbAgentsActionCreated","nbAgentsAck","nbAgentsFailed","type","nbAgentsActioned","status","creationTime"]},"maxItems":10000,"type":"array"}},"required":["items"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Get an agent action status","tags":["Elastic Agent actions"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/agents/actions/{actionId}/cancel":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/agents/actions/{actionId}/cancel\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: fleet-agents-all.","operationId":"post-fleet-agents-actions-actionid-cancel","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"actionId","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"item":{"additionalProperties":false,"type":"object","properties":{"ack_data":{},"agents":{"items":{"type":"string"},"maxItems":10000,"type":"array"},"created_at":{"type":"string"},"data":{},"expiration":{"type":"string"},"id":{"type":"string"},"minimum_execution_duration":{"type":"number"},"namespaces":{"items":{"type":"string"},"maxItems":100,"type":"array"},"rollout_duration_seconds":{"type":"number"},"sent_at":{"type":"string"},"source_uri":{"type":"string"},"start_time":{"type":"string"},"total":{"type":"number"},"type":{"type":"string"}},"required":["id","type","data","created_at","ack_data"]}},"required":["item"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Cancel an agent action","tags":["Elastic Agent actions"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/agents/available_versions":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/agents/available_versions\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: fleet-agents-read.","operationId":"get-fleet-agents-available-versions","parameters":[],"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"items":{"items":{"type":"string"},"maxItems":10000,"type":"array"}},"required":["items"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Get available agent versions","tags":["Elastic Agents"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/agents/bulk_migrate":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/agents/bulk_migrate\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nBulk migrate agents to another cluster.\u003cbr/\u003e\u003cbr/\u003e[Required authorization] Route required privileges: fleet-agents-all.","operationId":"post-fleet-agents-bulk-migrate","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"agents":{"anyOf":[{"items":{"type":"string"},"maxItems":10000,"type":"array"},{"type":"string"}]},"batchSize":{"type":"number"},"enrollment_token":{"type":"string"},"settings":{"additionalProperties":false,"type":"object","properties":{"ca_sha256":{"type":"string"},"certificate_authorities":{"type":"string"},"elastic_agent_cert":{"type":"string"},"elastic_agent_cert_key":{"type":"string"},"elastic_agent_cert_key_passphrase":{"type":"string"},"headers":{"additionalProperties":{"type":"string"},"type":"object"},"insecure":{"type":"boolean"},"proxy_disabled":{"type":"boolean"},"proxy_headers":{"additionalProperties":{"type":"string"},"type":"object"},"proxy_url":{"type":"string"},"staging":{"type":"string"},"tags":{"items":{"type":"string"},"maxItems":10,"type":"array"}}},"uri":{"format":"uri","type":"string"}},"required":["agents","uri","enrollment_token"]}}}},"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"actionId":{"type":"string"}},"required":["actionId"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Migrate multiple agents","tags":["Elastic Agents"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/agents/bulk_privilege_level_change":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/agents/bulk_privilege_level_change\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nChange multiple agents' privilege level to unprivileged.\u003cbr/\u003e\u003cbr/\u003e[Required authorization] Route required privileges: fleet-agents-all.","operationId":"post-fleet-agents-bulk-privilege-level-change","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application/json":{"examples":{"bulkChangeAgentPrivilegeLevelRequest":{"value":{"agents":"agent","user_info":{"groupname":"groupname","password":"password","username":"username"}}}},"schema":{"additionalProperties":false,"type":"object","properties":{"agents":{"anyOf":[{"items":{"type":"string"},"maxItems":10000,"type":"array"},{"type":"string"}]},"batchSize":{"type":"number"},"user_info":{"additionalProperties":false,"type":"object","properties":{"groupname":{"type":"string"},"password":{"type":"string"},"username":{"type":"string"}}}},"required":["agents"]}}}},"responses":{"200":{"content":{"application/json":{"examples":{"successResponse":{"value":{"actionId":"actionId"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"actionId":{"type":"string"}},"required":["actionId"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"examples":{"badRequestResponse":{"value":{"message":"Bad Request"}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Bulk change agent privilege level","tags":["Elastic Agents"],"x-state":"Technical Preview; added in 9.3.0","x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/agents/bulk_reassign":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/agents/bulk_reassign\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: fleet-agents-all.","operationId":"post-fleet-agents-bulk-reassign","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"agents":{"anyOf":[{"items":{"type":"string"},"maxItems":10000,"type":"array"},{"type":"string"}]},"batchSize":{"type":"number"},"includeInactive":{"default":false,"type":"boolean"},"policy_id":{"type":"string"}},"required":["policy_id","agents"]}}}},"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"actionId":{"type":"string"}},"required":["actionId"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Bulk reassign agents","tags":["Elastic Agent actions"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/agents/bulk_request_diagnostics":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/agents/bulk_request_diagnostics\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: fleet-agents-read.","operationId":"post-fleet-agents-bulk-request-diagnostics","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"additional_metrics":{"items":{"enum":["CPU"],"type":"string"},"maxItems":1,"type":"array"},"agents":{"anyOf":[{"items":{"type":"string"},"maxItems":10000,"type":"array"},{"type":"string"}]},"batchSize":{"type":"number"}},"required":["agents"]}}}},"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"actionId":{"type":"string"}},"required":["actionId"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Bulk request diagnostics from agents","tags":["Elastic Agent actions"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/agents/bulk_rollback":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/agents/bulk_rollback\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nRollback multiple agents to the previous version.\u003cbr/\u003e\u003cbr/\u003e[Required authorization] Route required privileges: fleet-agents-all.","operationId":"post-fleet-agents-bulk-rollback","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application/json":{"examples":{"bulkRollbackAgentsRequest":{"value":{"agents":["agent-1","agent-2"],"batchSize":100,"includeInactive":false}}},"schema":{"additionalProperties":false,"type":"object","properties":{"agents":{"anyOf":[{"items":{"type":"string"},"maxItems":10000,"type":"array"},{"type":"string"}]},"batchSize":{"type":"number"},"includeInactive":{"default":false,"type":"boolean"}},"required":["agents"]}}}},"responses":{"200":{"content":{"application/json":{"examples":{"successResponse":{"value":{"actionIds":["actionId1","actionId2"]}}},"schema":{"additionalProperties":false,"type":"object","properties":{"actionIds":{"items":{"type":"string"},"maxItems":10000,"type":"array"}},"required":["actionIds"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"examples":{"badRequestResponse":{"value":{"message":"Bad Request"}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Bulk rollback agents","tags":["Elastic Agent actions"],"x-state":"Technical Preview; added in 9.4.0","x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/agents/bulk_unenroll":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/agents/bulk_unenroll\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: fleet-agents-all.","operationId":"post-fleet-agents-bulk-unenroll","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"agents":{"anyOf":[{"items":{"description":"list of agent IDs","type":"string"},"maxItems":10000,"type":"array"},{"description":"KQL query string, leave empty to action all agents","type":"string"}]},"batchSize":{"type":"number"},"force":{"description":"Unenrolls hosted agents too","type":"boolean"},"includeInactive":{"description":"When passing agents by KQL query, unenrolls inactive agents too","type":"boolean"},"revoke":{"description":"Revokes API keys of agents","type":"boolean"}},"required":["agents"]}}}},"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"actionId":{"type":"string"}},"required":["actionId"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Bulk unenroll agents","tags":["Elastic Agent actions"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/agents/bulk_update_agent_tags":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/agents/bulk_update_agent_tags\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: fleet-agents-all.","operationId":"post-fleet-agents-bulk-update-agent-tags","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"agents":{"anyOf":[{"items":{"type":"string"},"maxItems":10000,"type":"array"},{"type":"string"}]},"batchSize":{"type":"number"},"includeInactive":{"default":false,"type":"boolean"},"tagsToAdd":{"items":{"type":"string"},"maxItems":10,"type":"array"},"tagsToRemove":{"items":{"type":"string"},"maxItems":10,"type":"array"}},"required":["agents"]}}}},"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"actionId":{"type":"string"}},"required":["actionId"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Bulk update agent tags","tags":["Elastic Agent actions"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/agents/bulk_upgrade":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/agents/bulk_upgrade\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: fleet-agents-all.","operationId":"post-fleet-agents-bulk-upgrade","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"agents":{"anyOf":[{"items":{"type":"string"},"maxItems":10000,"type":"array"},{"type":"string"}]},"batchSize":{"type":"number"},"force":{"type":"boolean"},"includeInactive":{"default":false,"type":"boolean"},"rollout_duration_seconds":{"minimum":600,"type":"number"},"skipRateLimitCheck":{"type":"boolean"},"source_uri":{"type":"string"},"start_time":{"type":"string"},"version":{"type":"string"}},"required":["agents","version"]}}}},"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"actionId":{"type":"string"}},"required":["actionId"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Bulk upgrade agents","tags":["Elastic Agent actions"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/agents/files/{fileId}":{"delete":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb delete\"\u003edelete\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/agents/files/{fileId}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nDelete a file uploaded by an agent.\u003cbr/\u003e\u003cbr/\u003e[Required authorization] Route required privileges: fleet-agents-all.","operationId":"delete-fleet-agents-files-fileid","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"fileId","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"deleted":{"type":"boolean"},"id":{"type":"string"}},"required":["id","deleted"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Delete an uploaded file","tags":["Elastic Agents"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/agents/files/{fileId}/{fileName}":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/agents/files/{fileId}/{fileName}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nGet a file uploaded by an agent.\u003cbr/\u003e\u003cbr/\u003e[Required authorization] Route required privileges: fleet-agents-read.","operationId":"get-fleet-agents-files-fileid-filename","parameters":[{"in":"path","name":"fileId","required":true,"schema":{"type":"string"}},{"in":"path","name":"fileName","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"type":"object"}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Get an uploaded file","tags":["Elastic Agents"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/agents/setup":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/agents/setup\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup.","operationId":"get-fleet-agents-setup","parameters":[],"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"A summary of the agent setup status. `isReady` indicates whether the setup is ready. If the setup is not ready, `missing_requirements` lists which requirements are missing.","type":"object","properties":{"is_action_secrets_storage_enabled":{"type":"boolean"},"is_secrets_storage_enabled":{"type":"boolean"},"is_space_awareness_enabled":{"type":"boolean"},"is_ssl_secrets_storage_enabled":{"type":"boolean"},"isReady":{"type":"boolean"},"missing_optional_features":{"items":{"enum":["encrypted_saved_object_encryption_key_required"],"type":"string"},"maxItems":1,"type":"array"},"missing_requirements":{"items":{"enum":["security_required","tls_required","api_keys","fleet_admin_user","fleet_server"],"type":"string"},"maxItems":5,"type":"array"},"package_verification_key_id":{"type":"string"}},"required":["isReady","missing_requirements","missing_optional_features"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Get agent setup info","tags":["Elastic Agents"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/agents/setup\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup.","operationId":"post-fleet-agents-setup","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"A summary of the result of Fleet's `setup` lifecycle. If `isInitialized` is true, Fleet is ready to accept agent enrollment. `nonFatalErrors` may include useful insight into non-blocking issues with Fleet setup.","type":"object","properties":{"isInitialized":{"type":"boolean"},"nonFatalErrors":{"items":{"additionalProperties":false,"type":"object","properties":{"message":{"type":"string"},"name":{"type":"string"}},"required":["name","message"]},"maxItems":10000,"type":"array"}},"required":["isInitialized","nonFatalErrors"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Initiate agent setup","tags":["Elastic Agents"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/agents/tags":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/agents/tags\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: fleet-agents-read.","operationId":"get-fleet-agents-tags","parameters":[{"in":"query","name":"kuery","required":false,"schema":{"type":"string"}},{"in":"query","name":"showInactive","required":false,"schema":{"default":false,"type":"boolean"}}],"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"items":{"items":{"type":"string"},"maxItems":10000,"type":"array"}},"required":["items"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Get agent tags","tags":["Elastic Agents"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/check-permissions":{"get":{"operationId":"get-fleet-check-permissions","parameters":[{"in":"query","name":"fleetServerSetup","required":false,"schema":{"type":"boolean"}}],"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"error":{"enum":["MISSING_SECURITY","MISSING_PRIVILEGES","MISSING_FLEET_SERVER_SETUP_PRIVILEGES"],"type":"string"},"success":{"type":"boolean"}},"required":["success"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Check permissions","tags":["Fleet internals"],"x-metaTags":[{"content":"Kibana","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/check-permissions\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information."}},"/api/fleet/cloud_connectors":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/cloud_connectors\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: fleet-agent-policies-read OR integrations-read.","operationId":"get-fleet-cloud-connectors","parameters":[{"description":"The page number for pagination.","in":"query","name":"page","required":false,"schema":{"type":"string"}},{"description":"The number of items per page.","in":"query","name":"perPage","required":false,"schema":{"type":"string"}},{"description":"KQL query to filter cloud connectors.","in":"query","name":"kuery","required":false,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"items":{"items":{"additionalProperties":false,"type":"object","properties":{"accountType":{"type":"string"},"cloudProvider":{"type":"string"},"created_at":{"type":"string"},"id":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"packagePolicyCount":{"type":"number"},"updated_at":{"type":"string"},"vars":{"additionalProperties":{},"type":"object"}},"required":["id","name","cloudProvider","vars","packagePolicyCount","created_at","updated_at"]},"maxItems":10000,"type":"array"}},"required":["items"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Get cloud connectors","tags":["Fleet cloud connectors"],"x-state":"Technical Preview; added in 9.2.0","x-metaTags":[{"content":"Kibana","name":"product_name"}]},"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/cloud_connectors\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: fleet-agent-policies-all OR integrations-all.","operationId":"post-fleet-cloud-connectors","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"accountType":{"description":"The account type: single-account (single account/subscription) or organization-account (organization-wide).","enum":["single-account","organization-account"],"type":"string"},"cloudProvider":{"description":"The cloud provider type: aws, azure, or gcp.","enum":["aws","azure","gcp"],"type":"string"},"name":{"description":"The name of the cloud connector.","maxLength":255,"minLength":1,"type":"string"},"vars":{"additionalProperties":{"anyOf":[{"maxLength":1000,"type":"string"},{"type":"number"},{"type":"boolean"},{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"maxLength":50,"type":"string"},"value":{"anyOf":[{"maxLength":1000,"type":"string"},{"additionalProperties":false,"type":"object","properties":{"id":{"maxLength":255,"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["isSecretRef","id"]}]}},"required":["type","value"]}]},"type":"object"}},"required":["name","cloudProvider","vars"]}}}},"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"item":{"additionalProperties":false,"type":"object","properties":{"accountType":{"type":"string"},"cloudProvider":{"type":"string"},"created_at":{"type":"string"},"id":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"packagePolicyCount":{"type":"number"},"updated_at":{"type":"string"},"vars":{"additionalProperties":{},"type":"object"}},"required":["id","name","cloudProvider","vars","packagePolicyCount","created_at","updated_at"]}},"required":["item"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Create cloud connector","tags":["Fleet cloud connectors"],"x-state":"Technical Preview; added in 9.2.0","x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/cloud_connectors/{cloudConnectorId}":{"delete":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb delete\"\u003edelete\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/cloud_connectors/{cloudConnectorId}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: fleet-agent-policies-all OR integrations-all.","operationId":"delete-fleet-cloud-connectors-cloudconnectorid","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"The unique identifier of the cloud connector to delete.","in":"path","name":"cloudConnectorId","required":true,"schema":{"type":"string"}},{"description":"If true, forces deletion even if the cloud connector is in use.","in":"query","name":"force","required":false,"schema":{"type":"boolean"}}],"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Delete cloud connector (supports force deletion)","tags":["Fleet cloud connectors"],"x-state":"Technical Preview; added in 9.2.0","x-metaTags":[{"content":"Kibana","name":"product_name"}]},"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/cloud_connectors/{cloudConnectorId}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: fleet-agent-policies-read OR integrations-read.","operationId":"get-fleet-cloud-connectors-cloudconnectorid","parameters":[{"description":"The unique identifier of the cloud connector.","in":"path","name":"cloudConnectorId","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"item":{"additionalProperties":false,"type":"object","properties":{"accountType":{"type":"string"},"cloudProvider":{"type":"string"},"created_at":{"type":"string"},"id":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"packagePolicyCount":{"type":"number"},"updated_at":{"type":"string"},"vars":{"additionalProperties":{},"type":"object"}},"required":["id","name","cloudProvider","vars","packagePolicyCount","created_at","updated_at"]}},"required":["item"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Get cloud connector","tags":["Fleet cloud connectors"],"x-state":"Technical Preview; added in 9.2.0","x-metaTags":[{"content":"Kibana","name":"product_name"}]},"put":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb put\"\u003eput\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/cloud_connectors/{cloudConnectorId}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: fleet-agent-policies-all OR integrations-all.","operationId":"put-fleet-cloud-connectors-cloudconnectorid","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"The unique identifier of the cloud connector to update.","in":"path","name":"cloudConnectorId","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"accountType":{"description":"The account type: single-account (single account/subscription) or organization-account (organization-wide).","enum":["single-account","organization-account"],"type":"string"},"name":{"description":"The name of the cloud connector.","maxLength":255,"minLength":1,"type":"string"},"vars":{"additionalProperties":{"anyOf":[{"maxLength":1000,"type":"string"},{"type":"number"},{"type":"boolean"},{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"maxLength":50,"type":"string"},"value":{"anyOf":[{"maxLength":1000,"type":"string"},{"additionalProperties":false,"type":"object","properties":{"id":{"maxLength":255,"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["isSecretRef","id"]}]}},"required":["type","value"]}]},"type":"object"}}}}}},"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"item":{"additionalProperties":false,"type":"object","properties":{"accountType":{"type":"string"},"cloudProvider":{"type":"string"},"created_at":{"type":"string"},"id":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"packagePolicyCount":{"type":"number"},"updated_at":{"type":"string"},"vars":{"additionalProperties":{},"type":"object"}},"required":["id","name","cloudProvider","vars","packagePolicyCount","created_at","updated_at"]}},"required":["item"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Update cloud connector","tags":["Fleet cloud connectors"],"x-state":"Technical Preview; added in 9.2.0","x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/cloud_connectors/{cloudConnectorId}/usage":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/cloud_connectors/{cloudConnectorId}/usage\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: fleet-agent-policies-read OR integrations-read.","operationId":"get-fleet-cloud-connectors-cloudconnectorid-usage","parameters":[{"description":"The unique identifier of the cloud connector.","in":"path","name":"cloudConnectorId","required":true,"schema":{"type":"string"}},{"description":"The page number for pagination.","in":"query","name":"page","required":false,"schema":{"minimum":1,"type":"number"}},{"description":"The number of items per page.","in":"query","name":"perPage","required":false,"schema":{"minimum":1,"type":"number"}}],"responses":{"200":{"content":{"application/json":{"examples":{"getCloudConnectorUsageResponseExample":{"description":"Example response showing package policies using the cloud connector","value":{"items":[{"created_at":"2025-01-16T09:00:00.000Z","id":"package-policy-1","name":"CSPM AWS Policy","package":{"name":"cloud_security_posture","title":"Cloud Security Posture Management","version":"3.1.1"},"policy_ids":["policy-id-123","policy-id-456"],"updated_at":"2025-01-16T09:00:00.000Z"}],"page":1,"perPage":20,"total":2}}},"schema":{"additionalProperties":false,"type":"object","properties":{"items":{"items":{"additionalProperties":false,"type":"object","properties":{"created_at":{"type":"string"},"id":{"type":"string"},"name":{"type":"string"},"package":{"additionalProperties":false,"type":"object","properties":{"name":{"type":"string"},"title":{"type":"string"},"version":{"type":"string"}},"required":["name","title","version"]},"policy_ids":{"items":{"type":"string"},"maxItems":10000,"type":"array"},"updated_at":{"type":"string"}},"required":["id","name","policy_ids","created_at","updated_at"]},"maxItems":10000,"type":"array"},"page":{"type":"number"},"perPage":{"type":"number"},"total":{"type":"number"}},"required":["items","total","page","perPage"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"Cloud connector not found","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Get cloud connector usage (package policies using the connector)","tags":["Fleet cloud connectors"],"x-state":"Technical Preview; added in 9.2.0","x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/data_streams":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/data_streams\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: fleet-agents-all AND fleet-agent-policies-all AND fleet-settings-all.","operationId":"get-fleet-data-streams","parameters":[],"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"data_streams":{"items":{"additionalProperties":false,"type":"object","properties":{"dashboards":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"title":{"type":"string"}},"required":["id","title"]},"maxItems":10000,"type":"array"},"dataset":{"type":"string"},"index":{"type":"string"},"last_activity_ms":{"type":"number"},"namespace":{"type":"string"},"package":{"type":"string"},"package_version":{"type":"string"},"serviceDetails":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"environment":{"type":"string"},"serviceName":{"type":"string"}},"required":["environment","serviceName"]},"size_in_bytes":{"type":"number"},"size_in_bytes_formatted":{"anyOf":[{"type":"number"},{"type":"string"}]},"type":{"type":"string"}},"required":["index","dataset","namespace","type","package","package_version","last_activity_ms","size_in_bytes","size_in_bytes_formatted","dashboards","serviceDetails"]},"maxItems":10000,"type":"array"}},"required":["data_streams"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Get data streams","tags":["Data streams"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/enrollment_api_keys":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/enrollment_api_keys\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: fleet-agents-all OR fleet-setup.","operationId":"get-fleet-enrollment-api-keys","parameters":[{"in":"query","name":"page","required":false,"schema":{"default":1,"type":"number"}},{"in":"query","name":"perPage","required":false,"schema":{"default":20,"type":"number"}},{"in":"query","name":"kuery","required":false,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"items":{"items":{"additionalProperties":false,"type":"object","properties":{"active":{"description":"When false, the enrollment API key is revoked and cannot be used for enrolling Elastic Agents.","type":"boolean"},"api_key":{"description":"The enrollment API key (token) used for enrolling Elastic Agents.","type":"string"},"api_key_id":{"description":"The ID of the API key in the Security API.","type":"string"},"created_at":{"type":"string"},"hidden":{"type":"boolean"},"id":{"type":"string"},"name":{"description":"The name of the enrollment API key.","type":"string"},"policy_id":{"description":"The ID of the agent policy the Elastic Agent will be enrolled in.","type":"string"}},"required":["id","api_key_id","api_key","active","created_at"]},"maxItems":10000,"type":"array"},"list":{"deprecated":true,"items":{"additionalProperties":false,"type":"object","properties":{"active":{"description":"When false, the enrollment API key is revoked and cannot be used for enrolling Elastic Agents.","type":"boolean"},"api_key":{"description":"The enrollment API key (token) used for enrolling Elastic Agents.","type":"string"},"api_key_id":{"description":"The ID of the API key in the Security API.","type":"string"},"created_at":{"type":"string"},"hidden":{"type":"boolean"},"id":{"type":"string"},"name":{"description":"The name of the enrollment API key.","type":"string"},"policy_id":{"description":"The ID of the agent policy the Elastic Agent will be enrolled in.","type":"string"}},"required":["id","api_key_id","api_key","active","created_at"]},"maxItems":10000,"type":"array"},"page":{"type":"number"},"perPage":{"type":"number"},"total":{"type":"number"}},"required":["items","total","page","perPage","list"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Get enrollment API keys","tags":["Fleet enrollment API keys"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/enrollment_api_keys\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: fleet-agents-all.","operationId":"post-fleet-enrollment-api-keys","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"expiration":{"type":"string"},"name":{"type":"string"},"policy_id":{"type":"string"}},"required":["policy_id"]}}}},"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"action":{"enum":["created"],"type":"string"},"item":{"additionalProperties":false,"type":"object","properties":{"active":{"description":"When false, the enrollment API key is revoked and cannot be used for enrolling Elastic Agents.","type":"boolean"},"api_key":{"description":"The enrollment API key (token) used for enrolling Elastic Agents.","type":"string"},"api_key_id":{"description":"The ID of the API key in the Security API.","type":"string"},"created_at":{"type":"string"},"hidden":{"type":"boolean"},"id":{"type":"string"},"name":{"description":"The name of the enrollment API key.","type":"string"},"policy_id":{"description":"The ID of the agent policy the Elastic Agent will be enrolled in.","type":"string"}},"required":["id","api_key_id","api_key","active","created_at"]}},"required":["item","action"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Create an enrollment API key","tags":["Fleet enrollment API keys"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/enrollment_api_keys/{keyId}":{"delete":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb delete\"\u003edelete\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/enrollment_api_keys/{keyId}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nRevoke an enrollment API key by ID by marking it as inactive.\u003cbr/\u003e\u003cbr/\u003e[Required authorization] Route required privileges: fleet-agents-all.","operationId":"delete-fleet-enrollment-api-keys-keyid","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"keyId","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"action":{"enum":["deleted"],"type":"string"}},"required":["action"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Revoke an enrollment API key","tags":["Fleet enrollment API keys"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/enrollment_api_keys/{keyId}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nGet an enrollment API key by ID.\u003cbr/\u003e\u003cbr/\u003e[Required authorization] Route required privileges: fleet-agents-all OR fleet-setup.","operationId":"get-fleet-enrollment-api-keys-keyid","parameters":[{"in":"path","name":"keyId","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"item":{"additionalProperties":false,"type":"object","properties":{"active":{"description":"When false, the enrollment API key is revoked and cannot be used for enrolling Elastic Agents.","type":"boolean"},"api_key":{"description":"The enrollment API key (token) used for enrolling Elastic Agents.","type":"string"},"api_key_id":{"description":"The ID of the API key in the Security API.","type":"string"},"created_at":{"type":"string"},"hidden":{"type":"boolean"},"id":{"type":"string"},"name":{"description":"The name of the enrollment API key.","type":"string"},"policy_id":{"description":"The ID of the agent policy the Elastic Agent will be enrolled in.","type":"string"}},"required":["id","api_key_id","api_key","active","created_at"]}},"required":["item"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Get an enrollment API key","tags":["Fleet enrollment API keys"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/epm/bulk_assets":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/epm/bulk_assets\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.","operationId":"post-fleet-epm-bulk-assets","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"assetIds":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"type":{"type":"string"}},"required":["id","type"]},"maxItems":10000,"type":"array"}},"required":["assetIds"]}}}},"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"items":{"items":{"additionalProperties":false,"type":"object","properties":{"appLink":{"type":"string"},"attributes":{"additionalProperties":false,"type":"object","properties":{"description":{"type":"string"},"service":{"type":"string"},"title":{"type":"string"}}},"id":{"type":"string"},"type":{"type":"string"},"updatedAt":{"type":"string"}},"required":["id","type","attributes"]},"maxItems":10000,"type":"array"}},"required":["items"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Bulk get assets","tags":["Elastic Package Manager (EPM)"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/epm/categories":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/epm/categories\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.","operationId":"get-fleet-epm-categories","parameters":[{"in":"query","name":"prerelease","required":false,"schema":{"type":"boolean"}},{"in":"query","name":"include_policy_templates","required":false,"schema":{"type":"boolean"}}],"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"items":{"items":{"additionalProperties":false,"type":"object","properties":{"count":{"type":"number"},"id":{"type":"string"},"parent_id":{"type":"string"},"parent_title":{"type":"string"},"title":{"type":"string"}},"required":["id","title","count"]},"maxItems":10000,"type":"array"}},"required":["items"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Get package categories","tags":["Elastic Package Manager (EPM)"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/epm/custom_integrations":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/epm/custom_integrations\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.","operationId":"post-fleet-epm-custom-integrations","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"datasets":{"items":{"additionalProperties":false,"type":"object","properties":{"name":{"type":"string"},"type":{"enum":["logs","metrics","traces","synthetics","profiling"],"type":"string"}},"required":["name","type"]},"maxItems":10,"type":"array"},"force":{"type":"boolean"},"integrationName":{"type":"string"}},"required":["integrationName","datasets"]}}}},"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"_meta":{"additionalProperties":false,"type":"object","properties":{"install_source":{"type":"string"},"name":{"type":"string"}},"required":["install_source","name"]},"items":{"items":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"deferred":{"type":"boolean"},"id":{"type":"string"},"originId":{"type":"string"},"type":{"anyOf":[{"enum":["dashboard","lens","visualization","search","index-pattern","map","ml-module","security-rule","csp-rule-template","osquery-pack-asset","osquery-saved-query","tag"],"type":"string"},{"type":"string"}]}},"required":["id","type"]},{"additionalProperties":false,"type":"object","properties":{"deferred":{"type":"boolean"},"id":{"type":"string"},"type":{"enum":["index","index_template","component_template","ingest_pipeline","ilm_policy","data_stream_ilm_policy","transform","ml_model","knowledge_base","esql_view"],"type":"string"},"version":{"type":"string"}},"required":["id","type"]}]},"maxItems":10000,"type":"array"}},"required":["items","_meta"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Create a custom integration","tags":["Elastic Package Manager (EPM)"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/epm/custom_integrations/{pkgName}":{"put":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb put\"\u003eput\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/epm/custom_integrations/{pkgName}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: fleet-settings-all AND integrations-all.","operationId":"put-fleet-epm-custom-integrations-pkgname","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"pkgName","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"categories":{"items":{"type":"string"},"maxItems":10,"type":"array"},"readMeData":{"type":"string"}},"required":["readMeData"]}}}},"responses":{"200":{"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Update a custom integration","tags":["Elastic Package Manager (EPM)"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/epm/data_streams":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/epm/data_streams\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.","operationId":"get-fleet-epm-data-streams","parameters":[{"in":"query","name":"type","required":false,"schema":{"enum":["logs","metrics","traces","synthetics","profiling"],"type":"string"}},{"in":"query","name":"datasetQuery","required":false,"schema":{"type":"string"}},{"in":"query","name":"sortOrder","required":false,"schema":{"default":"asc","enum":["asc","desc"],"type":"string"}},{"in":"query","name":"uncategorisedOnly","required":false,"schema":{"default":false,"type":"boolean"}}],"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"items":{"items":{"additionalProperties":false,"type":"object","properties":{"name":{"type":"string"}},"required":["name"]},"maxItems":10000,"type":"array"}},"required":["items"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Get data streams","tags":["Data streams"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/epm/packages":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/epm/packages\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.","operationId":"get-fleet-epm-packages","parameters":[{"in":"query","name":"category","required":false,"schema":{"type":"string"}},{"in":"query","name":"prerelease","required":false,"schema":{"type":"boolean"}},{"in":"query","name":"excludeInstallStatus","required":false,"schema":{"type":"boolean"}},{"in":"query","name":"withPackagePoliciesCount","required":false,"schema":{"type":"boolean"}}],"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"items":{"items":{"additionalProperties":true,"type":"object","properties":{"categories":{"items":{"type":"string"},"maxItems":10,"type":"array"},"conditions":{"additionalProperties":true,"type":"object","properties":{"elastic":{"additionalProperties":true,"type":"object","properties":{"capabilities":{"items":{"type":"string"},"maxItems":10,"type":"array"},"subscription":{"type":"string"}}},"kibana":{"additionalProperties":true,"type":"object","properties":{"version":{"type":"string"}}}}},"data_streams":{"items":{"additionalProperties":{},"type":"object"},"maxItems":1000,"type":"array"},"description":{"type":"string"},"discovery":{"additionalProperties":true,"type":"object","properties":{"datasets":{"items":{"additionalProperties":true,"type":"object","properties":{"name":{"type":"string"}},"required":["name"]},"maxItems":10,"type":"array"},"fields":{"items":{"additionalProperties":true,"type":"object","properties":{"name":{"type":"string"}},"required":["name"]},"maxItems":10,"type":"array"}}},"download":{"type":"string"},"format_version":{"type":"string"},"icons":{"items":{"additionalProperties":true,"type":"object","properties":{"dark_mode":{"type":"boolean"},"path":{"type":"string"},"size":{"type":"string"},"src":{"type":"string"},"title":{"type":"string"},"type":{"type":"string"}},"required":["src"]},"maxItems":10,"type":"array"},"id":{"type":"string"},"installationInfo":{"additionalProperties":true,"type":"object","properties":{"additional_spaces_installed_kibana":{"additionalProperties":{"items":{"additionalProperties":true,"type":"object","properties":{"deferred":{"type":"boolean"},"id":{"type":"string"},"originId":{"type":"string"},"type":{"anyOf":[{"enum":["dashboard","lens","visualization","search","index-pattern","map","ml-module","security-rule","csp-rule-template","osquery-pack-asset","osquery-saved-query","tag"],"type":"string"},{"type":"string"}]}},"required":["id","type"]},"maxItems":100,"type":"array"},"type":"object"},"created_at":{"type":"string"},"experimental_data_stream_features":{"items":{"additionalProperties":true,"type":"object","properties":{"data_stream":{"type":"string"},"features":{"additionalProperties":true,"type":"object","properties":{"doc_value_only_numeric":{"type":"boolean"},"doc_value_only_other":{"type":"boolean"},"synthetic_source":{"type":"boolean"},"tsdb":{"type":"boolean"}}}},"required":["data_stream","features"]},"maxItems":100,"type":"array"},"install_format_schema_version":{"type":"string"},"install_source":{"enum":["registry","upload","bundled","custom"],"type":"string"},"install_status":{"enum":["installed","installing","install_failed"],"type":"string"},"installed_es":{"items":{"additionalProperties":true,"type":"object","properties":{"deferred":{"type":"boolean"},"id":{"type":"string"},"type":{"enum":["index","index_template","component_template","ingest_pipeline","ilm_policy","data_stream_ilm_policy","transform","ml_model","knowledge_base","esql_view"],"type":"string"},"version":{"type":"string"}},"required":["id","type"]},"maxItems":10000,"type":"array"},"installed_kibana":{"items":{"additionalProperties":true,"type":"object","properties":{"deferred":{"type":"boolean"},"id":{"type":"string"},"originId":{"type":"string"},"type":{"anyOf":[{"enum":["dashboard","lens","visualization","search","index-pattern","map","ml-module","security-rule","csp-rule-template","osquery-pack-asset","osquery-saved-query","tag"],"type":"string"},{"type":"string"}]}},"required":["id","type"]},"maxItems":10000,"type":"array"},"installed_kibana_space_id":{"type":"string"},"is_rollback_ttl_expired":{"type":"boolean"},"latest_executed_state":{"additionalProperties":true,"type":"object","properties":{"error":{"type":"string"},"name":{"type":"string"},"started_at":{"type":"string"}}},"latest_install_failed_attempts":{"items":{"additionalProperties":true,"type":"object","properties":{"created_at":{"type":"string"},"error":{"additionalProperties":true,"type":"object","properties":{"message":{"type":"string"},"name":{"type":"string"},"stack":{"type":"string"}},"required":["name","message"]},"target_version":{"type":"string"}},"required":["created_at","target_version","error"]},"maxItems":10,"type":"array"},"name":{"type":"string"},"namespaces":{"items":{"type":"string"},"maxItems":100,"type":"array"},"previous_version":{"nullable":true,"type":"string"},"rolled_back":{"type":"boolean"},"type":{"type":"string"},"updated_at":{"type":"string"},"verification_key_id":{"nullable":true,"type":"string"},"verification_status":{"enum":["unverified","verified","unknown"],"type":"string"},"version":{"type":"string"}},"required":["type","installed_kibana","installed_es","name","version","install_status","install_source","verification_status"]},"integration":{"type":"string"},"internal":{"type":"boolean"},"latestVersion":{"type":"string"},"name":{"type":"string"},"owner":{"additionalProperties":true,"type":"object","properties":{"github":{"type":"string"},"type":{"enum":["elastic","partner","community"],"type":"string"}}},"path":{"type":"string"},"policy_templates":{"items":{"additionalProperties":{},"type":"object"},"maxItems":100,"type":"array"},"readme":{"type":"string"},"release":{"enum":["ga","beta","experimental"],"type":"string"},"signature_path":{"type":"string"},"source":{"additionalProperties":true,"type":"object","properties":{"license":{"type":"string"}},"required":["license"]},"status":{"type":"string"},"title":{"type":"string"},"type":{"anyOf":[{"enum":["integration"],"type":"string"},{"enum":["input"],"type":"string"},{"enum":["content"],"type":"string"},{"type":"string"}]},"vars":{"items":{"additionalProperties":{},"type":"object"},"maxItems":1000,"type":"array"},"version":{"type":"string"}},"required":["name","version","title","id"]},"maxItems":10000,"type":"array"}},"required":["items"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Get packages","tags":["Elastic Package Manager (EPM)"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/epm/packages\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.","operationId":"post-fleet-epm-packages","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"query","name":"ignoreMappingUpdateErrors","required":false,"schema":{"default":false,"type":"boolean"}},{"in":"query","name":"skipDataStreamRollover","required":false,"schema":{"default":false,"type":"boolean"}}],"requestBody":{"content":{"application/gzip; application/zip":{"schema":{"format":"binary","type":"string"}}}},"responses":{"200":{"content":{"application/gzip; application/zip":{"schema":{"additionalProperties":false,"type":"object","properties":{"_meta":{"additionalProperties":false,"type":"object","properties":{"install_source":{"type":"string"},"name":{"type":"string"}},"required":["install_source","name"]},"items":{"items":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"deferred":{"type":"boolean"},"id":{"type":"string"},"originId":{"type":"string"},"type":{"anyOf":[{"enum":["dashboard","lens","visualization","search","index-pattern","map","ml-module","security-rule","csp-rule-template","osquery-pack-asset","osquery-saved-query","tag"],"type":"string"},{"type":"string"}]}},"required":["id","type"]},{"additionalProperties":false,"type":"object","properties":{"deferred":{"type":"boolean"},"id":{"type":"string"},"type":{"enum":["index","index_template","component_template","ingest_pipeline","ilm_policy","data_stream_ilm_policy","transform","ml_model","knowledge_base","esql_view"],"type":"string"},"version":{"type":"string"}},"required":["id","type"]}]},"maxItems":10000,"type":"array"}},"required":["items","_meta"]}}},"description":"OK: A successful request."},"400":{"content":{"application/gzip; application/zip":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Install a package by upload","tags":["Elastic Package Manager (EPM)"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/epm/packages/_bulk":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/epm/packages/_bulk\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.","operationId":"post-fleet-epm-packages-bulk","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"query","name":"prerelease","required":false,"schema":{"type":"boolean"}}],"requestBody":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"force":{"default":false,"type":"boolean"},"packages":{"items":{"anyOf":[{"type":"string"},{"additionalProperties":false,"type":"object","properties":{"name":{"type":"string"},"prerelease":{"type":"boolean"},"version":{"type":"string"}},"required":["name","version"]}]},"maxItems":1000,"minItems":1,"type":"array"}},"required":["packages"]}}}},"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"items":{"items":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"name":{"type":"string"},"result":{"additionalProperties":false,"type":"object","properties":{"assets":{"items":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"deferred":{"type":"boolean"},"id":{"type":"string"},"originId":{"type":"string"},"type":{"anyOf":[{"enum":["dashboard","lens","visualization","search","index-pattern","map","ml-module","security-rule","csp-rule-template","osquery-pack-asset","osquery-saved-query","tag"],"type":"string"},{"type":"string"}]}},"required":["id","type"]},{"additionalProperties":false,"type":"object","properties":{"deferred":{"type":"boolean"},"id":{"type":"string"},"type":{"enum":["index","index_template","component_template","ingest_pipeline","ilm_policy","data_stream_ilm_policy","transform","ml_model","knowledge_base","esql_view"],"type":"string"},"version":{"type":"string"}},"required":["id","type"]}]},"maxItems":10000,"type":"array"},"error":{},"installSource":{"type":"string"},"installType":{"type":"string"},"status":{"enum":["installed","already_installed"],"type":"string"}},"required":["error","installType"]},"version":{"type":"string"}},"required":["name","version","result"]},{"additionalProperties":false,"type":"object","properties":{"error":{"anyOf":[{"type":"string"},{}]},"name":{"type":"string"},"statusCode":{"type":"number"}},"required":["name","statusCode","error"]}]},"maxItems":10000,"type":"array"}},"required":["items"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Bulk install packages","tags":["Elastic Package Manager (EPM)"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/epm/packages/_bulk_rollback":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/epm/packages/_bulk_rollback\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.","operationId":"post-fleet-epm-packages-bulk-rollback","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application/json":{"examples":{"bulkRollbackRequest":{"value":{"packages":[{"name":"system"}]}}},"schema":{"additionalProperties":false,"type":"object","properties":{"packages":{"items":{"additionalProperties":false,"type":"object","properties":{"name":{"description":"Package name to rollback","type":"string"}},"required":["name"]},"maxItems":1000,"minItems":1,"type":"array"}},"required":["packages"]}}}},"responses":{"200":{"content":{"application/json":{"examples":{"successResponse":{"value":{"taskId":"taskId"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"taskId":{"type":"string"}},"required":["taskId"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"examples":{"badRequestResponse":{"value":{"message":"Bad Request"}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Bulk rollback packages","tags":["Elastic Package Manager (EPM)"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/epm/packages/_bulk_rollback/{taskId}":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/epm/packages/_bulk_rollback/{taskId}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.","operationId":"get-fleet-epm-packages-bulk-rollback-taskid","parameters":[{"description":"Task ID of the bulk operation","in":"path","name":"taskId","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application/json":{"examples":{"successResponse":{"value":{"status":"success"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"error":{"additionalProperties":false,"type":"object","properties":{"message":{"type":"string"}},"required":["message"]},"results":{"items":{"additionalProperties":false,"type":"object","properties":{"error":{"additionalProperties":false,"type":"object","properties":{"message":{"type":"string"}},"required":["message"]},"name":{"type":"string"},"success":{"type":"boolean"}},"required":["name","success"]},"maxItems":10000,"type":"array"},"status":{"type":"string"}},"required":["status"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"examples":{"badRequestResponse":{"value":{"message":"Bad Request"}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Get Bulk rollback packages details","tags":["Elastic Package Manager (EPM)"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/epm/packages/_bulk_uninstall":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/epm/packages/_bulk_uninstall\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.","operationId":"post-fleet-epm-packages-bulk-uninstall","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"force":{"default":false,"type":"boolean"},"packages":{"items":{"additionalProperties":false,"type":"object","properties":{"name":{"type":"string"},"version":{"type":"string"}},"required":["name","version"]},"maxItems":1000,"minItems":1,"type":"array"}},"required":["packages"]}}}},"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"taskId":{"type":"string"}},"required":["taskId"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Bulk uninstall packages","tags":["Elastic Package Manager (EPM)"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/epm/packages/_bulk_uninstall/{taskId}":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/epm/packages/_bulk_uninstall/{taskId}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.","operationId":"get-fleet-epm-packages-bulk-uninstall-taskid","parameters":[{"description":"Task ID of the bulk operation","in":"path","name":"taskId","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"error":{"additionalProperties":false,"type":"object","properties":{"message":{"type":"string"}},"required":["message"]},"results":{"items":{"additionalProperties":false,"type":"object","properties":{"error":{"additionalProperties":false,"type":"object","properties":{"message":{"type":"string"}},"required":["message"]},"name":{"type":"string"},"success":{"type":"boolean"}},"required":["name","success"]},"maxItems":10000,"type":"array"},"status":{"type":"string"}},"required":["status"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Get Bulk uninstall packages details","tags":["Elastic Package Manager (EPM)"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/epm/packages/_bulk_upgrade":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/epm/packages/_bulk_upgrade\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.","operationId":"post-fleet-epm-packages-bulk-upgrade","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"force":{"default":false,"type":"boolean"},"packages":{"items":{"additionalProperties":false,"type":"object","properties":{"name":{"type":"string"},"version":{"type":"string"}},"required":["name"]},"maxItems":1000,"minItems":1,"type":"array"},"prerelease":{"type":"boolean"},"upgrade_package_policies":{"default":false,"type":"boolean"}},"required":["packages"]}}}},"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"taskId":{"type":"string"}},"required":["taskId"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Bulk upgrade packages","tags":["Elastic Package Manager (EPM)"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/epm/packages/_bulk_upgrade/{taskId}":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/epm/packages/_bulk_upgrade/{taskId}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.","operationId":"get-fleet-epm-packages-bulk-upgrade-taskid","parameters":[{"description":"Task ID of the bulk operation","in":"path","name":"taskId","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"error":{"additionalProperties":false,"type":"object","properties":{"message":{"type":"string"}},"required":["message"]},"results":{"items":{"additionalProperties":false,"type":"object","properties":{"error":{"additionalProperties":false,"type":"object","properties":{"message":{"type":"string"}},"required":["message"]},"name":{"type":"string"},"success":{"type":"boolean"}},"required":["name","success"]},"maxItems":10000,"type":"array"},"status":{"type":"string"}},"required":["status"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Get Bulk upgrade packages details","tags":["Elastic Package Manager (EPM)"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/epm/packages/{pkgName}/{pkgVersion}":{"delete":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb delete\"\u003edelete\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.","operationId":"delete-fleet-epm-packages-pkgname-pkgversion","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"pkgName","required":true,"schema":{"type":"string"}},{"in":"path","name":"pkgVersion","required":false,"schema":{"type":"string"}},{"in":"query","name":"force","required":false,"schema":{"type":"boolean"}}],"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"items":{"items":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"deferred":{"type":"boolean"},"id":{"type":"string"},"originId":{"type":"string"},"type":{"anyOf":[{"enum":["dashboard","lens","visualization","search","index-pattern","map","ml-module","security-rule","csp-rule-template","osquery-pack-asset","osquery-saved-query","tag"],"type":"string"},{"type":"string"}]}},"required":["id","type"]},{"additionalProperties":false,"type":"object","properties":{"deferred":{"type":"boolean"},"id":{"type":"string"},"type":{"enum":["index","index_template","component_template","ingest_pipeline","ilm_policy","data_stream_ilm_policy","transform","ml_model","knowledge_base","esql_view"],"type":"string"},"version":{"type":"string"}},"required":["id","type"]}]},"maxItems":10000,"type":"array"}},"required":["items"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Delete a package","tags":["Elastic Package Manager (EPM)"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"get":{"operationId":"get-fleet-epm-packages-pkgname-pkgversion","parameters":[{"in":"path","name":"pkgName","required":true,"schema":{"type":"string"}},{"in":"path","name":"pkgVersion","required":false,"schema":{"type":"string"}},{"in":"query","name":"ignoreUnverified","required":false,"schema":{"type":"boolean"}},{"in":"query","name":"prerelease","required":false,"schema":{"type":"boolean"}},{"in":"query","name":"full","required":false,"schema":{"type":"boolean"}},{"in":"query","name":"withMetadata","required":false,"schema":{"default":false,"type":"boolean"}}],"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"item":{"additionalProperties":true,"type":"object","properties":{"agent":{"additionalProperties":false,"type":"object","properties":{"privileges":{"additionalProperties":false,"type":"object","properties":{"root":{"type":"boolean"}}}}},"asset_tags":{"items":{"additionalProperties":false,"type":"object","properties":{"asset_ids":{"items":{"type":"string"},"maxItems":100,"type":"array"},"asset_types":{"items":{"type":"string"},"maxItems":10,"type":"array"},"text":{"type":"string"}},"required":["text"]},"maxItems":1000,"type":"array"},"assets":{"additionalProperties":{},"type":"object"},"categories":{"items":{"type":"string"},"maxItems":10,"type":"array"},"conditions":{"additionalProperties":true,"type":"object","properties":{"elastic":{"additionalProperties":true,"type":"object","properties":{"capabilities":{"items":{"type":"string"},"maxItems":10,"type":"array"},"subscription":{"type":"string"}}},"kibana":{"additionalProperties":true,"type":"object","properties":{"version":{"type":"string"}}}}},"data_streams":{"items":{"additionalProperties":{},"type":"object"},"maxItems":1000,"type":"array"},"description":{"type":"string"},"discovery":{"additionalProperties":true,"type":"object","properties":{"datasets":{"items":{"additionalProperties":true,"type":"object","properties":{"name":{"type":"string"}},"required":["name"]},"maxItems":10,"type":"array"},"fields":{"items":{"additionalProperties":true,"type":"object","properties":{"name":{"type":"string"}},"required":["name"]},"maxItems":10,"type":"array"}}},"download":{"type":"string"},"elasticsearch":{"additionalProperties":{},"type":"object"},"format_version":{"type":"string"},"icons":{"items":{"additionalProperties":true,"type":"object","properties":{"dark_mode":{"type":"boolean"},"path":{"type":"string"},"size":{"type":"string"},"src":{"type":"string"},"title":{"type":"string"},"type":{"type":"string"}},"required":["src"]},"maxItems":10,"type":"array"},"installationInfo":{"additionalProperties":true,"type":"object","properties":{"additional_spaces_installed_kibana":{"additionalProperties":{"items":{"additionalProperties":true,"type":"object","properties":{"deferred":{"type":"boolean"},"id":{"type":"string"},"originId":{"type":"string"},"type":{"anyOf":[{"enum":["dashboard","lens","visualization","search","index-pattern","map","ml-module","security-rule","csp-rule-template","osquery-pack-asset","osquery-saved-query","tag"],"type":"string"},{"type":"string"}]}},"required":["id","type"]},"maxItems":100,"type":"array"},"type":"object"},"created_at":{"type":"string"},"experimental_data_stream_features":{"items":{"additionalProperties":true,"type":"object","properties":{"data_stream":{"type":"string"},"features":{"additionalProperties":true,"type":"object","properties":{"doc_value_only_numeric":{"type":"boolean"},"doc_value_only_other":{"type":"boolean"},"synthetic_source":{"type":"boolean"},"tsdb":{"type":"boolean"}}}},"required":["data_stream","features"]},"maxItems":100,"type":"array"},"install_format_schema_version":{"type":"string"},"install_source":{"enum":["registry","upload","bundled","custom"],"type":"string"},"install_status":{"enum":["installed","installing","install_failed"],"type":"string"},"installed_es":{"items":{"additionalProperties":true,"type":"object","properties":{"deferred":{"type":"boolean"},"id":{"type":"string"},"type":{"enum":["index","index_template","component_template","ingest_pipeline","ilm_policy","data_stream_ilm_policy","transform","ml_model","knowledge_base","esql_view"],"type":"string"},"version":{"type":"string"}},"required":["id","type"]},"maxItems":10000,"type":"array"},"installed_kibana":{"items":{"additionalProperties":true,"type":"object","properties":{"deferred":{"type":"boolean"},"id":{"type":"string"},"originId":{"type":"string"},"type":{"anyOf":[{"enum":["dashboard","lens","visualization","search","index-pattern","map","ml-module","security-rule","csp-rule-template","osquery-pack-asset","osquery-saved-query","tag"],"type":"string"},{"type":"string"}]}},"required":["id","type"]},"maxItems":10000,"type":"array"},"installed_kibana_space_id":{"type":"string"},"is_rollback_ttl_expired":{"type":"boolean"},"latest_executed_state":{"additionalProperties":true,"type":"object","properties":{"error":{"type":"string"},"name":{"type":"string"},"started_at":{"type":"string"}}},"latest_install_failed_attempts":{"items":{"additionalProperties":true,"type":"object","properties":{"created_at":{"type":"string"},"error":{"additionalProperties":true,"type":"object","properties":{"message":{"type":"string"},"name":{"type":"string"},"stack":{"type":"string"}},"required":["name","message"]},"target_version":{"type":"string"}},"required":["created_at","target_version","error"]},"maxItems":10,"type":"array"},"name":{"type":"string"},"namespaces":{"items":{"type":"string"},"maxItems":100,"type":"array"},"previous_version":{"nullable":true,"type":"string"},"rolled_back":{"type":"boolean"},"type":{"type":"string"},"updated_at":{"type":"string"},"verification_key_id":{"nullable":true,"type":"string"},"verification_status":{"enum":["unverified","verified","unknown"],"type":"string"},"version":{"type":"string"}},"required":["type","installed_kibana","installed_es","name","version","install_status","install_source","verification_status"]},"internal":{"type":"boolean"},"keepPoliciesUpToDate":{"type":"boolean"},"latestVersion":{"type":"string"},"license":{"type":"string"},"licensePath":{"type":"string"},"name":{"type":"string"},"notice":{"type":"string"},"owner":{"additionalProperties":true,"type":"object","properties":{"github":{"type":"string"},"type":{"enum":["elastic","partner","community"],"type":"string"}}},"path":{"type":"string"},"policy_templates":{"items":{"additionalProperties":{},"type":"object"},"maxItems":100,"type":"array"},"readme":{"type":"string"},"release":{"enum":["ga","beta","experimental"],"type":"string"},"screenshots":{"items":{"additionalProperties":false,"type":"object","properties":{"dark_mode":{"type":"boolean"},"path":{"type":"string"},"size":{"type":"string"},"src":{"type":"string"},"title":{"type":"string"},"type":{"type":"string"}},"required":["src"]},"maxItems":10,"type":"array"},"signature_path":{"type":"string"},"source":{"additionalProperties":true,"type":"object","properties":{"license":{"type":"string"}},"required":["license"]},"status":{"type":"string"},"title":{"type":"string"},"type":{"anyOf":[{"enum":["integration"],"type":"string"},{"enum":["input"],"type":"string"},{"enum":["content"],"type":"string"},{"type":"string"}]},"vars":{"items":{"additionalProperties":{},"type":"object"},"maxItems":1000,"type":"array"},"version":{"type":"string"}},"required":["name","version","title","assets"]},"metadata":{"additionalProperties":false,"type":"object","properties":{"has_policies":{"type":"boolean"}},"required":["has_policies"]}},"required":["item"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Get a package","tags":["Elastic Package Manager (EPM)"],"x-metaTags":[{"content":"Kibana","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information."},"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.","operationId":"post-fleet-epm-packages-pkgname-pkgversion","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"pkgName","required":true,"schema":{"type":"string"}},{"in":"path","name":"pkgVersion","required":false,"schema":{"type":"string"}},{"in":"query","name":"prerelease","required":false,"schema":{"type":"boolean"}},{"in":"query","name":"ignoreMappingUpdateErrors","required":false,"schema":{"default":false,"type":"boolean"}},{"in":"query","name":"skipDataStreamRollover","required":false,"schema":{"default":false,"type":"boolean"}}],"requestBody":{"content":{"application/json":{"schema":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"force":{"default":false,"type":"boolean"},"ignore_constraints":{"default":false,"type":"boolean"}}}}}},"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"_meta":{"additionalProperties":false,"type":"object","properties":{"install_source":{"type":"string"},"name":{"type":"string"}},"required":["install_source","name"]},"items":{"items":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"deferred":{"type":"boolean"},"id":{"type":"string"},"originId":{"type":"string"},"type":{"anyOf":[{"enum":["dashboard","lens","visualization","search","index-pattern","map","ml-module","security-rule","csp-rule-template","osquery-pack-asset","osquery-saved-query","tag"],"type":"string"},{"type":"string"}]}},"required":["id","type"]},{"additionalProperties":false,"type":"object","properties":{"deferred":{"type":"boolean"},"id":{"type":"string"},"type":{"enum":["index","index_template","component_template","ingest_pipeline","ilm_policy","data_stream_ilm_policy","transform","ml_model","knowledge_base","esql_view"],"type":"string"},"version":{"type":"string"}},"required":["id","type"]}]},"maxItems":10000,"type":"array"}},"required":["items","_meta"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Install a package from the registry","tags":["Elastic Package Manager (EPM)"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"put":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb put\"\u003eput\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.","operationId":"put-fleet-epm-packages-pkgname-pkgversion","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"pkgName","required":true,"schema":{"type":"string"}},{"in":"path","name":"pkgVersion","required":false,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"keepPoliciesUpToDate":{"type":"boolean"}},"required":["keepPoliciesUpToDate"]}}}},"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"item":{"additionalProperties":true,"type":"object","properties":{"agent":{"additionalProperties":false,"type":"object","properties":{"privileges":{"additionalProperties":false,"type":"object","properties":{"root":{"type":"boolean"}}}}},"asset_tags":{"items":{"additionalProperties":false,"type":"object","properties":{"asset_ids":{"items":{"type":"string"},"maxItems":100,"type":"array"},"asset_types":{"items":{"type":"string"},"maxItems":10,"type":"array"},"text":{"type":"string"}},"required":["text"]},"maxItems":1000,"type":"array"},"assets":{"additionalProperties":{},"type":"object"},"categories":{"items":{"type":"string"},"maxItems":10,"type":"array"},"conditions":{"additionalProperties":true,"type":"object","properties":{"elastic":{"additionalProperties":true,"type":"object","properties":{"capabilities":{"items":{"type":"string"},"maxItems":10,"type":"array"},"subscription":{"type":"string"}}},"kibana":{"additionalProperties":true,"type":"object","properties":{"version":{"type":"string"}}}}},"data_streams":{"items":{"additionalProperties":{},"type":"object"},"maxItems":1000,"type":"array"},"description":{"type":"string"},"discovery":{"additionalProperties":true,"type":"object","properties":{"datasets":{"items":{"additionalProperties":true,"type":"object","properties":{"name":{"type":"string"}},"required":["name"]},"maxItems":10,"type":"array"},"fields":{"items":{"additionalProperties":true,"type":"object","properties":{"name":{"type":"string"}},"required":["name"]},"maxItems":10,"type":"array"}}},"download":{"type":"string"},"elasticsearch":{"additionalProperties":{},"type":"object"},"format_version":{"type":"string"},"icons":{"items":{"additionalProperties":true,"type":"object","properties":{"dark_mode":{"type":"boolean"},"path":{"type":"string"},"size":{"type":"string"},"src":{"type":"string"},"title":{"type":"string"},"type":{"type":"string"}},"required":["src"]},"maxItems":10,"type":"array"},"installationInfo":{"additionalProperties":true,"type":"object","properties":{"additional_spaces_installed_kibana":{"additionalProperties":{"items":{"additionalProperties":true,"type":"object","properties":{"deferred":{"type":"boolean"},"id":{"type":"string"},"originId":{"type":"string"},"type":{"anyOf":[{"enum":["dashboard","lens","visualization","search","index-pattern","map","ml-module","security-rule","csp-rule-template","osquery-pack-asset","osquery-saved-query","tag"],"type":"string"},{"type":"string"}]}},"required":["id","type"]},"maxItems":100,"type":"array"},"type":"object"},"created_at":{"type":"string"},"experimental_data_stream_features":{"items":{"additionalProperties":true,"type":"object","properties":{"data_stream":{"type":"string"},"features":{"additionalProperties":true,"type":"object","properties":{"doc_value_only_numeric":{"type":"boolean"},"doc_value_only_other":{"type":"boolean"},"synthetic_source":{"type":"boolean"},"tsdb":{"type":"boolean"}}}},"required":["data_stream","features"]},"maxItems":100,"type":"array"},"install_format_schema_version":{"type":"string"},"install_source":{"enum":["registry","upload","bundled","custom"],"type":"string"},"install_status":{"enum":["installed","installing","install_failed"],"type":"string"},"installed_es":{"items":{"additionalProperties":true,"type":"object","properties":{"deferred":{"type":"boolean"},"id":{"type":"string"},"type":{"enum":["index","index_template","component_template","ingest_pipeline","ilm_policy","data_stream_ilm_policy","transform","ml_model","knowledge_base","esql_view"],"type":"string"},"version":{"type":"string"}},"required":["id","type"]},"maxItems":10000,"type":"array"},"installed_kibana":{"items":{"additionalProperties":true,"type":"object","properties":{"deferred":{"type":"boolean"},"id":{"type":"string"},"originId":{"type":"string"},"type":{"anyOf":[{"enum":["dashboard","lens","visualization","search","index-pattern","map","ml-module","security-rule","csp-rule-template","osquery-pack-asset","osquery-saved-query","tag"],"type":"string"},{"type":"string"}]}},"required":["id","type"]},"maxItems":10000,"type":"array"},"installed_kibana_space_id":{"type":"string"},"is_rollback_ttl_expired":{"type":"boolean"},"latest_executed_state":{"additionalProperties":true,"type":"object","properties":{"error":{"type":"string"},"name":{"type":"string"},"started_at":{"type":"string"}}},"latest_install_failed_attempts":{"items":{"additionalProperties":true,"type":"object","properties":{"created_at":{"type":"string"},"error":{"additionalProperties":true,"type":"object","properties":{"message":{"type":"string"},"name":{"type":"string"},"stack":{"type":"string"}},"required":["name","message"]},"target_version":{"type":"string"}},"required":["created_at","target_version","error"]},"maxItems":10,"type":"array"},"name":{"type":"string"},"namespaces":{"items":{"type":"string"},"maxItems":100,"type":"array"},"previous_version":{"nullable":true,"type":"string"},"rolled_back":{"type":"boolean"},"type":{"type":"string"},"updated_at":{"type":"string"},"verification_key_id":{"nullable":true,"type":"string"},"verification_status":{"enum":["unverified","verified","unknown"],"type":"string"},"version":{"type":"string"}},"required":["type","installed_kibana","installed_es","name","version","install_status","install_source","verification_status"]},"internal":{"type":"boolean"},"keepPoliciesUpToDate":{"type":"boolean"},"latestVersion":{"type":"string"},"license":{"type":"string"},"licensePath":{"type":"string"},"name":{"type":"string"},"notice":{"type":"string"},"owner":{"additionalProperties":true,"type":"object","properties":{"github":{"type":"string"},"type":{"enum":["elastic","partner","community"],"type":"string"}}},"path":{"type":"string"},"policy_templates":{"items":{"additionalProperties":{},"type":"object"},"maxItems":100,"type":"array"},"readme":{"type":"string"},"release":{"enum":["ga","beta","experimental"],"type":"string"},"screenshots":{"items":{"additionalProperties":false,"type":"object","properties":{"dark_mode":{"type":"boolean"},"path":{"type":"string"},"size":{"type":"string"},"src":{"type":"string"},"title":{"type":"string"},"type":{"type":"string"}},"required":["src"]},"maxItems":10,"type":"array"},"signature_path":{"type":"string"},"source":{"additionalProperties":true,"type":"object","properties":{"license":{"type":"string"}},"required":["license"]},"status":{"type":"string"},"title":{"type":"string"},"type":{"anyOf":[{"enum":["integration"],"type":"string"},{"enum":["input"],"type":"string"},{"enum":["content"],"type":"string"},{"type":"string"}]},"vars":{"items":{"additionalProperties":{},"type":"object"},"maxItems":1000,"type":"array"},"version":{"type":"string"}},"required":["name","version","title","assets"]}},"required":["item"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Update package settings","tags":["Elastic Package Manager (EPM)"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.","operationId":"get-fleet-epm-packages-pkgname-pkgversion-filepath","parameters":[{"in":"path","name":"pkgName","required":true,"schema":{"type":"string"}},{"in":"path","name":"pkgVersion","required":true,"schema":{"type":"string"}},{"in":"path","name":"filePath","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Get a package file","tags":["Elastic Package Manager (EPM)"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/epm/packages/{pkgName}/{pkgVersion}/datastream_assets":{"delete":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb delete\"\u003edelete\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/datastream_assets\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.","operationId":"delete-fleet-epm-packages-pkgname-pkgversion-datastream-assets","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"pkgName","required":true,"schema":{"type":"string"}},{"in":"path","name":"pkgVersion","required":true,"schema":{"type":"string"}},{"in":"query","name":"packagePolicyId","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"success":{"type":"boolean"}},"required":["success"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Delete assets for an input package","tags":["Elastic Package Manager (EPM)"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/epm/packages/{pkgName}/{pkgVersion}/kibana_assets":{"delete":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb delete\"\u003edelete\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/kibana_assets\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.","operationId":"delete-fleet-epm-packages-pkgname-pkgversion-kibana-assets","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"pkgName","required":true,"schema":{"type":"string"}},{"in":"path","name":"pkgVersion","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"success":{"type":"boolean"}},"required":["success"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Delete Kibana assets for a package","tags":["Elastic Package Manager (EPM)"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/kibana_assets\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.","operationId":"post-fleet-epm-packages-pkgname-pkgversion-kibana-assets","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"pkgName","required":true,"schema":{"type":"string"}},{"in":"path","name":"pkgVersion","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"force":{"type":"boolean"},"space_ids":{"description":"When provided install assets in the specified spaces instead of the current space.","items":{"type":"string"},"maxItems":100,"minItems":1,"type":"array"}}}}}},"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"success":{"type":"boolean"}},"required":["success"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Install Kibana assets for a package","tags":["Elastic Package Manager (EPM)"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/epm/packages/{pkgName}/{pkgVersion}/rule_assets":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/rule_assets\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.","operationId":"post-fleet-epm-packages-pkgname-pkgversion-rule-assets","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"pkgName","required":true,"schema":{"type":"string"}},{"in":"path","name":"pkgVersion","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"force":{"type":"boolean"}}}}}},"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"success":{"type":"boolean"}},"required":["success"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Install Kibana alert rule for a package","tags":["Elastic Package Manager (EPM)"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/epm/packages/{pkgName}/{pkgVersion}/transforms/authorize":{"post":{"operationId":"post-fleet-epm-packages-pkgname-pkgversion-transforms-authorize","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"pkgName","required":true,"schema":{"type":"string"}},{"in":"path","name":"pkgVersion","required":true,"schema":{"type":"string"}},{"in":"query","name":"prerelease","required":false,"schema":{"type":"boolean"}}],"requestBody":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"transforms":{"items":{"additionalProperties":false,"type":"object","properties":{"transformId":{"type":"string"}},"required":["transformId"]},"maxItems":1000,"type":"array"}},"required":["transforms"]}}}},"responses":{"200":{"content":{"application/json":{"schema":{"items":{"additionalProperties":false,"type":"object","properties":{"error":{"nullable":true},"success":{"type":"boolean"},"transformId":{"type":"string"}},"required":["transformId","success","error"]},"maxItems":10000,"type":"array"}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Authorize transforms","tags":["Elastic Package Manager (EPM)"],"x-metaTags":[{"content":"Kibana","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/transforms/authorize\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information."}},"/api/fleet/epm/packages/{pkgName}/rollback":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/epm/packages/{pkgName}/rollback\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.","operationId":"post-fleet-epm-packages-pkgname-rollback","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"Package name to roll back","in":"path","name":"pkgName","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application/json":{"examples":{"successResponse":{"value":{"success":true,"version":"1.0.0"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"success":{"type":"boolean"},"version":{"type":"string"}},"required":["version","success"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"examples":{"badRequestResponse":{"value":{"message":"Bad Request"}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Rollback a package to previous version","tags":["Elastic Package Manager (EPM)"],"x-state":"Technical Preview; added in 9.1.0","x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/epm/packages/{pkgName}/stats":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/epm/packages/{pkgName}/stats\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.","operationId":"get-fleet-epm-packages-pkgname-stats","parameters":[{"in":"path","name":"pkgName","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"response":{"additionalProperties":false,"type":"object","properties":{"agent_policy_count":{"type":"number"},"package_policy_count":{"type":"number"}},"required":["agent_policy_count","package_policy_count"]}},"required":["response"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Get package stats","tags":["Elastic Package Manager (EPM)"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/epm/packages/installed":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/epm/packages/installed\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.","operationId":"get-fleet-epm-packages-installed","parameters":[{"in":"query","name":"dataStreamType","required":false,"schema":{"enum":["logs","metrics","traces","synthetics","profiling"],"type":"string"}},{"in":"query","name":"showOnlyActiveDataStreams","required":false,"schema":{"type":"boolean"}},{"in":"query","name":"nameQuery","required":false,"schema":{"type":"string"}},{"in":"query","name":"searchAfter","required":false,"schema":{"items":{"anyOf":[{"type":"string"},{"type":"number"}]},"maxItems":10,"type":"array"}},{"in":"query","name":"perPage","required":false,"schema":{"default":15,"type":"number"}},{"in":"query","name":"sortOrder","required":false,"schema":{"default":"asc","enum":["asc","desc"],"type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"items":{"items":{"additionalProperties":false,"type":"object","properties":{"dataStreams":{"items":{"additionalProperties":false,"type":"object","properties":{"name":{"type":"string"},"title":{"type":"string"}},"required":["name","title"]},"maxItems":10000,"type":"array"},"description":{"type":"string"},"icons":{"items":{"additionalProperties":false,"type":"object","properties":{"dark_mode":{"type":"boolean"},"path":{"type":"string"},"size":{"type":"string"},"src":{"type":"string"},"title":{"type":"string"},"type":{"type":"string"}},"required":["src"]},"maxItems":10,"type":"array"},"name":{"type":"string"},"status":{"type":"string"},"title":{"type":"string"},"version":{"type":"string"}},"required":["name","version","status","dataStreams"]},"maxItems":10000,"type":"array"},"searchAfter":{"items":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"},{"enum":[],"nullable":true},{}]},"maxItems":2,"type":"array"},"total":{"type":"number"}},"required":["items","total"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Get installed packages","tags":["Elastic Package Manager (EPM)"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/epm/packages/limited":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/epm/packages/limited\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.","operationId":"get-fleet-epm-packages-limited","parameters":[],"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"items":{"items":{"type":"string"},"maxItems":10000,"type":"array"}},"required":["items"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Get a limited package list","tags":["Elastic Package Manager (EPM)"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.","operationId":"get-fleet-epm-templates-pkgname-pkgversion-inputs","parameters":[{"in":"path","name":"pkgName","required":true,"schema":{"type":"string"}},{"in":"path","name":"pkgVersion","required":true,"schema":{"type":"string"}},{"in":"query","name":"format","required":false,"schema":{"default":"json","enum":["json","yml","yaml"],"type":"string"}},{"in":"query","name":"prerelease","required":false,"schema":{"type":"boolean"}},{"in":"query","name":"ignoreUnverified","required":false,"schema":{"type":"boolean"}}],"responses":{"200":{"content":{"application/json":{"schema":{"anyOf":[{"type":"string"},{"additionalProperties":false,"type":"object","properties":{"inputs":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"streams":{"items":{"additionalProperties":true,"type":"object","properties":{"data_stream":{"additionalProperties":true,"type":"object","properties":{"dataset":{"type":"string"},"type":{"type":"string"}},"required":["dataset"]},"id":{"type":"string"}},"required":["id","data_stream"]},"maxItems":10000,"type":"array"},"type":{"type":"string"}},"required":["id","type"]},"maxItems":10000,"type":"array"}},"required":["inputs"]}]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Get an inputs template","tags":["Elastic Package Manager (EPM)"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/epm/verification_key_id":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/epm/verification_key_id\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.","operationId":"get-fleet-epm-verification-key-id","parameters":[],"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"id":{"nullable":true,"type":"string"}},"required":["id"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Get a package signature verification key ID","tags":["Elastic Package Manager (EPM)"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/fleet_server_hosts":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/fleet_server_hosts\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: fleet-agents-all OR fleet-settings-read.","operationId":"get-fleet-fleet-server-hosts","parameters":[],"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"items":{"items":{"additionalProperties":false,"type":"object","properties":{"host_urls":{"items":{"type":"string"},"maxItems":10,"minItems":1,"type":"array"},"id":{"type":"string"},"is_default":{"default":false,"type":"boolean"},"is_internal":{"type":"boolean"},"is_preconfigured":{"default":false,"type":"boolean"},"name":{"type":"string"},"proxy_id":{"nullable":true,"type":"string"},"secrets":{"additionalProperties":false,"type":"object","properties":{"ssl":{"additionalProperties":false,"type":"object","properties":{"agent_key":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},{"type":"string"}]},"es_key":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},{"type":"string"}]},"key":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},{"type":"string"}]}}}}},"ssl":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"agent_certificate":{"type":"string"},"agent_certificate_authorities":{"items":{"type":"string"},"maxItems":10,"type":"array"},"agent_key":{"type":"string"},"certificate":{"type":"string"},"certificate_authorities":{"items":{"type":"string"},"maxItems":10,"type":"array"},"client_auth":{"enum":["optional","required","none"],"type":"string"},"es_certificate":{"type":"string"},"es_certificate_authorities":{"items":{"type":"string"},"maxItems":10,"type":"array"},"es_key":{"type":"string"},"key":{"type":"string"}}}},"required":["name","host_urls","id"]},"maxItems":10000,"type":"array"},"page":{"type":"number"},"perPage":{"type":"number"},"total":{"type":"number"}},"required":["items","total","page","perPage"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Get Fleet Server hosts","tags":["Fleet Server hosts"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/fleet_server_hosts\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: fleet-settings-all.","operationId":"post-fleet-fleet-server-hosts","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"host_urls":{"items":{"type":"string"},"maxItems":10,"minItems":1,"type":"array"},"id":{"type":"string"},"is_default":{"default":false,"type":"boolean"},"is_internal":{"type":"boolean"},"is_preconfigured":{"default":false,"type":"boolean"},"name":{"type":"string"},"proxy_id":{"nullable":true,"type":"string"},"secrets":{"additionalProperties":false,"type":"object","properties":{"ssl":{"additionalProperties":false,"type":"object","properties":{"agent_key":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},{"type":"string"}]},"es_key":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},{"type":"string"}]},"key":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},{"type":"string"}]}}}}},"ssl":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"agent_certificate":{"type":"string"},"agent_certificate_authorities":{"items":{"type":"string"},"maxItems":10,"type":"array"},"agent_key":{"type":"string"},"certificate":{"type":"string"},"certificate_authorities":{"items":{"type":"string"},"maxItems":10,"type":"array"},"client_auth":{"enum":["optional","required","none"],"type":"string"},"es_certificate":{"type":"string"},"es_certificate_authorities":{"items":{"type":"string"},"maxItems":10,"type":"array"},"es_key":{"type":"string"},"key":{"type":"string"}}}},"required":["name","host_urls"]}}}},"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"item":{"additionalProperties":false,"type":"object","properties":{"host_urls":{"items":{"type":"string"},"maxItems":10,"minItems":1,"type":"array"},"id":{"type":"string"},"is_default":{"default":false,"type":"boolean"},"is_internal":{"type":"boolean"},"is_preconfigured":{"default":false,"type":"boolean"},"name":{"type":"string"},"proxy_id":{"nullable":true,"type":"string"},"secrets":{"additionalProperties":false,"type":"object","properties":{"ssl":{"additionalProperties":false,"type":"object","properties":{"agent_key":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},{"type":"string"}]},"es_key":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},{"type":"string"}]},"key":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},{"type":"string"}]}}}}},"ssl":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"agent_certificate":{"type":"string"},"agent_certificate_authorities":{"items":{"type":"string"},"maxItems":10,"type":"array"},"agent_key":{"type":"string"},"certificate":{"type":"string"},"certificate_authorities":{"items":{"type":"string"},"maxItems":10,"type":"array"},"client_auth":{"enum":["optional","required","none"],"type":"string"},"es_certificate":{"type":"string"},"es_certificate_authorities":{"items":{"type":"string"},"maxItems":10,"type":"array"},"es_key":{"type":"string"},"key":{"type":"string"}}}},"required":["name","host_urls","id"]}},"required":["item"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Create a Fleet Server host","tags":["Fleet Server hosts"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/fleet_server_hosts/{itemId}":{"delete":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb delete\"\u003edelete\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/fleet_server_hosts/{itemId}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nDelete a Fleet Server host by ID.\u003cbr/\u003e\u003cbr/\u003e[Required authorization] Route required privileges: fleet-settings-all.","operationId":"delete-fleet-fleet-server-hosts-itemid","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"itemId","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Delete a Fleet Server host","tags":["Fleet Server hosts"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/fleet_server_hosts/{itemId}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nGet a Fleet Server host by ID.\u003cbr/\u003e\u003cbr/\u003e[Required authorization] Route required privileges: fleet-settings-read.","operationId":"get-fleet-fleet-server-hosts-itemid","parameters":[{"in":"path","name":"itemId","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"item":{"additionalProperties":false,"type":"object","properties":{"host_urls":{"items":{"type":"string"},"maxItems":10,"minItems":1,"type":"array"},"id":{"type":"string"},"is_default":{"default":false,"type":"boolean"},"is_internal":{"type":"boolean"},"is_preconfigured":{"default":false,"type":"boolean"},"name":{"type":"string"},"proxy_id":{"nullable":true,"type":"string"},"secrets":{"additionalProperties":false,"type":"object","properties":{"ssl":{"additionalProperties":false,"type":"object","properties":{"agent_key":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},{"type":"string"}]},"es_key":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},{"type":"string"}]},"key":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},{"type":"string"}]}}}}},"ssl":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"agent_certificate":{"type":"string"},"agent_certificate_authorities":{"items":{"type":"string"},"maxItems":10,"type":"array"},"agent_key":{"type":"string"},"certificate":{"type":"string"},"certificate_authorities":{"items":{"type":"string"},"maxItems":10,"type":"array"},"client_auth":{"enum":["optional","required","none"],"type":"string"},"es_certificate":{"type":"string"},"es_certificate_authorities":{"items":{"type":"string"},"maxItems":10,"type":"array"},"es_key":{"type":"string"},"key":{"type":"string"}}}},"required":["name","host_urls","id"]}},"required":["item"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Get a Fleet Server host","tags":["Fleet Server hosts"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"put":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb put\"\u003eput\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/fleet_server_hosts/{itemId}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nUpdate a Fleet Server host by ID.\u003cbr/\u003e\u003cbr/\u003e[Required authorization] Route required privileges: fleet-settings-all.","operationId":"put-fleet-fleet-server-hosts-itemid","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"itemId","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"host_urls":{"items":{"type":"string"},"maxItems":10,"minItems":1,"type":"array"},"is_default":{"type":"boolean"},"is_internal":{"type":"boolean"},"name":{"type":"string"},"proxy_id":{"nullable":true,"type":"string"},"secrets":{"additionalProperties":false,"type":"object","properties":{"ssl":{"additionalProperties":false,"type":"object","properties":{"agent_key":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},{"type":"string"}]},"es_key":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},{"type":"string"}]},"key":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},{"type":"string"}]}}}}},"ssl":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"agent_certificate":{"type":"string"},"agent_certificate_authorities":{"items":{"type":"string"},"maxItems":10,"type":"array"},"agent_key":{"type":"string"},"certificate":{"type":"string"},"certificate_authorities":{"items":{"type":"string"},"maxItems":10,"type":"array"},"client_auth":{"enum":["optional","required","none"],"type":"string"},"es_certificate":{"type":"string"},"es_certificate_authorities":{"items":{"type":"string"},"maxItems":10,"type":"array"},"es_key":{"type":"string"},"key":{"type":"string"}}}},"required":["proxy_id"]}}}},"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"item":{"additionalProperties":false,"type":"object","properties":{"host_urls":{"items":{"type":"string"},"maxItems":10,"minItems":1,"type":"array"},"id":{"type":"string"},"is_default":{"default":false,"type":"boolean"},"is_internal":{"type":"boolean"},"is_preconfigured":{"default":false,"type":"boolean"},"name":{"type":"string"},"proxy_id":{"nullable":true,"type":"string"},"secrets":{"additionalProperties":false,"type":"object","properties":{"ssl":{"additionalProperties":false,"type":"object","properties":{"agent_key":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},{"type":"string"}]},"es_key":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},{"type":"string"}]},"key":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},{"type":"string"}]}}}}},"ssl":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"agent_certificate":{"type":"string"},"agent_certificate_authorities":{"items":{"type":"string"},"maxItems":10,"type":"array"},"agent_key":{"type":"string"},"certificate":{"type":"string"},"certificate_authorities":{"items":{"type":"string"},"maxItems":10,"type":"array"},"client_auth":{"enum":["optional","required","none"],"type":"string"},"es_certificate":{"type":"string"},"es_certificate_authorities":{"items":{"type":"string"},"maxItems":10,"type":"array"},"es_key":{"type":"string"},"key":{"type":"string"}}}},"required":["name","host_urls","id"]}},"required":["item"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Update a Fleet Server host","tags":["Fleet Server hosts"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/health_check":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/health_check\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: fleet-settings-all.","operationId":"post-fleet-health-check","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]}}}},"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"host_id":{"type":"string"},"name":{"type":"string"},"status":{"type":"string"}},"required":["status"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."},"404":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Not found."}},"summary":"Check Fleet Server health","tags":["Fleet internals"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/kubernetes":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/kubernetes\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-setup.","operationId":"get-fleet-kubernetes","parameters":[{"in":"query","name":"download","required":false,"schema":{"type":"boolean"}},{"in":"query","name":"fleetServer","required":false,"schema":{"type":"string"}},{"in":"query","name":"enrolToken","required":false,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"item":{"type":"string"}},"required":["item"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Get a full K8s agent manifest","tags":["Elastic Agent policies"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/kubernetes/download":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/kubernetes/download\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-setup.","operationId":"get-fleet-kubernetes-download","parameters":[{"in":"query","name":"download","required":false,"schema":{"type":"boolean"}},{"in":"query","name":"fleetServer","required":false,"schema":{"type":"string"}},{"in":"query","name":"enrolToken","required":false,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"type":"string"}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."},"404":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Not found."}},"summary":"Download an agent manifest","tags":["Elastic Agent policies"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/logstash_api_keys":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/logstash_api_keys\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: fleet-settings-all.","operationId":"post-fleet-logstash-api-keys","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"api_key":{"type":"string"}},"required":["api_key"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Generate a Logstash API key","tags":["Fleet outputs"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/message_signing_service/rotate_key_pair":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/message_signing_service/rotate_key_pair\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: fleet-agents-all AND fleet-agent-policies-all AND fleet-settings-all.","operationId":"post-fleet-message-signing-service-rotate-key-pair","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"query","name":"acknowledge","required":false,"schema":{"default":false,"type":"boolean"}}],"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"message":{"type":"string"}},"required":["message"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."},"500":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"An internal server error."}},"summary":"Rotate a Fleet message signing key pair","tags":["Message Signing Service"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/outputs":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/outputs\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: fleet-settings-read OR fleet-agent-policies-read.","operationId":"get-fleet-outputs","parameters":[],"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"items":{"items":{"anyOf":[{"additionalProperties":true,"type":"object","properties":{"allow_edit":{"items":{"type":"string"},"maxItems":1000,"type":"array"},"ca_sha256":{"nullable":true,"type":"string"},"ca_trusted_fingerprint":{"nullable":true,"type":"string"},"config_yaml":{"nullable":true,"type":"string"},"hosts":{"items":{"format":"uri","type":"string"},"maxItems":10,"minItems":1,"type":"array"},"id":{"type":"string"},"is_default":{"default":false,"type":"boolean"},"is_default_monitoring":{"default":false,"type":"boolean"},"is_internal":{"type":"boolean"},"is_preconfigured":{"type":"boolean"},"name":{"type":"string"},"preset":{"enum":["balanced","custom","throughput","scale","latency"],"type":"string"},"proxy_id":{"nullable":true,"type":"string"},"secrets":{"additionalProperties":true,"type":"object","properties":{"ssl":{"additionalProperties":true,"type":"object","properties":{"key":{"anyOf":[{"additionalProperties":true,"type":"object","properties":{"hash":{"type":"string"},"id":{"type":"string"}},"required":["id"]},{"type":"string"}]}}}}},"shipper":{"additionalProperties":true,"nullable":true,"type":"object","properties":{"compression_level":{"nullable":true,"type":"number"},"disk_queue_compression_enabled":{"nullable":true,"type":"boolean"},"disk_queue_enabled":{"default":false,"nullable":true,"type":"boolean"},"disk_queue_encryption_enabled":{"nullable":true,"type":"boolean"},"disk_queue_max_size":{"nullable":true,"type":"number"},"disk_queue_path":{"nullable":true,"type":"string"},"loadbalance":{"nullable":true,"type":"boolean"},"max_batch_bytes":{"nullable":true,"type":"number"},"mem_queue_events":{"nullable":true,"type":"number"},"queue_flush_timeout":{"nullable":true,"type":"number"}},"required":["disk_queue_path","disk_queue_max_size","disk_queue_encryption_enabled","disk_queue_compression_enabled","compression_level","loadbalance","mem_queue_events","queue_flush_timeout","max_batch_bytes"]},"ssl":{"additionalProperties":true,"nullable":true,"type":"object","properties":{"certificate":{"type":"string"},"certificate_authorities":{"items":{"type":"string"},"maxItems":10,"type":"array"},"key":{"type":"string"},"verification_mode":{"enum":["full","none","certificate","strict"],"type":"string"}}},"type":{"enum":["elasticsearch"],"type":"string"},"write_to_logs_streams":{"nullable":true,"type":"boolean"}},"required":["name","type","hosts"]},{"additionalProperties":true,"type":"object","properties":{"allow_edit":{"items":{"type":"string"},"maxItems":1000,"type":"array"},"ca_sha256":{"nullable":true,"type":"string"},"ca_trusted_fingerprint":{"nullable":true,"type":"string"},"config_yaml":{"nullable":true,"type":"string"},"hosts":{"items":{"format":"uri","type":"string"},"maxItems":10,"minItems":1,"type":"array"},"id":{"type":"string"},"is_default":{"default":false,"type":"boolean"},"is_default_monitoring":{"default":false,"type":"boolean"},"is_internal":{"type":"boolean"},"is_preconfigured":{"type":"boolean"},"kibana_api_key":{"nullable":true,"type":"string"},"kibana_url":{"nullable":true,"type":"string"},"name":{"type":"string"},"preset":{"enum":["balanced","custom","throughput","scale","latency"],"type":"string"},"proxy_id":{"nullable":true,"type":"string"},"secrets":{"additionalProperties":true,"type":"object","properties":{"service_token":{"anyOf":[{"additionalProperties":true,"type":"object","properties":{"hash":{"type":"string"},"id":{"type":"string"}},"required":["id"]},{"type":"string"}]},"ssl":{"additionalProperties":true,"type":"object","properties":{"key":{"anyOf":[{"additionalProperties":true,"type":"object","properties":{"hash":{"type":"string"},"id":{"type":"string"}},"required":["id"]},{"type":"string"}]}}}}},"service_token":{"nullable":true,"type":"string"},"shipper":{"additionalProperties":true,"nullable":true,"type":"object","properties":{"compression_level":{"nullable":true,"type":"number"},"disk_queue_compression_enabled":{"nullable":true,"type":"boolean"},"disk_queue_enabled":{"default":false,"nullable":true,"type":"boolean"},"disk_queue_encryption_enabled":{"nullable":true,"type":"boolean"},"disk_queue_max_size":{"nullable":true,"type":"number"},"disk_queue_path":{"nullable":true,"type":"string"},"loadbalance":{"nullable":true,"type":"boolean"},"max_batch_bytes":{"nullable":true,"type":"number"},"mem_queue_events":{"nullable":true,"type":"number"},"queue_flush_timeout":{"nullable":true,"type":"number"}},"required":["disk_queue_path","disk_queue_max_size","disk_queue_encryption_enabled","disk_queue_compression_enabled","compression_level","loadbalance","mem_queue_events","queue_flush_timeout","max_batch_bytes"]},"ssl":{"additionalProperties":true,"nullable":true,"type":"object","properties":{"certificate":{"type":"string"},"certificate_authorities":{"items":{"type":"string"},"maxItems":10,"type":"array"},"key":{"type":"string"},"verification_mode":{"enum":["full","none","certificate","strict"],"type":"string"}}},"sync_integrations":{"type":"boolean"},"sync_uninstalled_integrations":{"type":"boolean"},"type":{"enum":["remote_elasticsearch"],"type":"string"},"write_to_logs_streams":{"nullable":true,"type":"boolean"}},"required":["name","type","hosts"]},{"additionalProperties":true,"type":"object","properties":{"allow_edit":{"items":{"type":"string"},"maxItems":1000,"type":"array"},"ca_sha256":{"nullable":true,"type":"string"},"ca_trusted_fingerprint":{"nullable":true,"type":"string"},"config_yaml":{"nullable":true,"type":"string"},"hosts":{"items":{"type":"string"},"maxItems":10,"minItems":1,"type":"array"},"id":{"type":"string"},"is_default":{"default":false,"type":"boolean"},"is_default_monitoring":{"default":false,"type":"boolean"},"is_internal":{"type":"boolean"},"is_preconfigured":{"type":"boolean"},"name":{"type":"string"},"proxy_id":{"nullable":true,"type":"string"},"secrets":{"additionalProperties":true,"type":"object","properties":{"ssl":{"additionalProperties":true,"type":"object","properties":{"key":{"anyOf":[{"additionalProperties":true,"type":"object","properties":{"hash":{"type":"string"},"id":{"type":"string"}},"required":["id"]},{"type":"string"}]}}}}},"shipper":{"additionalProperties":true,"nullable":true,"type":"object","properties":{"compression_level":{"nullable":true,"type":"number"},"disk_queue_compression_enabled":{"nullable":true,"type":"boolean"},"disk_queue_enabled":{"default":false,"nullable":true,"type":"boolean"},"disk_queue_encryption_enabled":{"nullable":true,"type":"boolean"},"disk_queue_max_size":{"nullable":true,"type":"number"},"disk_queue_path":{"nullable":true,"type":"string"},"loadbalance":{"nullable":true,"type":"boolean"},"max_batch_bytes":{"nullable":true,"type":"number"},"mem_queue_events":{"nullable":true,"type":"number"},"queue_flush_timeout":{"nullable":true,"type":"number"}},"required":["disk_queue_path","disk_queue_max_size","disk_queue_encryption_enabled","disk_queue_compression_enabled","compression_level","loadbalance","mem_queue_events","queue_flush_timeout","max_batch_bytes"]},"ssl":{"additionalProperties":true,"nullable":true,"type":"object","properties":{"certificate":{"type":"string"},"certificate_authorities":{"items":{"type":"string"},"maxItems":10,"type":"array"},"key":{"type":"string"},"verification_mode":{"enum":["full","none","certificate","strict"],"type":"string"}}},"type":{"enum":["logstash"],"type":"string"}},"required":["name","type","hosts"]},{"additionalProperties":true,"type":"object","properties":{"allow_edit":{"items":{"type":"string"},"maxItems":1000,"type":"array"},"auth_type":{"enum":["none","user_pass","ssl","kerberos"],"type":"string"},"broker_timeout":{"type":"number"},"ca_sha256":{"nullable":true,"type":"string"},"ca_trusted_fingerprint":{"nullable":true,"type":"string"},"client_id":{"type":"string"},"compression":{"enum":["gzip","snappy","lz4","none"],"type":"string"},"compression_level":{"anyOf":[{"items":{},"type":"array"},{"type":"boolean"},{"type":"number"},{"type":"object"},{"type":"string"}],"nullable":true,"oneOf":[{"type":"number"},{"not":{}}]},"config_yaml":{"nullable":true,"type":"string"},"connection_type":{"anyOf":[{"items":{},"type":"array"},{"type":"boolean"},{"type":"number"},{"type":"object"},{"type":"string"}],"nullable":true,"oneOf":[{"enum":["plaintext","encryption"],"type":"string"},{"not":{}}]},"hash":{"additionalProperties":true,"type":"object","properties":{"hash":{"type":"string"},"random":{"type":"boolean"}}},"headers":{"items":{"additionalProperties":true,"type":"object","properties":{"key":{"type":"string"},"value":{"type":"string"}},"required":["key","value"]},"maxItems":100,"type":"array"},"hosts":{"items":{"type":"string"},"maxItems":10,"minItems":1,"type":"array"},"id":{"type":"string"},"is_default":{"default":false,"type":"boolean"},"is_default_monitoring":{"default":false,"type":"boolean"},"is_internal":{"type":"boolean"},"is_preconfigured":{"type":"boolean"},"key":{"type":"string"},"name":{"type":"string"},"partition":{"enum":["random","round_robin","hash"],"type":"string"},"password":{"anyOf":[{"items":{},"type":"array"},{"type":"boolean"},{"type":"number"},{"type":"object"},{"type":"string"}],"nullable":true,"oneOf":[{"not":{}},{"anyOf":[{"items":{},"type":"array"},{"type":"boolean"},{"type":"number"},{"type":"object"},{"type":"string"}],"nullable":true,"oneOf":[{"type":"string"},{"not":{}}]}]},"proxy_id":{"nullable":true,"type":"string"},"random":{"additionalProperties":true,"type":"object","properties":{"group_events":{"type":"number"}}},"required_acks":{"enum":[1,0,-1],"type":"integer"},"round_robin":{"additionalProperties":true,"type":"object","properties":{"group_events":{"type":"number"}}},"sasl":{"additionalProperties":true,"nullable":true,"type":"object","properties":{"mechanism":{"enum":["PLAIN","SCRAM-SHA-256","SCRAM-SHA-512"],"type":"string"}}},"secrets":{"additionalProperties":true,"type":"object","properties":{"password":{"anyOf":[{"additionalProperties":true,"type":"object","properties":{"hash":{"type":"string"},"id":{"type":"string"}},"required":["id"]},{"type":"string"}]},"ssl":{"additionalProperties":true,"type":"object","properties":{"key":{"anyOf":[{"additionalProperties":true,"type":"object","properties":{"hash":{"type":"string"},"id":{"type":"string"}},"required":["id"]},{"type":"string"}]}},"required":["key"]}}},"shipper":{"additionalProperties":true,"nullable":true,"type":"object","properties":{"compression_level":{"nullable":true,"type":"number"},"disk_queue_compression_enabled":{"nullable":true,"type":"boolean"},"disk_queue_enabled":{"default":false,"nullable":true,"type":"boolean"},"disk_queue_encryption_enabled":{"nullable":true,"type":"boolean"},"disk_queue_max_size":{"nullable":true,"type":"number"},"disk_queue_path":{"nullable":true,"type":"string"},"loadbalance":{"nullable":true,"type":"boolean"},"max_batch_bytes":{"nullable":true,"type":"number"},"mem_queue_events":{"nullable":true,"type":"number"},"queue_flush_timeout":{"nullable":true,"type":"number"}},"required":["disk_queue_path","disk_queue_max_size","disk_queue_encryption_enabled","disk_queue_compression_enabled","compression_level","loadbalance","mem_queue_events","queue_flush_timeout","max_batch_bytes"]},"ssl":{"additionalProperties":true,"nullable":true,"type":"object","properties":{"certificate":{"type":"string"},"certificate_authorities":{"items":{"type":"string"},"maxItems":10,"type":"array"},"key":{"type":"string"},"verification_mode":{"enum":["full","none","certificate","strict"],"type":"string"}}},"timeout":{"type":"number"},"topic":{"type":"string"},"type":{"enum":["kafka"],"type":"string"},"username":{"anyOf":[{"items":{},"type":"array"},{"type":"boolean"},{"type":"number"},{"type":"object"},{"type":"string"}],"nullable":true,"oneOf":[{"type":"string"},{"not":{}}]},"version":{"type":"string"}},"required":["name","type","hosts","compression_level","auth_type","connection_type","username","password"]}]},"maxItems":10000,"type":"array"},"page":{"type":"number"},"perPage":{"type":"number"},"total":{"type":"number"}},"required":["items","total","page","perPage"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Get outputs","tags":["Fleet outputs"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/outputs\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: fleet-settings-all.","operationId":"post-fleet-outputs","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"allow_edit":{"items":{"type":"string"},"maxItems":1000,"type":"array"},"ca_sha256":{"nullable":true,"type":"string"},"ca_trusted_fingerprint":{"nullable":true,"type":"string"},"config_yaml":{"nullable":true,"type":"string"},"hosts":{"items":{"format":"uri","type":"string"},"maxItems":10,"minItems":1,"type":"array"},"id":{"type":"string"},"is_default":{"default":false,"type":"boolean"},"is_default_monitoring":{"default":false,"type":"boolean"},"is_internal":{"type":"boolean"},"is_preconfigured":{"type":"boolean"},"name":{"type":"string"},"preset":{"enum":["balanced","custom","throughput","scale","latency"],"type":"string"},"proxy_id":{"nullable":true,"type":"string"},"secrets":{"additionalProperties":false,"type":"object","properties":{"ssl":{"additionalProperties":false,"type":"object","properties":{"key":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"hash":{"type":"string"},"id":{"type":"string"}},"required":["id"]},{"type":"string"}]}}}}},"shipper":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"compression_level":{"nullable":true,"type":"number"},"disk_queue_compression_enabled":{"nullable":true,"type":"boolean"},"disk_queue_enabled":{"default":false,"nullable":true,"type":"boolean"},"disk_queue_encryption_enabled":{"nullable":true,"type":"boolean"},"disk_queue_max_size":{"nullable":true,"type":"number"},"disk_queue_path":{"nullable":true,"type":"string"},"loadbalance":{"nullable":true,"type":"boolean"},"max_batch_bytes":{"nullable":true,"type":"number"},"mem_queue_events":{"nullable":true,"type":"number"},"queue_flush_timeout":{"nullable":true,"type":"number"}},"required":["disk_queue_path","disk_queue_max_size","disk_queue_encryption_enabled","disk_queue_compression_enabled","compression_level","loadbalance","mem_queue_events","queue_flush_timeout","max_batch_bytes"]},"ssl":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"certificate":{"type":"string"},"certificate_authorities":{"items":{"type":"string"},"maxItems":10,"type":"array"},"key":{"type":"string"},"verification_mode":{"enum":["full","none","certificate","strict"],"type":"string"}}},"type":{"enum":["elasticsearch"],"type":"string"},"write_to_logs_streams":{"nullable":true,"type":"boolean"}},"required":["name","type","hosts"]},{"additionalProperties":false,"type":"object","properties":{"allow_edit":{"items":{"type":"string"},"maxItems":1000,"type":"array"},"ca_sha256":{"nullable":true,"type":"string"},"ca_trusted_fingerprint":{"nullable":true,"type":"string"},"config_yaml":{"nullable":true,"type":"string"},"hosts":{"items":{"format":"uri","type":"string"},"maxItems":10,"minItems":1,"type":"array"},"id":{"type":"string"},"is_default":{"default":false,"type":"boolean"},"is_default_monitoring":{"default":false,"type":"boolean"},"is_internal":{"type":"boolean"},"is_preconfigured":{"type":"boolean"},"kibana_api_key":{"nullable":true,"type":"string"},"kibana_url":{"nullable":true,"type":"string"},"name":{"type":"string"},"preset":{"enum":["balanced","custom","throughput","scale","latency"],"type":"string"},"proxy_id":{"nullable":true,"type":"string"},"secrets":{"additionalProperties":false,"type":"object","properties":{"service_token":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"hash":{"type":"string"},"id":{"type":"string"}},"required":["id"]},{"type":"string"}]},"ssl":{"additionalProperties":false,"type":"object","properties":{"key":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"hash":{"type":"string"},"id":{"type":"string"}},"required":["id"]},{"type":"string"}]}}}}},"service_token":{"nullable":true,"type":"string"},"shipper":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"compression_level":{"nullable":true,"type":"number"},"disk_queue_compression_enabled":{"nullable":true,"type":"boolean"},"disk_queue_enabled":{"default":false,"nullable":true,"type":"boolean"},"disk_queue_encryption_enabled":{"nullable":true,"type":"boolean"},"disk_queue_max_size":{"nullable":true,"type":"number"},"disk_queue_path":{"nullable":true,"type":"string"},"loadbalance":{"nullable":true,"type":"boolean"},"max_batch_bytes":{"nullable":true,"type":"number"},"mem_queue_events":{"nullable":true,"type":"number"},"queue_flush_timeout":{"nullable":true,"type":"number"}},"required":["disk_queue_path","disk_queue_max_size","disk_queue_encryption_enabled","disk_queue_compression_enabled","compression_level","loadbalance","mem_queue_events","queue_flush_timeout","max_batch_bytes"]},"ssl":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"certificate":{"type":"string"},"certificate_authorities":{"items":{"type":"string"},"maxItems":10,"type":"array"},"key":{"type":"string"},"verification_mode":{"enum":["full","none","certificate","strict"],"type":"string"}}},"sync_integrations":{"type":"boolean"},"sync_uninstalled_integrations":{"type":"boolean"},"type":{"enum":["remote_elasticsearch"],"type":"string"},"write_to_logs_streams":{"nullable":true,"type":"boolean"}},"required":["name","type","hosts"]},{"additionalProperties":false,"type":"object","properties":{"allow_edit":{"items":{"type":"string"},"maxItems":1000,"type":"array"},"ca_sha256":{"nullable":true,"type":"string"},"ca_trusted_fingerprint":{"nullable":true,"type":"string"},"config_yaml":{"nullable":true,"type":"string"},"hosts":{"items":{"type":"string"},"maxItems":10,"minItems":1,"type":"array"},"id":{"type":"string"},"is_default":{"default":false,"type":"boolean"},"is_default_monitoring":{"default":false,"type":"boolean"},"is_internal":{"type":"boolean"},"is_preconfigured":{"type":"boolean"},"name":{"type":"string"},"proxy_id":{"nullable":true,"type":"string"},"secrets":{"additionalProperties":false,"type":"object","properties":{"ssl":{"additionalProperties":false,"type":"object","properties":{"key":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"hash":{"type":"string"},"id":{"type":"string"}},"required":["id"]},{"type":"string"}]}}}}},"shipper":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"compression_level":{"nullable":true,"type":"number"},"disk_queue_compression_enabled":{"nullable":true,"type":"boolean"},"disk_queue_enabled":{"default":false,"nullable":true,"type":"boolean"},"disk_queue_encryption_enabled":{"nullable":true,"type":"boolean"},"disk_queue_max_size":{"nullable":true,"type":"number"},"disk_queue_path":{"nullable":true,"type":"string"},"loadbalance":{"nullable":true,"type":"boolean"},"max_batch_bytes":{"nullable":true,"type":"number"},"mem_queue_events":{"nullable":true,"type":"number"},"queue_flush_timeout":{"nullable":true,"type":"number"}},"required":["disk_queue_path","disk_queue_max_size","disk_queue_encryption_enabled","disk_queue_compression_enabled","compression_level","loadbalance","mem_queue_events","queue_flush_timeout","max_batch_bytes"]},"ssl":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"certificate":{"type":"string"},"certificate_authorities":{"items":{"type":"string"},"maxItems":10,"type":"array"},"key":{"type":"string"},"verification_mode":{"enum":["full","none","certificate","strict"],"type":"string"}}},"type":{"enum":["logstash"],"type":"string"}},"required":["name","type","hosts"]},{"additionalProperties":false,"type":"object","properties":{"allow_edit":{"items":{"type":"string"},"maxItems":1000,"type":"array"},"auth_type":{"enum":["none","user_pass","ssl","kerberos"],"type":"string"},"broker_timeout":{"type":"number"},"ca_sha256":{"nullable":true,"type":"string"},"ca_trusted_fingerprint":{"nullable":true,"type":"string"},"client_id":{"type":"string"},"compression":{"enum":["gzip","snappy","lz4","none"],"type":"string"},"compression_level":{"anyOf":[{"items":{},"type":"array"},{"type":"boolean"},{"type":"number"},{"type":"object"},{"type":"string"}],"nullable":true,"oneOf":[{"type":"number"},{"not":{}}]},"config_yaml":{"nullable":true,"type":"string"},"connection_type":{"anyOf":[{"items":{},"type":"array"},{"type":"boolean"},{"type":"number"},{"type":"object"},{"type":"string"}],"nullable":true,"oneOf":[{"enum":["plaintext","encryption"],"type":"string"},{"not":{}}]},"hash":{"additionalProperties":false,"type":"object","properties":{"hash":{"type":"string"},"random":{"type":"boolean"}}},"headers":{"items":{"additionalProperties":false,"type":"object","properties":{"key":{"type":"string"},"value":{"type":"string"}},"required":["key","value"]},"maxItems":100,"type":"array"},"hosts":{"items":{"type":"string"},"maxItems":10,"minItems":1,"type":"array"},"id":{"type":"string"},"is_default":{"default":false,"type":"boolean"},"is_default_monitoring":{"default":false,"type":"boolean"},"is_internal":{"type":"boolean"},"is_preconfigured":{"type":"boolean"},"key":{"type":"string"},"name":{"type":"string"},"partition":{"enum":["random","round_robin","hash"],"type":"string"},"password":{"anyOf":[{"items":{},"type":"array"},{"type":"boolean"},{"type":"number"},{"type":"object"},{"type":"string"}],"nullable":true,"oneOf":[{"not":{}},{"anyOf":[{"items":{},"type":"array"},{"type":"boolean"},{"type":"number"},{"type":"object"},{"type":"string"}],"nullable":true,"oneOf":[{"type":"string"},{"not":{}}]}]},"proxy_id":{"nullable":true,"type":"string"},"random":{"additionalProperties":false,"type":"object","properties":{"group_events":{"type":"number"}}},"required_acks":{"enum":[1,0,-1],"type":"integer"},"round_robin":{"additionalProperties":false,"type":"object","properties":{"group_events":{"type":"number"}}},"sasl":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"mechanism":{"enum":["PLAIN","SCRAM-SHA-256","SCRAM-SHA-512"],"type":"string"}}},"secrets":{"additionalProperties":false,"type":"object","properties":{"password":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"hash":{"type":"string"},"id":{"type":"string"}},"required":["id"]},{"type":"string"}]},"ssl":{"additionalProperties":false,"type":"object","properties":{"key":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"hash":{"type":"string"},"id":{"type":"string"}},"required":["id"]},{"type":"string"}]}},"required":["key"]}}},"shipper":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"compression_level":{"nullable":true,"type":"number"},"disk_queue_compression_enabled":{"nullable":true,"type":"boolean"},"disk_queue_enabled":{"default":false,"nullable":true,"type":"boolean"},"disk_queue_encryption_enabled":{"nullable":true,"type":"boolean"},"disk_queue_max_size":{"nullable":true,"type":"number"},"disk_queue_path":{"nullable":true,"type":"string"},"loadbalance":{"nullable":true,"type":"boolean"},"max_batch_bytes":{"nullable":true,"type":"number"},"mem_queue_events":{"nullable":true,"type":"number"},"queue_flush_timeout":{"nullable":true,"type":"number"}},"required":["disk_queue_path","disk_queue_max_size","disk_queue_encryption_enabled","disk_queue_compression_enabled","compression_level","loadbalance","mem_queue_events","queue_flush_timeout","max_batch_bytes"]},"ssl":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"certificate":{"type":"string"},"certificate_authorities":{"items":{"type":"string"},"maxItems":10,"type":"array"},"key":{"type":"string"},"verification_mode":{"enum":["full","none","certificate","strict"],"type":"string"}}},"timeout":{"type":"number"},"topic":{"type":"string"},"type":{"enum":["kafka"],"type":"string"},"username":{"anyOf":[{"items":{},"type":"array"},{"type":"boolean"},{"type":"number"},{"type":"object"},{"type":"string"}],"nullable":true,"oneOf":[{"type":"string"},{"not":{}}]},"version":{"type":"string"}},"required":["name","type","hosts","compression_level","auth_type","connection_type","username","password"]}]}}}},"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"item":{"anyOf":[{"additionalProperties":true,"type":"object","properties":{"allow_edit":{"items":{"type":"string"},"maxItems":1000,"type":"array"},"ca_sha256":{"nullable":true,"type":"string"},"ca_trusted_fingerprint":{"nullable":true,"type":"string"},"config_yaml":{"nullable":true,"type":"string"},"hosts":{"items":{"format":"uri","type":"string"},"maxItems":10,"minItems":1,"type":"array"},"id":{"type":"string"},"is_default":{"default":false,"type":"boolean"},"is_default_monitoring":{"default":false,"type":"boolean"},"is_internal":{"type":"boolean"},"is_preconfigured":{"type":"boolean"},"name":{"type":"string"},"preset":{"enum":["balanced","custom","throughput","scale","latency"],"type":"string"},"proxy_id":{"nullable":true,"type":"string"},"secrets":{"additionalProperties":true,"type":"object","properties":{"ssl":{"additionalProperties":true,"type":"object","properties":{"key":{"anyOf":[{"additionalProperties":true,"type":"object","properties":{"hash":{"type":"string"},"id":{"type":"string"}},"required":["id"]},{"type":"string"}]}}}}},"shipper":{"additionalProperties":true,"nullable":true,"type":"object","properties":{"compression_level":{"nullable":true,"type":"number"},"disk_queue_compression_enabled":{"nullable":true,"type":"boolean"},"disk_queue_enabled":{"default":false,"nullable":true,"type":"boolean"},"disk_queue_encryption_enabled":{"nullable":true,"type":"boolean"},"disk_queue_max_size":{"nullable":true,"type":"number"},"disk_queue_path":{"nullable":true,"type":"string"},"loadbalance":{"nullable":true,"type":"boolean"},"max_batch_bytes":{"nullable":true,"type":"number"},"mem_queue_events":{"nullable":true,"type":"number"},"queue_flush_timeout":{"nullable":true,"type":"number"}},"required":["disk_queue_path","disk_queue_max_size","disk_queue_encryption_enabled","disk_queue_compression_enabled","compression_level","loadbalance","mem_queue_events","queue_flush_timeout","max_batch_bytes"]},"ssl":{"additionalProperties":true,"nullable":true,"type":"object","properties":{"certificate":{"type":"string"},"certificate_authorities":{"items":{"type":"string"},"maxItems":10,"type":"array"},"key":{"type":"string"},"verification_mode":{"enum":["full","none","certificate","strict"],"type":"string"}}},"type":{"enum":["elasticsearch"],"type":"string"},"write_to_logs_streams":{"nullable":true,"type":"boolean"}},"required":["name","type","hosts"]},{"additionalProperties":true,"type":"object","properties":{"allow_edit":{"items":{"type":"string"},"maxItems":1000,"type":"array"},"ca_sha256":{"nullable":true,"type":"string"},"ca_trusted_fingerprint":{"nullable":true,"type":"string"},"config_yaml":{"nullable":true,"type":"string"},"hosts":{"items":{"format":"uri","type":"string"},"maxItems":10,"minItems":1,"type":"array"},"id":{"type":"string"},"is_default":{"default":false,"type":"boolean"},"is_default_monitoring":{"default":false,"type":"boolean"},"is_internal":{"type":"boolean"},"is_preconfigured":{"type":"boolean"},"kibana_api_key":{"nullable":true,"type":"string"},"kibana_url":{"nullable":true,"type":"string"},"name":{"type":"string"},"preset":{"enum":["balanced","custom","throughput","scale","latency"],"type":"string"},"proxy_id":{"nullable":true,"type":"string"},"secrets":{"additionalProperties":true,"type":"object","properties":{"service_token":{"anyOf":[{"additionalProperties":true,"type":"object","properties":{"hash":{"type":"string"},"id":{"type":"string"}},"required":["id"]},{"type":"string"}]},"ssl":{"additionalProperties":true,"type":"object","properties":{"key":{"anyOf":[{"additionalProperties":true,"type":"object","properties":{"hash":{"type":"string"},"id":{"type":"string"}},"required":["id"]},{"type":"string"}]}}}}},"service_token":{"nullable":true,"type":"string"},"shipper":{"additionalProperties":true,"nullable":true,"type":"object","properties":{"compression_level":{"nullable":true,"type":"number"},"disk_queue_compression_enabled":{"nullable":true,"type":"boolean"},"disk_queue_enabled":{"default":false,"nullable":true,"type":"boolean"},"disk_queue_encryption_enabled":{"nullable":true,"type":"boolean"},"disk_queue_max_size":{"nullable":true,"type":"number"},"disk_queue_path":{"nullable":true,"type":"string"},"loadbalance":{"nullable":true,"type":"boolean"},"max_batch_bytes":{"nullable":true,"type":"number"},"mem_queue_events":{"nullable":true,"type":"number"},"queue_flush_timeout":{"nullable":true,"type":"number"}},"required":["disk_queue_path","disk_queue_max_size","disk_queue_encryption_enabled","disk_queue_compression_enabled","compression_level","loadbalance","mem_queue_events","queue_flush_timeout","max_batch_bytes"]},"ssl":{"additionalProperties":true,"nullable":true,"type":"object","properties":{"certificate":{"type":"string"},"certificate_authorities":{"items":{"type":"string"},"maxItems":10,"type":"array"},"key":{"type":"string"},"verification_mode":{"enum":["full","none","certificate","strict"],"type":"string"}}},"sync_integrations":{"type":"boolean"},"sync_uninstalled_integrations":{"type":"boolean"},"type":{"enum":["remote_elasticsearch"],"type":"string"},"write_to_logs_streams":{"nullable":true,"type":"boolean"}},"required":["name","type","hosts"]},{"additionalProperties":true,"type":"object","properties":{"allow_edit":{"items":{"type":"string"},"maxItems":1000,"type":"array"},"ca_sha256":{"nullable":true,"type":"string"},"ca_trusted_fingerprint":{"nullable":true,"type":"string"},"config_yaml":{"nullable":true,"type":"string"},"hosts":{"items":{"type":"string"},"maxItems":10,"minItems":1,"type":"array"},"id":{"type":"string"},"is_default":{"default":false,"type":"boolean"},"is_default_monitoring":{"default":false,"type":"boolean"},"is_internal":{"type":"boolean"},"is_preconfigured":{"type":"boolean"},"name":{"type":"string"},"proxy_id":{"nullable":true,"type":"string"},"secrets":{"additionalProperties":true,"type":"object","properties":{"ssl":{"additionalProperties":true,"type":"object","properties":{"key":{"anyOf":[{"additionalProperties":true,"type":"object","properties":{"hash":{"type":"string"},"id":{"type":"string"}},"required":["id"]},{"type":"string"}]}}}}},"shipper":{"additionalProperties":true,"nullable":true,"type":"object","properties":{"compression_level":{"nullable":true,"type":"number"},"disk_queue_compression_enabled":{"nullable":true,"type":"boolean"},"disk_queue_enabled":{"default":false,"nullable":true,"type":"boolean"},"disk_queue_encryption_enabled":{"nullable":true,"type":"boolean"},"disk_queue_max_size":{"nullable":true,"type":"number"},"disk_queue_path":{"nullable":true,"type":"string"},"loadbalance":{"nullable":true,"type":"boolean"},"max_batch_bytes":{"nullable":true,"type":"number"},"mem_queue_events":{"nullable":true,"type":"number"},"queue_flush_timeout":{"nullable":true,"type":"number"}},"required":["disk_queue_path","disk_queue_max_size","disk_queue_encryption_enabled","disk_queue_compression_enabled","compression_level","loadbalance","mem_queue_events","queue_flush_timeout","max_batch_bytes"]},"ssl":{"additionalProperties":true,"nullable":true,"type":"object","properties":{"certificate":{"type":"string"},"certificate_authorities":{"items":{"type":"string"},"maxItems":10,"type":"array"},"key":{"type":"string"},"verification_mode":{"enum":["full","none","certificate","strict"],"type":"string"}}},"type":{"enum":["logstash"],"type":"string"}},"required":["name","type","hosts"]},{"additionalProperties":true,"type":"object","properties":{"allow_edit":{"items":{"type":"string"},"maxItems":1000,"type":"array"},"auth_type":{"enum":["none","user_pass","ssl","kerberos"],"type":"string"},"broker_timeout":{"type":"number"},"ca_sha256":{"nullable":true,"type":"string"},"ca_trusted_fingerprint":{"nullable":true,"type":"string"},"client_id":{"type":"string"},"compression":{"enum":["gzip","snappy","lz4","none"],"type":"string"},"compression_level":{"anyOf":[{"items":{},"type":"array"},{"type":"boolean"},{"type":"number"},{"type":"object"},{"type":"string"}],"nullable":true,"oneOf":[{"type":"number"},{"not":{}}]},"config_yaml":{"nullable":true,"type":"string"},"connection_type":{"anyOf":[{"items":{},"type":"array"},{"type":"boolean"},{"type":"number"},{"type":"object"},{"type":"string"}],"nullable":true,"oneOf":[{"enum":["plaintext","encryption"],"type":"string"},{"not":{}}]},"hash":{"additionalProperties":true,"type":"object","properties":{"hash":{"type":"string"},"random":{"type":"boolean"}}},"headers":{"items":{"additionalProperties":true,"type":"object","properties":{"key":{"type":"string"},"value":{"type":"string"}},"required":["key","value"]},"maxItems":100,"type":"array"},"hosts":{"items":{"type":"string"},"maxItems":10,"minItems":1,"type":"array"},"id":{"type":"string"},"is_default":{"default":false,"type":"boolean"},"is_default_monitoring":{"default":false,"type":"boolean"},"is_internal":{"type":"boolean"},"is_preconfigured":{"type":"boolean"},"key":{"type":"string"},"name":{"type":"string"},"partition":{"enum":["random","round_robin","hash"],"type":"string"},"password":{"anyOf":[{"items":{},"type":"array"},{"type":"boolean"},{"type":"number"},{"type":"object"},{"type":"string"}],"nullable":true,"oneOf":[{"not":{}},{"anyOf":[{"items":{},"type":"array"},{"type":"boolean"},{"type":"number"},{"type":"object"},{"type":"string"}],"nullable":true,"oneOf":[{"type":"string"},{"not":{}}]}]},"proxy_id":{"nullable":true,"type":"string"},"random":{"additionalProperties":true,"type":"object","properties":{"group_events":{"type":"number"}}},"required_acks":{"enum":[1,0,-1],"type":"integer"},"round_robin":{"additionalProperties":true,"type":"object","properties":{"group_events":{"type":"number"}}},"sasl":{"additionalProperties":true,"nullable":true,"type":"object","properties":{"mechanism":{"enum":["PLAIN","SCRAM-SHA-256","SCRAM-SHA-512"],"type":"string"}}},"secrets":{"additionalProperties":true,"type":"object","properties":{"password":{"anyOf":[{"additionalProperties":true,"type":"object","properties":{"hash":{"type":"string"},"id":{"type":"string"}},"required":["id"]},{"type":"string"}]},"ssl":{"additionalProperties":true,"type":"object","properties":{"key":{"anyOf":[{"additionalProperties":true,"type":"object","properties":{"hash":{"type":"string"},"id":{"type":"string"}},"required":["id"]},{"type":"string"}]}},"required":["key"]}}},"shipper":{"additionalProperties":true,"nullable":true,"type":"object","properties":{"compression_level":{"nullable":true,"type":"number"},"disk_queue_compression_enabled":{"nullable":true,"type":"boolean"},"disk_queue_enabled":{"default":false,"nullable":true,"type":"boolean"},"disk_queue_encryption_enabled":{"nullable":true,"type":"boolean"},"disk_queue_max_size":{"nullable":true,"type":"number"},"disk_queue_path":{"nullable":true,"type":"string"},"loadbalance":{"nullable":true,"type":"boolean"},"max_batch_bytes":{"nullable":true,"type":"number"},"mem_queue_events":{"nullable":true,"type":"number"},"queue_flush_timeout":{"nullable":true,"type":"number"}},"required":["disk_queue_path","disk_queue_max_size","disk_queue_encryption_enabled","disk_queue_compression_enabled","compression_level","loadbalance","mem_queue_events","queue_flush_timeout","max_batch_bytes"]},"ssl":{"additionalProperties":true,"nullable":true,"type":"object","properties":{"certificate":{"type":"string"},"certificate_authorities":{"items":{"type":"string"},"maxItems":10,"type":"array"},"key":{"type":"string"},"verification_mode":{"enum":["full","none","certificate","strict"],"type":"string"}}},"timeout":{"type":"number"},"topic":{"type":"string"},"type":{"enum":["kafka"],"type":"string"},"username":{"anyOf":[{"items":{},"type":"array"},{"type":"boolean"},{"type":"number"},{"type":"object"},{"type":"string"}],"nullable":true,"oneOf":[{"type":"string"},{"not":{}}]},"version":{"type":"string"}},"required":["name","type","hosts","compression_level","auth_type","connection_type","username","password"]}]}},"required":["item"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Create output","tags":["Fleet outputs"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/outputs/{outputId}":{"delete":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb delete\"\u003edelete\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/outputs/{outputId}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nDelete output by ID.\u003cbr/\u003e\u003cbr/\u003e[Required authorization] Route required privileges: fleet-settings-all.","operationId":"delete-fleet-outputs-outputid","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"outputId","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."},"404":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Not found."}},"summary":"Delete output","tags":["Fleet outputs"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/outputs/{outputId}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nGet output by ID.\u003cbr/\u003e\u003cbr/\u003e[Required authorization] Route required privileges: fleet-settings-read OR fleet-agent-policies-read.","operationId":"get-fleet-outputs-outputid","parameters":[{"in":"path","name":"outputId","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"item":{"anyOf":[{"additionalProperties":true,"type":"object","properties":{"allow_edit":{"items":{"type":"string"},"maxItems":1000,"type":"array"},"ca_sha256":{"nullable":true,"type":"string"},"ca_trusted_fingerprint":{"nullable":true,"type":"string"},"config_yaml":{"nullable":true,"type":"string"},"hosts":{"items":{"format":"uri","type":"string"},"maxItems":10,"minItems":1,"type":"array"},"id":{"type":"string"},"is_default":{"default":false,"type":"boolean"},"is_default_monitoring":{"default":false,"type":"boolean"},"is_internal":{"type":"boolean"},"is_preconfigured":{"type":"boolean"},"name":{"type":"string"},"preset":{"enum":["balanced","custom","throughput","scale","latency"],"type":"string"},"proxy_id":{"nullable":true,"type":"string"},"secrets":{"additionalProperties":true,"type":"object","properties":{"ssl":{"additionalProperties":true,"type":"object","properties":{"key":{"anyOf":[{"additionalProperties":true,"type":"object","properties":{"hash":{"type":"string"},"id":{"type":"string"}},"required":["id"]},{"type":"string"}]}}}}},"shipper":{"additionalProperties":true,"nullable":true,"type":"object","properties":{"compression_level":{"nullable":true,"type":"number"},"disk_queue_compression_enabled":{"nullable":true,"type":"boolean"},"disk_queue_enabled":{"default":false,"nullable":true,"type":"boolean"},"disk_queue_encryption_enabled":{"nullable":true,"type":"boolean"},"disk_queue_max_size":{"nullable":true,"type":"number"},"disk_queue_path":{"nullable":true,"type":"string"},"loadbalance":{"nullable":true,"type":"boolean"},"max_batch_bytes":{"nullable":true,"type":"number"},"mem_queue_events":{"nullable":true,"type":"number"},"queue_flush_timeout":{"nullable":true,"type":"number"}},"required":["disk_queue_path","disk_queue_max_size","disk_queue_encryption_enabled","disk_queue_compression_enabled","compression_level","loadbalance","mem_queue_events","queue_flush_timeout","max_batch_bytes"]},"ssl":{"additionalProperties":true,"nullable":true,"type":"object","properties":{"certificate":{"type":"string"},"certificate_authorities":{"items":{"type":"string"},"maxItems":10,"type":"array"},"key":{"type":"string"},"verification_mode":{"enum":["full","none","certificate","strict"],"type":"string"}}},"type":{"enum":["elasticsearch"],"type":"string"},"write_to_logs_streams":{"nullable":true,"type":"boolean"}},"required":["name","type","hosts"]},{"additionalProperties":true,"type":"object","properties":{"allow_edit":{"items":{"type":"string"},"maxItems":1000,"type":"array"},"ca_sha256":{"nullable":true,"type":"string"},"ca_trusted_fingerprint":{"nullable":true,"type":"string"},"config_yaml":{"nullable":true,"type":"string"},"hosts":{"items":{"format":"uri","type":"string"},"maxItems":10,"minItems":1,"type":"array"},"id":{"type":"string"},"is_default":{"default":false,"type":"boolean"},"is_default_monitoring":{"default":false,"type":"boolean"},"is_internal":{"type":"boolean"},"is_preconfigured":{"type":"boolean"},"kibana_api_key":{"nullable":true,"type":"string"},"kibana_url":{"nullable":true,"type":"string"},"name":{"type":"string"},"preset":{"enum":["balanced","custom","throughput","scale","latency"],"type":"string"},"proxy_id":{"nullable":true,"type":"string"},"secrets":{"additionalProperties":true,"type":"object","properties":{"service_token":{"anyOf":[{"additionalProperties":true,"type":"object","properties":{"hash":{"type":"string"},"id":{"type":"string"}},"required":["id"]},{"type":"string"}]},"ssl":{"additionalProperties":true,"type":"object","properties":{"key":{"anyOf":[{"additionalProperties":true,"type":"object","properties":{"hash":{"type":"string"},"id":{"type":"string"}},"required":["id"]},{"type":"string"}]}}}}},"service_token":{"nullable":true,"type":"string"},"shipper":{"additionalProperties":true,"nullable":true,"type":"object","properties":{"compression_level":{"nullable":true,"type":"number"},"disk_queue_compression_enabled":{"nullable":true,"type":"boolean"},"disk_queue_enabled":{"default":false,"nullable":true,"type":"boolean"},"disk_queue_encryption_enabled":{"nullable":true,"type":"boolean"},"disk_queue_max_size":{"nullable":true,"type":"number"},"disk_queue_path":{"nullable":true,"type":"string"},"loadbalance":{"nullable":true,"type":"boolean"},"max_batch_bytes":{"nullable":true,"type":"number"},"mem_queue_events":{"nullable":true,"type":"number"},"queue_flush_timeout":{"nullable":true,"type":"number"}},"required":["disk_queue_path","disk_queue_max_size","disk_queue_encryption_enabled","disk_queue_compression_enabled","compression_level","loadbalance","mem_queue_events","queue_flush_timeout","max_batch_bytes"]},"ssl":{"additionalProperties":true,"nullable":true,"type":"object","properties":{"certificate":{"type":"string"},"certificate_authorities":{"items":{"type":"string"},"maxItems":10,"type":"array"},"key":{"type":"string"},"verification_mode":{"enum":["full","none","certificate","strict"],"type":"string"}}},"sync_integrations":{"type":"boolean"},"sync_uninstalled_integrations":{"type":"boolean"},"type":{"enum":["remote_elasticsearch"],"type":"string"},"write_to_logs_streams":{"nullable":true,"type":"boolean"}},"required":["name","type","hosts"]},{"additionalProperties":true,"type":"object","properties":{"allow_edit":{"items":{"type":"string"},"maxItems":1000,"type":"array"},"ca_sha256":{"nullable":true,"type":"string"},"ca_trusted_fingerprint":{"nullable":true,"type":"string"},"config_yaml":{"nullable":true,"type":"string"},"hosts":{"items":{"type":"string"},"maxItems":10,"minItems":1,"type":"array"},"id":{"type":"string"},"is_default":{"default":false,"type":"boolean"},"is_default_monitoring":{"default":false,"type":"boolean"},"is_internal":{"type":"boolean"},"is_preconfigured":{"type":"boolean"},"name":{"type":"string"},"proxy_id":{"nullable":true,"type":"string"},"secrets":{"additionalProperties":true,"type":"object","properties":{"ssl":{"additionalProperties":true,"type":"object","properties":{"key":{"anyOf":[{"additionalProperties":true,"type":"object","properties":{"hash":{"type":"string"},"id":{"type":"string"}},"required":["id"]},{"type":"string"}]}}}}},"shipper":{"additionalProperties":true,"nullable":true,"type":"object","properties":{"compression_level":{"nullable":true,"type":"number"},"disk_queue_compression_enabled":{"nullable":true,"type":"boolean"},"disk_queue_enabled":{"default":false,"nullable":true,"type":"boolean"},"disk_queue_encryption_enabled":{"nullable":true,"type":"boolean"},"disk_queue_max_size":{"nullable":true,"type":"number"},"disk_queue_path":{"nullable":true,"type":"string"},"loadbalance":{"nullable":true,"type":"boolean"},"max_batch_bytes":{"nullable":true,"type":"number"},"mem_queue_events":{"nullable":true,"type":"number"},"queue_flush_timeout":{"nullable":true,"type":"number"}},"required":["disk_queue_path","disk_queue_max_size","disk_queue_encryption_enabled","disk_queue_compression_enabled","compression_level","loadbalance","mem_queue_events","queue_flush_timeout","max_batch_bytes"]},"ssl":{"additionalProperties":true,"nullable":true,"type":"object","properties":{"certificate":{"type":"string"},"certificate_authorities":{"items":{"type":"string"},"maxItems":10,"type":"array"},"key":{"type":"string"},"verification_mode":{"enum":["full","none","certificate","strict"],"type":"string"}}},"type":{"enum":["logstash"],"type":"string"}},"required":["name","type","hosts"]},{"additionalProperties":true,"type":"object","properties":{"allow_edit":{"items":{"type":"string"},"maxItems":1000,"type":"array"},"auth_type":{"enum":["none","user_pass","ssl","kerberos"],"type":"string"},"broker_timeout":{"type":"number"},"ca_sha256":{"nullable":true,"type":"string"},"ca_trusted_fingerprint":{"nullable":true,"type":"string"},"client_id":{"type":"string"},"compression":{"enum":["gzip","snappy","lz4","none"],"type":"string"},"compression_level":{"anyOf":[{"items":{},"type":"array"},{"type":"boolean"},{"type":"number"},{"type":"object"},{"type":"string"}],"nullable":true,"oneOf":[{"type":"number"},{"not":{}}]},"config_yaml":{"nullable":true,"type":"string"},"connection_type":{"anyOf":[{"items":{},"type":"array"},{"type":"boolean"},{"type":"number"},{"type":"object"},{"type":"string"}],"nullable":true,"oneOf":[{"enum":["plaintext","encryption"],"type":"string"},{"not":{}}]},"hash":{"additionalProperties":true,"type":"object","properties":{"hash":{"type":"string"},"random":{"type":"boolean"}}},"headers":{"items":{"additionalProperties":true,"type":"object","properties":{"key":{"type":"string"},"value":{"type":"string"}},"required":["key","value"]},"maxItems":100,"type":"array"},"hosts":{"items":{"type":"string"},"maxItems":10,"minItems":1,"type":"array"},"id":{"type":"string"},"is_default":{"default":false,"type":"boolean"},"is_default_monitoring":{"default":false,"type":"boolean"},"is_internal":{"type":"boolean"},"is_preconfigured":{"type":"boolean"},"key":{"type":"string"},"name":{"type":"string"},"partition":{"enum":["random","round_robin","hash"],"type":"string"},"password":{"anyOf":[{"items":{},"type":"array"},{"type":"boolean"},{"type":"number"},{"type":"object"},{"type":"string"}],"nullable":true,"oneOf":[{"not":{}},{"anyOf":[{"items":{},"type":"array"},{"type":"boolean"},{"type":"number"},{"type":"object"},{"type":"string"}],"nullable":true,"oneOf":[{"type":"string"},{"not":{}}]}]},"proxy_id":{"nullable":true,"type":"string"},"random":{"additionalProperties":true,"type":"object","properties":{"group_events":{"type":"number"}}},"required_acks":{"enum":[1,0,-1],"type":"integer"},"round_robin":{"additionalProperties":true,"type":"object","properties":{"group_events":{"type":"number"}}},"sasl":{"additionalProperties":true,"nullable":true,"type":"object","properties":{"mechanism":{"enum":["PLAIN","SCRAM-SHA-256","SCRAM-SHA-512"],"type":"string"}}},"secrets":{"additionalProperties":true,"type":"object","properties":{"password":{"anyOf":[{"additionalProperties":true,"type":"object","properties":{"hash":{"type":"string"},"id":{"type":"string"}},"required":["id"]},{"type":"string"}]},"ssl":{"additionalProperties":true,"type":"object","properties":{"key":{"anyOf":[{"additionalProperties":true,"type":"object","properties":{"hash":{"type":"string"},"id":{"type":"string"}},"required":["id"]},{"type":"string"}]}},"required":["key"]}}},"shipper":{"additionalProperties":true,"nullable":true,"type":"object","properties":{"compression_level":{"nullable":true,"type":"number"},"disk_queue_compression_enabled":{"nullable":true,"type":"boolean"},"disk_queue_enabled":{"default":false,"nullable":true,"type":"boolean"},"disk_queue_encryption_enabled":{"nullable":true,"type":"boolean"},"disk_queue_max_size":{"nullable":true,"type":"number"},"disk_queue_path":{"nullable":true,"type":"string"},"loadbalance":{"nullable":true,"type":"boolean"},"max_batch_bytes":{"nullable":true,"type":"number"},"mem_queue_events":{"nullable":true,"type":"number"},"queue_flush_timeout":{"nullable":true,"type":"number"}},"required":["disk_queue_path","disk_queue_max_size","disk_queue_encryption_enabled","disk_queue_compression_enabled","compression_level","loadbalance","mem_queue_events","queue_flush_timeout","max_batch_bytes"]},"ssl":{"additionalProperties":true,"nullable":true,"type":"object","properties":{"certificate":{"type":"string"},"certificate_authorities":{"items":{"type":"string"},"maxItems":10,"type":"array"},"key":{"type":"string"},"verification_mode":{"enum":["full","none","certificate","strict"],"type":"string"}}},"timeout":{"type":"number"},"topic":{"type":"string"},"type":{"enum":["kafka"],"type":"string"},"username":{"anyOf":[{"items":{},"type":"array"},{"type":"boolean"},{"type":"number"},{"type":"object"},{"type":"string"}],"nullable":true,"oneOf":[{"type":"string"},{"not":{}}]},"version":{"type":"string"}},"required":["name","type","hosts","compression_level","auth_type","connection_type","username","password"]}]}},"required":["item"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Get output","tags":["Fleet outputs"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"put":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb put\"\u003eput\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/outputs/{outputId}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nUpdate output by ID.\u003cbr/\u003e\u003cbr/\u003e[Required authorization] Route required privileges: fleet-settings-all OR fleet-agent-policies-all.","operationId":"put-fleet-outputs-outputid","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"outputId","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"allow_edit":{"items":{"type":"string"},"maxItems":1000,"type":"array"},"ca_sha256":{"nullable":true,"type":"string"},"ca_trusted_fingerprint":{"nullable":true,"type":"string"},"config_yaml":{"nullable":true,"type":"string"},"hosts":{"items":{"format":"uri","type":"string"},"maxItems":10,"minItems":1,"type":"array"},"id":{"type":"string"},"is_default":{"type":"boolean"},"is_default_monitoring":{"type":"boolean"},"is_internal":{"type":"boolean"},"is_preconfigured":{"type":"boolean"},"name":{"type":"string"},"preset":{"enum":["balanced","custom","throughput","scale","latency"],"type":"string"},"proxy_id":{"nullable":true,"type":"string"},"secrets":{"additionalProperties":false,"type":"object","properties":{"ssl":{"additionalProperties":false,"type":"object","properties":{"key":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"hash":{"type":"string"},"id":{"type":"string"}},"required":["id"]},{"type":"string"}]}}}}},"shipper":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"compression_level":{"nullable":true,"type":"number"},"disk_queue_compression_enabled":{"nullable":true,"type":"boolean"},"disk_queue_enabled":{"default":false,"nullable":true,"type":"boolean"},"disk_queue_encryption_enabled":{"nullable":true,"type":"boolean"},"disk_queue_max_size":{"nullable":true,"type":"number"},"disk_queue_path":{"nullable":true,"type":"string"},"loadbalance":{"nullable":true,"type":"boolean"},"max_batch_bytes":{"nullable":true,"type":"number"},"mem_queue_events":{"nullable":true,"type":"number"},"queue_flush_timeout":{"nullable":true,"type":"number"}},"required":["disk_queue_path","disk_queue_max_size","disk_queue_encryption_enabled","disk_queue_compression_enabled","compression_level","loadbalance","mem_queue_events","queue_flush_timeout","max_batch_bytes"]},"ssl":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"certificate":{"type":"string"},"certificate_authorities":{"items":{"type":"string"},"maxItems":10,"type":"array"},"key":{"type":"string"},"verification_mode":{"enum":["full","none","certificate","strict"],"type":"string"}}},"type":{"enum":["elasticsearch"],"type":"string"},"write_to_logs_streams":{"nullable":true,"type":"boolean"}}},{"additionalProperties":false,"type":"object","properties":{"allow_edit":{"items":{"type":"string"},"maxItems":1000,"type":"array"},"ca_sha256":{"nullable":true,"type":"string"},"ca_trusted_fingerprint":{"nullable":true,"type":"string"},"config_yaml":{"nullable":true,"type":"string"},"hosts":{"items":{"format":"uri","type":"string"},"maxItems":10,"minItems":1,"type":"array"},"id":{"type":"string"},"is_default":{"type":"boolean"},"is_default_monitoring":{"type":"boolean"},"is_internal":{"type":"boolean"},"is_preconfigured":{"type":"boolean"},"kibana_api_key":{"nullable":true,"type":"string"},"kibana_url":{"nullable":true,"type":"string"},"name":{"type":"string"},"preset":{"enum":["balanced","custom","throughput","scale","latency"],"type":"string"},"proxy_id":{"nullable":true,"type":"string"},"secrets":{"additionalProperties":false,"type":"object","properties":{"service_token":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"hash":{"type":"string"},"id":{"type":"string"}},"required":["id"]},{"type":"string"}]},"ssl":{"additionalProperties":false,"type":"object","properties":{"key":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"hash":{"type":"string"},"id":{"type":"string"}},"required":["id"]},{"type":"string"}]}}}}},"service_token":{"nullable":true,"type":"string"},"shipper":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"compression_level":{"nullable":true,"type":"number"},"disk_queue_compression_enabled":{"nullable":true,"type":"boolean"},"disk_queue_enabled":{"default":false,"nullable":true,"type":"boolean"},"disk_queue_encryption_enabled":{"nullable":true,"type":"boolean"},"disk_queue_max_size":{"nullable":true,"type":"number"},"disk_queue_path":{"nullable":true,"type":"string"},"loadbalance":{"nullable":true,"type":"boolean"},"max_batch_bytes":{"nullable":true,"type":"number"},"mem_queue_events":{"nullable":true,"type":"number"},"queue_flush_timeout":{"nullable":true,"type":"number"}},"required":["disk_queue_path","disk_queue_max_size","disk_queue_encryption_enabled","disk_queue_compression_enabled","compression_level","loadbalance","mem_queue_events","queue_flush_timeout","max_batch_bytes"]},"ssl":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"certificate":{"type":"string"},"certificate_authorities":{"items":{"type":"string"},"maxItems":10,"type":"array"},"key":{"type":"string"},"verification_mode":{"enum":["full","none","certificate","strict"],"type":"string"}}},"sync_integrations":{"type":"boolean"},"sync_uninstalled_integrations":{"type":"boolean"},"type":{"enum":["remote_elasticsearch"],"type":"string"},"write_to_logs_streams":{"nullable":true,"type":"boolean"}}},{"additionalProperties":false,"type":"object","properties":{"allow_edit":{"items":{"type":"string"},"maxItems":1000,"type":"array"},"ca_sha256":{"nullable":true,"type":"string"},"ca_trusted_fingerprint":{"nullable":true,"type":"string"},"config_yaml":{"nullable":true,"type":"string"},"hosts":{"items":{"type":"string"},"maxItems":10,"minItems":1,"type":"array"},"id":{"type":"string"},"is_default":{"type":"boolean"},"is_default_monitoring":{"type":"boolean"},"is_internal":{"type":"boolean"},"is_preconfigured":{"type":"boolean"},"name":{"type":"string"},"proxy_id":{"nullable":true,"type":"string"},"secrets":{"additionalProperties":false,"type":"object","properties":{"ssl":{"additionalProperties":false,"type":"object","properties":{"key":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"hash":{"type":"string"},"id":{"type":"string"}},"required":["id"]},{"type":"string"}]}}}}},"shipper":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"compression_level":{"nullable":true,"type":"number"},"disk_queue_compression_enabled":{"nullable":true,"type":"boolean"},"disk_queue_enabled":{"default":false,"nullable":true,"type":"boolean"},"disk_queue_encryption_enabled":{"nullable":true,"type":"boolean"},"disk_queue_max_size":{"nullable":true,"type":"number"},"disk_queue_path":{"nullable":true,"type":"string"},"loadbalance":{"nullable":true,"type":"boolean"},"max_batch_bytes":{"nullable":true,"type":"number"},"mem_queue_events":{"nullable":true,"type":"number"},"queue_flush_timeout":{"nullable":true,"type":"number"}},"required":["disk_queue_path","disk_queue_max_size","disk_queue_encryption_enabled","disk_queue_compression_enabled","compression_level","loadbalance","mem_queue_events","queue_flush_timeout","max_batch_bytes"]},"ssl":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"certificate":{"type":"string"},"certificate_authorities":{"items":{"type":"string"},"maxItems":10,"type":"array"},"key":{"type":"string"},"verification_mode":{"enum":["full","none","certificate","strict"],"type":"string"}}},"type":{"enum":["logstash"],"type":"string"}}},{"additionalProperties":false,"type":"object","properties":{"allow_edit":{"items":{"type":"string"},"maxItems":1000,"type":"array"},"auth_type":{"enum":["none","user_pass","ssl","kerberos"],"type":"string"},"broker_timeout":{"type":"number"},"ca_sha256":{"nullable":true,"type":"string"},"ca_trusted_fingerprint":{"nullable":true,"type":"string"},"client_id":{"type":"string"},"compression":{"enum":["gzip","snappy","lz4","none"],"type":"string"},"compression_level":{"anyOf":[{"items":{},"type":"array"},{"type":"boolean"},{"type":"number"},{"type":"object"},{"type":"string"}],"nullable":true,"oneOf":[{"type":"number"},{"not":{}}]},"config_yaml":{"nullable":true,"type":"string"},"connection_type":{"anyOf":[{"items":{},"type":"array"},{"type":"boolean"},{"type":"number"},{"type":"object"},{"type":"string"}],"nullable":true,"oneOf":[{"enum":["plaintext","encryption"],"type":"string"},{"not":{}}]},"hash":{"additionalProperties":false,"type":"object","properties":{"hash":{"type":"string"},"random":{"type":"boolean"}}},"headers":{"items":{"additionalProperties":false,"type":"object","properties":{"key":{"type":"string"},"value":{"type":"string"}},"required":["key","value"]},"maxItems":100,"type":"array"},"hosts":{"items":{"type":"string"},"maxItems":10,"minItems":1,"type":"array"},"id":{"type":"string"},"is_default":{"default":false,"type":"boolean"},"is_default_monitoring":{"default":false,"type":"boolean"},"is_internal":{"type":"boolean"},"is_preconfigured":{"type":"boolean"},"key":{"type":"string"},"name":{"type":"string"},"partition":{"enum":["random","round_robin","hash"],"type":"string"},"password":{"anyOf":[{"items":{},"type":"array"},{"type":"boolean"},{"type":"number"},{"type":"object"},{"type":"string"}],"nullable":true,"oneOf":[{"not":{}},{"anyOf":[{"items":{},"type":"array"},{"type":"boolean"},{"type":"number"},{"type":"object"},{"type":"string"}],"nullable":true,"oneOf":[{"type":"string"},{"not":{}}]}]},"proxy_id":{"nullable":true,"type":"string"},"random":{"additionalProperties":false,"type":"object","properties":{"group_events":{"type":"number"}}},"required_acks":{"enum":[1,0,-1],"type":"integer"},"round_robin":{"additionalProperties":false,"type":"object","properties":{"group_events":{"type":"number"}}},"sasl":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"mechanism":{"enum":["PLAIN","SCRAM-SHA-256","SCRAM-SHA-512"],"type":"string"}}},"secrets":{"additionalProperties":false,"type":"object","properties":{"password":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"hash":{"type":"string"},"id":{"type":"string"}},"required":["id"]},{"type":"string"}]},"ssl":{"additionalProperties":false,"type":"object","properties":{"key":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"hash":{"type":"string"},"id":{"type":"string"}},"required":["id"]},{"type":"string"}]}},"required":["key"]}}},"shipper":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"compression_level":{"nullable":true,"type":"number"},"disk_queue_compression_enabled":{"nullable":true,"type":"boolean"},"disk_queue_enabled":{"default":false,"nullable":true,"type":"boolean"},"disk_queue_encryption_enabled":{"nullable":true,"type":"boolean"},"disk_queue_max_size":{"nullable":true,"type":"number"},"disk_queue_path":{"nullable":true,"type":"string"},"loadbalance":{"nullable":true,"type":"boolean"},"max_batch_bytes":{"nullable":true,"type":"number"},"mem_queue_events":{"nullable":true,"type":"number"},"queue_flush_timeout":{"nullable":true,"type":"number"}},"required":["disk_queue_path","disk_queue_max_size","disk_queue_encryption_enabled","disk_queue_compression_enabled","compression_level","loadbalance","mem_queue_events","queue_flush_timeout","max_batch_bytes"]},"ssl":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"certificate":{"type":"string"},"certificate_authorities":{"items":{"type":"string"},"maxItems":10,"type":"array"},"key":{"type":"string"},"verification_mode":{"enum":["full","none","certificate","strict"],"type":"string"}}},"timeout":{"type":"number"},"topic":{"type":"string"},"type":{"enum":["kafka"],"type":"string"},"username":{"anyOf":[{"items":{},"type":"array"},{"type":"boolean"},{"type":"number"},{"type":"object"},{"type":"string"}],"nullable":true,"oneOf":[{"type":"string"},{"not":{}}]},"version":{"type":"string"}},"required":["name","compression_level","connection_type","username","password"]}]}}}},"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"item":{"anyOf":[{"additionalProperties":true,"type":"object","properties":{"allow_edit":{"items":{"type":"string"},"maxItems":1000,"type":"array"},"ca_sha256":{"nullable":true,"type":"string"},"ca_trusted_fingerprint":{"nullable":true,"type":"string"},"config_yaml":{"nullable":true,"type":"string"},"hosts":{"items":{"format":"uri","type":"string"},"maxItems":10,"minItems":1,"type":"array"},"id":{"type":"string"},"is_default":{"default":false,"type":"boolean"},"is_default_monitoring":{"default":false,"type":"boolean"},"is_internal":{"type":"boolean"},"is_preconfigured":{"type":"boolean"},"name":{"type":"string"},"preset":{"enum":["balanced","custom","throughput","scale","latency"],"type":"string"},"proxy_id":{"nullable":true,"type":"string"},"secrets":{"additionalProperties":true,"type":"object","properties":{"ssl":{"additionalProperties":true,"type":"object","properties":{"key":{"anyOf":[{"additionalProperties":true,"type":"object","properties":{"hash":{"type":"string"},"id":{"type":"string"}},"required":["id"]},{"type":"string"}]}}}}},"shipper":{"additionalProperties":true,"nullable":true,"type":"object","properties":{"compression_level":{"nullable":true,"type":"number"},"disk_queue_compression_enabled":{"nullable":true,"type":"boolean"},"disk_queue_enabled":{"default":false,"nullable":true,"type":"boolean"},"disk_queue_encryption_enabled":{"nullable":true,"type":"boolean"},"disk_queue_max_size":{"nullable":true,"type":"number"},"disk_queue_path":{"nullable":true,"type":"string"},"loadbalance":{"nullable":true,"type":"boolean"},"max_batch_bytes":{"nullable":true,"type":"number"},"mem_queue_events":{"nullable":true,"type":"number"},"queue_flush_timeout":{"nullable":true,"type":"number"}},"required":["disk_queue_path","disk_queue_max_size","disk_queue_encryption_enabled","disk_queue_compression_enabled","compression_level","loadbalance","mem_queue_events","queue_flush_timeout","max_batch_bytes"]},"ssl":{"additionalProperties":true,"nullable":true,"type":"object","properties":{"certificate":{"type":"string"},"certificate_authorities":{"items":{"type":"string"},"maxItems":10,"type":"array"},"key":{"type":"string"},"verification_mode":{"enum":["full","none","certificate","strict"],"type":"string"}}},"type":{"enum":["elasticsearch"],"type":"string"},"write_to_logs_streams":{"nullable":true,"type":"boolean"}},"required":["name","type","hosts"]},{"additionalProperties":true,"type":"object","properties":{"allow_edit":{"items":{"type":"string"},"maxItems":1000,"type":"array"},"ca_sha256":{"nullable":true,"type":"string"},"ca_trusted_fingerprint":{"nullable":true,"type":"string"},"config_yaml":{"nullable":true,"type":"string"},"hosts":{"items":{"format":"uri","type":"string"},"maxItems":10,"minItems":1,"type":"array"},"id":{"type":"string"},"is_default":{"default":false,"type":"boolean"},"is_default_monitoring":{"default":false,"type":"boolean"},"is_internal":{"type":"boolean"},"is_preconfigured":{"type":"boolean"},"kibana_api_key":{"nullable":true,"type":"string"},"kibana_url":{"nullable":true,"type":"string"},"name":{"type":"string"},"preset":{"enum":["balanced","custom","throughput","scale","latency"],"type":"string"},"proxy_id":{"nullable":true,"type":"string"},"secrets":{"additionalProperties":true,"type":"object","properties":{"service_token":{"anyOf":[{"additionalProperties":true,"type":"object","properties":{"hash":{"type":"string"},"id":{"type":"string"}},"required":["id"]},{"type":"string"}]},"ssl":{"additionalProperties":true,"type":"object","properties":{"key":{"anyOf":[{"additionalProperties":true,"type":"object","properties":{"hash":{"type":"string"},"id":{"type":"string"}},"required":["id"]},{"type":"string"}]}}}}},"service_token":{"nullable":true,"type":"string"},"shipper":{"additionalProperties":true,"nullable":true,"type":"object","properties":{"compression_level":{"nullable":true,"type":"number"},"disk_queue_compression_enabled":{"nullable":true,"type":"boolean"},"disk_queue_enabled":{"default":false,"nullable":true,"type":"boolean"},"disk_queue_encryption_enabled":{"nullable":true,"type":"boolean"},"disk_queue_max_size":{"nullable":true,"type":"number"},"disk_queue_path":{"nullable":true,"type":"string"},"loadbalance":{"nullable":true,"type":"boolean"},"max_batch_bytes":{"nullable":true,"type":"number"},"mem_queue_events":{"nullable":true,"type":"number"},"queue_flush_timeout":{"nullable":true,"type":"number"}},"required":["disk_queue_path","disk_queue_max_size","disk_queue_encryption_enabled","disk_queue_compression_enabled","compression_level","loadbalance","mem_queue_events","queue_flush_timeout","max_batch_bytes"]},"ssl":{"additionalProperties":true,"nullable":true,"type":"object","properties":{"certificate":{"type":"string"},"certificate_authorities":{"items":{"type":"string"},"maxItems":10,"type":"array"},"key":{"type":"string"},"verification_mode":{"enum":["full","none","certificate","strict"],"type":"string"}}},"sync_integrations":{"type":"boolean"},"sync_uninstalled_integrations":{"type":"boolean"},"type":{"enum":["remote_elasticsearch"],"type":"string"},"write_to_logs_streams":{"nullable":true,"type":"boolean"}},"required":["name","type","hosts"]},{"additionalProperties":true,"type":"object","properties":{"allow_edit":{"items":{"type":"string"},"maxItems":1000,"type":"array"},"ca_sha256":{"nullable":true,"type":"string"},"ca_trusted_fingerprint":{"nullable":true,"type":"string"},"config_yaml":{"nullable":true,"type":"string"},"hosts":{"items":{"type":"string"},"maxItems":10,"minItems":1,"type":"array"},"id":{"type":"string"},"is_default":{"default":false,"type":"boolean"},"is_default_monitoring":{"default":false,"type":"boolean"},"is_internal":{"type":"boolean"},"is_preconfigured":{"type":"boolean"},"name":{"type":"string"},"proxy_id":{"nullable":true,"type":"string"},"secrets":{"additionalProperties":true,"type":"object","properties":{"ssl":{"additionalProperties":true,"type":"object","properties":{"key":{"anyOf":[{"additionalProperties":true,"type":"object","properties":{"hash":{"type":"string"},"id":{"type":"string"}},"required":["id"]},{"type":"string"}]}}}}},"shipper":{"additionalProperties":true,"nullable":true,"type":"object","properties":{"compression_level":{"nullable":true,"type":"number"},"disk_queue_compression_enabled":{"nullable":true,"type":"boolean"},"disk_queue_enabled":{"default":false,"nullable":true,"type":"boolean"},"disk_queue_encryption_enabled":{"nullable":true,"type":"boolean"},"disk_queue_max_size":{"nullable":true,"type":"number"},"disk_queue_path":{"nullable":true,"type":"string"},"loadbalance":{"nullable":true,"type":"boolean"},"max_batch_bytes":{"nullable":true,"type":"number"},"mem_queue_events":{"nullable":true,"type":"number"},"queue_flush_timeout":{"nullable":true,"type":"number"}},"required":["disk_queue_path","disk_queue_max_size","disk_queue_encryption_enabled","disk_queue_compression_enabled","compression_level","loadbalance","mem_queue_events","queue_flush_timeout","max_batch_bytes"]},"ssl":{"additionalProperties":true,"nullable":true,"type":"object","properties":{"certificate":{"type":"string"},"certificate_authorities":{"items":{"type":"string"},"maxItems":10,"type":"array"},"key":{"type":"string"},"verification_mode":{"enum":["full","none","certificate","strict"],"type":"string"}}},"type":{"enum":["logstash"],"type":"string"}},"required":["name","type","hosts"]},{"additionalProperties":true,"type":"object","properties":{"allow_edit":{"items":{"type":"string"},"maxItems":1000,"type":"array"},"auth_type":{"enum":["none","user_pass","ssl","kerberos"],"type":"string"},"broker_timeout":{"type":"number"},"ca_sha256":{"nullable":true,"type":"string"},"ca_trusted_fingerprint":{"nullable":true,"type":"string"},"client_id":{"type":"string"},"compression":{"enum":["gzip","snappy","lz4","none"],"type":"string"},"compression_level":{"anyOf":[{"items":{},"type":"array"},{"type":"boolean"},{"type":"number"},{"type":"object"},{"type":"string"}],"nullable":true,"oneOf":[{"type":"number"},{"not":{}}]},"config_yaml":{"nullable":true,"type":"string"},"connection_type":{"anyOf":[{"items":{},"type":"array"},{"type":"boolean"},{"type":"number"},{"type":"object"},{"type":"string"}],"nullable":true,"oneOf":[{"enum":["plaintext","encryption"],"type":"string"},{"not":{}}]},"hash":{"additionalProperties":true,"type":"object","properties":{"hash":{"type":"string"},"random":{"type":"boolean"}}},"headers":{"items":{"additionalProperties":true,"type":"object","properties":{"key":{"type":"string"},"value":{"type":"string"}},"required":["key","value"]},"maxItems":100,"type":"array"},"hosts":{"items":{"type":"string"},"maxItems":10,"minItems":1,"type":"array"},"id":{"type":"string"},"is_default":{"default":false,"type":"boolean"},"is_default_monitoring":{"default":false,"type":"boolean"},"is_internal":{"type":"boolean"},"is_preconfigured":{"type":"boolean"},"key":{"type":"string"},"name":{"type":"string"},"partition":{"enum":["random","round_robin","hash"],"type":"string"},"password":{"anyOf":[{"items":{},"type":"array"},{"type":"boolean"},{"type":"number"},{"type":"object"},{"type":"string"}],"nullable":true,"oneOf":[{"not":{}},{"anyOf":[{"items":{},"type":"array"},{"type":"boolean"},{"type":"number"},{"type":"object"},{"type":"string"}],"nullable":true,"oneOf":[{"type":"string"},{"not":{}}]}]},"proxy_id":{"nullable":true,"type":"string"},"random":{"additionalProperties":true,"type":"object","properties":{"group_events":{"type":"number"}}},"required_acks":{"enum":[1,0,-1],"type":"integer"},"round_robin":{"additionalProperties":true,"type":"object","properties":{"group_events":{"type":"number"}}},"sasl":{"additionalProperties":true,"nullable":true,"type":"object","properties":{"mechanism":{"enum":["PLAIN","SCRAM-SHA-256","SCRAM-SHA-512"],"type":"string"}}},"secrets":{"additionalProperties":true,"type":"object","properties":{"password":{"anyOf":[{"additionalProperties":true,"type":"object","properties":{"hash":{"type":"string"},"id":{"type":"string"}},"required":["id"]},{"type":"string"}]},"ssl":{"additionalProperties":true,"type":"object","properties":{"key":{"anyOf":[{"additionalProperties":true,"type":"object","properties":{"hash":{"type":"string"},"id":{"type":"string"}},"required":["id"]},{"type":"string"}]}},"required":["key"]}}},"shipper":{"additionalProperties":true,"nullable":true,"type":"object","properties":{"compression_level":{"nullable":true,"type":"number"},"disk_queue_compression_enabled":{"nullable":true,"type":"boolean"},"disk_queue_enabled":{"default":false,"nullable":true,"type":"boolean"},"disk_queue_encryption_enabled":{"nullable":true,"type":"boolean"},"disk_queue_max_size":{"nullable":true,"type":"number"},"disk_queue_path":{"nullable":true,"type":"string"},"loadbalance":{"nullable":true,"type":"boolean"},"max_batch_bytes":{"nullable":true,"type":"number"},"mem_queue_events":{"nullable":true,"type":"number"},"queue_flush_timeout":{"nullable":true,"type":"number"}},"required":["disk_queue_path","disk_queue_max_size","disk_queue_encryption_enabled","disk_queue_compression_enabled","compression_level","loadbalance","mem_queue_events","queue_flush_timeout","max_batch_bytes"]},"ssl":{"additionalProperties":true,"nullable":true,"type":"object","properties":{"certificate":{"type":"string"},"certificate_authorities":{"items":{"type":"string"},"maxItems":10,"type":"array"},"key":{"type":"string"},"verification_mode":{"enum":["full","none","certificate","strict"],"type":"string"}}},"timeout":{"type":"number"},"topic":{"type":"string"},"type":{"enum":["kafka"],"type":"string"},"username":{"anyOf":[{"items":{},"type":"array"},{"type":"boolean"},{"type":"number"},{"type":"object"},{"type":"string"}],"nullable":true,"oneOf":[{"type":"string"},{"not":{}}]},"version":{"type":"string"}},"required":["name","type","hosts","compression_level","auth_type","connection_type","username","password"]}]}},"required":["item"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Update output","tags":["Fleet outputs"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/outputs/{outputId}/health":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/outputs/{outputId}/health\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: fleet-settings-read.","operationId":"get-fleet-outputs-outputid-health","parameters":[{"in":"path","name":"outputId","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"message":{"description":"long message if unhealthy","type":"string"},"state":{"description":"state of output, HEALTHY or DEGRADED","type":"string"},"timestamp":{"description":"timestamp of reported state","type":"string"}},"required":["state","message","timestamp"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Get the latest output health","tags":["Fleet outputs"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/package_policies":{"get":{"operationId":"get-fleet-package-policies","parameters":[{"in":"query","name":"page","required":false,"schema":{"type":"number"}},{"in":"query","name":"perPage","required":false,"schema":{"type":"number"}},{"in":"query","name":"sortField","required":false,"schema":{"type":"string"}},{"in":"query","name":"sortOrder","required":false,"schema":{"enum":["desc","asc"],"type":"string"}},{"in":"query","name":"showUpgradeable","required":false,"schema":{"type":"boolean"}},{"in":"query","name":"kuery","required":false,"schema":{"type":"string"}},{"in":"query","name":"format","required":false,"schema":{"enum":["simplified","legacy"],"type":"string"}},{"in":"query","name":"withAgentCount","required":false,"schema":{"type":"boolean"}}],"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"items":{"items":{"additionalProperties":false,"type":"object","properties":{"additional_datastreams_permissions":{"description":"Additional datastream permissions, that will be added to the agent policy.","items":{"type":"string"},"maxItems":1000,"nullable":true,"type":"array"},"agents":{"type":"number"},"cloud_connector_id":{"description":"ID of the cloud connector associated with this package policy.","nullable":true,"type":"string"},"cloud_connector_name":{"description":"Transient field for cloud connector name during creation.","maxLength":255,"minLength":1,"nullable":true,"type":"string"},"created_at":{"type":"string"},"created_by":{"type":"string"},"description":{"description":"Package policy description","type":"string"},"elasticsearch":{"additionalProperties":true,"type":"object","properties":{"privileges":{"additionalProperties":true,"type":"object","properties":{"cluster":{"items":{"type":"string"},"maxItems":100,"type":"array"}}}}},"enabled":{"type":"boolean"},"id":{"description":"Package policy unique identifier.","type":"string"},"inputs":{"anyOf":[{"items":{"additionalProperties":false,"type":"object","properties":{"compiled_input":{},"config":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"},"enabled":{"type":"boolean"},"id":{"type":"string"},"keep_enabled":{"type":"boolean"},"policy_template":{"type":"string"},"streams":{"items":{"additionalProperties":false,"type":"object","properties":{"compiled_stream":{},"config":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"},"data_stream":{"additionalProperties":false,"type":"object","properties":{"dataset":{"type":"string"},"elasticsearch":{"additionalProperties":false,"type":"object","properties":{"dynamic_dataset":{"type":"boolean"},"dynamic_namespace":{"type":"boolean"},"privileges":{"additionalProperties":false,"type":"object","properties":{"indices":{"items":{"type":"string"},"maxItems":100,"type":"array"}}}}},"type":{"type":"string"}},"required":["dataset","type"]},"enabled":{"type":"boolean"},"id":{"type":"string"},"keep_enabled":{"type":"boolean"},"release":{"enum":["ga","beta","experimental"],"type":"string"},"vars":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"}},"required":["enabled","data_stream","compiled_stream"]},"maxItems":100,"type":"array"},"type":{"type":"string"},"vars":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"}},"required":["type","enabled","streams","compiled_input"]},"maxItems":100,"type":"array"},{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"enabled":{"description":"Enable or disable that input. Defaults to `true` (enabled).","type":"boolean"},"streams":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"enabled":{"description":"Enable or disable that stream. Defaults to `true` (enabled).","type":"boolean"},"vars":{"additionalProperties":{"anyOf":[{"type":"boolean"},{"type":"string"},{"type":"number"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input/stream level variable. Refer to the integration documentation for more information.","type":"object"}}},"description":"Input streams. Refer to the integration documentation to know which streams are available.","type":"object"},"vars":{"additionalProperties":{"anyOf":[{"type":"boolean"},{"type":"string"},{"type":"number"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input/stream level variable. Refer to the integration documentation for more information.","type":"object"}}},"description":"Package policy inputs. Refer to the integration documentation to know which inputs are available.","type":"object","x-oas-optional":true}],"description":"Package policy inputs."},"is_managed":{"type":"boolean"},"name":{"description":"Unique name for the package policy.","type":"string"},"namespace":{"description":"The package policy namespace. Leave blank to inherit the agent policy's namespace.","type":"string"},"output_id":{"nullable":true,"type":"string"},"overrides":{"additionalProperties":false,"description":"Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.","nullable":true,"type":"object","properties":{"inputs":{"additionalProperties":{},"type":"object"}}},"package":{"additionalProperties":false,"type":"object","properties":{"experimental_data_stream_features":{"items":{"additionalProperties":false,"type":"object","properties":{"data_stream":{"type":"string"},"features":{"additionalProperties":false,"type":"object","properties":{"doc_value_only_numeric":{"type":"boolean"},"doc_value_only_other":{"type":"boolean"},"synthetic_source":{"type":"boolean"},"tsdb":{"type":"boolean"}}}},"required":["data_stream","features"]},"maxItems":100,"type":"array"},"fips_compatible":{"type":"boolean"},"name":{"description":"Package name","type":"string"},"requires_root":{"type":"boolean"},"title":{"type":"string"},"version":{"description":"Package version","type":"string"}},"required":["name","version"]},"policy_id":{"deprecated":true,"description":"ID of the agent policy which the package policy will be added to.","nullable":true,"type":"string"},"policy_ids":{"items":{"description":"IDs of the agent policies which that package policy will be added to.","type":"string"},"type":"array"},"revision":{"description":"Package policy revision.","type":"number"},"secret_references":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},"maxItems":100,"type":"array"},"spaceIds":{"items":{"type":"string"},"maxItems":100,"type":"array"},"supports_agentless":{"default":false,"description":"Indicates whether the package policy belongs to an agentless agent policy.","nullable":true,"type":"boolean"},"supports_cloud_connector":{"default":false,"description":"Indicates whether the package policy supports cloud connectors.","nullable":true,"type":"boolean"},"updated_at":{"type":"string"},"updated_by":{"type":"string"},"vars":{"anyOf":[{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"},{"additionalProperties":{"anyOf":[{"type":"boolean"},{"type":"string"},{"type":"number"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input/stream level variable. Refer to the integration documentation for more information.","type":"object","x-oas-optional":true}],"description":"Package level variable."},"version":{"description":"Package policy ES version.","type":"string"}},"required":["name","enabled","inputs","id","revision","updated_at","updated_by","created_at","created_by"]},"maxItems":10000,"type":"array"},"page":{"type":"number"},"perPage":{"type":"number"},"total":{"type":"number"}},"required":["items","total","page","perPage"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Get package policies","tags":["Fleet package policies"],"x-metaTags":[{"content":"Kibana","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/package_policies\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information."},"post":{"operationId":"post-fleet-package-policies","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"query","name":"format","required":false,"schema":{"enum":["simplified","legacy"],"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"additional_datastreams_permissions":{"description":"Additional datastream permissions, that will be added to the agent policy.","items":{"type":"string"},"maxItems":1000,"nullable":true,"type":"array"},"cloud_connector_id":{"description":"ID of the cloud connector associated with this package policy.","nullable":true,"type":"string"},"cloud_connector_name":{"description":"Transient field for cloud connector name during creation.","maxLength":255,"minLength":1,"nullable":true,"type":"string"},"description":{"description":"Package policy description","type":"string"},"enabled":{"type":"boolean"},"force":{"description":"Force package policy creation even if the package is not verified, or if the agent policy is managed.","type":"boolean"},"id":{"description":"Package policy unique identifier","type":"string"},"inputs":{"items":{"additionalProperties":false,"type":"object","properties":{"config":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"},"enabled":{"type":"boolean"},"id":{"type":"string"},"keep_enabled":{"type":"boolean"},"policy_template":{"type":"string"},"streams":{"items":{"additionalProperties":false,"type":"object","properties":{"compiled_stream":{},"config":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"},"data_stream":{"additionalProperties":false,"type":"object","properties":{"dataset":{"type":"string"},"elasticsearch":{"additionalProperties":false,"type":"object","properties":{"dynamic_dataset":{"type":"boolean"},"dynamic_namespace":{"type":"boolean"},"privileges":{"additionalProperties":false,"type":"object","properties":{"indices":{"items":{"type":"string"},"maxItems":100,"type":"array"}}}}},"type":{"type":"string"}},"required":["dataset","type"]},"enabled":{"type":"boolean"},"id":{"type":"string"},"keep_enabled":{"type":"boolean"},"release":{"enum":["ga","beta","experimental"],"type":"string"},"vars":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"}},"required":["enabled","data_stream","compiled_stream"]},"maxItems":100,"type":"array"},"type":{"type":"string"},"vars":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"}},"required":["type","enabled"]},"maxItems":1000,"type":"array"},"is_managed":{"type":"boolean"},"name":{"description":"Unique name for the package policy.","type":"string"},"namespace":{"description":"The package policy namespace. Leave blank to inherit the agent policy's namespace.","type":"string"},"output_id":{"nullable":true,"type":"string"},"overrides":{"additionalProperties":false,"description":"Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.","nullable":true,"type":"object","properties":{"inputs":{"additionalProperties":{},"type":"object"}}},"package":{"additionalProperties":false,"type":"object","properties":{"experimental_data_stream_features":{"items":{"additionalProperties":false,"type":"object","properties":{"data_stream":{"type":"string"},"features":{"additionalProperties":false,"type":"object","properties":{"doc_value_only_numeric":{"type":"boolean"},"doc_value_only_other":{"type":"boolean"},"synthetic_source":{"type":"boolean"},"tsdb":{"type":"boolean"}}}},"required":["data_stream","features"]},"maxItems":100,"type":"array"},"fips_compatible":{"type":"boolean"},"name":{"description":"Package name","type":"string"},"requires_root":{"type":"boolean"},"title":{"type":"string"},"version":{"description":"Package version","type":"string"}},"required":["name","version"]},"policy_id":{"deprecated":true,"description":"ID of the agent policy which the package policy will be added to.","nullable":true,"type":"string"},"policy_ids":{"items":{"description":"IDs of the agent policies which that package policy will be added to.","type":"string"},"type":"array"},"spaceIds":{"items":{"type":"string"},"maxItems":100,"type":"array"},"supports_agentless":{"default":false,"deprecated":true,"description":"Indicates whether the package policy belongs to an agentless agent policy. Deprecated in favor of the Fleet agentless policies API.","nullable":true,"type":"boolean"},"supports_cloud_connector":{"default":false,"description":"Indicates whether the package policy supports cloud connectors.","nullable":true,"type":"boolean"},"vars":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"}},"required":["name","inputs"]},{"additionalProperties":false,"type":"object","properties":{"additional_datastreams_permissions":{"description":"Additional datastream permissions, that will be added to the agent policy.","items":{"type":"string"},"maxItems":100,"nullable":true,"type":"array"},"description":{"description":"Policy description.","type":"string"},"force":{"description":"Force package policy creation even if the package is not verified, or if the agent policy is managed.","type":"boolean"},"id":{"description":"Policy unique identifier.","type":"string"},"inputs":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"enabled":{"description":"Enable or disable that input. Defaults to `true` (enabled).","type":"boolean"},"streams":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"enabled":{"description":"Enable or disable that stream. Defaults to `true` (enabled).","type":"boolean"},"vars":{"additionalProperties":{"anyOf":[{"type":"boolean"},{"type":"string"},{"type":"number"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input/stream level variable. Refer to the integration documentation for more information.","type":"object"}}},"description":"Input streams. Refer to the integration documentation to know which streams are available.","type":"object"},"vars":{"additionalProperties":{"anyOf":[{"type":"boolean"},{"type":"string"},{"type":"number"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input/stream level variable. Refer to the integration documentation for more information.","type":"object"}}},"description":"Package policy inputs. Refer to the integration documentation to know which inputs are available.","type":"object"},"name":{"description":"Unique name for the policy.","type":"string"},"namespace":{"description":"Policy namespace. When not specified, it inherits the agent policy namespace.","type":"string"},"output_id":{"nullable":true,"type":"string"},"package":{"additionalProperties":false,"type":"object","properties":{"experimental_data_stream_features":{"items":{"additionalProperties":false,"type":"object","properties":{"data_stream":{"type":"string"},"features":{"additionalProperties":false,"type":"object","properties":{"doc_value_only_numeric":{"type":"boolean"},"doc_value_only_other":{"type":"boolean"},"synthetic_source":{"type":"boolean"},"tsdb":{"type":"boolean"}}}},"required":["data_stream","features"]},"maxItems":100,"type":"array"},"fips_compatible":{"type":"boolean"},"name":{"description":"Package name","type":"string"},"requires_root":{"type":"boolean"},"title":{"type":"string"},"version":{"description":"Package version","type":"string"}},"required":["name","version"]},"policy_id":{"deprecated":true,"description":"Deprecated. Use policy_ids instead.","nullable":true,"type":"string"},"policy_ids":{"description":"IDs of the agent policies which that package policy will be added to.","items":{"type":"string"},"type":"array"},"supports_agentless":{"default":false,"deprecated":true,"description":"Indicates whether the package policy belongs to an agentless agent policy. Deprecated in favor of the Fleet agentless policies API.","nullable":true,"type":"boolean"},"vars":{"additionalProperties":{"anyOf":[{"type":"boolean"},{"type":"string"},{"type":"number"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input/stream level variable. Refer to the integration documentation for more information.","type":"object"}},"required":["name","package"]}],"description":"You should use inputs as an object and not use the deprecated inputs array."}}}},"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"item":{"additionalProperties":false,"type":"object","properties":{"additional_datastreams_permissions":{"description":"Additional datastream permissions, that will be added to the agent policy.","items":{"type":"string"},"maxItems":1000,"nullable":true,"type":"array"},"agents":{"type":"number"},"cloud_connector_id":{"description":"ID of the cloud connector associated with this package policy.","nullable":true,"type":"string"},"cloud_connector_name":{"description":"Transient field for cloud connector name during creation.","maxLength":255,"minLength":1,"nullable":true,"type":"string"},"created_at":{"type":"string"},"created_by":{"type":"string"},"description":{"description":"Package policy description","type":"string"},"elasticsearch":{"additionalProperties":true,"type":"object","properties":{"privileges":{"additionalProperties":true,"type":"object","properties":{"cluster":{"items":{"type":"string"},"maxItems":100,"type":"array"}}}}},"enabled":{"type":"boolean"},"id":{"description":"Package policy unique identifier.","type":"string"},"inputs":{"anyOf":[{"items":{"additionalProperties":false,"type":"object","properties":{"compiled_input":{},"config":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"},"enabled":{"type":"boolean"},"id":{"type":"string"},"keep_enabled":{"type":"boolean"},"policy_template":{"type":"string"},"streams":{"items":{"additionalProperties":false,"type":"object","properties":{"compiled_stream":{},"config":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"},"data_stream":{"additionalProperties":false,"type":"object","properties":{"dataset":{"type":"string"},"elasticsearch":{"additionalProperties":false,"type":"object","properties":{"dynamic_dataset":{"type":"boolean"},"dynamic_namespace":{"type":"boolean"},"privileges":{"additionalProperties":false,"type":"object","properties":{"indices":{"items":{"type":"string"},"maxItems":100,"type":"array"}}}}},"type":{"type":"string"}},"required":["dataset","type"]},"enabled":{"type":"boolean"},"id":{"type":"string"},"keep_enabled":{"type":"boolean"},"release":{"enum":["ga","beta","experimental"],"type":"string"},"vars":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"}},"required":["enabled","data_stream","compiled_stream"]},"maxItems":100,"type":"array"},"type":{"type":"string"},"vars":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"}},"required":["type","enabled","streams","compiled_input"]},"maxItems":100,"type":"array"},{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"enabled":{"description":"Enable or disable that input. Defaults to `true` (enabled).","type":"boolean"},"streams":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"enabled":{"description":"Enable or disable that stream. Defaults to `true` (enabled).","type":"boolean"},"vars":{"additionalProperties":{"anyOf":[{"type":"boolean"},{"type":"string"},{"type":"number"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input/stream level variable. Refer to the integration documentation for more information.","type":"object"}}},"description":"Input streams. Refer to the integration documentation to know which streams are available.","type":"object"},"vars":{"additionalProperties":{"anyOf":[{"type":"boolean"},{"type":"string"},{"type":"number"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input/stream level variable. Refer to the integration documentation for more information.","type":"object"}}},"description":"Package policy inputs. Refer to the integration documentation to know which inputs are available.","type":"object","x-oas-optional":true}],"description":"Package policy inputs."},"is_managed":{"type":"boolean"},"name":{"description":"Unique name for the package policy.","type":"string"},"namespace":{"description":"The package policy namespace. Leave blank to inherit the agent policy's namespace.","type":"string"},"output_id":{"nullable":true,"type":"string"},"overrides":{"additionalProperties":false,"description":"Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.","nullable":true,"type":"object","properties":{"inputs":{"additionalProperties":{},"type":"object"}}},"package":{"additionalProperties":false,"type":"object","properties":{"experimental_data_stream_features":{"items":{"additionalProperties":false,"type":"object","properties":{"data_stream":{"type":"string"},"features":{"additionalProperties":false,"type":"object","properties":{"doc_value_only_numeric":{"type":"boolean"},"doc_value_only_other":{"type":"boolean"},"synthetic_source":{"type":"boolean"},"tsdb":{"type":"boolean"}}}},"required":["data_stream","features"]},"maxItems":100,"type":"array"},"fips_compatible":{"type":"boolean"},"name":{"description":"Package name","type":"string"},"requires_root":{"type":"boolean"},"title":{"type":"string"},"version":{"description":"Package version","type":"string"}},"required":["name","version"]},"policy_id":{"deprecated":true,"description":"ID of the agent policy which the package policy will be added to.","nullable":true,"type":"string"},"policy_ids":{"items":{"description":"IDs of the agent policies which that package policy will be added to.","type":"string"},"type":"array"},"revision":{"description":"Package policy revision.","type":"number"},"secret_references":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},"maxItems":100,"type":"array"},"spaceIds":{"items":{"type":"string"},"maxItems":100,"type":"array"},"supports_agentless":{"default":false,"description":"Indicates whether the package policy belongs to an agentless agent policy.","nullable":true,"type":"boolean"},"supports_cloud_connector":{"default":false,"description":"Indicates whether the package policy supports cloud connectors.","nullable":true,"type":"boolean"},"updated_at":{"type":"string"},"updated_by":{"type":"string"},"vars":{"anyOf":[{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"},{"additionalProperties":{"anyOf":[{"type":"boolean"},{"type":"string"},{"type":"number"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input/stream level variable. Refer to the integration documentation for more information.","type":"object","x-oas-optional":true}],"description":"Package level variable."},"version":{"description":"Package policy ES version.","type":"string"}},"required":["name","enabled","inputs","id","revision","updated_at","updated_by","created_at","created_by"]}},"required":["item"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."},"409":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A conflict occurred."}},"summary":"Create a package policy","tags":["Fleet package policies"],"x-metaTags":[{"content":"Kibana","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/package_policies\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information."}},"/api/fleet/package_policies/_bulk_get":{"post":{"operationId":"post-fleet-package-policies-bulk-get","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"query","name":"format","required":false,"schema":{"enum":["simplified","legacy"],"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"ids":{"description":"list of package policy ids","items":{"type":"string"},"maxItems":1000,"type":"array"},"ignoreMissing":{"type":"boolean"}},"required":["ids"]}}}},"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"items":{"items":{"additionalProperties":false,"type":"object","properties":{"additional_datastreams_permissions":{"description":"Additional datastream permissions, that will be added to the agent policy.","items":{"type":"string"},"maxItems":1000,"nullable":true,"type":"array"},"agents":{"type":"number"},"cloud_connector_id":{"description":"ID of the cloud connector associated with this package policy.","nullable":true,"type":"string"},"cloud_connector_name":{"description":"Transient field for cloud connector name during creation.","maxLength":255,"minLength":1,"nullable":true,"type":"string"},"created_at":{"type":"string"},"created_by":{"type":"string"},"description":{"description":"Package policy description","type":"string"},"elasticsearch":{"additionalProperties":true,"type":"object","properties":{"privileges":{"additionalProperties":true,"type":"object","properties":{"cluster":{"items":{"type":"string"},"maxItems":100,"type":"array"}}}}},"enabled":{"type":"boolean"},"id":{"description":"Package policy unique identifier.","type":"string"},"inputs":{"anyOf":[{"items":{"additionalProperties":false,"type":"object","properties":{"compiled_input":{},"config":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"},"enabled":{"type":"boolean"},"id":{"type":"string"},"keep_enabled":{"type":"boolean"},"policy_template":{"type":"string"},"streams":{"items":{"additionalProperties":false,"type":"object","properties":{"compiled_stream":{},"config":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"},"data_stream":{"additionalProperties":false,"type":"object","properties":{"dataset":{"type":"string"},"elasticsearch":{"additionalProperties":false,"type":"object","properties":{"dynamic_dataset":{"type":"boolean"},"dynamic_namespace":{"type":"boolean"},"privileges":{"additionalProperties":false,"type":"object","properties":{"indices":{"items":{"type":"string"},"maxItems":100,"type":"array"}}}}},"type":{"type":"string"}},"required":["dataset","type"]},"enabled":{"type":"boolean"},"id":{"type":"string"},"keep_enabled":{"type":"boolean"},"release":{"enum":["ga","beta","experimental"],"type":"string"},"vars":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"}},"required":["enabled","data_stream","compiled_stream"]},"maxItems":100,"type":"array"},"type":{"type":"string"},"vars":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"}},"required":["type","enabled","streams","compiled_input"]},"maxItems":100,"type":"array"},{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"enabled":{"description":"Enable or disable that input. Defaults to `true` (enabled).","type":"boolean"},"streams":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"enabled":{"description":"Enable or disable that stream. Defaults to `true` (enabled).","type":"boolean"},"vars":{"additionalProperties":{"anyOf":[{"type":"boolean"},{"type":"string"},{"type":"number"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input/stream level variable. Refer to the integration documentation for more information.","type":"object"}}},"description":"Input streams. Refer to the integration documentation to know which streams are available.","type":"object"},"vars":{"additionalProperties":{"anyOf":[{"type":"boolean"},{"type":"string"},{"type":"number"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input/stream level variable. Refer to the integration documentation for more information.","type":"object"}}},"description":"Package policy inputs. Refer to the integration documentation to know which inputs are available.","type":"object","x-oas-optional":true}],"description":"Package policy inputs."},"is_managed":{"type":"boolean"},"name":{"description":"Unique name for the package policy.","type":"string"},"namespace":{"description":"The package policy namespace. Leave blank to inherit the agent policy's namespace.","type":"string"},"output_id":{"nullable":true,"type":"string"},"overrides":{"additionalProperties":false,"description":"Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.","nullable":true,"type":"object","properties":{"inputs":{"additionalProperties":{},"type":"object"}}},"package":{"additionalProperties":false,"type":"object","properties":{"experimental_data_stream_features":{"items":{"additionalProperties":false,"type":"object","properties":{"data_stream":{"type":"string"},"features":{"additionalProperties":false,"type":"object","properties":{"doc_value_only_numeric":{"type":"boolean"},"doc_value_only_other":{"type":"boolean"},"synthetic_source":{"type":"boolean"},"tsdb":{"type":"boolean"}}}},"required":["data_stream","features"]},"maxItems":100,"type":"array"},"fips_compatible":{"type":"boolean"},"name":{"description":"Package name","type":"string"},"requires_root":{"type":"boolean"},"title":{"type":"string"},"version":{"description":"Package version","type":"string"}},"required":["name","version"]},"policy_id":{"deprecated":true,"description":"ID of the agent policy which the package policy will be added to.","nullable":true,"type":"string"},"policy_ids":{"items":{"description":"IDs of the agent policies which that package policy will be added to.","type":"string"},"type":"array"},"revision":{"description":"Package policy revision.","type":"number"},"secret_references":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},"maxItems":100,"type":"array"},"spaceIds":{"items":{"type":"string"},"maxItems":100,"type":"array"},"supports_agentless":{"default":false,"description":"Indicates whether the package policy belongs to an agentless agent policy.","nullable":true,"type":"boolean"},"supports_cloud_connector":{"default":false,"description":"Indicates whether the package policy supports cloud connectors.","nullable":true,"type":"boolean"},"updated_at":{"type":"string"},"updated_by":{"type":"string"},"vars":{"anyOf":[{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"},{"additionalProperties":{"anyOf":[{"type":"boolean"},{"type":"string"},{"type":"number"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input/stream level variable. Refer to the integration documentation for more information.","type":"object","x-oas-optional":true}],"description":"Package level variable."},"version":{"description":"Package policy ES version.","type":"string"}},"required":["name","enabled","inputs","id","revision","updated_at","updated_by","created_at","created_by"]},"maxItems":10000,"type":"array"}},"required":["items"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."},"404":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"message":{"type":"string"}},"required":["message"]}}},"description":"Not found."}},"summary":"Bulk get package policies","tags":["Fleet package policies"],"x-metaTags":[{"content":"Kibana","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/package_policies/_bulk_get\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information."}},"/api/fleet/package_policies/{packagePolicyId}":{"delete":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb delete\"\u003edelete\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/package_policies/{packagePolicyId}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nDelete a package policy by ID.\u003cbr/\u003e\u003cbr/\u003e[Required authorization] Route required privileges: fleet-agent-policies-all AND integrations-all.","operationId":"delete-fleet-package-policies-packagepolicyid","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"packagePolicyId","required":true,"schema":{"type":"string"}},{"in":"query","name":"force","required":false,"schema":{"type":"boolean"}}],"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Delete a package policy","tags":["Fleet package policies"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/package_policies/{packagePolicyId}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nGet a package policy by ID.","operationId":"get-fleet-package-policies-packagepolicyid","parameters":[{"in":"path","name":"packagePolicyId","required":true,"schema":{"type":"string"}},{"in":"query","name":"format","required":false,"schema":{"enum":["simplified","legacy"],"type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"item":{"additionalProperties":false,"type":"object","properties":{"additional_datastreams_permissions":{"description":"Additional datastream permissions, that will be added to the agent policy.","items":{"type":"string"},"maxItems":1000,"nullable":true,"type":"array"},"agents":{"type":"number"},"cloud_connector_id":{"description":"ID of the cloud connector associated with this package policy.","nullable":true,"type":"string"},"cloud_connector_name":{"description":"Transient field for cloud connector name during creation.","maxLength":255,"minLength":1,"nullable":true,"type":"string"},"created_at":{"type":"string"},"created_by":{"type":"string"},"description":{"description":"Package policy description","type":"string"},"elasticsearch":{"additionalProperties":true,"type":"object","properties":{"privileges":{"additionalProperties":true,"type":"object","properties":{"cluster":{"items":{"type":"string"},"maxItems":100,"type":"array"}}}}},"enabled":{"type":"boolean"},"id":{"description":"Package policy unique identifier.","type":"string"},"inputs":{"anyOf":[{"items":{"additionalProperties":false,"type":"object","properties":{"compiled_input":{},"config":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"},"enabled":{"type":"boolean"},"id":{"type":"string"},"keep_enabled":{"type":"boolean"},"policy_template":{"type":"string"},"streams":{"items":{"additionalProperties":false,"type":"object","properties":{"compiled_stream":{},"config":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"},"data_stream":{"additionalProperties":false,"type":"object","properties":{"dataset":{"type":"string"},"elasticsearch":{"additionalProperties":false,"type":"object","properties":{"dynamic_dataset":{"type":"boolean"},"dynamic_namespace":{"type":"boolean"},"privileges":{"additionalProperties":false,"type":"object","properties":{"indices":{"items":{"type":"string"},"maxItems":100,"type":"array"}}}}},"type":{"type":"string"}},"required":["dataset","type"]},"enabled":{"type":"boolean"},"id":{"type":"string"},"keep_enabled":{"type":"boolean"},"release":{"enum":["ga","beta","experimental"],"type":"string"},"vars":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"}},"required":["enabled","data_stream","compiled_stream"]},"maxItems":100,"type":"array"},"type":{"type":"string"},"vars":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"}},"required":["type","enabled","streams","compiled_input"]},"maxItems":100,"type":"array"},{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"enabled":{"description":"Enable or disable that input. Defaults to `true` (enabled).","type":"boolean"},"streams":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"enabled":{"description":"Enable or disable that stream. Defaults to `true` (enabled).","type":"boolean"},"vars":{"additionalProperties":{"anyOf":[{"type":"boolean"},{"type":"string"},{"type":"number"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input/stream level variable. Refer to the integration documentation for more information.","type":"object"}}},"description":"Input streams. Refer to the integration documentation to know which streams are available.","type":"object"},"vars":{"additionalProperties":{"anyOf":[{"type":"boolean"},{"type":"string"},{"type":"number"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input/stream level variable. Refer to the integration documentation for more information.","type":"object"}}},"description":"Package policy inputs. Refer to the integration documentation to know which inputs are available.","type":"object","x-oas-optional":true}],"description":"Package policy inputs."},"is_managed":{"type":"boolean"},"name":{"description":"Unique name for the package policy.","type":"string"},"namespace":{"description":"The package policy namespace. Leave blank to inherit the agent policy's namespace.","type":"string"},"output_id":{"nullable":true,"type":"string"},"overrides":{"additionalProperties":false,"description":"Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.","nullable":true,"type":"object","properties":{"inputs":{"additionalProperties":{},"type":"object"}}},"package":{"additionalProperties":false,"type":"object","properties":{"experimental_data_stream_features":{"items":{"additionalProperties":false,"type":"object","properties":{"data_stream":{"type":"string"},"features":{"additionalProperties":false,"type":"object","properties":{"doc_value_only_numeric":{"type":"boolean"},"doc_value_only_other":{"type":"boolean"},"synthetic_source":{"type":"boolean"},"tsdb":{"type":"boolean"}}}},"required":["data_stream","features"]},"maxItems":100,"type":"array"},"fips_compatible":{"type":"boolean"},"name":{"description":"Package name","type":"string"},"requires_root":{"type":"boolean"},"title":{"type":"string"},"version":{"description":"Package version","type":"string"}},"required":["name","version"]},"policy_id":{"deprecated":true,"description":"ID of the agent policy which the package policy will be added to.","nullable":true,"type":"string"},"policy_ids":{"items":{"description":"IDs of the agent policies which that package policy will be added to.","type":"string"},"type":"array"},"revision":{"description":"Package policy revision.","type":"number"},"secret_references":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},"maxItems":100,"type":"array"},"spaceIds":{"items":{"type":"string"},"maxItems":100,"type":"array"},"supports_agentless":{"default":false,"description":"Indicates whether the package policy belongs to an agentless agent policy.","nullable":true,"type":"boolean"},"supports_cloud_connector":{"default":false,"description":"Indicates whether the package policy supports cloud connectors.","nullable":true,"type":"boolean"},"updated_at":{"type":"string"},"updated_by":{"type":"string"},"vars":{"anyOf":[{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"},{"additionalProperties":{"anyOf":[{"type":"boolean"},{"type":"string"},{"type":"number"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input/stream level variable. Refer to the integration documentation for more information.","type":"object","x-oas-optional":true}],"description":"Package level variable."},"version":{"description":"Package policy ES version.","type":"string"}},"required":["name","enabled","inputs","id","revision","updated_at","updated_by","created_at","created_by"]}},"required":["item"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."},"404":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"message":{"type":"string"}},"required":["message"]}}},"description":"Not found."}},"summary":"Get a package policy","tags":["Fleet package policies"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"put":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb put\"\u003eput\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/package_policies/{packagePolicyId}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nUpdate a package policy by ID.","operationId":"put-fleet-package-policies-packagepolicyid","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"packagePolicyId","required":true,"schema":{"type":"string"}},{"in":"query","name":"format","required":false,"schema":{"enum":["simplified","legacy"],"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"additional_datastreams_permissions":{"description":"Additional datastream permissions, that will be added to the agent policy.","items":{"type":"string"},"maxItems":1000,"nullable":true,"type":"array"},"cloud_connector_id":{"description":"ID of the cloud connector associated with this package policy.","nullable":true,"type":"string"},"cloud_connector_name":{"description":"Transient field for cloud connector name during creation.","maxLength":255,"minLength":1,"nullable":true,"type":"string"},"description":{"description":"Package policy description","type":"string"},"enabled":{"type":"boolean"},"force":{"type":"boolean"},"inputs":{"items":{"additionalProperties":false,"type":"object","properties":{"config":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"},"enabled":{"type":"boolean"},"id":{"type":"string"},"keep_enabled":{"type":"boolean"},"policy_template":{"type":"string"},"streams":{"items":{"additionalProperties":false,"type":"object","properties":{"compiled_stream":{},"config":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"},"data_stream":{"additionalProperties":false,"type":"object","properties":{"dataset":{"type":"string"},"elasticsearch":{"additionalProperties":false,"type":"object","properties":{"dynamic_dataset":{"type":"boolean"},"dynamic_namespace":{"type":"boolean"},"privileges":{"additionalProperties":false,"type":"object","properties":{"indices":{"items":{"type":"string"},"maxItems":100,"type":"array"}}}}},"type":{"type":"string"}},"required":["dataset","type"]},"enabled":{"type":"boolean"},"id":{"type":"string"},"keep_enabled":{"type":"boolean"},"release":{"enum":["ga","beta","experimental"],"type":"string"},"vars":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"}},"required":["enabled","data_stream","compiled_stream"]},"maxItems":100,"type":"array"},"type":{"type":"string"},"vars":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"}},"required":["type","enabled"]},"maxItems":100,"type":"array"},"is_managed":{"type":"boolean"},"name":{"type":"string"},"namespace":{"description":"The package policy namespace. Leave blank to inherit the agent policy's namespace.","type":"string"},"output_id":{"nullable":true,"type":"string"},"overrides":{"additionalProperties":false,"description":"Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.","nullable":true,"type":"object","properties":{"inputs":{"additionalProperties":{},"type":"object"}}},"package":{"additionalProperties":false,"type":"object","properties":{"experimental_data_stream_features":{"items":{"additionalProperties":false,"type":"object","properties":{"data_stream":{"type":"string"},"features":{"additionalProperties":false,"type":"object","properties":{"doc_value_only_numeric":{"type":"boolean"},"doc_value_only_other":{"type":"boolean"},"synthetic_source":{"type":"boolean"},"tsdb":{"type":"boolean"}}}},"required":["data_stream","features"]},"maxItems":100,"type":"array"},"fips_compatible":{"type":"boolean"},"name":{"description":"Package name","type":"string"},"requires_root":{"type":"boolean"},"title":{"type":"string"},"version":{"description":"Package version","type":"string"}},"required":["name","version"]},"policy_id":{"deprecated":true,"description":"ID of the agent policy which the package policy will be added to.","nullable":true,"type":"string"},"policy_ids":{"items":{"description":"IDs of the agent policies which that package policy will be added to.","type":"string"},"type":"array"},"spaceIds":{"items":{"type":"string"},"maxItems":100,"type":"array"},"supports_agentless":{"default":false,"description":"Indicates whether the package policy belongs to an agentless agent policy.","nullable":true,"type":"boolean"},"supports_cloud_connector":{"default":false,"description":"Indicates whether the package policy supports cloud connectors.","nullable":true,"type":"boolean"},"vars":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"},"version":{"type":"string"}}},{"additionalProperties":false,"type":"object","properties":{"additional_datastreams_permissions":{"description":"Additional datastream permissions, that will be added to the agent policy.","items":{"type":"string"},"maxItems":100,"nullable":true,"type":"array"},"description":{"description":"Policy description.","type":"string"},"force":{"description":"Force package policy creation even if the package is not verified, or if the agent policy is managed.","type":"boolean"},"id":{"description":"Policy unique identifier.","type":"string"},"inputs":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"enabled":{"description":"Enable or disable that input. Defaults to `true` (enabled).","type":"boolean"},"streams":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"enabled":{"description":"Enable or disable that stream. Defaults to `true` (enabled).","type":"boolean"},"vars":{"additionalProperties":{"anyOf":[{"type":"boolean"},{"type":"string"},{"type":"number"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input/stream level variable. Refer to the integration documentation for more information.","type":"object"}}},"description":"Input streams. Refer to the integration documentation to know which streams are available.","type":"object"},"vars":{"additionalProperties":{"anyOf":[{"type":"boolean"},{"type":"string"},{"type":"number"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input/stream level variable. Refer to the integration documentation for more information.","type":"object"}}},"description":"Package policy inputs. Refer to the integration documentation to know which inputs are available.","type":"object"},"name":{"description":"Unique name for the policy.","type":"string"},"namespace":{"description":"Policy namespace. When not specified, it inherits the agent policy namespace.","type":"string"},"output_id":{"nullable":true,"type":"string"},"package":{"additionalProperties":false,"type":"object","properties":{"experimental_data_stream_features":{"items":{"additionalProperties":false,"type":"object","properties":{"data_stream":{"type":"string"},"features":{"additionalProperties":false,"type":"object","properties":{"doc_value_only_numeric":{"type":"boolean"},"doc_value_only_other":{"type":"boolean"},"synthetic_source":{"type":"boolean"},"tsdb":{"type":"boolean"}}}},"required":["data_stream","features"]},"maxItems":100,"type":"array"},"fips_compatible":{"type":"boolean"},"name":{"description":"Package name","type":"string"},"requires_root":{"type":"boolean"},"title":{"type":"string"},"version":{"description":"Package version","type":"string"}},"required":["name","version"]},"policy_id":{"deprecated":true,"description":"Deprecated. Use policy_ids instead.","nullable":true,"type":"string"},"policy_ids":{"description":"IDs of the agent policies which that package policy will be added to.","items":{"type":"string"},"type":"array"},"supports_agentless":{"default":false,"deprecated":true,"description":"Indicates whether the package policy belongs to an agentless agent policy. Deprecated in favor of the Fleet agentless policies API.","nullable":true,"type":"boolean"},"vars":{"additionalProperties":{"anyOf":[{"type":"boolean"},{"type":"string"},{"type":"number"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input/stream level variable. Refer to the integration documentation for more information.","type":"object"}},"required":["name","package"]}]}}}},"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"item":{"additionalProperties":false,"type":"object","properties":{"additional_datastreams_permissions":{"description":"Additional datastream permissions, that will be added to the agent policy.","items":{"type":"string"},"maxItems":1000,"nullable":true,"type":"array"},"agents":{"type":"number"},"cloud_connector_id":{"description":"ID of the cloud connector associated with this package policy.","nullable":true,"type":"string"},"cloud_connector_name":{"description":"Transient field for cloud connector name during creation.","maxLength":255,"minLength":1,"nullable":true,"type":"string"},"created_at":{"type":"string"},"created_by":{"type":"string"},"description":{"description":"Package policy description","type":"string"},"elasticsearch":{"additionalProperties":true,"type":"object","properties":{"privileges":{"additionalProperties":true,"type":"object","properties":{"cluster":{"items":{"type":"string"},"maxItems":100,"type":"array"}}}}},"enabled":{"type":"boolean"},"id":{"description":"Package policy unique identifier.","type":"string"},"inputs":{"anyOf":[{"items":{"additionalProperties":false,"type":"object","properties":{"compiled_input":{},"config":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"},"enabled":{"type":"boolean"},"id":{"type":"string"},"keep_enabled":{"type":"boolean"},"policy_template":{"type":"string"},"streams":{"items":{"additionalProperties":false,"type":"object","properties":{"compiled_stream":{},"config":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"},"data_stream":{"additionalProperties":false,"type":"object","properties":{"dataset":{"type":"string"},"elasticsearch":{"additionalProperties":false,"type":"object","properties":{"dynamic_dataset":{"type":"boolean"},"dynamic_namespace":{"type":"boolean"},"privileges":{"additionalProperties":false,"type":"object","properties":{"indices":{"items":{"type":"string"},"maxItems":100,"type":"array"}}}}},"type":{"type":"string"}},"required":["dataset","type"]},"enabled":{"type":"boolean"},"id":{"type":"string"},"keep_enabled":{"type":"boolean"},"release":{"enum":["ga","beta","experimental"],"type":"string"},"vars":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"}},"required":["enabled","data_stream","compiled_stream"]},"maxItems":100,"type":"array"},"type":{"type":"string"},"vars":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"}},"required":["type","enabled","streams","compiled_input"]},"maxItems":100,"type":"array"},{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"enabled":{"description":"Enable or disable that input. Defaults to `true` (enabled).","type":"boolean"},"streams":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"enabled":{"description":"Enable or disable that stream. Defaults to `true` (enabled).","type":"boolean"},"vars":{"additionalProperties":{"anyOf":[{"type":"boolean"},{"type":"string"},{"type":"number"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input/stream level variable. Refer to the integration documentation for more information.","type":"object"}}},"description":"Input streams. Refer to the integration documentation to know which streams are available.","type":"object"},"vars":{"additionalProperties":{"anyOf":[{"type":"boolean"},{"type":"string"},{"type":"number"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input/stream level variable. Refer to the integration documentation for more information.","type":"object"}}},"description":"Package policy inputs. Refer to the integration documentation to know which inputs are available.","type":"object","x-oas-optional":true}],"description":"Package policy inputs."},"is_managed":{"type":"boolean"},"name":{"description":"Unique name for the package policy.","type":"string"},"namespace":{"description":"The package policy namespace. Leave blank to inherit the agent policy's namespace.","type":"string"},"output_id":{"nullable":true,"type":"string"},"overrides":{"additionalProperties":false,"description":"Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.","nullable":true,"type":"object","properties":{"inputs":{"additionalProperties":{},"type":"object"}}},"package":{"additionalProperties":false,"type":"object","properties":{"experimental_data_stream_features":{"items":{"additionalProperties":false,"type":"object","properties":{"data_stream":{"type":"string"},"features":{"additionalProperties":false,"type":"object","properties":{"doc_value_only_numeric":{"type":"boolean"},"doc_value_only_other":{"type":"boolean"},"synthetic_source":{"type":"boolean"},"tsdb":{"type":"boolean"}}}},"required":["data_stream","features"]},"maxItems":100,"type":"array"},"fips_compatible":{"type":"boolean"},"name":{"description":"Package name","type":"string"},"requires_root":{"type":"boolean"},"title":{"type":"string"},"version":{"description":"Package version","type":"string"}},"required":["name","version"]},"policy_id":{"deprecated":true,"description":"ID of the agent policy which the package policy will be added to.","nullable":true,"type":"string"},"policy_ids":{"items":{"description":"IDs of the agent policies which that package policy will be added to.","type":"string"},"type":"array"},"revision":{"description":"Package policy revision.","type":"number"},"secret_references":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},"maxItems":100,"type":"array"},"spaceIds":{"items":{"type":"string"},"maxItems":100,"type":"array"},"supports_agentless":{"default":false,"description":"Indicates whether the package policy belongs to an agentless agent policy.","nullable":true,"type":"boolean"},"supports_cloud_connector":{"default":false,"description":"Indicates whether the package policy supports cloud connectors.","nullable":true,"type":"boolean"},"updated_at":{"type":"string"},"updated_by":{"type":"string"},"vars":{"anyOf":[{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"},{"additionalProperties":{"anyOf":[{"type":"boolean"},{"type":"string"},{"type":"number"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input/stream level variable. Refer to the integration documentation for more information.","type":"object","x-oas-optional":true}],"description":"Package level variable."},"version":{"description":"Package policy ES version.","type":"string"}},"required":["name","enabled","inputs","id","revision","updated_at","updated_by","created_at","created_by"]}},"required":["item"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."},"403":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Forbidden."}},"summary":"Update a package policy","tags":["Fleet package policies"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/package_policies/delete":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/package_policies/delete\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: fleet-agent-policies-all AND integrations-all.","operationId":"post-fleet-package-policies-delete","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"force":{"type":"boolean"},"packagePolicyIds":{"items":{"type":"string"},"maxItems":1000,"type":"array"}},"required":["packagePolicyIds"]}}}},"responses":{"200":{"content":{"application/json":{"schema":{"items":{"additionalProperties":false,"type":"object","properties":{"body":{"additionalProperties":false,"type":"object","properties":{"message":{"type":"string"}},"required":["message"]},"id":{"type":"string"},"name":{"type":"string"},"output_id":{"nullable":true,"type":"string"},"package":{"additionalProperties":false,"type":"object","properties":{"experimental_data_stream_features":{"items":{"additionalProperties":false,"type":"object","properties":{"data_stream":{"type":"string"},"features":{"additionalProperties":false,"type":"object","properties":{"doc_value_only_numeric":{"type":"boolean"},"doc_value_only_other":{"type":"boolean"},"synthetic_source":{"type":"boolean"},"tsdb":{"type":"boolean"}}}},"required":["data_stream","features"]},"maxItems":100,"type":"array"},"fips_compatible":{"type":"boolean"},"name":{"description":"Package name","type":"string"},"requires_root":{"type":"boolean"},"title":{"type":"string"},"version":{"description":"Package version","type":"string"}},"required":["name","version"]},"policy_id":{"deprecated":true,"description":"Use `policy_ids` instead","nullable":true,"type":"string"},"policy_ids":{"items":{"type":"string"},"maxItems":10000,"type":"array"},"statusCode":{"type":"number"},"success":{"type":"boolean"}},"required":["id","success","policy_ids","package"]},"maxItems":10000,"type":"array"}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Bulk delete package policies","tags":["Fleet package policies"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/package_policies/upgrade":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/package_policies/upgrade\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nUpgrade a package policy to a newer package version.\u003cbr/\u003e\u003cbr/\u003e[Required authorization] Route required privileges: fleet-agent-policies-all AND integrations-all.","operationId":"post-fleet-package-policies-upgrade","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"packagePolicyIds":{"items":{"type":"string"},"maxItems":1000,"type":"array"}},"required":["packagePolicyIds"]}}}},"responses":{"200":{"content":{"application/json":{"schema":{"items":{"additionalProperties":false,"type":"object","properties":{"body":{"additionalProperties":false,"type":"object","properties":{"message":{"type":"string"}},"required":["message"]},"id":{"type":"string"},"name":{"type":"string"},"statusCode":{"type":"number"},"success":{"type":"boolean"}},"required":["id","success"]},"maxItems":10000,"type":"array"}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Upgrade a package policy","tags":["Fleet package policies"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/package_policies/upgrade/dryrun":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/package_policies/upgrade/dryrun\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: fleet-agent-policies-read AND integrations-read.","operationId":"post-fleet-package-policies-upgrade-dryrun","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"packagePolicyIds":{"items":{"type":"string"},"maxItems":1000,"type":"array"},"packageVersion":{"type":"string"}},"required":["packagePolicyIds"]}}}},"responses":{"200":{"content":{"application/json":{"schema":{"items":{"additionalProperties":false,"type":"object","properties":{"agent_diff":{"items":{"items":{"additionalProperties":true,"type":"object","properties":{"data_stream":{"additionalProperties":true,"type":"object","properties":{"namespace":{"type":"string"}},"required":["namespace"]},"id":{"type":"string"},"meta":{"additionalProperties":true,"type":"object","properties":{"package":{"additionalProperties":true,"type":"object","properties":{"name":{"type":"string"},"version":{"type":"string"}},"required":["name","version"]}},"required":["package"]},"name":{"type":"string"},"package_policy_id":{"type":"string"},"processors":{"items":{"additionalProperties":true,"type":"object","properties":{"add_fields":{"additionalProperties":true,"type":"object","properties":{"fields":{"additionalProperties":{"anyOf":[{"type":"string"},{"type":"number"}]},"type":"object"},"target":{"type":"string"}},"required":["target","fields"]}},"required":["add_fields"]},"maxItems":10000,"type":"array"},"revision":{"type":"number"},"streams":{"items":{"additionalProperties":true,"type":"object","properties":{"data_stream":{"additionalProperties":true,"type":"object","properties":{"dataset":{"type":"string"},"type":{"type":"string"}},"required":["dataset"]},"id":{"type":"string"}},"required":["data_stream"]},"maxItems":10000,"type":"array"},"type":{"type":"string"},"use_output":{"type":"string"}},"required":["id","name","revision","type","data_stream","use_output","package_policy_id"]},"maxItems":10000,"type":"array"},"maxItems":1,"type":"array"},"body":{"additionalProperties":false,"type":"object","properties":{"message":{"type":"string"}},"required":["message"]},"diff":{"items":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"additional_datastreams_permissions":{"description":"Additional datastream permissions, that will be added to the agent policy.","items":{"type":"string"},"maxItems":1000,"nullable":true,"type":"array"},"agents":{"type":"number"},"cloud_connector_id":{"description":"ID of the cloud connector associated with this package policy.","nullable":true,"type":"string"},"cloud_connector_name":{"description":"Transient field for cloud connector name during creation.","maxLength":255,"minLength":1,"nullable":true,"type":"string"},"created_at":{"type":"string"},"created_by":{"type":"string"},"description":{"description":"Package policy description","type":"string"},"elasticsearch":{"additionalProperties":true,"type":"object","properties":{"privileges":{"additionalProperties":true,"type":"object","properties":{"cluster":{"items":{"type":"string"},"maxItems":100,"type":"array"}}}}},"enabled":{"type":"boolean"},"id":{"type":"string"},"inputs":{"anyOf":[{"items":{"additionalProperties":false,"type":"object","properties":{"compiled_input":{},"config":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"},"enabled":{"type":"boolean"},"id":{"type":"string"},"keep_enabled":{"type":"boolean"},"policy_template":{"type":"string"},"streams":{"items":{"additionalProperties":false,"type":"object","properties":{"compiled_stream":{},"config":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"},"data_stream":{"additionalProperties":false,"type":"object","properties":{"dataset":{"type":"string"},"elasticsearch":{"additionalProperties":false,"type":"object","properties":{"dynamic_dataset":{"type":"boolean"},"dynamic_namespace":{"type":"boolean"},"privileges":{"additionalProperties":false,"type":"object","properties":{"indices":{"items":{"type":"string"},"maxItems":100,"type":"array"}}}}},"type":{"type":"string"}},"required":["dataset","type"]},"enabled":{"type":"boolean"},"id":{"type":"string"},"keep_enabled":{"type":"boolean"},"release":{"enum":["ga","beta","experimental"],"type":"string"},"vars":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"}},"required":["enabled","data_stream","compiled_stream"]},"maxItems":100,"type":"array"},"type":{"type":"string"},"vars":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"}},"required":["type","enabled","streams","compiled_input"]},"maxItems":100,"type":"array"},{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"enabled":{"description":"Enable or disable that input. Defaults to `true` (enabled).","type":"boolean"},"streams":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"enabled":{"description":"Enable or disable that stream. Defaults to `true` (enabled).","type":"boolean"},"vars":{"additionalProperties":{"anyOf":[{"type":"boolean"},{"type":"string"},{"type":"number"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input/stream level variable. Refer to the integration documentation for more information.","type":"object"}}},"description":"Input streams. Refer to the integration documentation to know which streams are available.","type":"object"},"vars":{"additionalProperties":{"anyOf":[{"type":"boolean"},{"type":"string"},{"type":"number"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input/stream level variable. Refer to the integration documentation for more information.","type":"object"}}},"description":"Package policy inputs. Refer to the integration documentation to know which inputs are available.","type":"object","x-oas-optional":true}],"description":"Package policy inputs."},"is_managed":{"type":"boolean"},"name":{"description":"Unique name for the package policy.","type":"string"},"namespace":{"description":"The package policy namespace. Leave blank to inherit the agent policy's namespace.","type":"string"},"output_id":{"nullable":true,"type":"string"},"overrides":{"additionalProperties":false,"description":"Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.","nullable":true,"type":"object","properties":{"inputs":{"additionalProperties":{},"type":"object"}}},"package":{"additionalProperties":false,"type":"object","properties":{"experimental_data_stream_features":{"items":{"additionalProperties":false,"type":"object","properties":{"data_stream":{"type":"string"},"features":{"additionalProperties":false,"type":"object","properties":{"doc_value_only_numeric":{"type":"boolean"},"doc_value_only_other":{"type":"boolean"},"synthetic_source":{"type":"boolean"},"tsdb":{"type":"boolean"}}}},"required":["data_stream","features"]},"maxItems":100,"type":"array"},"fips_compatible":{"type":"boolean"},"name":{"description":"Package name","type":"string"},"requires_root":{"type":"boolean"},"title":{"type":"string"},"version":{"description":"Package version","type":"string"}},"required":["name","version"]},"policy_id":{"deprecated":true,"description":"ID of the agent policy which the package policy will be added to.","nullable":true,"type":"string"},"policy_ids":{"items":{"description":"IDs of the agent policies which that package policy will be added to.","type":"string"},"type":"array"},"revision":{"description":"Package policy revision.","type":"number"},"secret_references":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},"maxItems":100,"type":"array"},"spaceIds":{"items":{"type":"string"},"maxItems":100,"type":"array"},"supports_agentless":{"default":false,"description":"Indicates whether the package policy belongs to an agentless agent policy.","nullable":true,"type":"boolean"},"supports_cloud_connector":{"default":false,"description":"Indicates whether the package policy supports cloud connectors.","nullable":true,"type":"boolean"},"updated_at":{"type":"string"},"updated_by":{"type":"string"},"vars":{"anyOf":[{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"},{"additionalProperties":{"anyOf":[{"type":"boolean"},{"type":"string"},{"type":"number"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input/stream level variable. Refer to the integration documentation for more information.","type":"object","x-oas-optional":true}],"description":"Package level variable."},"version":{"description":"Package policy ES version.","type":"string"}},"required":["name","enabled","inputs","revision","updated_at","updated_by","created_at","created_by"]},{"additionalProperties":true,"type":"object","properties":{"additional_datastreams_permissions":{"description":"Additional datastream permissions, that will be added to the agent policy.","items":{"type":"string"},"maxItems":1000,"nullable":true,"type":"array"},"cloud_connector_id":{"description":"ID of the cloud connector associated with this package policy.","nullable":true,"type":"string"},"cloud_connector_name":{"description":"Transient field for cloud connector name during creation.","maxLength":255,"minLength":1,"nullable":true,"type":"string"},"created_at":{"type":"string"},"created_by":{"type":"string"},"description":{"description":"Package policy description","type":"string"},"elasticsearch":{"additionalProperties":true,"type":"object","properties":{"privileges":{"additionalProperties":true,"type":"object","properties":{"cluster":{"items":{"type":"string"},"maxItems":100,"type":"array"}}}}},"enabled":{"type":"boolean"},"errors":{"items":{"additionalProperties":false,"type":"object","properties":{"key":{"type":"string"},"message":{"type":"string"}},"required":["message"]},"maxItems":10,"type":"array"},"force":{"type":"boolean"},"id":{"type":"string"},"inputs":{"items":{"additionalProperties":false,"type":"object","properties":{"compiled_input":{},"config":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"},"enabled":{"type":"boolean"},"id":{"type":"string"},"keep_enabled":{"type":"boolean"},"policy_template":{"type":"string"},"streams":{"items":{"additionalProperties":false,"type":"object","properties":{"compiled_stream":{},"config":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"},"data_stream":{"additionalProperties":false,"type":"object","properties":{"dataset":{"type":"string"},"elasticsearch":{"additionalProperties":false,"type":"object","properties":{"dynamic_dataset":{"type":"boolean"},"dynamic_namespace":{"type":"boolean"},"privileges":{"additionalProperties":false,"type":"object","properties":{"indices":{"items":{"type":"string"},"maxItems":100,"type":"array"}}}}},"type":{"type":"string"}},"required":["dataset","type"]},"enabled":{"type":"boolean"},"id":{"type":"string"},"keep_enabled":{"type":"boolean"},"release":{"enum":["ga","beta","experimental"],"type":"string"},"vars":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"}},"required":["enabled","data_stream","compiled_stream"]},"maxItems":100,"type":"array"},"type":{"type":"string"},"vars":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"}},"required":["type","enabled","streams","compiled_input"]},"maxItems":100,"type":"array"},"is_managed":{"type":"boolean"},"missingVars":{"items":{"type":"string"},"maxItems":100,"type":"array"},"name":{"description":"Unique name for the package policy.","type":"string"},"namespace":{"description":"The package policy namespace. Leave blank to inherit the agent policy's namespace.","type":"string"},"output_id":{"nullable":true,"type":"string"},"overrides":{"additionalProperties":false,"description":"Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.","nullable":true,"type":"object","properties":{"inputs":{"additionalProperties":{},"type":"object"}}},"package":{"additionalProperties":false,"type":"object","properties":{"experimental_data_stream_features":{"items":{"additionalProperties":false,"type":"object","properties":{"data_stream":{"type":"string"},"features":{"additionalProperties":false,"type":"object","properties":{"doc_value_only_numeric":{"type":"boolean"},"doc_value_only_other":{"type":"boolean"},"synthetic_source":{"type":"boolean"},"tsdb":{"type":"boolean"}}}},"required":["data_stream","features"]},"maxItems":100,"type":"array"},"fips_compatible":{"type":"boolean"},"name":{"description":"Package name","type":"string"},"requires_root":{"type":"boolean"},"title":{"type":"string"},"version":{"description":"Package version","type":"string"}},"required":["name","version"]},"policy_id":{"deprecated":true,"description":"ID of the agent policy which the package policy will be added to.","nullable":true,"type":"string"},"policy_ids":{"items":{"description":"IDs of the agent policies which that package policy will be added to.","type":"string"},"type":"array"},"revision":{"type":"number"},"secret_references":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},"maxItems":100,"type":"array"},"supports_agentless":{"default":false,"description":"Indicates whether the package policy belongs to an agentless agent policy.","nullable":true,"type":"boolean"},"supports_cloud_connector":{"default":false,"description":"Indicates whether the package policy supports cloud connectors.","nullable":true,"type":"boolean"},"updated_at":{"type":"string"},"updated_by":{"type":"string"},"vars":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"},"version":{"description":"Package policy ES version.","type":"string"}},"required":["name","enabled","inputs"]}]},"maxItems":2,"type":"array"},"hasErrors":{"type":"boolean"},"name":{"type":"string"},"statusCode":{"type":"number"}},"required":["hasErrors"]},"maxItems":10000,"type":"array"}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Dry run a package policy upgrade","tags":["Fleet package policies"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/proxies":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/proxies\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: fleet-settings-read.","operationId":"get-fleet-proxies","parameters":[],"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"items":{"items":{"additionalProperties":false,"type":"object","properties":{"certificate":{"nullable":true,"type":"string"},"certificate_authorities":{"nullable":true,"type":"string"},"certificate_key":{"nullable":true,"type":"string"},"id":{"type":"string"},"is_preconfigured":{"default":false,"type":"boolean"},"name":{"type":"string"},"proxy_headers":{"additionalProperties":{"anyOf":[{"type":"string"},{"type":"boolean"},{"type":"number"}]},"nullable":true,"type":"object"},"url":{"type":"string"}},"required":["id","url","name"]},"maxItems":10000,"type":"array"},"page":{"type":"number"},"perPage":{"type":"number"},"total":{"type":"number"}},"required":["items","total","page","perPage"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Get proxies","tags":["Fleet proxies"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/proxies\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: fleet-settings-all.","operationId":"post-fleet-proxies","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"certificate":{"nullable":true,"type":"string"},"certificate_authorities":{"nullable":true,"type":"string"},"certificate_key":{"nullable":true,"type":"string"},"id":{"type":"string"},"is_preconfigured":{"default":false,"type":"boolean"},"name":{"type":"string"},"proxy_headers":{"additionalProperties":{"anyOf":[{"type":"string"},{"type":"boolean"},{"type":"number"}]},"nullable":true,"type":"object"},"url":{"type":"string"}},"required":["url","name"]}}}},"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"item":{"additionalProperties":false,"type":"object","properties":{"certificate":{"nullable":true,"type":"string"},"certificate_authorities":{"nullable":true,"type":"string"},"certificate_key":{"nullable":true,"type":"string"},"id":{"type":"string"},"is_preconfigured":{"default":false,"type":"boolean"},"name":{"type":"string"},"proxy_headers":{"additionalProperties":{"anyOf":[{"type":"string"},{"type":"boolean"},{"type":"number"}]},"nullable":true,"type":"object"},"url":{"type":"string"}},"required":["id","url","name"]}},"required":["item"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Create a proxy","tags":["Fleet proxies"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/proxies/{itemId}":{"delete":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb delete\"\u003edelete\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/proxies/{itemId}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nDelete a proxy by ID\u003cbr/\u003e\u003cbr/\u003e[Required authorization] Route required privileges: fleet-settings-all.","operationId":"delete-fleet-proxies-itemid","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"itemId","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Delete a proxy","tags":["Fleet proxies"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/proxies/{itemId}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nGet a proxy by ID.\u003cbr/\u003e\u003cbr/\u003e[Required authorization] Route required privileges: fleet-settings-read.","operationId":"get-fleet-proxies-itemid","parameters":[{"in":"path","name":"itemId","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"item":{"additionalProperties":false,"type":"object","properties":{"certificate":{"nullable":true,"type":"string"},"certificate_authorities":{"nullable":true,"type":"string"},"certificate_key":{"nullable":true,"type":"string"},"id":{"type":"string"},"is_preconfigured":{"default":false,"type":"boolean"},"name":{"type":"string"},"proxy_headers":{"additionalProperties":{"anyOf":[{"type":"string"},{"type":"boolean"},{"type":"number"}]},"nullable":true,"type":"object"},"url":{"type":"string"}},"required":["id","url","name"]}},"required":["item"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Get a proxy","tags":["Fleet proxies"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"put":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb put\"\u003eput\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/proxies/{itemId}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nUpdate a proxy by ID.\u003cbr/\u003e\u003cbr/\u003e[Required authorization] Route required privileges: fleet-settings-all.","operationId":"put-fleet-proxies-itemid","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"itemId","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"certificate":{"nullable":true,"type":"string"},"certificate_authorities":{"nullable":true,"type":"string"},"certificate_key":{"nullable":true,"type":"string"},"name":{"type":"string"},"proxy_headers":{"additionalProperties":{"anyOf":[{"type":"string"},{"type":"boolean"},{"type":"number"}]},"nullable":true,"type":"object"},"url":{"type":"string"}},"required":["certificate_authorities","certificate","certificate_key"]}}}},"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"item":{"additionalProperties":false,"type":"object","properties":{"certificate":{"nullable":true,"type":"string"},"certificate_authorities":{"nullable":true,"type":"string"},"certificate_key":{"nullable":true,"type":"string"},"id":{"type":"string"},"is_preconfigured":{"default":false,"type":"boolean"},"name":{"type":"string"},"proxy_headers":{"additionalProperties":{"anyOf":[{"type":"string"},{"type":"boolean"},{"type":"number"}]},"nullable":true,"type":"object"},"url":{"type":"string"}},"required":["id","url","name"]}},"required":["item"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Update a proxy","tags":["Fleet proxies"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/remote_synced_integrations/{outputId}/remote_status":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/remote_synced_integrations/{outputId}/remote_status\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: fleet-settings-read AND integrations-read.","operationId":"get-fleet-remote-synced-integrations-outputid-remote-status","parameters":[{"in":"path","name":"outputId","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"custom_assets":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"error":{"type":"string"},"is_deleted":{"type":"boolean"},"name":{"type":"string"},"package_name":{"type":"string"},"package_version":{"type":"string"},"sync_status":{"enum":["completed","synchronizing","failed","warning"],"type":"string"},"type":{"type":"string"},"warning":{"additionalProperties":false,"type":"object","properties":{"message":{"type":"string"},"title":{"type":"string"}},"required":["title"]}},"required":["type","name","package_name","package_version","sync_status"]},"type":"object"},"error":{"type":"string"},"integrations":{"items":{"additionalProperties":false,"type":"object","properties":{"error":{"type":"string"},"id":{"type":"string"},"install_status":{"additionalProperties":false,"type":"object","properties":{"main":{"type":"string"},"remote":{"type":"string"}},"required":["main"]},"package_name":{"type":"string"},"package_version":{"type":"string"},"sync_status":{"enum":["completed","synchronizing","failed","warning"],"type":"string"},"updated_at":{"type":"string"},"warning":{"additionalProperties":false,"type":"object","properties":{"message":{"type":"string"},"title":{"type":"string"}},"required":["title"]}},"required":["sync_status","install_status"]},"maxItems":10000,"type":"array"},"warning":{"additionalProperties":false,"type":"object","properties":{"message":{"type":"string"},"title":{"type":"string"}},"required":["title"]}},"required":["integrations"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Get remote synced integrations status by outputId","tags":["Fleet remote synced integrations"],"x-state":"Generally available; added in 9.1.0","x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/remote_synced_integrations/status":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/remote_synced_integrations/status\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: fleet-settings-read AND integrations-read.","operationId":"get-fleet-remote-synced-integrations-status","parameters":[],"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"custom_assets":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"error":{"type":"string"},"is_deleted":{"type":"boolean"},"name":{"type":"string"},"package_name":{"type":"string"},"package_version":{"type":"string"},"sync_status":{"enum":["completed","synchronizing","failed","warning"],"type":"string"},"type":{"type":"string"},"warning":{"additionalProperties":false,"type":"object","properties":{"message":{"type":"string"},"title":{"type":"string"}},"required":["title"]}},"required":["type","name","package_name","package_version","sync_status"]},"type":"object"},"error":{"type":"string"},"integrations":{"items":{"additionalProperties":false,"type":"object","properties":{"error":{"type":"string"},"id":{"type":"string"},"install_status":{"additionalProperties":false,"type":"object","properties":{"main":{"type":"string"},"remote":{"type":"string"}},"required":["main"]},"package_name":{"type":"string"},"package_version":{"type":"string"},"sync_status":{"enum":["completed","synchronizing","failed","warning"],"type":"string"},"updated_at":{"type":"string"},"warning":{"additionalProperties":false,"type":"object","properties":{"message":{"type":"string"},"title":{"type":"string"}},"required":["title"]}},"required":["sync_status","install_status"]},"maxItems":10000,"type":"array"},"warning":{"additionalProperties":false,"type":"object","properties":{"message":{"type":"string"},"title":{"type":"string"}},"required":["title"]}},"required":["integrations"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Get remote synced integrations status","tags":["Fleet remote synced integrations"],"x-state":"Generally available; added in 9.1.0","x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/service_tokens":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/service_tokens\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: fleet-agents-all.","operationId":"post-fleet-service-tokens","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"remote":{"default":false,"type":"boolean"}}}}}},"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"name":{"type":"string"},"value":{"type":"string"}},"required":["name","value"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Create a service token","tags":["Fleet service tokens"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/settings":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/settings\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: fleet-settings-read.","operationId":"get-fleet-settings","parameters":[],"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"item":{"additionalProperties":false,"type":"object","properties":{"action_secret_storage_requirements_met":{"type":"boolean"},"delete_unenrolled_agents":{"additionalProperties":false,"type":"object","properties":{"enabled":{"type":"boolean"},"is_preconfigured":{"type":"boolean"}},"required":["enabled","is_preconfigured"]},"has_seen_add_data_notice":{"type":"boolean"},"id":{"type":"string"},"ilm_migration_status":{"additionalProperties":false,"type":"object","properties":{"logs":{"enum":["success"],"nullable":true,"type":"string"},"metrics":{"enum":["success"],"nullable":true,"type":"string"},"synthetics":{"enum":["success"],"nullable":true,"type":"string"}}},"integration_knowledge_enabled":{"type":"boolean"},"output_secret_storage_requirements_met":{"type":"boolean"},"preconfigured_fields":{"items":{"enum":["fleet_server_hosts"],"type":"string"},"maxItems":1,"type":"array"},"prerelease_integrations_enabled":{"type":"boolean"},"secret_storage_requirements_met":{"type":"boolean"},"ssl_secret_storage_requirements_met":{"type":"boolean"},"use_space_awareness_migration_started_at":{"nullable":true,"type":"string"},"use_space_awareness_migration_status":{"enum":["pending","success","error"],"type":"string"},"version":{"type":"string"}}}},"required":["item"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."},"404":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"message":{"type":"string"}},"required":["message"]}}},"description":"Not found."}},"summary":"Get settings","tags":["Fleet internals"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"put":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb put\"\u003eput\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/settings\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: fleet-settings-all.","operationId":"put-fleet-settings","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"additional_yaml_config":{"deprecated":true,"type":"string"},"delete_unenrolled_agents":{"additionalProperties":false,"type":"object","properties":{"enabled":{"type":"boolean"},"is_preconfigured":{"type":"boolean"}},"required":["enabled","is_preconfigured"]},"has_seen_add_data_notice":{"deprecated":true,"type":"boolean"},"integration_knowledge_enabled":{"type":"boolean"},"kibana_ca_sha256":{"deprecated":true,"type":"string"},"kibana_urls":{"deprecated":true,"items":{"format":"uri","type":"string"},"maxItems":10,"type":"array"},"prerelease_integrations_enabled":{"type":"boolean"}}}}}},"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"item":{"additionalProperties":false,"type":"object","properties":{"action_secret_storage_requirements_met":{"type":"boolean"},"delete_unenrolled_agents":{"additionalProperties":false,"type":"object","properties":{"enabled":{"type":"boolean"},"is_preconfigured":{"type":"boolean"}},"required":["enabled","is_preconfigured"]},"has_seen_add_data_notice":{"type":"boolean"},"id":{"type":"string"},"ilm_migration_status":{"additionalProperties":false,"type":"object","properties":{"logs":{"enum":["success"],"nullable":true,"type":"string"},"metrics":{"enum":["success"],"nullable":true,"type":"string"},"synthetics":{"enum":["success"],"nullable":true,"type":"string"}}},"integration_knowledge_enabled":{"type":"boolean"},"output_secret_storage_requirements_met":{"type":"boolean"},"preconfigured_fields":{"items":{"enum":["fleet_server_hosts"],"type":"string"},"maxItems":1,"type":"array"},"prerelease_integrations_enabled":{"type":"boolean"},"secret_storage_requirements_met":{"type":"boolean"},"ssl_secret_storage_requirements_met":{"type":"boolean"},"use_space_awareness_migration_started_at":{"nullable":true,"type":"string"},"use_space_awareness_migration_status":{"enum":["pending","success","error"],"type":"string"},"version":{"type":"string"}}}},"required":["item"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."},"404":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"message":{"type":"string"}},"required":["message"]}}},"description":"Not found."}},"summary":"Update settings","tags":["Fleet internals"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/setup":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/setup\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup.","operationId":"post-fleet-setup","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"A summary of the result of Fleet's `setup` lifecycle. If `isInitialized` is true, Fleet is ready to accept agent enrollment. `nonFatalErrors` may include useful insight into non-blocking issues with Fleet setup.","type":"object","properties":{"isInitialized":{"type":"boolean"},"nonFatalErrors":{"items":{"additionalProperties":false,"type":"object","properties":{"message":{"type":"string"},"name":{"type":"string"}},"required":["name","message"]},"maxItems":10000,"type":"array"}},"required":["isInitialized","nonFatalErrors"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."},"500":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Internal Server Error","type":"object","properties":{"message":{"type":"string"}},"required":["message"]}}},"description":"An internal server error occurred."}},"summary":"Initiate Fleet setup","tags":["Fleet internals"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/space_settings":{"get":{"operationId":"get-fleet-space-settings","parameters":[],"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"item":{"additionalProperties":false,"type":"object","properties":{"allowed_namespace_prefixes":{"items":{"type":"string"},"maxItems":100,"type":"array"},"managed_by":{"type":"string"}},"required":["allowed_namespace_prefixes"]}},"required":["item"]}}},"description":"OK: A successful request."}},"summary":"Get space settings","tags":[],"x-state":"Generally available; added in 9.1.0","x-metaTags":[{"content":"Kibana","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/space_settings\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information."},"put":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb put\"\u003eput\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/space_settings\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: fleet-settings-all.","operationId":"put-fleet-space-settings","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"allowed_namespace_prefixes":{"items":{"type":"string"},"maxItems":10,"type":"array"}}}}}},"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"item":{"additionalProperties":false,"type":"object","properties":{"allowed_namespace_prefixes":{"items":{"type":"string"},"maxItems":100,"type":"array"},"managed_by":{"type":"string"}},"required":["allowed_namespace_prefixes"]}},"required":["item"]}}},"description":"OK: A successful request."}},"summary":"Create space settings","tags":[],"x-state":"Generally available; added in 9.1.0","x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/uninstall_tokens":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/uninstall_tokens\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nList the metadata for the latest uninstall tokens per agent policy.\u003cbr/\u003e\u003cbr/\u003e[Required authorization] Route required privileges: fleet-agents-all.","operationId":"get-fleet-uninstall-tokens","parameters":[{"description":"Partial match filtering for policy IDs","in":"query","name":"policyId","required":false,"schema":{"maxLength":50,"type":"string"}},{"in":"query","name":"search","required":false,"schema":{"maxLength":50,"type":"string"}},{"description":"The number of items to return","in":"query","name":"perPage","required":false,"schema":{"minimum":5,"type":"number"}},{"in":"query","name":"page","required":false,"schema":{"minimum":1,"type":"number"}}],"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"items":{"items":{"additionalProperties":false,"type":"object","properties":{"created_at":{"type":"string"},"id":{"type":"string"},"namespaces":{"items":{"type":"string"},"maxItems":100,"type":"array"},"policy_id":{"type":"string"},"policy_name":{"nullable":true,"type":"string"}},"required":["id","policy_id","created_at"]},"maxItems":10000,"type":"array"},"page":{"type":"number"},"perPage":{"type":"number"},"total":{"type":"number"}},"required":["items","total","page","perPage"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Get metadata for latest uninstall tokens","tags":["Fleet uninstall tokens"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/fleet/uninstall_tokens/{uninstallTokenId}":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/fleet/uninstall_tokens/{uninstallTokenId}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nGet one decrypted uninstall token by its ID.\u003cbr/\u003e\u003cbr/\u003e[Required authorization] Route required privileges: fleet-agents-all.","operationId":"get-fleet-uninstall-tokens-uninstalltokenid","parameters":[{"in":"path","name":"uninstallTokenId","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"item":{"additionalProperties":false,"type":"object","properties":{"created_at":{"type":"string"},"id":{"type":"string"},"namespaces":{"items":{"type":"string"},"maxItems":100,"type":"array"},"policy_id":{"type":"string"},"policy_name":{"nullable":true,"type":"string"},"token":{"type":"string"}},"required":["id","policy_id","created_at","token"]}},"required":["item"]}}},"description":"OK: A successful request."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Get a decrypted uninstall token","tags":["Fleet uninstall tokens"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/lists":{"delete":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb delete\"\u003edelete\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/lists\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nDelete a value list using the list ID.\n\u003e info\n\u003e When you delete a list, all of its list items are also deleted.\n","operationId":"DeleteList","parameters":[{"in":"query","name":"id","required":true,"schema":{"$ref":"#/components/schemas/Security_Lists_API_ListId"}},{"description":"Determines whether exception items referencing this value list should be deleted.","in":"query","name":"deleteReferences","required":false,"schema":{"default":false,"example":false,"type":"boolean"}},{"description":"Determines whether to delete value list without performing any additional checks of where this list may be utilized.","in":"query","name":"ignoreReferences","required":false,"schema":{"default":false,"example":false,"type":"boolean"}}],"responses":{"200":{"content":{"application/json":{"examples":{"ipList":{"value":{"_version":"WzIsMV0=","@timestamp":"2025-01-08T04:47:34.273Z","created_at":"2025-01-08T04:47:34.273Z","created_by":"elastic","description":"List of bad internet ips.","id":"21b01cfb-058d-44b9-838c-282be16c91cd","immutable":false,"name":"Bad ips","tie_breaker_id":"f5508188-b1e9-4e6e-9662-d039a7d89899","type":"ip","updated_at":"2025-01-08T05:39:39.292Z","updated_by":"elastic","version":3}}},"schema":{"$ref":"#/components/schemas/Security_Lists_API_List"}}},"description":"Successful response"},"400":{"content":{"application/json":{"examples":{"badRequest":{"value":{"error":"Bad Request","message":"[request query]: id: Required","statusCode":400}}},"schema":{"oneOf":[{"$ref":"#/components/schemas/Security_Lists_API_PlatformErrorResponse"},{"$ref":"#/components/schemas/Security_Lists_API_SiemErrorResponse"}]}}},"description":"Invalid input data response"},"401":{"content":{"application/json":{"examples":{"unauthorized":{"value":{"error":"Unauthorized","message":"[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]","statusCode":401}}},"schema":{"$ref":"#/components/schemas/Security_Lists_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication response"},"403":{"content":{"application/json":{"examples":{"forbidden":{"value":{"error":"Forbidden","message":"API [DELETE /api/lists?id=ip_list] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]","statusCode":403}}},"schema":{"$ref":"#/components/schemas/Security_Lists_API_PlatformErrorResponse"}}},"description":"Not enough privileges response"},"404":{"content":{"application/json":{"examples":{"notFound":{"value":{"message":"list id: \\\"ip_list\\\" was not found","status_code":404}}},"schema":{"$ref":"#/components/schemas/Security_Lists_API_SiemErrorResponse"}}},"description":"List not found response"},"500":{"content":{"application/json":{"examples":{"serverError":{"value":{"message":"Internal Server Error","status_code":500}}},"schema":{"$ref":"#/components/schemas/Security_Lists_API_SiemErrorResponse"}}},"description":"Internal server error response"}},"summary":"Delete a value list","tags":["Security Lists API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/lists\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nGet the details of a value list using the list ID.","operationId":"ReadList","parameters":[{"in":"query","name":"id","required":true,"schema":{"$ref":"#/components/schemas/Security_Lists_API_ListId"}}],"responses":{"200":{"content":{"application/json":{"examples":{"ip":{"value":{"_version":"WzEsMV0=","@timestamp":"2025-01-08T04:47:34.273Z","created_at":"2025-01-08T04:47:34.273Z","created_by":"elastic","description":"This list describes bad internet ip","id":"ip_list","immutable":false,"name":"My bad ips","tie_breaker_id":"f5508188-b1e9-4e6e-9662-d039a7d89899","type":"ip","updated_at":"2025-01-08T05:21:53.843Z","updated_by":"elastic","version":1}}},"schema":{"$ref":"#/components/schemas/Security_Lists_API_List"}}},"description":"Successful response"},"400":{"content":{"application/json":{"examples":{"badRequest":{"value":{"error":"Bad Request","message":"[request query]: id: Required","statusCode":400}}},"schema":{"oneOf":[{"$ref":"#/components/schemas/Security_Lists_API_PlatformErrorResponse"},{"$ref":"#/components/schemas/Security_Lists_API_SiemErrorResponse"}]}}},"description":"Invalid input data response"},"401":{"content":{"application/json":{"examples":{"unauthorized":{"value":{"error":"Unauthorized","message":"[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]","statusCode":401}}},"schema":{"$ref":"#/components/schemas/Security_Lists_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication response"},"403":{"content":{"application/json":{"examples":{"forbidden":{"value":{"error":"Forbidden","message":"API [GET /api/lists?id=ip_list] is unauthorized for user, this action is granted by the Kibana privileges [lists-read]","statusCode":403}}},"schema":{"$ref":"#/components/schemas/Security_Lists_API_PlatformErrorResponse"}}},"description":"Not enough privileges response"},"404":{"content":{"application/json":{"examples":{"notFound":{"value":{"message":"list id: \\\"foo\\\" not found","status_code":404}}},"schema":{"$ref":"#/components/schemas/Security_Lists_API_SiemErrorResponse"}}},"description":"List not found response"},"500":{"content":{"application/json":{"examples":{"serverError":{"value":{"message":"Internal Server Error","status_code":500}}},"schema":{"$ref":"#/components/schemas/Security_Lists_API_SiemErrorResponse"}}},"description":"Internal server error response"}},"summary":"Get value list details","tags":["Security Lists API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"patch":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb patch\"\u003epatch\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/lists\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nUpdate specific fields of an existing list using the list `id`.","operationId":"PatchList","requestBody":{"content":{"application/json":{"schema":{"example":{"id":"ip_list","name":"Bad ips list - UPDATED"},"type":"object","properties":{"_version":{"$ref":"#/components/schemas/Security_Lists_API_ListVersionId"},"description":{"$ref":"#/components/schemas/Security_Lists_API_ListDescription"},"id":{"$ref":"#/components/schemas/Security_Lists_API_ListId"},"meta":{"$ref":"#/components/schemas/Security_Lists_API_ListMetadata"},"name":{"$ref":"#/components/schemas/Security_Lists_API_ListName"},"version":{"$ref":"#/components/schemas/Security_Lists_API_ListVersion"}},"required":["id"]}}},"description":"Value list's properties","required":true},"responses":{"200":{"content":{"application/json":{"examples":{"ip":{"value":{"_version":"WzEsMV0=","@timestamp":"2025-01-08T04:47:34.273Z","created_at":"2025-01-08T04:47:34.273Z","created_by":"elastic","description":"This list describes bad internet ips","id":"ip_list","immutable":false,"name":"Bad ips list - UPDATED","tie_breaker_id":"f5508188-b1e9-4e6e-9662-d039a7d89899","type":"ip","updated_at":"2025-01-08T05:21:53.843Z","updated_by":"elastic","version":2}}},"schema":{"$ref":"#/components/schemas/Security_Lists_API_List"}}},"description":"Successful response"},"400":{"content":{"application/json":{"examples":{"badRequest":{"value":{"error":"Bad Request","message":"[request body]: name: Expected string, received number","statusCode":400}}},"schema":{"oneOf":[{"$ref":"#/components/schemas/Security_Lists_API_PlatformErrorResponse"},{"$ref":"#/components/schemas/Security_Lists_API_SiemErrorResponse"}]}}},"description":"Invalid input data response"},"401":{"content":{"application/json":{"examples":{"unauthorized":{"value":{"error":"Unauthorized","message":"[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]","statusCode":401}}},"schema":{"$ref":"#/components/schemas/Security_Lists_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication response"},"403":{"content":{"application/json":{"examples":{"forbidden":{"value":{"error":"Forbidden","message":"API [PATCH /api/lists] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]","statusCode":403}}},"schema":{"$ref":"#/components/schemas/Security_Lists_API_PlatformErrorResponse"}}},"description":"Not enough privileges response"},"404":{"content":{"application/json":{"examples":{"notFound":{"value":{"message":"list id: \\\"foo\\\" not found","status_code":404}}},"schema":{"$ref":"#/components/schemas/Security_Lists_API_SiemErrorResponse"}}},"description":"List not found response"},"500":{"content":{"application/json":{"examples":{"serverError":{"value":{"message":"Internal Server Error","status_code":500}}},"schema":{"$ref":"#/components/schemas/Security_Lists_API_SiemErrorResponse"}}},"description":"Internal server error response"}},"summary":"Patch a value list","tags":["Security Lists API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/lists\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nCreate a new value list.","operationId":"CreateList","requestBody":{"content":{"application/json":{"examples":{"ip":{"value":{"description":"This list describes bad internet ips","id":"ip_list","name":"Simple list with ips","type":"ip"}},"ip_range":{"value":{"description":"This list has ip ranges","id":"ip_range_list","name":"Simple list with ip ranges","type":"ip_range"}},"keyword":{"value":{"description":"This list describes bad host names","id":"keyword_list","name":"Simple list with a keyword","type":"keyword"}},"keyword_custom_format":{"value":{"description":"This parses the first found ipv4 only","deserializer":"{{value}}","id":"keyword_custom_format_list","name":"Simple list with a keyword using a custom format","serializer":"(?\u003cvalue\u003e((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?).){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))","type":"keyword"}}},"schema":{"type":"object","properties":{"description":{"$ref":"#/components/schemas/Security_Lists_API_ListDescription"},"deserializer":{"$ref":"#/components/schemas/Security_Lists_API_ListDeserializer"},"id":{"$ref":"#/components/schemas/Security_Lists_API_ListId"},"meta":{"$ref":"#/components/schemas/Security_Lists_API_ListMetadata"},"name":{"$ref":"#/components/schemas/Security_Lists_API_ListName"},"serializer":{"$ref":"#/components/schemas/Security_Lists_API_ListSerializer"},"type":{"$ref":"#/components/schemas/Security_Lists_API_ListType"},"version":{"default":1,"minimum":1,"type":"integer"}},"required":["name","description","type"]}}},"description":"Value list's properties","required":true},"responses":{"200":{"content":{"application/json":{"examples":{"ip":{"value":{"_version":"WzAsMV0=","@timestamp":"2025-01-08T04:47:34.273Z","created_at":"2025-01-08T04:47:34.273Z","created_by":"elastic","description":"This list describes bad internet ips","id":"ip_list","immutable":false,"name":"Simple list with ips","tie_breaker_id":"f5508188-b1e9-4e6e-9662-d039a7d89899","type":"ip","updated_at":"2025-01-08T04:47:34.273Z","updated_by":"elastic","version":1}},"ip_range":{"value":{"_version":"WzAsMV0=","@timestamp":"2025-01-09T18:23:52.241Z","created_at":"2025-01-09T18:23:52.241Z","created_by":"elastic","description":"This list has ip ranges","id":"ip_range_list","immutable":false,"name":"Simple list with ip ranges","tie_breaker_id":"74aebdaf-601f-4940-b351-155728ff7003","type":"ip_range","updated_at":"2025-01-09T18:23:52.241Z","updated_by":"elastic","version":1}},"keyword":{"value":{"_version":"WzEsMV0=","@timestamp":"2025-01-09T18:24:55.786Z","created_at":"2025-01-09T18:24:55.786Z","created_by":"elastic","description":"This list describes bad host names","id":"keyword_list","immutable":false,"name":"Simple list with a keyword","tie_breaker_id":"f7e7dbaa-daf7-4c9a-a3dc-56643923ef68","type":"keyword","updated_at":"2025-01-09T18:24:55.786Z","updated_by":"elastic","version":1}},"keyword_custom_format":{"value":{"_version":"WzIsMV0=","@timestamp":"2025-01-09T18:25:39.604Z","created_at":"2025-01-09T18:25:39.604Z","created_by":"elastic","description":"This parses the first found ipv4 only","deserializer":"{{value}}","id":"keyword_custom_format_list","immutable":false,"name":"Simple list with a keyword using a custom format","serializer":"(?\u003cvalue\u003e((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?).){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))","tie_breaker_id":"8247ae63-b780-47b8-9a89-948b643e9ec2","type":"keyword","updated_at":"2025-01-09T18:25:39.604Z","updated_by":"elastic","version":1}}},"schema":{"$ref":"#/components/schemas/Security_Lists_API_List"}}},"description":"Successful response"},"400":{"content":{"application/json":{"examples":{"notFound":{"value":{"message":"To create a list, the data stream must exist first. Data stream \\\".lists-default\\\" does not exist","status_code":400}}},"schema":{"oneOf":[{"$ref":"#/components/schemas/Security_Lists_API_PlatformErrorResponse"},{"$ref":"#/components/schemas/Security_Lists_API_SiemErrorResponse"}]}}},"description":"Invalid input data response"},"401":{"content":{"application/json":{"examples":{"unauthorized":{"value":{"error":"Unauthorized","message":"[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]","statusCode":401}}},"schema":{"$ref":"#/components/schemas/Security_Lists_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication response"},"403":{"content":{"application/json":{"examples":{"forbidden":{"value":{"error":"Forbidden","message":"API [POST /api/lists] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]","statusCode":403}}},"schema":{"$ref":"#/components/schemas/Security_Lists_API_PlatformErrorResponse"}}},"description":"Not enough privileges response"},"409":{"content":{"application/json":{"examples":{"alreadyExists":{"value":{"message":"list id: \"keyword_custom_format_list\" already exists","status_code":409}}},"schema":{"$ref":"#/components/schemas/Security_Lists_API_SiemErrorResponse"}}},"description":"List already exists response"},"500":{"content":{"application/json":{"examples":{"serverError":{"value":{"message":"Internal Server Error","status_code":500}}},"schema":{"$ref":"#/components/schemas/Security_Lists_API_SiemErrorResponse"}}},"description":"Internal server error response"}},"summary":"Create a value list","tags":["Security Lists API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"put":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb put\"\u003eput\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/lists\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nUpdate a value list using the list `id`. The original list is replaced, and all unspecified fields are deleted.\n\u003e info\n\u003e You cannot modify the `id` value.\n","operationId":"UpdateList","requestBody":{"content":{"application/json":{"schema":{"example":{"description":"Latest list of bad ips","id":"ip_list","name":"Bad ips - updated"},"type":"object","properties":{"_version":{"$ref":"#/components/schemas/Security_Lists_API_ListVersionId"},"description":{"$ref":"#/components/schemas/Security_Lists_API_ListDescription"},"id":{"$ref":"#/components/schemas/Security_Lists_API_ListId"},"meta":{"$ref":"#/components/schemas/Security_Lists_API_ListMetadata"},"name":{"$ref":"#/components/schemas/Security_Lists_API_ListName"},"version":{"$ref":"#/components/schemas/Security_Lists_API_ListVersion"}},"required":["id","name","description"]}}},"description":"Value list's properties","required":true},"responses":{"200":{"content":{"application/json":{"examples":{"ip":{"value":{"_version":"WzIsMV0=","@timestamp":"2025-01-08T04:47:34.273Z","created_at":"2025-01-08T04:47:34.273Z","created_by":"elastic","description":"Latest list of bad ips","id":"ip_list","immutable":false,"name":"Bad ips - updated","tie_breaker_id":"f5508188-b1e9-4e6e-9662-d039a7d89899","type":"ip","updated_at":"2025-01-08T05:39:39.292Z","updated_by":"elastic","version":3}}},"schema":{"$ref":"#/components/schemas/Security_Lists_API_List"}}},"description":"Successful response"},"400":{"content":{"application/json":{"examples":{"badRequest":{"value":{"error":"Bad Request","message":"[request body]: id: Expected string, received number","statusCode":400}}},"schema":{"oneOf":[{"$ref":"#/components/schemas/Security_Lists_API_PlatformErrorResponse"},{"$ref":"#/components/schemas/Security_Lists_API_SiemErrorResponse"}]}}},"description":"Invalid input data response"},"401":{"content":{"application/json":{"examples":{"unauthorized":{"value":{"error":"Unauthorized","message":"[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]","statusCode":401}}},"schema":{"$ref":"#/components/schemas/Security_Lists_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication response"},"403":{"content":{"application/json":{"examples":{"forbidden":{"value":{"error":"Forbidden","message":"API [PUT /api/lists] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]","statusCode":403}}},"schema":{"$ref":"#/components/schemas/Security_Lists_API_PlatformErrorResponse"}}},"description":"Not enough privileges response"},"404":{"content":{"application/json":{"examples":{"notFound":{"value":{"message":"list id: \\\"foo\\\" not found","status_code":404}}},"schema":{"$ref":"#/components/schemas/Security_Lists_API_SiemErrorResponse"}}},"description":"List not found response"},"500":{"content":{"application/json":{"examples":{"serverError":{"value":{"message":"Internal Server Error","status_code":500}}},"schema":{"$ref":"#/components/schemas/Security_Lists_API_SiemErrorResponse"}}},"description":"Internal server error response"}},"summary":"Update a value list","tags":["Security Lists API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/lists/_find":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/lists/_find\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nGet a paginated subset of value lists. By default, the first page is returned, with 20 results per page.","operationId":"FindLists","parameters":[{"description":"The page number to return.","in":"query","name":"page","required":false,"schema":{"example":1,"type":"integer"}},{"description":"The number of value lists to return per page.","in":"query","name":"per_page","required":false,"schema":{"example":20,"type":"integer"}},{"description":"Determines which field is used to sort the results.","in":"query","name":"sort_field","required":false,"schema":{"example":"name","format":"nonempty","minLength":1,"type":"string"}},{"description":"Determines the sort order, which can be `desc` or `asc`","in":"query","name":"sort_order","required":false,"schema":{"enum":["desc","asc"],"example":"asc","type":"string"}},{"description":"Returns the lists that come after the last lists returned in the previous call (use the `cursor` value returned in the previous call). This parameter uses the `tie_breaker_id` field to ensure all lists are sorted and returned correctly.","in":"query","name":"cursor","required":false,"schema":{"$ref":"#/components/schemas/Security_Lists_API_FindListsCursor"}},{"description":"Filters the returned results according to the value of the specified field,\nusing the \u003cfield name\u003e:\u003cfield value\u003e syntax.\n","in":"query","name":"filter","required":false,"schema":{"$ref":"#/components/schemas/Security_Lists_API_FindListsFilter"}}],"responses":{"200":{"content":{"application/json":{"examples":{"ipList":{"value":{"cursor":"WzIwLFsiZjU1MDgxODgtYjFlOS00ZTZlLTk2NjItZDAzOWE3ZDg5ODk5Il1d","data":[{"_version":"WzAsMV0=","@timestamp":"2025-01-08T04:47:34.273Z\n","created_at":"2025-01-08T04:47:34.273Z\n","created_by":"elastic","description":"This list describes bad internet ip","id":"ip_list","immutable":false,"name":"Simple list with an ip","tie_breaker_id":"f5508188-b1e9-4e6e-9662-d039a7d89899","type":"ip","updated_at":"2025-01-08T04:47:34.273Z\n","updated_by":"elastic","version":1}],"page":1,"per_page":20,"total":1}}},"schema":{"type":"object","properties":{"cursor":{"$ref":"#/components/schemas/Security_Lists_API_FindListsCursor"},"data":{"items":{"$ref":"#/components/schemas/Security_Lists_API_List"},"type":"array"},"page":{"minimum":0,"type":"integer"},"per_page":{"minimum":0,"type":"integer"},"total":{"minimum":0,"type":"integer"}},"required":["data","page","per_page","total","cursor"]}}},"description":"Successful response"},"400":{"content":{"application/json":{"examples":{"badRequest":{"value":{"error":"Bad Request","message":"[request query]: page: Expected number, received nan","statusCode":400}}},"schema":{"oneOf":[{"$ref":"#/components/schemas/Security_Lists_API_PlatformErrorResponse"},{"$ref":"#/components/schemas/Security_Lists_API_SiemErrorResponse"}]}}},"description":"Invalid input data response"},"401":{"content":{"application/json":{"examples":{"unauthorized":{"value":{"error":"Unauthorized","message":"[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]","statusCode":401}}},"schema":{"$ref":"#/components/schemas/Security_Lists_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication response"},"403":{"content":{"application/json":{"examples":{"forbidden":{"value":{"error":"Forbidden","message":"API [GET /api/lists/_find?page=1\u0026per_page=20] is unauthorized for user, this action is granted by the Kibana privileges [lists-read]","statusCode":403}}},"schema":{"$ref":"#/components/schemas/Security_Lists_API_PlatformErrorResponse"}}},"description":"Not enough privileges response"},"500":{"content":{"application/json":{"examples":{"serverError":{"value":{"message":"Internal Server Error","status_code":500}}},"schema":{"$ref":"#/components/schemas/Security_Lists_API_SiemErrorResponse"}}},"description":"Internal server error response"}},"summary":"Get value lists","tags":["Security Lists API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/lists/index":{"delete":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb delete\"\u003edelete\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/lists/index\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nDelete the `.lists` and `.items` data streams.","operationId":"DeleteListIndex","responses":{"200":{"content":{"application/json":{"schema":{"type":"object","properties":{"acknowledged":{"type":"boolean"}},"required":["acknowledged"]}}},"description":"Successful response"},"400":{"content":{"application/json":{"schema":{"oneOf":[{"$ref":"#/components/schemas/Security_Lists_API_PlatformErrorResponse"},{"$ref":"#/components/schemas/Security_Lists_API_SiemErrorResponse"}]}}},"description":"Invalid input data response"},"401":{"content":{"application/json":{"examples":{"unauthorized":{"value":{"error":"Unauthorized","message":"[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]","statusCode":401}}},"schema":{"$ref":"#/components/schemas/Security_Lists_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication response"},"403":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Lists_API_PlatformErrorResponse"}}},"description":"Not enough privileges response"},"404":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Lists_API_SiemErrorResponse"}}},"description":"List data stream not found response"},"500":{"content":{"application/json":{"examples":{"serverError":{"value":{"message":"Internal Server Error","status_code":500}}},"schema":{"$ref":"#/components/schemas/Security_Lists_API_SiemErrorResponse"}}},"description":"Internal server error response"}},"summary":"Delete value list data streams","tags":["Security Lists API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/lists/index\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nVerify that `.lists` and `.items` data streams exist.","operationId":"ReadListIndex","responses":{"200":{"content":{"application/json":{"schema":{"type":"object","properties":{"list_index":{"type":"boolean"},"list_item_index":{"type":"boolean"}},"required":["list_index","list_item_index"]}}},"description":"Successful response"},"400":{"content":{"application/json":{"schema":{"oneOf":[{"$ref":"#/components/schemas/Security_Lists_API_PlatformErrorResponse"},{"$ref":"#/components/schemas/Security_Lists_API_SiemErrorResponse"}]}}},"description":"Invalid input data response"},"401":{"content":{"application/json":{"examples":{"unauthorized":{"value":{"error":"Unauthorized","message":"[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]","statusCode":401}}},"schema":{"$ref":"#/components/schemas/Security_Lists_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication response"},"403":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Lists_API_PlatformErrorResponse"}}},"description":"Not enough privileges response"},"404":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Lists_API_SiemErrorResponse"}}},"description":"List data stream(s) not found response"},"500":{"content":{"application/json":{"examples":{"serverError":{"value":{"message":"Internal Server Error","status_code":500}}},"schema":{"$ref":"#/components/schemas/Security_Lists_API_SiemErrorResponse"}}},"description":"Internal server error response"}},"summary":"Get status of value list data streams","tags":["Security Lists API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/lists/index\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nCreate `.lists` and `.items` data streams in the relevant space.","operationId":"CreateListIndex","responses":{"200":{"content":{"application/json":{"schema":{"type":"object","properties":{"acknowledged":{"type":"boolean"}},"required":["acknowledged"]}}},"description":"Successful response"},"400":{"content":{"application/json":{"schema":{"oneOf":[{"$ref":"#/components/schemas/Security_Lists_API_PlatformErrorResponse"},{"$ref":"#/components/schemas/Security_Lists_API_SiemErrorResponse"}]}}},"description":"Invalid input data response"},"401":{"content":{"application/json":{"examples":{"unauthorized":{"value":{"error":"Unauthorized","message":"[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]\n","statusCode":401}}},"schema":{"$ref":"#/components/schemas/Security_Lists_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication response"},"403":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Lists_API_PlatformErrorResponse"}}},"description":"Not enough privileges response"},"409":{"content":{"application/json":{"examples":{"alreadyExists":{"value":{"message":"data stream: \\\".lists-default\\\" and \\\".items-default\\\" already exists","status_code":409}}},"schema":{"$ref":"#/components/schemas/Security_Lists_API_SiemErrorResponse"}}},"description":"List data stream exists response"},"500":{"content":{"application/json":{"examples":{"serverError":{"value":{"message":"Internal Server Error","status_code":500}}},"schema":{"$ref":"#/components/schemas/Security_Lists_API_SiemErrorResponse"}}},"description":"Internal server error response"}},"summary":"Create list data streams","tags":["Security Lists API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/lists/items":{"delete":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb delete\"\u003edelete\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/lists/items\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nDelete a value list item using its `id`, or its `list_id` and `value` fields.","operationId":"DeleteListItem","parameters":[{"description":"Value list item's identifier. Required if `list_id` and `value` are not specified.","in":"query","name":"id","required":false,"schema":{"$ref":"#/components/schemas/Security_Lists_API_ListItemId"}},{"description":"Value list's identifier. Required if `id` is not specified.","in":"query","name":"list_id","required":false,"schema":{"$ref":"#/components/schemas/Security_Lists_API_ListId"}},{"description":"The value used to evaluate exceptions. Required if `id` is not specified.","in":"query","name":"value","required":false,"schema":{"example":"255.255.255.255","type":"string"}},{"description":"Determines when changes made by the request are made visible to search.","in":"query","name":"refresh","required":false,"schema":{"default":"false","enum":["true","false","wait_for"],"example":false,"type":"string"}}],"responses":{"200":{"content":{"application/json":{"examples":{"ip":{"value":{"_version":"WzIwLDFd","@timestamp":"2025-01-08T05:15:05.159Z","created_at":"2025-01-08T05:15:05.159Z","created_by":"elastic","id":"pd1WRJQBs4HAK3VQeHFI","list_id":"ip_list","tie_breaker_id":"eee41dc7-1666-4876-982f-8b0f7b59eca3","type":"ip","updated_at":"2025-01-08T05:44:14.009Z","updated_by":"elastic","value":"255.255.255.255"}}},"schema":{"oneOf":[{"$ref":"#/components/schemas/Security_Lists_API_ListItem"},{"items":{"$ref":"#/components/schemas/Security_Lists_API_ListItem"},"type":"array"}]}}},"description":"Successful response"},"400":{"content":{"application/json":{"examples":{"badRequest":{"value":{"message":"Either \\\"list_id\\\" or \\\"id\\\" needs to be defined in the request","status_code":400}}},"schema":{"oneOf":[{"$ref":"#/components/schemas/Security_Lists_API_PlatformErrorResponse"},{"$ref":"#/components/schemas/Security_Lists_API_SiemErrorResponse"}]}}},"description":"Invalid input data response"},"401":{"content":{"application/json":{"examples":{"unauthorized":{"value":{"error":"Unauthorized","message":"[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]","statusCode":401}}},"schema":{"$ref":"#/components/schemas/Security_Lists_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication response"},"403":{"content":{"application/json":{"examples":{"forbidden":{"value":{"error":"Forbidden","message":"API [DELETE /api/lists/items?id=pd1WRJQBs4HAK3VQeHFI] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]","statusCode":403}}},"schema":{"$ref":"#/components/schemas/Security_Lists_API_PlatformErrorResponse"}}},"description":"Not enough privileges response"},"404":{"content":{"application/json":{"examples":{"notFound":{"value":{"message":"list item with id: \\\"pd1WRJQBs4HAK3VQeHFI\\\" not found","status_code":404}}},"schema":{"$ref":"#/components/schemas/Security_Lists_API_SiemErrorResponse"}}},"description":"List item not found response"},"500":{"content":{"application/json":{"examples":{"serverError":{"value":{"message":"Internal Server Error","status_code":500}}},"schema":{"$ref":"#/components/schemas/Security_Lists_API_SiemErrorResponse"}}},"description":"Internal server error response"}},"summary":"Delete a value list item","tags":["Security Lists API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/lists/items\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nGet the details of a value list item.","operationId":"ReadListItem","parameters":[{"description":"Value list item identifier. Required if `list_id` and `value` are not specified.","in":"query","name":"id","required":false,"schema":{"$ref":"#/components/schemas/Security_Lists_API_ListId"}},{"description":"Value list item list's `id` identfier. Required if `id` is not specified.","in":"query","name":"list_id","required":false,"schema":{"$ref":"#/components/schemas/Security_Lists_API_ListId"}},{"description":"The value used to evaluate exceptions. Required if `id` is not specified.","in":"query","name":"value","required":false,"schema":{"example":"127.0.0.2","type":"string"}}],"responses":{"200":{"content":{"application/json":{"examples":{"ip":{"value":{"_version":"WzExLDFd","@timestamp":"2025-01-08T05:16:25.882Z","created_at":"2025-01-08T05:16:25.882Z","created_by":"elastic","id":"qN1XRJQBs4HAK3VQs3Gc","list_id":"ip_list","tie_breaker_id":"a9a34c02-a385-436e-86a0-02a3942f3537","type":"ip","updated_at":"2025-01-08T05:16:25.882Z","updated_by":"elastic","value":"127.0.0.2"}}},"schema":{"oneOf":[{"$ref":"#/components/schemas/Security_Lists_API_ListItem"},{"items":{"$ref":"#/components/schemas/Security_Lists_API_ListItem"},"type":"array"}]}}},"description":"Successful response"},"400":{"content":{"application/json":{"examples":{"badRequest":{"value":{"message":"Either \\\"list_id\\\" or \\\"id\\\" needs to be defined in the request","status_code":400}}},"schema":{"oneOf":[{"$ref":"#/components/schemas/Security_Lists_API_PlatformErrorResponse"},{"$ref":"#/components/schemas/Security_Lists_API_SiemErrorResponse"}]}}},"description":"Invalid input data response"},"401":{"content":{"application/json":{"examples":{"unauthorized":{"value":{"error":"Unauthorized","message":"[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]","statusCode":401}}},"schema":{"$ref":"#/components/schemas/Security_Lists_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication response"},"403":{"content":{"application/json":{"examples":{"forbidden":{"value":{"error":"Forbidden","message":"API [GET /api/lists/items?id=qN1XRJQBs4HAK3VQs3Gc] is unauthorized for user, this action is granted by the Kibana privileges [lists-read]","statusCode":403}}},"schema":{"$ref":"#/components/schemas/Security_Lists_API_PlatformErrorResponse"}}},"description":"Not enough privileges response"},"404":{"content":{"application/json":{"examples":{"notFound":{"value":{"message":"list item id: \\\"foo\\\" not found","status_code":404}}},"schema":{"$ref":"#/components/schemas/Security_Lists_API_SiemErrorResponse"}}},"description":"List item not found response"},"500":{"content":{"application/json":{"examples":{"serverError":{"value":{"message":"Internal Server Error","status_code":500}}},"schema":{"$ref":"#/components/schemas/Security_Lists_API_SiemErrorResponse"}}},"description":"Internal server error response"}},"summary":"Get a value list item","tags":["Security Lists API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"patch":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb patch\"\u003epatch\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/lists/items\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nUpdate specific fields of an existing value list item using the item `id`.","operationId":"PatchListItem","requestBody":{"content":{"application/json":{"schema":{"example":{"id":"pd1WRJQBs4HAK3VQeHFI","value":"255.255.255.255"},"type":"object","properties":{"_version":{"$ref":"#/components/schemas/Security_Lists_API_ListVersionId"},"id":{"$ref":"#/components/schemas/Security_Lists_API_ListItemId"},"meta":{"$ref":"#/components/schemas/Security_Lists_API_ListItemMetadata"},"refresh":{"description":"Determines when changes made by the request are made visible to search.","enum":["true","false","wait_for"],"type":"string"},"value":{"$ref":"#/components/schemas/Security_Lists_API_ListItemValue"}},"required":["id"]}}},"description":"Value list item's properties","required":true},"responses":{"200":{"content":{"application/json":{"examples":{"ipItem":{"value":{"_version":"WzE5LDFd","@timestamp":"2025-01-08T05:15:05.159Z","created_at":"2025-01-08T05:15:05.159Z","created_by":"elastic","id":"pd1WRJQBs4HAK3VQeHFI","list_id":"ip_list","tie_breaker_id":"eee41dc7-1666-4876-982f-8b0f7b59eca3","type":"ip","updated_at":"2025-01-08T05:23:37.602Z","updated_by":"elastic","value":"255.255.255.255"}}},"schema":{"$ref":"#/components/schemas/Security_Lists_API_ListItem"}}},"description":"Successful response"},"400":{"content":{"application/json":{"examples":{"badRequest":{"value":{"message":"{\"took\":15,\"timed_out\":false,\"total\":1,\"updated\":0,\"deleted\":0,\"batches\":1,\"version_conflicts\":0,\"noops\":0,\"retries\":{\"bulk\":0,\"search\":0},\"throttled_millis\":0,\"requests_per_second\":-1,\"throttled_until_millis\":0,\"failures\":[{\"index\":\".ds-.items-default-2025.01.09-000001\",\"id\":\"ip_item\",\"cause\":{\"type\":\"document_parsing_exception\",\"reason\":\"[1:107] failed to parse field [ip] of type [ip] in document with id ip_item. Preview of fields value: 2\",\"caused_by\":{\"type\":\"illegal_argument_exception\",\"reason\":\"2 is not an IP string literal.\"}},\"status\":400}]}","status_code":400}}},"schema":{"oneOf":[{"$ref":"#/components/schemas/Security_Lists_API_PlatformErrorResponse"},{"$ref":"#/components/schemas/Security_Lists_API_SiemErrorResponse"}]}}},"description":"Invalid input data response"},"401":{"content":{"application/json":{"examples":{"unauthorized":{"value":{"error":"Unauthorized","message":"[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]","statusCode":401}}},"schema":{"$ref":"#/components/schemas/Security_Lists_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication response"},"403":{"content":{"application/json":{"examples":{"forbidden":{"value":{"error":"Forbidden","message":"API [PATCH /api/lists/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]","statusCode":403}}},"schema":{"$ref":"#/components/schemas/Security_Lists_API_PlatformErrorResponse"}}},"description":"Not enough privileges response"},"404":{"content":{"application/json":{"examples":{"notFound":{"value":{"message":"list item id: \\\"foo\\\" not found","status_code":404}}},"schema":{"$ref":"#/components/schemas/Security_Lists_API_SiemErrorResponse"}}},"description":"List item not found response"},"500":{"content":{"application/json":{"examples":{"serverError":{"value":{"message":"Internal Server Error","status_code":500}}},"schema":{"$ref":"#/components/schemas/Security_Lists_API_SiemErrorResponse"}}},"description":"Internal server error response"}},"summary":"Patch a value list item","tags":["Security Lists API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/lists/items\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nCreate a value list item and associate it with the specified value list.\n\nAll value list items in the same list must be the same type. For example, each list item in an `ip` list must define a specific IP address.\n\u003e info\n\u003e Before creating a list item, you must create a list.\n","operationId":"CreateListItem","requestBody":{"content":{"application/json":{"examples":{"ip":{"value":{"list_id":"ip_list","value":"127.0.0.1"}},"ip_range":{"value":{"list_id":"ip_range_list","value":"192.168.0.0/16"}},"keyword":{"value":{"list_id":"keyword_list","value":"zeek"}}},"schema":{"type":"object","properties":{"id":{"$ref":"#/components/schemas/Security_Lists_API_ListItemId"},"list_id":{"$ref":"#/components/schemas/Security_Lists_API_ListId"},"meta":{"$ref":"#/components/schemas/Security_Lists_API_ListItemMetadata"},"refresh":{"description":"Determines when changes made by the request are made visible to search.","enum":["true","false","wait_for"],"example":"wait_for","type":"string"},"value":{"$ref":"#/components/schemas/Security_Lists_API_ListItemValue"}},"required":["list_id","value"]}}},"description":"Value list item's properties","required":true},"responses":{"200":{"content":{"application/json":{"examples":{"ip":{"value":{"_version":"WzAsMV0=","@timestamp":"2025-01-08T04:59:06.154Z","created_at":"2025-01-08T04:59:06.154Z","created_by":"elastic","id":"21b01cfb-058d-44b9-838c-282be16c91cc","list_id":"ip_list","tie_breaker_id":"b57c762c-3036-465c-9bfb-7bfb5e6e515a","type":"ip","updated_at":"2025-01-08T04:59:06.154Z","updated_by":"elastic","value":"127.0.0.1"}},"ip_range":{"value":{"_version":"WzEsMV0=","@timestamp":"2025-01-09T18:33:08.202Z","created_at":"2025-01-09T18:33:08.202Z","created_by":"elastic","id":"ip_range_item","list_id":"ip_range_list","tie_breaker_id":"ea1b4189-efda-4637-b8f9-74655a5ebb61","type":"ip_range","updated_at":"2025-01-09T18:33:08.202Z","updated_by":"elastic","value":"192.168.0.0/16"}},"keyword":{"value":{"_version":"WzIsMV0=","@timestamp":"2025-01-09T18:34:29.422Z","created_at":"2025-01-09T18:34:29.422Z","created_by":"elastic","id":"7f24737d-1da8-4626-a568-33070591bb4e","list_id":"keyword_list","tie_breaker_id":"2108ced2-5e5d-401e-a88e-4dd69fc5fa27","type":"keyword","updated_at":"2025-01-09T18:34:29.422Z","updated_by":"elastic","value":"zeek"}}},"schema":{"$ref":"#/components/schemas/Security_Lists_API_ListItem"}}},"description":"Successful response"},"400":{"content":{"application/json":{"examples":{"badRequest":{"value":{"error":"Bad Request","message":"uri [/api/lists/items] with method [post] exists but is not available with the current configuration","statusCode":400}}},"schema":{"oneOf":[{"$ref":"#/components/schemas/Security_Lists_API_PlatformErrorResponse"},{"$ref":"#/components/schemas/Security_Lists_API_SiemErrorResponse"}]}}},"description":"Invalid input data response"},"401":{"content":{"application/json":{"examples":{"unauthorized":{"value":{"error":"Unauthorized","message":"[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]","statusCode":401}}},"schema":{"$ref":"#/components/schemas/Security_Lists_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication response"},"403":{"content":{"application/json":{"examples":{"forbidden":{"value":{"error":"Forbidden","message":"API [POST /api/lists/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]","statusCode":403}}},"schema":{"$ref":"#/components/schemas/Security_Lists_API_PlatformErrorResponse"}}},"description":"Not enough privileges response"},"404":{"content":{"application/json":{"examples":{"listNotFound":{"value":{"message":"list id: \\\"ip_list\\\" does not exist","status_code":404}}},"schema":{"$ref":"#/components/schemas/Security_Lists_API_PlatformErrorResponse"}}},"description":"Not enough privileges response"},"409":{"content":{"application/json":{"examples":{"alreadyExists":{"value":{"message":"list item id: \\\"ip_item\\\" already exists","status_code":409}}},"schema":{"$ref":"#/components/schemas/Security_Lists_API_SiemErrorResponse"}}},"description":"List item already exists response"},"500":{"content":{"application/json":{"examples":{"serverError":{"value":{"message":"Internal Server Error","status_code":500}}},"schema":{"$ref":"#/components/schemas/Security_Lists_API_SiemErrorResponse"}}},"description":"Internal server error response"}},"summary":"Create a value list item","tags":["Security Lists API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"put":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb put\"\u003eput\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/lists/items\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nUpdate a value list item using the list item ID. The original list item is replaced, and all unspecified fields are deleted.\n\u003e info\n\u003e You cannot modify the `id` value.\n","operationId":"UpdateListItem","requestBody":{"content":{"application/json":{"example":{"id":"ip_item","value":"255.255.255.255"},"schema":{"type":"object","properties":{"_version":{"$ref":"#/components/schemas/Security_Lists_API_ListVersionId"},"id":{"$ref":"#/components/schemas/Security_Lists_API_ListItemId"},"meta":{"$ref":"#/components/schemas/Security_Lists_API_ListItemMetadata"},"value":{"$ref":"#/components/schemas/Security_Lists_API_ListItemValue"}},"required":["id","value"]}}},"description":"Value list item's properties","required":true},"responses":{"200":{"content":{"application/json":{"examples":{"ip":{"value":{"_version":"WzIwLDFd","@timestamp":"2025-01-08T05:15:05.159Z","created_at":"2025-01-08T05:15:05.159Z","created_by":"elastic","id":"pd1WRJQBs4HAK3VQeHFI","list_id":"ip_list","tie_breaker_id":"eee41dc7-1666-4876-982f-8b0f7b59eca3","type":"ip","updated_at":"2025-01-08T05:44:14.009Z","updated_by":"elastic","value":"255.255.255.255"}}},"schema":{"$ref":"#/components/schemas/Security_Lists_API_ListItem"}}},"description":"Successful response"},"400":{"content":{"application/json":{"examples":{"badRequest":{"value":{"error":"Bad Request","message":"[request body]: id: Expected string, received number","statusCode":400}}},"schema":{"oneOf":[{"$ref":"#/components/schemas/Security_Lists_API_PlatformErrorResponse"},{"$ref":"#/components/schemas/Security_Lists_API_SiemErrorResponse"}]}}},"description":"Invalid input data response"},"401":{"content":{"application/json":{"examples":{"unauthorized":{"value":{"error":"Unauthorized","message":"[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]","statusCode":401}}},"schema":{"$ref":"#/components/schemas/Security_Lists_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication response"},"403":{"content":{"application/json":{"examples":{"forbidden":{"value":{"error":"Forbidden","message":"API [PATCH /api/lists/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]","statusCode":403}}},"schema":{"$ref":"#/components/schemas/Security_Lists_API_PlatformErrorResponse"}}},"description":"Not enough privileges response"},"404":{"content":{"application/json":{"examples":{"notFound":{"value":{"message":"list item id: \\\"foo\\\" not found","status_code":404}}},"schema":{"$ref":"#/components/schemas/Security_Lists_API_SiemErrorResponse"}}},"description":"List item not found response"},"500":{"content":{"application/json":{"examples":{"serverError":{"value":{"message":"Internal Server Error","status_code":500}}},"schema":{"$ref":"#/components/schemas/Security_Lists_API_SiemErrorResponse"}}},"description":"Internal server error response"}},"summary":"Update a value list item","tags":["Security Lists API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/lists/items/_export":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/lists/items/_export\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nExport list item values from the specified value list.","operationId":"ExportListItems","parameters":[{"description":"Value list's `id` to export.","in":"query","name":"list_id","required":true,"schema":{"$ref":"#/components/schemas/Security_Lists_API_ListId"}}],"responses":{"200":{"content":{"application/ndjson":{"schema":{"description":"A `.txt` file containing list items from the specified list","example":"127.0.0.1\n127.0.0.2\n127.0.0.3\n127.0.0.4\n127.0.0.5\n127.0.0.6\n127.0.0.7\n127.0.0.8\n127.0.0.9\n","format":"binary","type":"string"}}},"description":"Successful response"},"400":{"content":{"application/json":{"examples":{"badRequest":{"value":{"error":"Bad Request\",\"message\":\"[request query]: list_id: Required","statusCode":400}}},"schema":{"oneOf":[{"$ref":"#/components/schemas/Security_Lists_API_PlatformErrorResponse"},{"$ref":"#/components/schemas/Security_Lists_API_SiemErrorResponse"}]}}},"description":"Invalid input data response"},"401":{"content":{"application/json":{"examples":{"unauthorized":{"value":{"error":"Unauthorized","message":"[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]","statusCode":401}}},"schema":{"$ref":"#/components/schemas/Security_Lists_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication response"},"403":{"content":{"application/json":{"examples":{"forbidden":{"value":{"error":"Forbidden","message":"API [POST /api/lists/items/_export?list_id=ips.txt] is unauthorized for user, this action is granted by the Kibana privileges [lists-read]","statusCode":403}}},"schema":{"$ref":"#/components/schemas/Security_Lists_API_PlatformErrorResponse"}}},"description":"Not enough privileges response"},"404":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Lists_API_SiemErrorResponse"}}},"description":"List not found response"},"500":{"content":{"application/json":{"examples":{"serverError":{"value":{"message":"Internal Server Error","status_code":500}}},"schema":{"$ref":"#/components/schemas/Security_Lists_API_SiemErrorResponse"}}},"description":"Internal server error response"}},"summary":"Export value list items","tags":["Security Lists API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/lists/items/_find":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/lists/items/_find\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nGet all value list items in the specified list.","operationId":"FindListItems","parameters":[{"in":"query","name":"list_id","required":true,"schema":{"$ref":"#/components/schemas/Security_Lists_API_ListId"}},{"description":"The page number to return.","in":"query","name":"page","required":false,"schema":{"example":1,"type":"integer"}},{"description":"The number of list items to return per page.","in":"query","name":"per_page","required":false,"schema":{"example":20,"type":"integer"}},{"description":"Determines which field is used to sort the results.","in":"query","name":"sort_field","required":false,"schema":{"example":"value","format":"nonempty","minLength":1,"type":"string"}},{"description":"Determines the sort order, which can be `desc` or `asc`","in":"query","name":"sort_order","required":false,"schema":{"enum":["desc","asc"],"example":"asc","type":"string"}},{"in":"query","name":"cursor","required":false,"schema":{"$ref":"#/components/schemas/Security_Lists_API_FindListItemsCursor"}},{"description":"Filters the returned results according to the value of the specified field,\nusing the \u003cfield name\u003e:\u003cfield value\u003e syntax.\n","in":"query","name":"filter","required":false,"schema":{"$ref":"#/components/schemas/Security_Lists_API_FindListItemsFilter"}}],"responses":{"200":{"content":{"application/json":{"examples":{"ip":{"value":{"cursor":"WzIwLFsiYjU3Yzc2MmMtMzAzNi00NjVjLTliZmItN2JmYjVlNmU1MTVhIl1d","data":[{"_version":"WzAsMV0=","@timestamp":"2025-01-08T04:59:06.154Z","created_at":"2025-01-08T04:59:06.154Z","created_by":"elastic","id":"21b01cfb-058d-44b9-838c-282be16c91cc","list_id":"ip_list","tie_breaker_id":"b57c762c-3036-465c-9bfb-7bfb5e6e515a","type":"ip","updated_at":"2025-01-08T04:59:06.154Z","updated_by":"elastic","value":"127.0.0.1"}],"page":1,"per_page":20,"total":1}}},"schema":{"type":"object","properties":{"cursor":{"$ref":"#/components/schemas/Security_Lists_API_FindListItemsCursor"},"data":{"items":{"$ref":"#/components/schemas/Security_Lists_API_ListItem"},"type":"array"},"page":{"minimum":0,"type":"integer"},"per_page":{"minimum":0,"type":"integer"},"total":{"minimum":0,"type":"integer"}},"required":["data","page","per_page","total","cursor"]}}},"description":"Successful response"},"400":{"content":{"application/json":{"examples":{"badRequest":{"value":{"error":"Bad Request,","message":"[request query]: list_id: Required","statusCode":"400,"}}},"schema":{"oneOf":[{"$ref":"#/components/schemas/Security_Lists_API_PlatformErrorResponse"},{"$ref":"#/components/schemas/Security_Lists_API_SiemErrorResponse"}]}}},"description":"Invalid input data response"},"401":{"content":{"application/json":{"examples":{"unauthorized":{"value":{"error":"Unauthorized","message":"[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]","statusCode":401}}},"schema":{"$ref":"#/components/schemas/Security_Lists_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication response"},"403":{"content":{"application/json":{"examples":{"forbidden":{"value":{"error":"Forbidden","message":"API [GET /api/lists/items/_find?list_id=ip_list\u0026page=1\u0026per_page=20] is unauthorized for user, this action is granted by the Kibana privileges [lists-read]","statusCode":403}}},"schema":{"$ref":"#/components/schemas/Security_Lists_API_PlatformErrorResponse"}}},"description":"Not enough privileges response"},"500":{"content":{"application/json":{"examples":{"serverError":{"value":{"message":"Internal Server Error","status_code":500}}},"schema":{"$ref":"#/components/schemas/Security_Lists_API_SiemErrorResponse"}}},"description":"Internal server error response"}},"summary":"Get value list items","tags":["Security Lists API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/lists/items/_import":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/lists/items/_import\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nImport value list items from a TXT or CSV file. The maximum file size is 9 million bytes.\n\nYou can import items to a new or existing list.\n","operationId":"ImportListItems","parameters":[{"description":"List's id.\n\nRequired when importing to an existing list.\n","in":"query","name":"list_id","required":false,"schema":{"$ref":"#/components/schemas/Security_Lists_API_ListId"}},{"description":"Type of the importing list.\n\nRequired when importing a new list whose list `id` is not specified.\n","examples":{"ip":{"value":"ip"}},"in":"query","name":"type","required":false,"schema":{"$ref":"#/components/schemas/Security_Lists_API_ListType"}},{"description":"Determines how uploaded list item values are parsed. By default, list items are parsed using these named regex groups:\n\n- `(?\u003cvalue\u003e.+)` - Single value item types, such as ip, long, date, keyword, and text.\n- `(?\u003cgte\u003e.+)-(?\u003clte\u003e.+)|(?\u003cvalue\u003e.+)` - Range value item types, such as `date_range`, `ip_range`, `double_range`, `float_range`, `integer_range`, and `long_range`.\n","in":"query","name":"serializer","required":false,"schema":{"example":"(?\u003cvalue\u003e((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?).){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))","type":"string"}},{"description":"Determines how retrieved list item values are presented. By default list items are presented using these Handelbar expressions:\n\n- `{{{value}}}` - Single value item types, such as `ip`, `long`, `date`, `keyword`, and `text`.\n- `{{{gte}}}-{{{lte}}}` - Range value item types, such as `ip_range`, `double_range`, `float_range`, `integer_range`, and `long_range`.\n- `{{{gte}}},{{{lte}}}` - Date range values.\n","in":"query","name":"deserializer","required":false,"schema":{"example":"{{value}}","type":"string"}},{"description":"Determines when changes made by the request are made visible to search.","in":"query","name":"refresh","required":false,"schema":{"enum":["true","false","wait_for"],"example":true,"type":"string"}}],"requestBody":{"content":{"multipart/form-data":{"schema":{"type":"object","properties":{"file":{"description":"A `.txt` or `.csv` file containing newline separated list items.","example":"127.0.0.1\n127.0.0.2\n127.0.0.3\n127.0.0.4\n127.0.0.5\n127.0.0.6\n127.0.0.7\n127.0.0.8\n127.0.0.9\n","format":"binary","type":"string"}}}}},"required":true},"responses":{"200":{"content":{"application/json":{"examples":{"ip":{"value":{"_version":"WzAsMV0=","@timestamp":"2025-01-08T04:47:34.273Z","created_at":"2025-01-08T04:47:34.273Z","created_by":"elastic","description":"This list describes bad internet ip","id":"ip_list","immutable":false,"name":"Simple list with an ip","tie_breaker_id":"f5508188-b1e9-4e6e-9662-d039a7d89899","type":"ip","updated_at":"2025-01-08T04:47:34.273Z","updated_by":"elastic","version":1}}},"schema":{"$ref":"#/components/schemas/Security_Lists_API_List"}}},"description":"Successful response"},"400":{"content":{"application/json":{"examples":{"badRequest":{"value":{"message":"Either type or list_id need to be defined in the query","status_code":400}}},"schema":{"oneOf":[{"$ref":"#/components/schemas/Security_Lists_API_PlatformErrorResponse"},{"$ref":"#/components/schemas/Security_Lists_API_SiemErrorResponse"}]}}},"description":"Invalid input data response"},"401":{"content":{"application/json":{"examples":{"unauthorized":{"value":{"error":"Unauthorized","message":"[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]","statusCode":401}}},"schema":{"$ref":"#/components/schemas/Security_Lists_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication response"},"403":{"content":{"application/json":{"examples":{"forbidden":{"value":{"error":"Forbidden","message":"API [POST /api/lists/items/_import?list_id=ip_list] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]","statusCode":403}}},"schema":{"$ref":"#/components/schemas/Security_Lists_API_PlatformErrorResponse"}}},"description":"Not enough privileges response"},"409":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Lists_API_SiemErrorResponse"}}},"description":"List with specified list_id does not exist response"},"500":{"content":{"application/json":{"examples":{"serverError":{"value":{"message":"Internal Server Error","status_code":500}}},"schema":{"$ref":"#/components/schemas/Security_Lists_API_SiemErrorResponse"}}},"description":"Internal server error response"}},"summary":"Import value list items","tags":["Security Lists API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/lists/privileges":{"get":{"operationId":"ReadListPrivileges","responses":{"200":{"content":{"application/json":{"examples":{"privileges":{"value":{"is_authenticated":true,"listItems":{"application":{},"cluster":{"all":true,"manage":true,"manage_api_key":true,"manage_index_templates":true,"manage_ml":true,"manage_own_api_key":true,"manage_pipeline":true,"manage_security":true,"manage_transform":true,"monitor":true,"monitor_ml":true,"monitor_transform":true},"has_all_requested":true,"index":{".items-default":{"all":true,"create":true,"create_doc":true,"create_index":true,"delete":true,"delete_index":true,"index":true,"maintenance":true,"manage":true,"monitor":true,"read":true,"view_index_metadata":true,"write":true}},"username":"elastic"},"lists":{"application":{},"cluster":{"all":true,"manage":true,"manage_api_key":true,"manage_index_templates":true,"manage_ml":true,"manage_own_api_key":true,"manage_pipeline":true,"manage_security":true,"manage_transform":true,"monitor":true,"monitor_ml":true,"monitor_transform":true},"has_all_requested":true,"index":{".lists-default":{"all":true,"create":true,"create_doc":true,"create_index":true,"delete":true,"delete_index":true,"index":true,"maintenance":true,"manage":true,"monitor":true,"read":true,"view_index_metadata":true,"write":true}},"username":"elastic"}}}},"schema":{"type":"object","properties":{"is_authenticated":{"type":"boolean"},"listItems":{"$ref":"#/components/schemas/Security_Lists_API_ListItemPrivileges"},"lists":{"$ref":"#/components/schemas/Security_Lists_API_ListPrivileges"}},"required":["lists","listItems","is_authenticated"]}}},"description":"Successful response"},"400":{"content":{"application/json":{"schema":{"oneOf":[{"$ref":"#/components/schemas/Security_Lists_API_PlatformErrorResponse"},{"$ref":"#/components/schemas/Security_Lists_API_SiemErrorResponse"}]}}},"description":"Invalid input data response"},"401":{"content":{"application/json":{"examples":{"unauthorized":{"value":{"error":"Unauthorized","message":"[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]","statusCode":401}}},"schema":{"$ref":"#/components/schemas/Security_Lists_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication response"},"403":{"content":{"application/json":{"examples":{"forbidden":{"value":{"error":"Forbidden","message":"API [GET /api/lists/privileges] is unauthorized for user, this action is granted by the Kibana privileges [lists-read]","statusCode":403}}},"schema":{"$ref":"#/components/schemas/Security_Lists_API_PlatformErrorResponse"}}},"description":"Not enough privileges response"},"500":{"content":{"application/json":{"examples":{"serverError":{"value":{"message":"Internal Server Error","status_code":500}}},"schema":{"$ref":"#/components/schemas/Security_Lists_API_SiemErrorResponse"}}},"description":"Internal server error response"}},"summary":"Get value list privileges","tags":["Security Lists API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/lists/privileges\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information."}},"/api/logstash/pipeline/{id}":{"delete":{"description":"Delete a centrally-managed Logstash pipeline.\nIf your Elasticsearch cluster is protected with basic authentication, you must have either the `logstash_admin` built-in role or a customized Logstash writer role.\n","externalDocs":{"description":"Secure your connection","url":"https://www.elastic.co/docs/reference/logstash/secure-connection"},"operationId":"delete-logstash-pipeline","parameters":[{"description":"An identifier for the pipeline.","in":"path","name":"id","required":true,"schema":{"type":"string"}}],"responses":{"204":{"description":"Indicates a successful call"}},"summary":"Delete a Logstash pipeline","tags":["logstash"],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana","name":"product_name"}]},"get":{"description":"Get information for a centrally-managed Logstash pipeline.\nTo use this API, you must have either the `logstash_admin` built-in role or a customized Logstash reader role.\n","externalDocs":{"description":"Secure your connection","url":"https://www.elastic.co/docs/reference/logstash/secure-connection"},"operationId":"get-logstash-pipeline","parameters":[{"description":"An identifier for the pipeline.","in":"path","name":"id","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application/json":{"examples":{"getLogstashPipelineResponseExample1":{"value":"{\n  \"id\": \"hello-world\",\n  \"description\": \"Just a simple pipeline\",\n  \"username\": \"elastic\",\n  \"pipeline\": \"input { stdin {} } output { stdout {} }\",\n  \"settings\": {\n    \"queue.type\": \"persistent\"\n  }\n}"}},"schema":{"type":"object"}}},"description":"Indicates a successful call"}},"summary":"Get a Logstash pipeline","tags":["logstash"],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana","name":"product_name"}]},"put":{"description":"Create a centrally-managed Logstash pipeline or update a pipeline.\nTo use this API, you must have either the `logstash_admin` built-in role or a customized Logstash writer role.\n","externalDocs":{"description":"Secure your connection","url":"https://www.elastic.co/docs/reference/logstash/secure-connection"},"operationId":"put-logstash-pipeline","parameters":[{"description":"An identifier for the pipeline. Pipeline ID must begin with a letter or underscore and can contain only letters, underscores, dashes, hyphens, and numbers.\n","in":"path","name":"id","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"examples":{"putLogstashPipelineRequestExample1":{"value":"{\n  \"pipeline\": \"input { stdin {} } output { stdout {} }\",\n  \"settings\": {\n    \"queue.type\": \"persisted\"\n  }\n}"}},"schema":{"type":"object","properties":{"description":{"description":"A description of the pipeline.","type":"string"},"pipeline":{"description":"A definition for the pipeline.","type":"string"},"settings":{"description":"Supported settings, represented as object keys, include the following:\n\n- `pipeline.workers`\n- `pipeline.batch.size`\n- `pipeline.batch.delay`\n- `pipeline.ecs_compatibility`\n- `pipeline.ordered`\n- `queue.type`\n- `queue.max_bytes`\n- `queue.checkpoint.writes`\n","type":"object"}},"required":["pipeline"]}}}},"responses":{"204":{"description":"Indicates a successful call"}},"summary":"Create or update a Logstash pipeline","tags":["logstash"],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/logstash/pipelines":{"get":{"description":"Get a list of all centrally-managed Logstash pipelines.\n\nTo use this API, you must have either the `logstash_admin` built-in role or a customized Logstash reader role.\n\u003e info\n\u003e Limit the number of pipelines to 10,000 or fewer. As the number of pipelines nears and surpasses 10,000, you may see performance issues on Kibana.\n\nThe `username` property appears in the response when security is enabled and depends on when the pipeline was created or last updated.\n","externalDocs":{"description":"Secure your connection","url":"https://www.elastic.co/docs/reference/logstash/secure-connection"},"operationId":"get-logstash-pipelines","responses":{"200":{"content":{"application/json":{"examples":{"getLogstashPipelinesResponseExample1":{"value":"{\n  \"pipelines\": [\n    {\n      \"id\": \"hello-world\",\n      \"description\": \"Just a simple pipeline\",\n      \"last_modified\": \"2018-04-14T12:23:29.772Z\",\n      \"username\": \"elastic\" \n    },\n    {\n      \"id\": \"sleepy-pipeline\",\n      \"description\": \"\",\n      \"last_modified\": \"2018-03-24T03:41:30.554Z\"\n    }\n  ]\n}"}},"schema":{"type":"object"}}},"description":"Indicates a successful call"}},"summary":"Get all Logstash pipelines","tags":["logstash"],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/maintenance_window":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/maintenance_window\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: write-maintenance-window.","operationId":"post-maintenance-window","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"enabled":{"description":"Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications.","type":"boolean"},"schedule":{"additionalProperties":false,"type":"object","properties":{"custom":{"additionalProperties":false,"type":"object","properties":{"duration":{"description":"The duration of the schedule. It allows values in `\u003cinteger\u003e\u003cunit\u003e` format. `\u003cunit\u003e` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.","type":"string"},"recurring":{"additionalProperties":false,"type":"object","properties":{"end":{"description":"The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.","type":"string"},"every":{"description":"The interval and frequency of a recurring schedule. It allows values in `\u003cinteger\u003e\u003cunit\u003e` format. `\u003cunit\u003e` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.","type":"string"},"occurrences":{"description":"The total number of recurrences of the schedule.","minimum":1,"type":"number"},"onMonth":{"description":"The specific months for a recurring schedule. Valid values are 1-12.","items":{"maximum":12,"minimum":1,"type":"number"},"minItems":1,"type":"array"},"onMonthDay":{"description":"The specific days of the month for a recurring schedule. Valid values are 1-31.","items":{"maximum":31,"minimum":1,"type":"number"},"minItems":1,"type":"array"},"onWeekDay":{"description":"The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule.","items":{"type":"string"},"minItems":1,"type":"array"}}},"start":{"description":"The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.","type":"string"},"timezone":{"description":"The timezone of the schedule. The default timezone is UTC.","type":"string"}},"required":["start","duration"]}},"required":["custom"]},"scope":{"additionalProperties":false,"type":"object","properties":{"alerting":{"additionalProperties":false,"type":"object","properties":{"query":{"additionalProperties":false,"type":"object","properties":{"kql":{"description":"A filter written in Kibana Query Language (KQL). Only alerts matching this query will be supressed by the maintenance window.","type":"string"}},"required":["kql"]}},"required":["query"]}},"required":["alerting"]},"title":{"description":"The name of the maintenance window. While this name does not have to be unique, a distinctive name can help you identify a specific maintenance window.","type":"string"}},"required":["title","schedule"]}}}},"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"created_at":{"description":"The date and time when the maintenance window was created.","type":"string"},"created_by":{"description":"The identifier for the user that created the maintenance window.","nullable":true,"type":"string"},"enabled":{"description":"Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications.","type":"boolean"},"id":{"description":"The identifier for the maintenance window.","type":"string"},"schedule":{"additionalProperties":false,"type":"object","properties":{"custom":{"additionalProperties":false,"type":"object","properties":{"duration":{"description":"The duration of the schedule. It allows values in `\u003cinteger\u003e\u003cunit\u003e` format. `\u003cunit\u003e` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.","type":"string"},"recurring":{"additionalProperties":false,"type":"object","properties":{"end":{"description":"The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.","type":"string"},"every":{"description":"The interval and frequency of a recurring schedule. It allows values in `\u003cinteger\u003e\u003cunit\u003e` format. `\u003cunit\u003e` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.","type":"string"},"occurrences":{"description":"The total number of recurrences of the schedule.","type":"number"},"onMonth":{"description":"The specific months for a recurring schedule. Valid values are 1-12.","items":{"type":"number"},"type":"array"},"onMonthDay":{"description":"The specific days of the month for a recurring schedule. Valid values are 1-31.","items":{"type":"number"},"type":"array"},"onWeekDay":{"description":"The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule.","items":{"type":"string"},"type":"array"}}},"start":{"description":"The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.","type":"string"},"timezone":{"description":"The timezone of the schedule. The default timezone is UTC.","type":"string"}},"required":["start","duration"]}},"required":["custom"]},"scope":{"additionalProperties":false,"type":"object","properties":{"alerting":{"additionalProperties":false,"type":"object","properties":{"query":{"additionalProperties":false,"type":"object","properties":{"kql":{"description":"A filter written in Kibana Query Language (KQL).","type":"string"}},"required":["kql"]}},"required":["query"]}},"required":["alerting"]},"status":{"description":"The current status of the maintenance window.","enum":["running","upcoming","finished","archived","disabled"],"type":"string"},"title":{"description":"The name of the maintenance window.","type":"string"},"updated_at":{"description":"The date and time when the maintenance window was last updated.","type":"string"},"updated_by":{"description":"The identifier for the user that last updated this maintenance window.","nullable":true,"type":"string"}},"required":["id","title","enabled","created_by","updated_by","created_at","updated_at","status","schedule"]}}},"description":"Indicates a successful call."},"400":{"description":"Indicates an invalid schema or parameters."},"403":{"description":"Indicates that this call is forbidden."}},"summary":"Create a maintenance window.","tags":["maintenance-window"],"x-state":"Generally available; added in 9.1.0","x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/maintenance_window/_find":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/maintenance_window/_find\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: read-maintenance-window.","operationId":"get-maintenance-window-find","parameters":[{"description":"The title of the maintenance window.","in":"query","name":"title","required":false,"schema":{"type":"string"}},{"description":"The user who created the maintenance window.","in":"query","name":"created_by","required":false,"schema":{"type":"string"}},{"description":"The status of the maintenance window. It can be \"running\", \"upcoming\", \"finished\", \"archived\", or \"disabled\".","in":"query","name":"status","required":false,"schema":{"anyOf":[{"enum":["running","finished","upcoming","archived","disabled"],"type":"string"},{"items":{"enum":["running","finished","upcoming","archived","disabled"],"type":"string"},"type":"array"}]}},{"description":"The page number to return.","in":"query","name":"page","required":false,"schema":{"default":1,"maximum":100,"minimum":1,"type":"number"}},{"description":"The number of maintenance windows to return per page.","in":"query","name":"per_page","required":false,"schema":{"default":10,"maximum":100,"minimum":1,"type":"number"}}],"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"maintenanceWindows":{"items":{"additionalProperties":false,"type":"object","properties":{"created_at":{"description":"The date and time when the maintenance window was created.","type":"string"},"created_by":{"description":"The identifier for the user that created the maintenance window.","nullable":true,"type":"string"},"enabled":{"description":"Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications.","type":"boolean"},"id":{"description":"The identifier for the maintenance window.","type":"string"},"schedule":{"additionalProperties":false,"type":"object","properties":{"custom":{"additionalProperties":false,"type":"object","properties":{"duration":{"description":"The duration of the schedule. It allows values in `\u003cinteger\u003e\u003cunit\u003e` format. `\u003cunit\u003e` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.","type":"string"},"recurring":{"additionalProperties":false,"type":"object","properties":{"end":{"description":"The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.","type":"string"},"every":{"description":"The interval and frequency of a recurring schedule. It allows values in `\u003cinteger\u003e\u003cunit\u003e` format. `\u003cunit\u003e` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.","type":"string"},"occurrences":{"description":"The total number of recurrences of the schedule.","type":"number"},"onMonth":{"description":"The specific months for a recurring schedule. Valid values are 1-12.","items":{"type":"number"},"type":"array"},"onMonthDay":{"description":"The specific days of the month for a recurring schedule. Valid values are 1-31.","items":{"type":"number"},"type":"array"},"onWeekDay":{"description":"The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule.","items":{"type":"string"},"type":"array"}}},"start":{"description":"The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.","type":"string"},"timezone":{"description":"The timezone of the schedule. The default timezone is UTC.","type":"string"}},"required":["start","duration"]}},"required":["custom"]},"scope":{"additionalProperties":false,"type":"object","properties":{"alerting":{"additionalProperties":false,"type":"object","properties":{"query":{"additionalProperties":false,"type":"object","properties":{"kql":{"description":"A filter written in Kibana Query Language (KQL).","type":"string"}},"required":["kql"]}},"required":["query"]}},"required":["alerting"]},"status":{"description":"The current status of the maintenance window.","enum":["running","upcoming","finished","archived","disabled"],"type":"string"},"title":{"description":"The name of the maintenance window.","type":"string"},"updated_at":{"description":"The date and time when the maintenance window was last updated.","type":"string"},"updated_by":{"description":"The identifier for the user that last updated this maintenance window.","nullable":true,"type":"string"}},"required":["id","title","enabled","created_by","updated_by","created_at","updated_at","status","schedule"]},"type":"array"},"page":{"type":"number"},"per_page":{"type":"number"},"total":{"type":"number"}},"required":["page","per_page","total","maintenanceWindows"]}}},"description":"Indicates a successful call."},"400":{"description":"Indicates an invalid schema or parameters."},"403":{"description":"Indicates that this call is forbidden."}},"summary":"Search for a maintenance window.","tags":["maintenance-window"],"x-state":"Generally available; added in 9.2.0","x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/maintenance_window/{id}":{"delete":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb delete\"\u003edelete\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/maintenance_window/{id}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: write-maintenance-window.","operationId":"delete-maintenance-window-id","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"The identifier for the maintenance window to be deleted.","in":"path","name":"id","required":true,"schema":{"type":"string"}}],"responses":{"204":{"description":"Indicates a successful call."},"400":{"description":"Indicates an invalid schema or parameters."},"403":{"description":"Indicates that this call is forbidden."},"404":{"description":"Indicates a maintenance window with the given ID does not exist."}},"summary":"Delete a maintenance window.","tags":["maintenance-window"],"x-state":"Generally available; added in 9.1.0","x-metaTags":[{"content":"Kibana","name":"product_name"}]},"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/maintenance_window/{id}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: read-maintenance-window.","operationId":"get-maintenance-window-id","parameters":[{"description":"The identifier for the maintenance window.","in":"path","name":"id","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"created_at":{"description":"The date and time when the maintenance window was created.","type":"string"},"created_by":{"description":"The identifier for the user that created the maintenance window.","nullable":true,"type":"string"},"enabled":{"description":"Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications.","type":"boolean"},"id":{"description":"The identifier for the maintenance window.","type":"string"},"schedule":{"additionalProperties":false,"type":"object","properties":{"custom":{"additionalProperties":false,"type":"object","properties":{"duration":{"description":"The duration of the schedule. It allows values in `\u003cinteger\u003e\u003cunit\u003e` format. `\u003cunit\u003e` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.","type":"string"},"recurring":{"additionalProperties":false,"type":"object","properties":{"end":{"description":"The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.","type":"string"},"every":{"description":"The interval and frequency of a recurring schedule. It allows values in `\u003cinteger\u003e\u003cunit\u003e` format. `\u003cunit\u003e` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.","type":"string"},"occurrences":{"description":"The total number of recurrences of the schedule.","type":"number"},"onMonth":{"description":"The specific months for a recurring schedule. Valid values are 1-12.","items":{"type":"number"},"type":"array"},"onMonthDay":{"description":"The specific days of the month for a recurring schedule. Valid values are 1-31.","items":{"type":"number"},"type":"array"},"onWeekDay":{"description":"The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule.","items":{"type":"string"},"type":"array"}}},"start":{"description":"The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.","type":"string"},"timezone":{"description":"The timezone of the schedule. The default timezone is UTC.","type":"string"}},"required":["start","duration"]}},"required":["custom"]},"scope":{"additionalProperties":false,"type":"object","properties":{"alerting":{"additionalProperties":false,"type":"object","properties":{"query":{"additionalProperties":false,"type":"object","properties":{"kql":{"description":"A filter written in Kibana Query Language (KQL).","type":"string"}},"required":["kql"]}},"required":["query"]}},"required":["alerting"]},"status":{"description":"The current status of the maintenance window.","enum":["running","upcoming","finished","archived","disabled"],"type":"string"},"title":{"description":"The name of the maintenance window.","type":"string"},"updated_at":{"description":"The date and time when the maintenance window was last updated.","type":"string"},"updated_by":{"description":"The identifier for the user that last updated this maintenance window.","nullable":true,"type":"string"}},"required":["id","title","enabled","created_by","updated_by","created_at","updated_at","status","schedule"]}}},"description":"Indicates a successful call."},"400":{"description":"Indicates an invalid schema or parameters."},"403":{"description":"Indicates that this call is forbidden."},"404":{"description":"Indicates a maintenance window with the given ID does not exist."}},"summary":"Get maintenance window details.","tags":["maintenance-window"],"x-state":"Generally available; added in 9.1.0","x-metaTags":[{"content":"Kibana","name":"product_name"}]},"patch":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb patch\"\u003epatch\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/maintenance_window/{id}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: write-maintenance-window.","operationId":"patch-maintenance-window-id","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"id","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"enabled":{"description":"Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications.","type":"boolean"},"schedule":{"additionalProperties":false,"type":"object","properties":{"custom":{"additionalProperties":false,"type":"object","properties":{"duration":{"description":"The duration of the schedule. It allows values in `\u003cinteger\u003e\u003cunit\u003e` format. `\u003cunit\u003e` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.","type":"string"},"recurring":{"additionalProperties":false,"type":"object","properties":{"end":{"description":"The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.","type":"string"},"every":{"description":"The interval and frequency of a recurring schedule. It allows values in `\u003cinteger\u003e\u003cunit\u003e` format. `\u003cunit\u003e` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.","type":"string"},"occurrences":{"description":"The total number of recurrences of the schedule.","minimum":1,"type":"number"},"onMonth":{"description":"The specific months for a recurring schedule. Valid values are 1-12.","items":{"maximum":12,"minimum":1,"type":"number"},"minItems":1,"type":"array"},"onMonthDay":{"description":"The specific days of the month for a recurring schedule. Valid values are 1-31.","items":{"maximum":31,"minimum":1,"type":"number"},"minItems":1,"type":"array"},"onWeekDay":{"description":"The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule.","items":{"type":"string"},"minItems":1,"type":"array"}}},"start":{"description":"The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.","type":"string"},"timezone":{"description":"The timezone of the schedule. The default timezone is UTC.","type":"string"}},"required":["start","duration"]}},"required":["custom"]},"scope":{"additionalProperties":false,"type":"object","properties":{"alerting":{"additionalProperties":false,"type":"object","properties":{"query":{"additionalProperties":false,"type":"object","properties":{"kql":{"description":"A filter written in Kibana Query Language (KQL). Only alerts matching this query will be supressed by the maintenance window.","type":"string"}},"required":["kql"]}},"required":["query"]}},"required":["alerting"]},"title":{"description":"The name of the maintenance window. While this name does not have to be unique, a distinctive name can help you identify a specific maintenance window.","type":"string"}}}}}},"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"created_at":{"description":"The date and time when the maintenance window was created.","type":"string"},"created_by":{"description":"The identifier for the user that created the maintenance window.","nullable":true,"type":"string"},"enabled":{"description":"Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications.","type":"boolean"},"id":{"description":"The identifier for the maintenance window.","type":"string"},"schedule":{"additionalProperties":false,"type":"object","properties":{"custom":{"additionalProperties":false,"type":"object","properties":{"duration":{"description":"The duration of the schedule. It allows values in `\u003cinteger\u003e\u003cunit\u003e` format. `\u003cunit\u003e` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.","type":"string"},"recurring":{"additionalProperties":false,"type":"object","properties":{"end":{"description":"The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.","type":"string"},"every":{"description":"The interval and frequency of a recurring schedule. It allows values in `\u003cinteger\u003e\u003cunit\u003e` format. `\u003cunit\u003e` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.","type":"string"},"occurrences":{"description":"The total number of recurrences of the schedule.","type":"number"},"onMonth":{"description":"The specific months for a recurring schedule. Valid values are 1-12.","items":{"type":"number"},"type":"array"},"onMonthDay":{"description":"The specific days of the month for a recurring schedule. Valid values are 1-31.","items":{"type":"number"},"type":"array"},"onWeekDay":{"description":"The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule.","items":{"type":"string"},"type":"array"}}},"start":{"description":"The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.","type":"string"},"timezone":{"description":"The timezone of the schedule. The default timezone is UTC.","type":"string"}},"required":["start","duration"]}},"required":["custom"]},"scope":{"additionalProperties":false,"type":"object","properties":{"alerting":{"additionalProperties":false,"type":"object","properties":{"query":{"additionalProperties":false,"type":"object","properties":{"kql":{"description":"A filter written in Kibana Query Language (KQL).","type":"string"}},"required":["kql"]}},"required":["query"]}},"required":["alerting"]},"status":{"description":"The current status of the maintenance window.","enum":["running","upcoming","finished","archived","disabled"],"type":"string"},"title":{"description":"The name of the maintenance window.","type":"string"},"updated_at":{"description":"The date and time when the maintenance window was last updated.","type":"string"},"updated_by":{"description":"The identifier for the user that last updated this maintenance window.","nullable":true,"type":"string"}},"required":["id","title","enabled","created_by","updated_by","created_at","updated_at","status","schedule"]}}},"description":"Indicates a successful call."},"400":{"description":"Indicates an invalid schema or parameters."},"403":{"description":"Indicates that this call is forbidden."},"404":{"description":"Indicates a maintenance window with the given ID does not exist."},"409":{"description":"Indicates that the maintenance window has already been updated by another user."}},"summary":"Update a maintenance window.","tags":["maintenance-window"],"x-state":"Generally available; added in 9.1.0","x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/maintenance_window/{id}/_archive":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/maintenance_window/{id}/_archive\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: write-maintenance-window.","operationId":"post-maintenance-window-id-archive","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"The identifier for the maintenance window to be archived.","in":"path","name":"id","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"created_at":{"description":"The date and time when the maintenance window was created.","type":"string"},"created_by":{"description":"The identifier for the user that created the maintenance window.","nullable":true,"type":"string"},"enabled":{"description":"Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications.","type":"boolean"},"id":{"description":"The identifier for the maintenance window.","type":"string"},"schedule":{"additionalProperties":false,"type":"object","properties":{"custom":{"additionalProperties":false,"type":"object","properties":{"duration":{"description":"The duration of the schedule. It allows values in `\u003cinteger\u003e\u003cunit\u003e` format. `\u003cunit\u003e` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.","type":"string"},"recurring":{"additionalProperties":false,"type":"object","properties":{"end":{"description":"The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.","type":"string"},"every":{"description":"The interval and frequency of a recurring schedule. It allows values in `\u003cinteger\u003e\u003cunit\u003e` format. `\u003cunit\u003e` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.","type":"string"},"occurrences":{"description":"The total number of recurrences of the schedule.","type":"number"},"onMonth":{"description":"The specific months for a recurring schedule. Valid values are 1-12.","items":{"type":"number"},"type":"array"},"onMonthDay":{"description":"The specific days of the month for a recurring schedule. Valid values are 1-31.","items":{"type":"number"},"type":"array"},"onWeekDay":{"description":"The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule.","items":{"type":"string"},"type":"array"}}},"start":{"description":"The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.","type":"string"},"timezone":{"description":"The timezone of the schedule. The default timezone is UTC.","type":"string"}},"required":["start","duration"]}},"required":["custom"]},"scope":{"additionalProperties":false,"type":"object","properties":{"alerting":{"additionalProperties":false,"type":"object","properties":{"query":{"additionalProperties":false,"type":"object","properties":{"kql":{"description":"A filter written in Kibana Query Language (KQL).","type":"string"}},"required":["kql"]}},"required":["query"]}},"required":["alerting"]},"status":{"description":"The current status of the maintenance window.","enum":["running","upcoming","finished","archived","disabled"],"type":"string"},"title":{"description":"The name of the maintenance window.","type":"string"},"updated_at":{"description":"The date and time when the maintenance window was last updated.","type":"string"},"updated_by":{"description":"The identifier for the user that last updated this maintenance window.","nullable":true,"type":"string"}},"required":["id","title","enabled","created_by","updated_by","created_at","updated_at","status","schedule"]}}},"description":"Indicates a successful call."},"400":{"description":"Indicates an invalid schema or parameters."},"403":{"description":"Indicates that this call is forbidden."},"404":{"description":"Indicates a maintenance window with the given ID does not exist."}},"summary":"Archive a maintenance window.","tags":["maintenance-window"],"x-state":"Generally available; added in 9.1.0","x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/maintenance_window/{id}/_unarchive":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/maintenance_window/{id}/_unarchive\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: write-maintenance-window.","operationId":"post-maintenance-window-id-unarchive","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"The identifier for the maintenance window to be unarchived.","in":"path","name":"id","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"created_at":{"description":"The date and time when the maintenance window was created.","type":"string"},"created_by":{"description":"The identifier for the user that created the maintenance window.","nullable":true,"type":"string"},"enabled":{"description":"Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications.","type":"boolean"},"id":{"description":"The identifier for the maintenance window.","type":"string"},"schedule":{"additionalProperties":false,"type":"object","properties":{"custom":{"additionalProperties":false,"type":"object","properties":{"duration":{"description":"The duration of the schedule. It allows values in `\u003cinteger\u003e\u003cunit\u003e` format. `\u003cunit\u003e` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.","type":"string"},"recurring":{"additionalProperties":false,"type":"object","properties":{"end":{"description":"The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.","type":"string"},"every":{"description":"The interval and frequency of a recurring schedule. It allows values in `\u003cinteger\u003e\u003cunit\u003e` format. `\u003cunit\u003e` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.","type":"string"},"occurrences":{"description":"The total number of recurrences of the schedule.","type":"number"},"onMonth":{"description":"The specific months for a recurring schedule. Valid values are 1-12.","items":{"type":"number"},"type":"array"},"onMonthDay":{"description":"The specific days of the month for a recurring schedule. Valid values are 1-31.","items":{"type":"number"},"type":"array"},"onWeekDay":{"description":"The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule.","items":{"type":"string"},"type":"array"}}},"start":{"description":"The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.","type":"string"},"timezone":{"description":"The timezone of the schedule. The default timezone is UTC.","type":"string"}},"required":["start","duration"]}},"required":["custom"]},"scope":{"additionalProperties":false,"type":"object","properties":{"alerting":{"additionalProperties":false,"type":"object","properties":{"query":{"additionalProperties":false,"type":"object","properties":{"kql":{"description":"A filter written in Kibana Query Language (KQL).","type":"string"}},"required":["kql"]}},"required":["query"]}},"required":["alerting"]},"status":{"description":"The current status of the maintenance window.","enum":["running","upcoming","finished","archived","disabled"],"type":"string"},"title":{"description":"The name of the maintenance window.","type":"string"},"updated_at":{"description":"The date and time when the maintenance window was last updated.","type":"string"},"updated_by":{"description":"The identifier for the user that last updated this maintenance window.","nullable":true,"type":"string"}},"required":["id","title","enabled","created_by","updated_by","created_at","updated_at","status","schedule"]}}},"description":"Indicates a successful call."},"400":{"description":"Indicates an invalid schema or parameters."},"403":{"description":"Indicates that this call is forbidden."},"404":{"description":"Indicates a maintenance window with the given ID does not exist."}},"summary":"Unarchive a maintenance window.","tags":["maintenance-window"],"x-state":"Generally available; added in 9.1.0","x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/ml/saved_objects/sync":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/ml/saved_objects/sync\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nSynchronizes Kibana saved objects for machine learning jobs and trained models in the default space. You must have `all` privileges for the **Machine Learning** feature in the **Analytics** section of the Kibana feature privileges. This API runs automatically when you start Kibana and periodically thereafter.\n","operationId":"mlSync","parameters":[{"$ref":"#/components/parameters/Machine_learning_APIs_simulateParam"}],"responses":{"200":{"content":{"application/json":{"examples":{"syncExample":{"$ref":"#/components/examples/Machine_learning_APIs_mlSyncExample"}},"schema":{"$ref":"#/components/schemas/Machine_learning_APIs_mlSync200Response"}}},"description":"Indicates a successful call"},"401":{"content":{"application/json":{"examples":{"syncExample":{"$ref":"#/components/examples/Machine_learning_APIs_mlSync401Example"}},"schema":{"$ref":"#/components/schemas/Machine_learning_APIs_mlSync4xxResponse"}}},"description":"Authorization information is missing or invalid."}},"summary":"Sync saved objects in the default space","tags":["ml"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/ml/saved_objects/update_jobs_spaces":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/ml/saved_objects/update_jobs_spaces\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nUpdate a list of jobs to add and/or remove them from given spaces.","operationId":"mlUpdateJobsSpaces","requestBody":{"content":{"application/json":{"examples":{"updateADJobSpacesRequest":{"value":{"jobIds":["test-job"],"jobType":"anomaly-detector","spacesToAdd":["default"],"spacesToRemove":["*"]}},"updateDFAJobSpacesRequest":{"value":{"jobIds":["test-job"],"jobType":"data-frame-analytics","spacesToAdd":["default"],"spacesToRemove":["*"]}}}}}},"responses":{"200":{"content":{"application/json":{"examples":{"successADResponse":{"value":{"test-job":{"success":true,"type":"anomaly-detector"}}},"successDFAResponse":{"value":{"test-job":{"success":true,"type":"data-frame-analytics"}}}}}},"description":"Indicates a successful call"}},"summary":"Update jobs spaces","tags":["ml"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/ml/saved_objects/update_trained_models_spaces":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/ml/saved_objects/update_trained_models_spaces\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nUpdate a list of trained models to add and/or remove them from given spaces.","operationId":"mlUpdateTrainedModelsSpaces","requestBody":{"content":{"application/json":{"examples":{"updateTrainedModelsSpacesRequest":{"value":{"modelIds":["test-model"],"spacesToAdd":["default"],"spacesToRemove":["*"]}}}}}},"responses":{"200":{"content":{"application/json":{"examples":{"successTMResponse":{"value":{"test-model":{"success":true,"type":"trained-model\""}}}}}},"description":"Indicates a successful call"}},"summary":"Update trained models spaces","tags":["ml"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/note":{"delete":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb delete\"\u003edelete\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/note\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nDelete a note from a Timeline using the note ID.","operationId":"DeleteNote","requestBody":{"content":{"application/json":{"schema":{"oneOf":[{"nullable":true,"type":"object","properties":{"noteId":{"type":"string"}},"required":["noteId"]},{"nullable":true,"type":"object","properties":{"noteIds":{"items":{"type":"string"},"nullable":true,"type":"array"}},"required":["noteIds"]}]}}},"description":"The ID of the note to delete.","required":true},"responses":{"200":{"description":"Indicates the note was successfully deleted."}},"summary":"Delete a note","tags":["Security Timeline API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/note\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nGet all notes for a given document.","operationId":"GetNotes","parameters":[{"in":"query","name":"documentIds","schema":{"$ref":"#/components/schemas/Security_Timeline_API_DocumentIds"}},{"in":"query","name":"savedObjectIds","schema":{"$ref":"#/components/schemas/Security_Timeline_API_SavedObjectIds"}},{"in":"query","name":"page","schema":{"nullable":true,"type":"string"}},{"in":"query","name":"perPage","schema":{"nullable":true,"type":"string"}},{"in":"query","name":"search","schema":{"nullable":true,"type":"string"}},{"in":"query","name":"sortField","schema":{"nullable":true,"type":"string"}},{"in":"query","name":"sortOrder","schema":{"nullable":true,"type":"string"}},{"in":"query","name":"filter","schema":{"nullable":true,"type":"string"}},{"in":"query","name":"createdByFilter","schema":{"nullable":true,"type":"string"}},{"in":"query","name":"associatedFilter","schema":{"$ref":"#/components/schemas/Security_Timeline_API_AssociatedFilterType"}}],"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Timeline_API_GetNotesResult"}}},"description":"Indicates the requested notes were returned."}},"summary":"Get notes","tags":["Security Timeline API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"patch":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb patch\"\u003epatch\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/note\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nAdd a note to a Timeline or update an existing note.","operationId":"PersistNoteRoute","requestBody":{"content":{"application/json":{"schema":{"type":"object","properties":{"note":{"$ref":"#/components/schemas/Security_Timeline_API_BareNote","description":"The note to add or update."},"noteId":{"description":"The `savedObjectId` of the note","example":"709f99c6-89b6-4953-9160-35945c8e174e","nullable":true,"type":"string"},"version":{"description":"The version of the note","example":"WzQ2LDFd","nullable":true,"type":"string"}},"required":["note"]}}},"description":"The note to add or update, along with additional metadata.","required":true},"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Timeline_API_ResponseNote"}}},"description":"Indicates the note was successfully created."}},"summary":"Add or update a note","tags":["Security Timeline API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/observability_ai_assistant/chat/complete":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/observability_ai_assistant/chat/complete\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nCreate a new chat completion by using the Observability AI Assistant. \n\nThe API returns the model's response based on the current conversation context. \n\nIt also handles any tool requests within the conversation, which may trigger multiple calls to the underlying large language model (LLM). \n\nThis functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.\n","operationId":"observability-ai-assistant-chat-complete","requestBody":{"content":{"application/json":{"examples":{"chatCompleteRequestExample":{"$ref":"#/components/schemas/Observability_AI_Assistant_API_ChatCompleteRequestExample"}},"schema":{"type":"object","properties":{"actions":{"items":{"$ref":"#/components/schemas/Observability_AI_Assistant_API_Function"},"type":"array"},"connectorId":{"description":"A unique identifier for the connector.","type":"string"},"conversationId":{"description":"A unique identifier for the conversation if you are continuing an existing conversation.","type":"string"},"disableFunctions":{"description":"Flag indicating whether all function calls should be disabled for the conversation. If true, no calls to functions will be made.","type":"boolean"},"instructions":{"description":"An array of instruction objects, which can be either simple strings or detailed objects.","items":{"$ref":"#/components/schemas/Observability_AI_Assistant_API_Instruction"},"type":"array"},"messages":{"description":"An array of message objects containing the conversation history.","items":{"$ref":"#/components/schemas/Observability_AI_Assistant_API_Message"},"type":"array"},"persist":{"description":"Indicates whether the conversation should be saved to storage. If true, the conversation will be saved and will be available in Kibana.","type":"boolean"},"title":{"description":"A title for the conversation.","type":"string"}},"required":["messages","connectorId","persist"]}}}},"responses":{"200":{"content":{"application/json":{"examples":{"chatCompleteResponseExample":{"$ref":"#/components/schemas/Observability_AI_Assistant_API_ChatCompleteResponseExample"}},"schema":{"type":"object"}}},"description":"Successful response"}},"summary":"Generate a chat completion","tags":["observability_ai_assistant"],"x-codeSamples":[{"lang":"cURL","source":"curl --request POST 'localhost:5601/api/observability_ai_assistant/chat/complete' -u \u003cusername\u003e:\u003cpassword\u003e -H 'kbn-xsrf: true' -H \"Content-Type: application/json\" --data '\n{\n\"connectorId\": \"\u003cconnectorId\u003e\",\n\"disableFunctions\": false,\n  \"messages\": [\n    {\n      \"@timestamp\": \"2025-06-25T23:45:00.000Z\",\n      \"message\": {\n        \"role\": \"user\",\n        \"content\": \"Is my Elasticsearch cluster healthy right now?\"\n      }\n    }\n  ],\n\"persist\": false,\n\"actions\": [\n  {\n    \"name\": \"get_cluster_health\",\n    \"description\": \"Fetch the current Elasticsearch cluster-health status and key metrics.\",\n    \"parameters\": {\n      \"type\": \"object\",\n      \"properties\": {\n        \"includeShardStats\": {\n          \"type\": \"boolean\",\n          \"default\": false\n        }\n      }\n    }\n  }\n],\n\"instructions\": [\"When the user asks about Elasticsearch cluster health, use the get_cluster_health tool to retrieve cluster health, then summarize the response in plain English.\"]\n}'\n"}],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/osquery/live_queries":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/osquery/live_queries\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nGet a list of all live queries.","operationId":"OsqueryFindLiveQueries","parameters":[{"in":"query","name":"kuery","required":false,"schema":{"$ref":"#/components/schemas/Security_Osquery_API_KueryOrUndefined"}},{"in":"query","name":"page","required":false,"schema":{"$ref":"#/components/schemas/Security_Osquery_API_PageOrUndefined"}},{"in":"query","name":"pageSize","required":false,"schema":{"$ref":"#/components/schemas/Security_Osquery_API_PageSizeOrUndefined"}},{"in":"query","name":"sort","required":false,"schema":{"$ref":"#/components/schemas/Security_Osquery_API_SortOrUndefined"}},{"in":"query","name":"sortOrder","required":false,"schema":{"$ref":"#/components/schemas/Security_Osquery_API_SortOrderOrUndefined"}}],"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Osquery_API_FindLiveQueryResponse"}}},"description":"OK"}},"summary":"Get live queries","tags":["Security Osquery API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/osquery/live_queries\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nCreate and run a live query.","operationId":"OsqueryCreateLiveQuery","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Osquery_API_CreateLiveQueryRequestBody"}}},"required":true},"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Osquery_API_CreateLiveQueryResponse"}}},"description":"OK"}},"summary":"Create a live query","tags":["Security Osquery API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/osquery/live_queries/{id}":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/osquery/live_queries/{id}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nGet the details of a live query using the query ID.","operationId":"OsqueryGetLiveQueryDetails","parameters":[{"in":"path","name":"id","required":true,"schema":{"description":"The ID of the live query result you want to retrieve.","example":"3c42c847-eb30-4452-80e0-728584042334","type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Osquery_API_FindLiveQueryDetailsResponse"}}},"description":"OK"}},"summary":"Get live query details","tags":["Security Osquery API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/osquery/live_queries/{id}/results/{actionId}":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/osquery/live_queries/{id}/results/{actionId}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nGet the results of a live query using the query action ID.","operationId":"OsqueryGetLiveQueryResults","parameters":[{"in":"path","name":"id","required":true,"schema":{"description":"The ID of the live query result you want to retrieve.","example":"3c42c847-eb30-4452-80e0-728584042334","type":"string"}},{"in":"path","name":"actionId","required":true,"schema":{"description":"The ID of the query action that generated the live query results.","example":"609c4c66-ba3d-43fa-afdd-53e244577aa0","type":"string"}},{"in":"query","name":"kuery","required":false,"schema":{"$ref":"#/components/schemas/Security_Osquery_API_KueryOrUndefined"}},{"in":"query","name":"page","required":false,"schema":{"$ref":"#/components/schemas/Security_Osquery_API_PageOrUndefined"}},{"in":"query","name":"pageSize","required":false,"schema":{"$ref":"#/components/schemas/Security_Osquery_API_PageSizeOrUndefined"}},{"in":"query","name":"sort","required":false,"schema":{"$ref":"#/components/schemas/Security_Osquery_API_SortOrUndefined"}},{"in":"query","name":"sortOrder","required":false,"schema":{"$ref":"#/components/schemas/Security_Osquery_API_SortOrderOrUndefined"}}],"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Osquery_API_GetLiveQueryResultsResponse"}}},"description":"OK"}},"summary":"Get live query results","tags":["Security Osquery API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/osquery/packs":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/osquery/packs\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nGet a list of all query packs.","operationId":"OsqueryFindPacks","parameters":[{"in":"query","name":"page","required":false,"schema":{"$ref":"#/components/schemas/Security_Osquery_API_PageOrUndefined"}},{"in":"query","name":"pageSize","required":false,"schema":{"$ref":"#/components/schemas/Security_Osquery_API_PageSizeOrUndefined"}},{"in":"query","name":"sort","required":false,"schema":{"$ref":"#/components/schemas/Security_Osquery_API_SortOrUndefined"}},{"in":"query","name":"sortOrder","required":false,"schema":{"$ref":"#/components/schemas/Security_Osquery_API_SortOrderOrUndefined"}}],"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Osquery_API_FindPacksResponse"}}},"description":"OK"}},"summary":"Get packs","tags":["Security Osquery API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/osquery/packs\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nCreate a query pack.","operationId":"OsqueryCreatePacks","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Osquery_API_CreatePacksRequestBody"}}},"required":true},"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Osquery_API_CreatePacksResponse"}}},"description":"OK"}},"summary":"Create a pack","tags":["Security Osquery API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/osquery/packs/{id}":{"delete":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb delete\"\u003edelete\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/osquery/packs/{id}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nDelete a query pack using the pack ID.","operationId":"OsqueryDeletePacks","parameters":[{"in":"path","name":"id","required":true,"schema":{"$ref":"#/components/schemas/Security_Osquery_API_PackId"}}],"responses":{"200":{"content":{"application/json":{"schema":{"example":{},"type":"object","properties":{}}}},"description":"OK"}},"summary":"Delete a pack","tags":["Security Osquery API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/osquery/packs/{id}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nGet the details of a query pack using the pack ID.","operationId":"OsqueryGetPacksDetails","parameters":[{"in":"path","name":"id","required":true,"schema":{"$ref":"#/components/schemas/Security_Osquery_API_PackId"}}],"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Osquery_API_FindPackResponse"}}},"description":"OK"}},"summary":"Get pack details","tags":["Security Osquery API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"put":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb put\"\u003eput\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/osquery/packs/{id}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nUpdate a query pack using the pack ID.\n\u003e info\n\u003e You cannot update a prebuilt pack.\n","operationId":"OsqueryUpdatePacks","parameters":[{"in":"path","name":"id","required":true,"schema":{"$ref":"#/components/schemas/Security_Osquery_API_PackId"}}],"requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Osquery_API_UpdatePacksRequestBody"}}},"required":true},"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Osquery_API_UpdatePacksResponse"}}},"description":"OK"}},"summary":"Update a pack","tags":["Security Osquery API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/osquery/saved_queries":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/osquery/saved_queries\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nGet a list of all saved queries.","operationId":"OsqueryFindSavedQueries","parameters":[{"in":"query","name":"page","required":false,"schema":{"$ref":"#/components/schemas/Security_Osquery_API_PageOrUndefined"}},{"in":"query","name":"pageSize","required":false,"schema":{"$ref":"#/components/schemas/Security_Osquery_API_PageSizeOrUndefined"}},{"in":"query","name":"sort","required":false,"schema":{"$ref":"#/components/schemas/Security_Osquery_API_SortOrUndefined"}},{"in":"query","name":"sortOrder","required":false,"schema":{"$ref":"#/components/schemas/Security_Osquery_API_SortOrderOrUndefined"}}],"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Osquery_API_FindSavedQueryResponse"}}},"description":"OK"}},"summary":"Get saved queries","tags":["Security Osquery API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/osquery/saved_queries\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nCreate and run a saved query.","operationId":"OsqueryCreateSavedQuery","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Osquery_API_CreateSavedQueryRequestBody"}}},"required":true},"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Osquery_API_CreateSavedQueryResponse"}}},"description":"OK"}},"summary":"Create a saved query","tags":["Security Osquery API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/osquery/saved_queries/{id}":{"delete":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb delete\"\u003edelete\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/osquery/saved_queries/{id}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nDelete a saved query using the query ID.","operationId":"OsqueryDeleteSavedQuery","parameters":[{"in":"path","name":"id","required":true,"schema":{"$ref":"#/components/schemas/Security_Osquery_API_SavedQueryId"}}],"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Osquery_API_DefaultSuccessResponse"}}},"description":"OK"}},"summary":"Delete a saved query","tags":["Security Osquery API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/osquery/saved_queries/{id}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nGet the details of a saved query using the query ID.","operationId":"OsqueryGetSavedQueryDetails","parameters":[{"in":"path","name":"id","required":true,"schema":{"$ref":"#/components/schemas/Security_Osquery_API_SavedQueryId"}}],"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Osquery_API_FindSavedQueryDetailResponse"}}},"description":"OK"}},"summary":"Get saved query details","tags":["Security Osquery API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"put":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb put\"\u003eput\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/osquery/saved_queries/{id}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nUpdate a saved query using the query ID.\n\u003e info\n\u003e You cannot update a prebuilt saved query.\n","operationId":"OsqueryUpdateSavedQuery","parameters":[{"in":"path","name":"id","required":true,"schema":{"$ref":"#/components/schemas/Security_Osquery_API_SavedQueryId"}}],"requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Osquery_API_UpdateSavedQueryRequestBody"}}},"required":true},"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Osquery_API_UpdateSavedQueryResponse"}}},"description":"OK"}},"summary":"Update a saved query","tags":["Security Osquery API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/pinned_event":{"patch":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb patch\"\u003epatch\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/pinned_event\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nPin/unpin an event to/from an existing Timeline.","operationId":"PersistPinnedEventRoute","requestBody":{"content":{"application/json":{"schema":{"type":"object","properties":{"eventId":{"description":"The `_id` of the associated event for this pinned event.","example":"d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc","type":"string"},"pinnedEventId":{"description":"The `savedObjectId` of the pinned event you want to unpin.","example":"10r1929b-0af7-42bd-85a8-56e234f98h2f3","nullable":true,"type":"string"},"timelineId":{"description":"The `savedObjectId` of the timeline that you want this pinned event unpinned from.","example":"15c1929b-0af7-42bd-85a8-56e234cc7c4e","type":"string"}},"required":["eventId","timelineId"]}}},"description":"The pinned event to add or unpin, along with additional metadata.","required":true},"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Timeline_API_PersistPinnedEventResponse"}}},"description":"Indicates the event was successfully pinned to or unpinned from the Timeline."}},"summary":"Pin/unpin an event","tags":["Security Timeline API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/risk_score/engine/dangerously_delete_data":{"delete":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb delete\"\u003edelete\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/risk_score/engine/dangerously_delete_data\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nCleaning up the the Risk Engine by removing the indices, mapping and transforms","operationId":"CleanUpRiskEngine","responses":{"200":{"content":{"application/json":{"schema":{"type":"object","properties":{"cleanup_successful":{"type":"boolean"}}}}},"description":"Successful response"},"400":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse"}}},"description":"Task manager is unavailable"},"default":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_CleanUpRiskEngineErrorResponse"}}},"description":"Unexpected error"}},"summary":"Cleanup the Risk Engine","tags":["Security Entity Analytics API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/risk_score/engine/saved_object/configure":{"patch":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb patch\"\u003epatch\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/risk_score/engine/saved_object/configure\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nConfiguring the Risk Engine Saved Object","operationId":"ConfigureRiskEngineSavedObject","requestBody":{"content":{"application/json":{"schema":{"type":"object","properties":{"enable_reset_to_zero":{"type":"boolean"},"exclude_alert_statuses":{"items":{"type":"string"},"type":"array"},"exclude_alert_tags":{"items":{"type":"string"},"type":"array"},"filters":{"items":{"type":"object","properties":{"entity_types":{"items":{"enum":["host","user","service"],"type":"string"},"type":"array"},"filter":{"description":"KQL filter string","type":"string"}},"required":["entity_types","filter"]},"type":"array"},"range":{"type":"object","properties":{"end":{"type":"string"},"start":{"type":"string"}}}}}}},"required":true},"responses":{"200":{"content":{"application/json":{"schema":{"type":"object","properties":{"risk_engine_saved_object_configured":{"type":"boolean"}}}}},"description":"Successful response"},"400":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse"}}},"description":"Task manager is unavailable"},"default":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_ConfigureRiskEngineSavedObjectErrorResponse"}}},"description":"Unexpected error"}},"summary":"Configure the Risk Engine Saved Object","tags":["Security Entity Analytics API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/risk_score/engine/schedule_now":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/risk_score/engine/schedule_now\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nSchedule the risk scoring engine to run as soon as possible. You can use this to recalculate entity risk scores after updating their asset criticality.","operationId":"ScheduleRiskEngineNow","requestBody":{"content":{"application/json":{}}},"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_RiskEngineScheduleNowResponse"}}},"description":"Successful response"},"400":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse"}}},"description":"Task manager is unavailable"},"default":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_RiskEngineScheduleNowErrorResponse"}}},"description":"Unexpected error"}},"summary":"Run the risk scoring engine","tags":["Security Entity Analytics API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/saved_objects/_bulk_create":{"post":{"deprecated":true,"operationId":"bulkCreateSavedObjects","parameters":[{"$ref":"#/components/parameters/Saved_objects_kbn_xsrf"},{"description":"When true, overwrites the document with the same identifier.","in":"query","name":"overwrite","schema":{"type":"boolean"}}],"requestBody":{"content":{"application/json":{"schema":{"items":{"type":"object"},"type":"array"}}},"required":true},"responses":{"200":{"content":{"application/json":{"schema":{"type":"object"}}},"description":"Indicates a successful call."},"400":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Saved_objects_400_response"}}},"description":"Bad request"}},"summary":"Create saved objects","tags":["saved objects"],"x-metaTags":[{"content":"Kibana","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/saved_objects/_bulk_create\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information."}},"/api/saved_objects/_bulk_delete":{"post":{"deprecated":true,"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/saved_objects/_bulk_delete\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nWARNING: When you delete a saved object, it cannot be recovered.\n","operationId":"bulkDeleteSavedObjects","parameters":[{"$ref":"#/components/parameters/Saved_objects_kbn_xsrf"},{"description":"When true, force delete objects that exist in multiple namespaces. Note that the option applies to the whole request. Use the delete object API to specify per-object deletion behavior. TIP: Use this if you attempted to delete objects and received an HTTP 400 error with the following message: \"Unable to delete saved object that exists in multiple namespaces, use the force option to delete it anyway\". WARNING: When you bulk delete objects that exist in multiple namespaces, the API also deletes legacy url aliases that reference the object. These requests are batched to minimise the impact but they can place a heavy load on Kibana. Make sure you limit the number of objects that exist in multiple namespaces in a single bulk delete operation.\n","in":"query","name":"force","schema":{"type":"boolean"}}],"requestBody":{"content":{"application/json":{"schema":{"items":{"type":"object"},"type":"array"}}},"required":true},"responses":{"200":{"content":{"application/json":{"schema":{"type":"object"}}},"description":"Indicates a successful call. NOTE: This HTTP response code indicates that the bulk operation succeeded. Errors pertaining to individual objects will be returned in the response body.\n"},"400":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Saved_objects_400_response"}}},"description":"Bad request"}},"summary":"Delete saved objects","tags":["saved objects"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/saved_objects/_bulk_get":{"post":{"deprecated":true,"operationId":"bulkGetSavedObjects","parameters":[{"$ref":"#/components/parameters/Saved_objects_kbn_xsrf"}],"requestBody":{"content":{"application/json":{"schema":{"items":{"type":"object"},"type":"array"}}},"required":true},"responses":{"200":{"content":{"application/json":{"schema":{"type":"object"}}},"description":"Indicates a successful call."},"400":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Saved_objects_400_response"}}},"description":"Bad request"}},"summary":"Get saved objects","tags":["saved objects"],"x-metaTags":[{"content":"Kibana","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/saved_objects/_bulk_get\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information."}},"/api/saved_objects/_bulk_resolve":{"post":{"deprecated":true,"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/saved_objects/_bulk_resolve\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nRetrieve multiple Kibana saved objects by identifier using any legacy URL aliases if they exist. Under certain circumstances when Kibana is upgraded, saved object migrations may necessitate regenerating some object IDs to enable new features. When an object's ID is regenerated, a legacy URL alias is created for that object, preserving its old ID. In such a scenario, that object can be retrieved by the bulk resolve API using either its new ID or its old ID.\n","operationId":"bulkResolveSavedObjects","parameters":[{"$ref":"#/components/parameters/Saved_objects_kbn_xsrf"}],"requestBody":{"content":{"application/json":{"schema":{"items":{"type":"object"},"type":"array"}}},"required":true},"responses":{"200":{"content":{"application/json":{"schema":{"type":"object"}}},"description":"Indicates a successful call. NOTE: This HTTP response code indicates that the bulk operation succeeded.  Errors pertaining to individual objects will be returned in the response body. \n"},"400":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Saved_objects_400_response"}}},"description":"Bad request"}},"summary":"Resolve saved objects","tags":["saved objects"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/saved_objects/_bulk_update":{"post":{"deprecated":true,"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/saved_objects/_bulk_update\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nUpdate the attributes for multiple Kibana saved objects.","operationId":"bulkUpdateSavedObjects","parameters":[{"$ref":"#/components/parameters/Saved_objects_kbn_xsrf"}],"requestBody":{"content":{"application/json":{"schema":{"items":{"type":"object"},"type":"array"}}},"required":true},"responses":{"200":{"content":{"application/json":{"schema":{"type":"object"}}},"description":"Indicates a successful call. NOTE: This HTTP response code indicates that the bulk operation succeeded. Errors pertaining to individual objects will be returned in the response body. \n"},"400":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Saved_objects_400_response"}}},"description":"Bad request"}},"summary":"Update saved objects","tags":["saved objects"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/saved_objects/_export":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/saved_objects/_export\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nRetrieve sets of saved objects that you want to import into Kibana. You must include `type` or `objects` in the request body. The output of exporting saved objects must be treated as opaque. Tampering with exported data risks introducing unspecified errors and data loss.\n\nExported saved objects are not backwards compatible and cannot be imported into an older version of Kibana.\n\nNOTE: The `savedObjects.maxImportExportSize` configuration setting limits the number of saved objects which may be exported.","operationId":"post-saved-objects-export","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application/json":{"examples":{"exportSavedObjectsRequest":{"summary":"Export a specific saved object.","value":{"excludeExportDetails":true,"includeReferencesDeep":false,"objects":[{"id":"de71f4f0-1902-11e9-919b-ffe5949a18d2","type":"map"}]}}},"schema":{"additionalProperties":false,"type":"object","properties":{"excludeExportDetails":{"default":false,"description":"Do not add export details entry at the end of the stream.","type":"boolean"},"hasReference":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"type":{"type":"string"}},"required":["type","id"]},{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"type":{"type":"string"}},"required":["type","id"]},"type":"array"}]},"includeReferencesDeep":{"default":false,"description":"Includes all of the referenced objects in the exported objects.","type":"boolean"},"objects":{"description":"A list of objects to export. NOTE: this optional parameter cannot be combined with the `types` option","items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"type":{"type":"string"}},"required":["type","id"]},"maxItems":10000,"type":"array"},"search":{"description":"Search for documents to export using the Elasticsearch Simple Query String syntax.","type":"string"},"type":{"anyOf":[{"type":"string"},{"items":{"type":"string"},"type":"array"}],"description":"The saved object types to include in the export. Use `*` to export all the types. Valid options depend on enabled plugins, but may include `visualization`, `dashboard`, `search`, `index-pattern`, `tag`, `config`, `config-global`, `lens`, `map`, `event-annotation-group`, `query`, `url`, `action`, `alert`, `alerting_rule_template`, `apm-indices`, `cases-user-actions`, `cases`, `cases-comments`, `infrastructure-monitoring-log-view`, `ml-trained-model`, `osquery-saved-query`, `osquery-pack`, `osquery-pack-asset`."}}}}}},"responses":{"200":{"content":{"application/x-ndjson":{"examples":{"exportSavedObjectsResponse":{"summary":"The export objects API response contains a JSON record for each exported object.","value":{"attributes":{"description":"","layerListJSON":"[{\"id\":\"0hmz5\",\"alpha\":1,\"sourceDescriptor\":{\"type\":\"EMS_TMS\",\"isAutoSelect\":true,\"lightModeDefault\":\"road_map_desaturated\"},\"visible\":true,\"style\":{},\"type\":\"EMS_VECTOR_TILE\",\"minZoom\":0,\"maxZoom\":24},{\"id\":\"edh66\",\"label\":\"Total Requests by Destination\",\"minZoom\":0,\"maxZoom\":24,\"alpha\":0.5,\"sourceDescriptor\":{\"type\":\"EMS_FILE\",\"id\":\"world_countries\",\"tooltipProperties\":[\"name\",\"iso2\"]},\"visible\":true,\"style\":{\"type\":\"VECTOR\",\"properties\":{\"fillColor\":{\"type\":\"DYNAMIC\",\"options\":{\"field\":{\"name\":\"__kbnjoin__count__673ff994-fc75-4c67-909b-69fcb0e1060e\",\"origin\":\"join\"},\"color\":\"Greys\",\"fieldMetaOptions\":{\"isEnabled\":false,\"sigma\":3}}},\"lineColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#FFFFFF\"}},\"lineWidth\":{\"type\":\"STATIC\",\"options\":{\"size\":1}},\"iconSize\":{\"type\":\"STATIC\",\"options\":{\"size\":10}},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}},\"icon\":{\"type\":\"STATIC\",\"options\":{\"value\":\"marker\"}}}},\"type\":\"GEOJSON_VECTOR\",\"joins\":[{\"leftField\":\"iso2\",\"right\":{\"type\":\"ES_TERM_SOURCE\",\"id\":\"673ff994-fc75-4c67-909b-69fcb0e1060e\",\"indexPatternTitle\":\"kibana_sample_data_logs\",\"term\":\"geo.dest\",\"indexPatternRefName\":\"layer_1_join_0_index_pattern\",\"metrics\":[{\"type\":\"count\",\"label\":\"web logs count\"}],\"applyGlobalQuery\":true}}]},{\"id\":\"gaxya\",\"label\":\"Actual Requests\",\"minZoom\":9,\"maxZoom\":24,\"alpha\":1,\"sourceDescriptor\":{\"id\":\"b7486535-171b-4d3b-bb2e-33c1a0a2854c\",\"type\":\"ES_SEARCH\",\"geoField\":\"geo.coordinates\",\"limit\":2048,\"filterByMapBounds\":true,\"tooltipProperties\":[\"clientip\",\"timestamp\",\"host\",\"request\",\"response\",\"machine.os\",\"agent\",\"bytes\"],\"indexPatternRefName\":\"layer_2_source_index_pattern\",\"applyGlobalQuery\":true,\"scalingType\":\"LIMIT\"},\"visible\":true,\"style\":{\"type\":\"VECTOR\",\"properties\":{\"fillColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#2200ff\"}},\"lineColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#FFFFFF\"}},\"lineWidth\":{\"type\":\"STATIC\",\"options\":{\"size\":2}},\"iconSize\":{\"type\":\"DYNAMIC\",\"options\":{\"field\":{\"name\":\"bytes\",\"origin\":\"source\"},\"minSize\":1,\"maxSize\":23,\"fieldMetaOptions\":{\"isEnabled\":false,\"sigma\":3}}},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}},\"icon\":{\"type\":\"STATIC\",\"options\":{\"value\":\"marker\"}}}},\"type\":\"GEOJSON_VECTOR\"},{\"id\":\"tfi3f\",\"label\":\"Total Requests and Bytes\",\"minZoom\":0,\"maxZoom\":9,\"alpha\":1,\"sourceDescriptor\":{\"type\":\"ES_GEO_GRID\",\"resolution\":\"COARSE\",\"id\":\"8aaa65b5-a4e9-448b-9560-c98cb1c5ac5b\",\"geoField\":\"geo.coordinates\",\"requestType\":\"point\",\"metrics\":[{\"type\":\"count\",\"label\":\"web logs count\"},{\"type\":\"sum\",\"field\":\"bytes\"}],\"indexPatternRefName\":\"layer_3_source_index_pattern\",\"applyGlobalQuery\":true},\"visible\":true,\"style\":{\"type\":\"VECTOR\",\"properties\":{\"fillColor\":{\"type\":\"DYNAMIC\",\"options\":{\"field\":{\"name\":\"doc_count\",\"origin\":\"source\"},\"color\":\"Blues\",\"fieldMetaOptions\":{\"isEnabled\":false,\"sigma\":3}}},\"lineColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#cccccc\"}},\"lineWidth\":{\"type\":\"STATIC\",\"options\":{\"size\":1}},\"iconSize\":{\"type\":\"DYNAMIC\",\"options\":{\"field\":{\"name\":\"sum_of_bytes\",\"origin\":\"source\"},\"minSize\":7,\"maxSize\":25,\"fieldMetaOptions\":{\"isEnabled\":false,\"sigma\":3}}},\"labelText\":{\"type\":\"DYNAMIC\",\"options\":{\"field\":{\"name\":\"doc_count\",\"origin\":\"source\"},\"fieldMetaOptions\":{\"isEnabled\":false,\"sigma\":3}}},\"labelSize\":{\"type\":\"DYNAMIC\",\"options\":{\"field\":{\"name\":\"doc_count\",\"origin\":\"source\"},\"minSize\":12,\"maxSize\":24,\"fieldMetaOptions\":{\"isEnabled\":false,\"sigma\":3}}},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}},\"icon\":{\"type\":\"STATIC\",\"options\":{\"value\":\"marker\"}}}},\"type\":\"GEOJSON_VECTOR\"}]","mapStateJSON":"{\"zoom\":3.64,\"center\":{\"lon\":-88.92107,\"lat\":42.16337},\"timeFilters\":{\"from\":\"now-7d\",\"to\":\"now\"},\"refreshConfig\":{\"isPaused\":true,\"interval\":0},\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"settings\":{\"autoFitToDataBounds\":false}}","title":"[Logs] Total Requests and Bytes","uiStateJSON":"{\"isDarkMode\":false}"},"coreMigrationVersion":"8.8.0","created_at":"2023-08-23T20:03:32.204Z","id":"de71f4f0-1902-11e9-919b-ffe5949a18d2","managed":false,"references":[{"id":"90943e30-9a47-11e8-b64d-95841ca0b247","name":"layer_1_join_0_index_pattern","type":"index-pattern"},{"id":"90943e30-9a47-11e8-b64d-95841ca0b247","name":"layer_2_source_index_pattern","type":"index-pattern"},{"id":"90943e30-9a47-11e8-b64d-95841ca0b247","name":"layer_3_source_index_pattern","type":"index-pattern"}],"type":"map","typeMigrationVersion":"8.4.0","updated_at":"2023-08-23T20:03:32.204Z","version":"WzEzLDFd"}}},"schema":{}}},"description":"Indicates a successfull call."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Indicates an unsuccessful response.","type":"object","properties":{"error":{"type":"string"},"message":{"type":"string"},"statusCode":{"enum":[400],"type":"integer"}},"required":["error","message","statusCode"]}}},"description":"Bad request."}},"summary":"Export saved objects","tags":["saved objects"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/saved_objects/_find":{"get":{"deprecated":true,"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/saved_objects/_find\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nRetrieve a paginated set of Kibana saved objects.","operationId":"findSavedObjects","parameters":[{"description":"An aggregation structure, serialized as a string. The field format is similar to filter, meaning that to use a saved object type attribute in the aggregation, the `savedObjectType.attributes.title: \"myTitle\"` format must be used. For root fields, the syntax is `savedObjectType.rootField`. NOTE: As objects change in Kibana, the results on each page of the response also change. Use the find API for traditional paginated results, but avoid using it to export large amounts of data.\n","in":"query","name":"aggs","schema":{"type":"string"}},{"description":"The default operator to use for the `simple_query_string`.","in":"query","name":"default_search_operator","schema":{"type":"string"}},{"description":"The fields to return in the attributes key of the response.","in":"query","name":"fields","schema":{"oneOf":[{"type":"string"},{"type":"array"}]}},{"description":"The filter is a KQL string with the caveat that if you filter with an attribute from your saved object type, it should look like that: `savedObjectType.attributes.title: \"myTitle\"`. However, if you use a root attribute of a saved object such as `updated_at`, you will have to define your filter like that: `savedObjectType.updated_at \u003e 2018-12-22`.\n","in":"query","name":"filter","schema":{"type":"string"}},{"description":"Filters to objects that do not have a relationship with the type and identifier combination.","in":"query","name":"has_no_reference","schema":{"type":"object"}},{"description":"The operator to use for the `has_no_reference` parameter. Either `OR` or `AND`. Defaults to `OR`.","in":"query","name":"has_no_reference_operator","schema":{"type":"string"}},{"description":"Filters to objects that have a relationship with the type and ID combination.","in":"query","name":"has_reference","schema":{"type":"object"}},{"description":"The operator to use for the `has_reference` parameter. Either `OR` or `AND`. Defaults to `OR`.","in":"query","name":"has_reference_operator","schema":{"type":"string"}},{"description":"The page of objects to return.","in":"query","name":"page","schema":{"type":"integer"}},{"description":"The number of objects to return per page.","in":"query","name":"per_page","schema":{"type":"integer"}},{"description":"An Elasticsearch `simple_query_string` query that filters the objects in the response.","in":"query","name":"search","schema":{"type":"string"}},{"description":"The fields to perform the `simple_query_string` parsed query against.","in":"query","name":"search_fields","schema":{"oneOf":[{"type":"string"},{"type":"array"}]}},{"description":"Sorts the response. Includes \"root\" and \"type\" fields. \"root\" fields exist for all saved objects, such as \"updated_at\". \"type\" fields are specific to an object type, such as fields returned in the attributes key of the response. When a single type is defined in the type parameter, the \"root\" and \"type\" fields are allowed, and validity checks are made in that order. When multiple types are defined in the type parameter, only \"root\" fields are allowed.\n","in":"query","name":"sort_field","schema":{"type":"string"}},{"description":"The saved object types to include.","in":"query","name":"type","required":true,"schema":{"oneOf":[{"type":"string"},{"type":"array"}]}}],"responses":{"200":{"content":{"application/json":{"schema":{"type":"object"}}},"description":"Indicates a successful call."},"400":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Saved_objects_400_response"}}},"description":"Bad request"}},"summary":"Search for saved objects","tags":["saved objects"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/saved_objects/_import":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/saved_objects/_import\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nCreate sets of Kibana saved objects from a file created by the export API. Saved objects can only be imported into the same version, a newer minor on the same major, or the next major. Tampering with exported data risks introducing unspecified errors and data loss.\n\nExported saved objects are not backwards compatible and cannot be imported into an older version of Kibana.","operationId":"post-saved-objects-import","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"Overwrites saved objects when they already exist. When used, potential conflict errors are automatically resolved by overwriting the destination object. NOTE: This option cannot be used with the `createNewCopies` option.","in":"query","name":"overwrite","required":false,"schema":{"default":false,"type":"boolean"}},{"description":"Creates copies of saved objects, regenerates each object ID, and resets the origin. When used, potential conflict errors are avoided. NOTE: This option cannot be used with the `overwrite` and `compatibilityMode` options.","in":"query","name":"createNewCopies","required":false,"schema":{"default":false,"type":"boolean"}},{"description":"Applies various adjustments to the saved objects that are being imported to maintain compatibility between different Kibana versions. Use this option only if you encounter issues with imported saved objects. NOTE: This option cannot be used with the `createNewCopies` option.","in":"query","name":"compatibilityMode","required":false,"schema":{"default":false,"type":"boolean"}}],"requestBody":{"content":{"multipart/form-data":{"examples":{"importObjectsRequest":{"value":{"file":"file.ndjson"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"file":{"description":"A file exported using the export API. Changing the contents of the exported file in any way before importing it can cause errors, crashes or data loss. NOTE: The `savedObjects.maxImportExportSize` configuration setting limits the number of saved objects which may be included in this file. Similarly, the `savedObjects.maxImportPayloadBytes` setting limits the overall size of the file that can be imported.","type":"object"}},"required":["file"]}}}},"responses":{"200":{"content":{"application/json":{"examples":{"importObjectsResponse":{"summary":"The import objects API response indicates a successful import and the objects are created. Since these objects are created as new copies, each entry in the successResults array includes a destinationId attribute.","value":{"success":true,"successCount":1,"successResults":[{"destinationId":"82d2760c-468f-49cf-83aa-b9a35b6a8943","id":"90943e30-9a47-11e8-b64d-95841ca0b247","managed":false,"meta":{"icon":"indexPatternApp","title":"Kibana Sample Data Logs"},"type":"index-pattern"}]}}},"schema":{"additionalProperties":false,"type":"object","properties":{"errors":{"description":"Indicates the import was unsuccessful and specifies the objects that failed to import.\n\nNOTE: One object may result in multiple errors, which requires separate steps to resolve. For instance, a `missing_references` error and conflict error.","items":{"additionalProperties":true,"type":"object","properties":{}},"type":"array"},"success":{"description":"Indicates when the import was successfully completed. When set to false, some objects may not have been created. For additional information, refer to the `errors` and `successResults` properties.","type":"boolean"},"successCount":{"description":"Indicates the number of successfully imported records.","type":"number"},"successResults":{"description":"Indicates the objects that are successfully imported, with any metadata if applicable.\n\nNOTE: Objects are created only when all resolvable errors are addressed, including conflicts and missing references. If objects are created as new copies, each entry in the `successResults` array includes a `destinationId` attribute.","items":{"additionalProperties":true,"type":"object","properties":{}},"type":"array"}},"required":["success","successCount","errors","successResults"]}}},"description":"Indicates a successful call."},"400":{"content":{"application/json":{"schema":{"additionalProperties":false,"description":"Indicates an unsuccessful response.","type":"object","properties":{"error":{"type":"string"},"message":{"type":"string"},"statusCode":{"enum":[400],"type":"integer"}},"required":["error","message","statusCode"]}}},"description":"Bad request."}},"summary":"Import saved objects","tags":["saved objects"],"x-codeSamples":[{"label":"Import with createNewCopies","lang":"cURL","source":"curl \\\n  -X POST api/saved_objects/_import?createNewCopies=true\n  -H \"kbn-xsrf: true\"\n  --form file=@file.ndjson\n"}],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/saved_objects/_resolve_import_errors":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/saved_objects/_resolve_import_errors\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nTo resolve errors from the Import objects API, you can:\n\n* Retry certain saved objects\n* Overwrite specific saved objects\n* Change references to different saved objects\n","operationId":"resolveImportErrors","parameters":[{"$ref":"#/components/parameters/Saved_objects_kbn_xsrf"},{"description":"Applies various adjustments to the saved objects that are being imported to maintain compatibility between different Kibana versions. When enabled during the initial import, also enable when resolving import errors. This option cannot be used with the `createNewCopies` option.\n","in":"query","name":"compatibilityMode","required":false,"schema":{"type":"boolean"}},{"description":"Creates copies of the saved objects, regenerates each object ID, and resets the origin. When enabled during the initial import, also enable when resolving import errors.\n","in":"query","name":"createNewCopies","required":false,"schema":{"type":"boolean"}}],"requestBody":{"content":{"multipart/form-data":{"examples":{"resolveImportErrorsRequest":{"$ref":"#/components/examples/Saved_objects_resolve_missing_reference_request"}},"schema":{"type":"object","properties":{"file":{"description":"The same file given to the import API.","format":"binary","type":"string"},"retries":{"description":"The retry operations, which can specify how to resolve different types of errors.","items":{"type":"object","properties":{"destinationId":{"description":"Specifies the destination ID that the imported object should have, if different from the current ID.","type":"string"},"id":{"description":"The saved object ID.","type":"string"},"ignoreMissingReferences":{"description":"When set to `true`, ignores missing reference errors. When set to `false`, does nothing.","type":"boolean"},"overwrite":{"description":"When set to `true`, the source object overwrites the conflicting destination object. When set to `false`, does nothing.","type":"boolean"},"replaceReferences":{"description":"A list of `type`, `from`, and `to` used to change the object references.","items":{"type":"object","properties":{"from":{"type":"string"},"to":{"type":"string"},"type":{"type":"string"}}},"type":"array"},"type":{"description":"The saved object type.","type":"string"}},"required":["type","id"]},"type":"array"}},"required":["retries"]}}},"required":true},"responses":{"200":{"content":{"application/json":{"examples":{"resolveImportErrorsResponse":{"$ref":"#/components/examples/Saved_objects_resolve_missing_reference_response"}},"schema":{"type":"object","properties":{"errors":{"description":"Specifies the objects that failed to resolve.\n\nNOTE: One object can result in multiple errors, which requires separate steps to resolve. For instance, a `missing_references` error and a `conflict` error.\n","items":{"type":"object"},"type":"array"},"success":{"description":"Indicates a successful import. When set to `false`, some objects may not have been created. For additional information, refer to the `errors` and `successResults` properties.\n","type":"boolean"},"successCount":{"description":"Indicates the number of successfully resolved records.\n","type":"number"},"successResults":{"description":"Indicates the objects that are successfully imported, with any metadata if applicable.\n\nNOTE: Objects are only created when all resolvable errors are addressed, including conflict and missing references.\n","items":{"type":"object"},"type":"array"}}}}},"description":"Indicates a successful call."},"400":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Saved_objects_400_response"}}},"description":"Bad request."}},"summary":"Resolve import errors","tags":["saved objects"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/saved_objects/{type}":{"post":{"deprecated":true,"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/saved_objects/{type}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nCreate a Kibana saved object with a randomly generated identifier.","operationId":"createSavedObject","parameters":[{"$ref":"#/components/parameters/Saved_objects_kbn_xsrf"},{"$ref":"#/components/parameters/Saved_objects_saved_object_type"},{"description":"If true, overwrites the document with the same identifier.","in":"query","name":"overwrite","schema":{"type":"boolean"}}],"requestBody":{"content":{"application/json":{"schema":{"type":"object","properties":{"attributes":{"$ref":"#/components/schemas/Saved_objects_attributes"},"initialNamespaces":{"$ref":"#/components/schemas/Saved_objects_initial_namespaces"},"references":{"$ref":"#/components/schemas/Saved_objects_references"}},"required":["attributes"]}}},"required":true},"responses":{"200":{"content":{"application/json":{"schema":{"type":"object"}}},"description":"Indicates a successful call."},"409":{"content":{"application/json":{"schema":{"type":"object"}}},"description":"Indicates a conflict error."}},"summary":"Create a saved object","tags":["saved objects"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/saved_objects/{type}/{id}":{"get":{"deprecated":true,"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/saved_objects/{type}/{id}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nRetrieve a single Kibana saved object by identifier.","operationId":"getSavedObject","parameters":[{"$ref":"#/components/parameters/Saved_objects_saved_object_id"},{"$ref":"#/components/parameters/Saved_objects_saved_object_type"}],"responses":{"200":{"content":{"application/json":{"schema":{"type":"object"}}},"description":"Indicates a successful call."},"400":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Saved_objects_400_response"}}},"description":"Bad request."}},"summary":"Get a saved object","tags":["saved objects"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"post":{"deprecated":true,"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/saved_objects/{type}/{id}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nCreate a Kibana saved object and specify its identifier instead of using a randomly generated ID.","operationId":"createSavedObjectId","parameters":[{"$ref":"#/components/parameters/Saved_objects_kbn_xsrf"},{"$ref":"#/components/parameters/Saved_objects_saved_object_id"},{"$ref":"#/components/parameters/Saved_objects_saved_object_type"},{"description":"If true, overwrites the document with the same identifier.","in":"query","name":"overwrite","schema":{"type":"boolean"}}],"requestBody":{"content":{"application/json":{"schema":{"type":"object","properties":{"attributes":{"$ref":"#/components/schemas/Saved_objects_attributes"},"initialNamespaces":{"$ref":"#/components/schemas/Saved_objects_initial_namespaces"},"references":{"$ref":"#/components/schemas/Saved_objects_initial_namespaces"}},"required":["attributes"]}}},"required":true},"responses":{"200":{"content":{"application/json":{"schema":{"type":"object"}}},"description":"Indicates a successful call."},"409":{"content":{"application/json":{"schema":{"type":"object"}}},"description":"Indicates a conflict error."}},"summary":"Create a saved object","tags":["saved objects"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"put":{"deprecated":true,"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb put\"\u003eput\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/saved_objects/{type}/{id}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nUpdate the attributes for Kibana saved objects.","operationId":"updateSavedObject","parameters":[{"$ref":"#/components/parameters/Saved_objects_kbn_xsrf"},{"$ref":"#/components/parameters/Saved_objects_saved_object_id"},{"$ref":"#/components/parameters/Saved_objects_saved_object_type"}],"requestBody":{"content":{"application/json":{"schema":{"type":"object"}}},"required":true},"responses":{"200":{"content":{"application/json":{"schema":{"type":"object"}}},"description":"Indicates a successful call."},"404":{"content":{"application/json":{"schema":{"type":"object"}}},"description":"Indicates the object was not found."},"409":{"content":{"application/json":{"schema":{"type":"object"}}},"description":"Indicates a conflict error."}},"summary":"Update a saved object","tags":["saved objects"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/saved_objects/resolve/{type}/{id}":{"get":{"deprecated":true,"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/saved_objects/resolve/{type}/{id}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nRetrieve a single Kibana saved object by identifier using any legacy URL alias if it exists. Under certain circumstances, when Kibana is upgraded, saved object migrations may necessitate regenerating some object IDs to enable new features. When an object's ID is regenerated, a legacy URL alias is created for that object, preserving its old ID. In such a scenario, that object can be retrieved using either its new ID or its old ID.\n","operationId":"resolveSavedObject","parameters":[{"$ref":"#/components/parameters/Saved_objects_saved_object_id"},{"$ref":"#/components/parameters/Saved_objects_saved_object_type"}],"responses":{"200":{"content":{"application/json":{"schema":{"type":"object"}}},"description":"Indicates a successful call."},"400":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Saved_objects_400_response"}}},"description":"Bad request."}},"summary":"Resolve a saved object","tags":["saved objects"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/security_ai_assistant/anonymization_fields/_bulk_action":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/security_ai_assistant/anonymization_fields/_bulk_action\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nApply a bulk action to multiple anonymization fields. The bulk action is applied to all anonymization fields that match the filter or to the list of anonymization fields by their IDs.","operationId":"PerformAnonymizationFieldsBulkAction","requestBody":{"content":{"application/json":{"schema":{"example":{"create":[{"allowed":true,"anonymized":false,"field":"host.name"},{"allowed":false,"anonymized":true,"field":"user.name"}],"delete":{"ids":["field5","field6"],"query":"field: host.name"},"update":[{"allowed":true,"anonymized":false,"id":"field8"},{"allowed":false,"anonymized":true,"id":"field9"}]},"type":"object","properties":{"create":{"description":"Array of anonymization fields to create.","items":{"$ref":"#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldCreateProps"},"type":"array"},"delete":{"description":"Object containing the query to filter anonymization fields and/or an array of anonymization field IDs to delete.","type":"object","properties":{"ids":{"description":"Array of IDs to apply the action to.","example":["1234","5678"],"items":{"type":"string"},"minItems":1,"type":"array"},"query":{"description":"Query to filter the bulk action.","example":"status: 'inactive'","type":"string"}}},"update":{"description":"Array of anonymization fields to update.","items":{"$ref":"#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldUpdateProps"},"type":"array"}}}}}},"responses":{"200":{"content":{"application/json":{"example":{"anonymization_fields_count":5,"attributes":{"results":{"created":[{"allowed":false,"anonymized":true,"createdAt":"2023-10-31T12:00:00Z","createdBy":"user1","field":"host.name","id":"field2","namespace":"default","timestamp":"2023-10-31T12:00:00Z","updatedAt":"2023-10-31T12:00:00Z","updatedBy":"user1"}],"deleted":["field3"],"skipped":[{"id":"field4","name":"user.name","skip_reason":"ANONYMIZATION_FIELD_NOT_MODIFIED"}],"updated":[{"allowed":true,"anonymized":false,"createdAt":"2023-10-31T12:00:00Z","createdBy":"user1","field":"url.domain","id":"field8","namespace":"default","timestamp":"2023-10-31T12:00:00Z","updatedAt":"2023-10-31T12:00:00Z","updatedBy":"user1"}]},"summary":{"failed":1,"skipped":1,"succeeded":2,"total":5}},"message":"Bulk action completed successfully","status_code":200,"success":true},"schema":{"$ref":"#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResponse"}}},"description":"Indicates a successful call."},"400":{"content":{"application/json":{"example":{"error":"Bad Request","message":"Invalid request body","statusCode":400},"schema":{"type":"object","properties":{"error":{"description":"Error type or name.","type":"string"},"message":{"description":"Detailed error message.","type":"string"},"statusCode":{"description":"Status code of the response.","type":"number"}}}}},"description":"Generic Error"}},"summary":"Apply a bulk action to anonymization fields","tags":["Security AI Assistant API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/security_ai_assistant/anonymization_fields/_find":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/security_ai_assistant/anonymization_fields/_find\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nGet a list of all anonymization fields.","operationId":"FindAnonymizationFields","parameters":[{"description":"Fields to return","example":["id","field","anonymized","allowed"],"in":"query","name":"fields","required":false,"schema":{"items":{"type":"string"},"type":"array"}},{"description":"Search query","example":"field: \"user.name\"","in":"query","name":"filter","required":false,"schema":{"type":"string"}},{"description":"Field to sort by","example":"created_at","in":"query","name":"sort_field","required":false,"schema":{"$ref":"#/components/schemas/Security_AI_Assistant_API_FindAnonymizationFieldsSortField"}},{"description":"Sort order","example":"asc","in":"query","name":"sort_order","required":false,"schema":{"$ref":"#/components/schemas/Security_AI_Assistant_API_SortOrder"}},{"description":"Page number","example":1,"in":"query","name":"page","required":false,"schema":{"default":1,"minimum":1,"type":"integer"}},{"description":"AnonymizationFields per page","example":20,"in":"query","name":"per_page","required":false,"schema":{"default":20,"minimum":0,"type":"integer"}},{"description":"If true, additionally fetch all anonymization fields, otherwise fetch only the provided page","in":"query","name":"all_data","required":false,"schema":{"type":"boolean"}}],"responses":{"200":{"content":{"application/json":{"example":{"aggregations":{"anonymized":{"buckets":{"allowed":{"doc_count":1},"anonymized":{"doc_count":1},"denied":{"doc_count":1}}}},"all":[{"allowed":true,"anonymized":true,"createdAt":"2023-10-31T12:00:00Z","createdBy":"user1","field":"user.name","id":"1","namespace":"default","timestamp":"2023-10-31T12:00:00Z","updatedAt":"2023-10-31T12:00:00Z","updatedBy":"user1"}],"data":[{"allowed":true,"anonymized":true,"createdAt":"2023-10-31T12:00:00Z","createdBy":"user1","field":"user.name","id":"1","namespace":"default","timestamp":"2023-10-31T12:00:00Z","updatedAt":"2023-10-31T12:00:00Z","updatedBy":"user1"}],"page":1,"perPage":20,"total":100},"schema":{"type":"object","properties":{"aggregations":{"type":"object","properties":{"field_status":{"type":"object","properties":{"buckets":{"type":"object","properties":{"allowed":{"type":"object","properties":{"doc_count":{"default":0,"type":"integer"}}},"anonymized":{"type":"object","properties":{"doc_count":{"default":0,"type":"integer"}}},"denied":{"type":"object","properties":{"doc_count":{"default":0,"type":"integer"}}}}}}}}},"all":{"items":{"$ref":"#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse"},"type":"array"},"data":{"items":{"$ref":"#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse"},"type":"array"},"page":{"type":"integer"},"perPage":{"type":"integer"},"total":{"type":"integer"}},"required":["page","perPage","total","data"]}}},"description":"Successful response"},"400":{"content":{"application/json":{"example":{"error":"Bad Request","message":"Invalid request parameters","statusCode":400},"schema":{"type":"object","properties":{"error":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}}}}},"description":"Generic Error"}},"summary":"Get anonymization fields","tags":["Security AI Assistant API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/security_ai_assistant/chat/complete":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/security_ai_assistant/chat/complete\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nCreate a model response for the given chat conversation.","operationId":"ChatComplete","parameters":[{"description":"If true, the response will not include content references.","example":false,"in":"query","name":"content_references_disabled","required":false,"schema":{"default":false,"type":"boolean"}}],"requestBody":{"content":{"application/json":{"example":{"connectorId":"conn-001","conversationId":"abc123","isStream":true,"langSmithApiKey":"sk-abc123","langSmithProject":"security_ai_project","messages":[{"content":"What are some common phishing techniques?","data":{"user_id":"user_789"},"fields_to_anonymize":["user.name","source.ip"],"role":"user"}],"model":"gpt-4","persist":true,"promptId":"prompt_456","responseLanguage":"en"},"schema":{"$ref":"#/components/schemas/Security_AI_Assistant_API_ChatCompleteProps"}}},"required":true},"responses":{"200":{"content":{"application/octet-stream":{"schema":{"format":"binary","type":"string"}}},"description":"Indicates a successful model response call."},"400":{"content":{"application/json":{"schema":{"type":"object","properties":{"error":{"description":"Error type.","example":"Bad Request","type":"string"},"message":{"description":"Human-readable error message.","example":"Invalid request payload.","type":"string"},"statusCode":{"description":"HTTP status code.","example":400,"type":"number"}}}}},"description":"Generic Error"}},"summary":"Create a model response","tags":["Security AI Assistant API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/security_ai_assistant/current_user/conversations":{"delete":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb delete\"\u003edelete\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/security_ai_assistant/current_user/conversations\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nThis endpoint allows users to permanently delete all conversations.","operationId":"DeleteAllConversations","requestBody":{"content":{"application/json":{"schema":{"type":"object","properties":{"excludedIds":{"description":"Optional list of conversation IDs to delete.","example":["abc123","def456"],"items":{"type":"string"},"type":"array"}}}}},"required":false},"responses":{"200":{"content":{"application/json":{"example":{"success":true},"schema":{"type":"object","properties":{"failures":{"items":{"type":"string"},"type":"array"},"success":{"example":true,"type":"boolean"},"totalDeleted":{"example":10,"type":"number"}}}}},"description":"Indicates a successful call. The conversations were deleted successfully."},"400":{"content":{"application/json":{"schema":{"type":"object","properties":{"error":{"example":"Bad Request","type":"string"},"message":{"example":"Invalid conversation ID","type":"string"},"statusCode":{"example":400,"type":"number"}}}}},"description":"Generic Error. This response indicates an issue with the request."}},"summary":"Delete conversations","tags":["Security AI Assistant API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/security_ai_assistant/current_user/conversations\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nCreate a new Security AI Assistant conversation. This endpoint allows the user to initiate a conversation with the Security AI Assistant by providing the required parameters.","operationId":"CreateConversation","requestBody":{"content":{"application/json":{"example":{"apiConfig":{"actionTypeId":"67890","connectorId":"12345"},"category":"assistant","excludeFromLastConversationStorage":false,"messages":[{"content":"Hello, how can I assist you today?","role":"system","timestamp":"2023-10-31T12:00:00Z"}],"replacements":{},"title":"Security Discussion"},"schema":{"$ref":"#/components/schemas/Security_AI_Assistant_API_ConversationCreateProps"}}},"required":true},"responses":{"200":{"content":{"application/json":{"example":{"apiConfig":{"actionTypeId":"67890","connectorId":"12345"},"category":"assistant","createdAt":"2023-10-31T12:01:00Z","excludeFromLastConversationStorage":false,"id":"abc123","messages":[{"content":"Hello, how can I assist you today?","role":"system","timestamp":"2023-10-31T12:00:00Z"}],"replacements":{},"title":"Security Discussion","updatedAt":"2023-10-31T12:01:00Z","users":[{"id":"user1","name":"John Doe"}]},"schema":{"$ref":"#/components/schemas/Security_AI_Assistant_API_ConversationResponse"}}},"description":"Indicates a successful call. The conversation was created successfully."},"400":{"content":{"application/json":{"schema":{"type":"object","properties":{"error":{"example":"Bad Request","type":"string"},"message":{"example":"Missing required parameter: title","type":"string"},"statusCode":{"example":400,"type":"number"}}}}},"description":"Generic Error. This response indicates an issue with the request, such as missing required parameters or incorrect data."}},"summary":"Create a conversation","tags":["Security AI Assistant API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/security_ai_assistant/current_user/conversations/_find":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/security_ai_assistant/current_user/conversations/_find\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nGet a list of all conversations for the current user. This endpoint allows users to search, filter, sort, and paginate through their conversations.","operationId":"FindConversations","parameters":[{"description":"A list of fields to include in the response. If omitted, all fields are returned.","in":"query","name":"fields","required":false,"schema":{"example":["id","title","createdAt"],"items":{"type":"string"},"type":"array"}},{"description":"A search query to filter the conversations. Can match against titles, messages, or other conversation attributes.","in":"query","name":"filter","required":false,"schema":{"example":"Security Issue","type":"string"}},{"description":"The field by which to sort the results. Valid fields are `created_at`, `title`, and `updated_at`.","in":"query","name":"sort_field","required":false,"schema":{"$ref":"#/components/schemas/Security_AI_Assistant_API_FindConversationsSortField","example":"created_at"}},{"description":"The order in which to sort the results. Can be either `asc` for ascending or `desc` for descending.","in":"query","name":"sort_order","required":false,"schema":{"$ref":"#/components/schemas/Security_AI_Assistant_API_SortOrder","example":"desc"}},{"description":"The page number of the results to retrieve. Default is 1.","in":"query","name":"page","required":false,"schema":{"default":1,"example":1,"minimum":1,"type":"integer"}},{"description":"The number of conversations to return per page. Default is 20.","in":"query","name":"per_page","required":false,"schema":{"default":20,"example":20,"minimum":0,"type":"integer"}},{"description":"Whether to return conversations that the current user owns. If true, only conversations owned by the user are returned.","in":"query","name":"is_owner","required":false,"schema":{"default":false,"example":true,"type":"boolean"}}],"responses":{"200":{"content":{"application/json":{"schema":{"type":"object","properties":{"data":{"description":"A list of conversations.","items":{"$ref":"#/components/schemas/Security_AI_Assistant_API_ConversationResponse"},"type":"array"},"page":{"description":"The current page of the results.","example":1,"type":"integer"},"perPage":{"description":"The number of results returned per page.","example":20,"type":"integer"},"total":{"description":"The total number of conversations matching the filter criteria.","example":100,"type":"integer"}},"required":["page","perPage","total","data"]}}},"description":"Successful response, returns a paginated list of conversations matching the specified criteria."},"400":{"content":{"application/json":{"schema":{"type":"object","properties":{"error":{"example":"Bad Request","type":"string"},"message":{"example":"Invalid filter query parameter","type":"string"},"statusCode":{"example":400,"type":"number"}}}}},"description":"Generic Error. The request could not be processed due to an invalid query parameter or other issue."}},"summary":"Get conversations","tags":["Security AI Assistant API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/security_ai_assistant/current_user/conversations/{id}":{"delete":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb delete\"\u003edelete\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/security_ai_assistant/current_user/conversations/{id}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nDelete an existing conversation using the conversation ID. This endpoint allows users to permanently delete a conversation.","operationId":"DeleteConversation","parameters":[{"description":"The conversation's `id` value.","example":"abc123","in":"path","name":"id","required":true,"schema":{"$ref":"#/components/schemas/Security_AI_Assistant_API_NonEmptyString"}}],"responses":{"200":{"content":{"application/json":{"example":{"apiConfig":{"actionTypeId":"67890","connectorId":"12345"},"category":"assistant","createdAt":"2023-10-31T12:01:00Z","excludeFromLastConversationStorage":false,"id":"abc123","messages":[{"content":"The conversation has been deleted.","role":"system","timestamp":"2023-10-31T12:35:00Z"}],"replacements":{},"title":"Deleted Security Discussion","updatedAt":"2023-10-31T12:01:00Z","users":[{"id":"user1","name":"John Doe"}]},"schema":{"$ref":"#/components/schemas/Security_AI_Assistant_API_ConversationResponse"}}},"description":"Indicates a successful call. The conversation was deleted successfully."},"400":{"content":{"application/json":{"schema":{"type":"object","properties":{"error":{"example":"Bad Request","type":"string"},"message":{"example":"Invalid conversation ID","type":"string"},"statusCode":{"example":400,"type":"number"}}}}},"description":"Generic Error. This response indicates an issue with the request."}},"summary":"Delete a conversation","tags":["Security AI Assistant API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/security_ai_assistant/current_user/conversations/{id}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nGet the details of an existing conversation using the conversation ID. This allows users to fetch the specific conversation data by its unique ID.","operationId":"ReadConversation","parameters":[{"description":"The conversation's `id` value, a unique identifier for the conversation.","example":"abc123","in":"path","name":"id","required":true,"schema":{"$ref":"#/components/schemas/Security_AI_Assistant_API_NonEmptyString"}}],"responses":{"200":{"content":{"application/json":{"example":{"apiConfig":{"actionTypeId":"67890","connectorId":"12345"},"category":"assistant","createdAt":"2023-10-31T12:01:00Z","excludeFromLastConversationStorage":false,"id":"abc123","messages":[{"content":"Hello, how can I assist you today?","role":"system","timestamp":"2023-10-31T12:00:00Z"}],"replacements":{},"title":"Security Discussion","updatedAt":"2023-10-31T12:01:00Z","users":[{"id":"user1","name":"John Doe"}]},"schema":{"$ref":"#/components/schemas/Security_AI_Assistant_API_ConversationResponse"}}},"description":"Indicates a successful call. The conversation details are returned."},"400":{"content":{"application/json":{"schema":{"type":"object","properties":{"error":{"example":"Bad Request","type":"string"},"message":{"example":"Invalid conversation ID","type":"string"},"statusCode":{"example":400,"type":"number"}}}}},"description":"Generic Error. The request could not be processed due to an error."}},"summary":"Get a conversation","tags":["Security AI Assistant API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"put":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb put\"\u003eput\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/security_ai_assistant/current_user/conversations/{id}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nUpdate an existing conversation using the conversation ID. This endpoint allows users to modify the details of an existing conversation.","operationId":"UpdateConversation","parameters":[{"description":"The conversation's `id` value.","example":"abc123","in":"path","name":"id","required":true,"schema":{"$ref":"#/components/schemas/Security_AI_Assistant_API_NonEmptyString"}}],"requestBody":{"content":{"application/json":{"example":{"apiConfig":{"actionTypeId":"09876","connectorId":"54321"},"category":"insights","excludeFromLastConversationStorage":true,"messages":[{"content":"The issue was resolved.","role":"assistant","timestamp":"2023-10-31T12:30:00Z"}],"replacements":{},"title":"Updated Security Discussion"},"schema":{"$ref":"#/components/schemas/Security_AI_Assistant_API_ConversationUpdateProps"}}},"required":true},"responses":{"200":{"content":{"application/json":{"example":{"apiConfig":{"actionTypeId":"09876","connectorId":"54321"},"category":"insights","createdAt":"2023-10-31T12:01:00Z","excludeFromLastConversationStorage":true,"id":"abc123","messages":[{"content":"The issue was resolved.","role":"assistant","timestamp":"2023-10-31T12:30:00Z"}],"replacements":{},"title":"Updated Security Discussion","updatedAt":"2023-10-31T12:31:00Z","users":[{"id":"user1","name":"John Doe"}]},"schema":{"$ref":"#/components/schemas/Security_AI_Assistant_API_ConversationResponse"}}},"description":"Indicates a successful call. The conversation was updated successfully."},"400":{"content":{"application/json":{"schema":{"type":"object","properties":{"error":{"example":"Bad Request","type":"string"},"message":{"example":"Missing required field: title","type":"string"},"statusCode":{"example":400,"type":"number"}}}}},"description":"Generic Error. This response indicates an issue with the request, such as missing required parameters or incorrect data."}},"summary":"Update a conversation","tags":["Security AI Assistant API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/security_ai_assistant/knowledge_base":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/security_ai_assistant/knowledge_base\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nRead a single KB","operationId":"GetKnowledgeBase","responses":{"200":{"content":{"application/json":{"examples":{"KnowledgeBaseReadResponse200Example2":{"summary":"A response that returns information about the knowledge base.","value":{"defend_insights_exists":true,"elser_exists":false,"is_setup_available":true,"is_setup_in_progress":true,"product_documentation_status":"installed","security_labs_exists":false,"user_data_exists":true}}},"schema":{"$ref":"#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseReadResponse200"}}},"description":"Indicates a successful call."},"400":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse400"}}},"description":"Generic Error"}},"summary":"Read a KnowledgeBase","tags":["Security AI Assistant API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"post":{"operationId":"PostKnowledgeBase","parameters":[{"description":"ELSER modelId to use when setting up the Knowledge Base. If not provided, a default model will be used.","example":"elser-model-001","in":"query","name":"modelId","required":false,"schema":{"type":"string"}},{"description":"Indicates whether we should or should not install Security Labs docs when setting up the Knowledge Base. Defaults to `false`.","example":true,"in":"query","name":"ignoreSecurityLabs","required":false,"schema":{"default":false,"type":"boolean"}}],"responses":{"200":{"content":{"application/json":{"examples":{"KnowledgeBaseResponse200Example2":{"summary":"A response that indicates that the request was successful.","value":{"success":true}}},"schema":{"$ref":"#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse"}}},"description":"Indicates a successful call."},"400":{"content":{"application/json":{"examples":{"KnowledgeBaseResponse400Example2":{"summary":"A response for a request that failed due to an invalid query parameter value.","value":"statusCode: 400 error: Bad Request message: \"[request query]: ignoreSecurityLabs: Invalid enum value. Expected 'true' | 'false', received 'yes', ignoreSecurityLabs: Expected boolean, received string\"\n"}},"schema":{"$ref":"#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse400"}}},"description":"Generic Error"}},"summary":"Create a KnowledgeBase","tags":["Security AI Assistant API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/security_ai_assistant/knowledge_base\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information."}},"/api/security_ai_assistant/knowledge_base/{resource}":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/security_ai_assistant/knowledge_base/{resource}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nRead a knowledge base with a specific resource identifier.","operationId":"ReadKnowledgeBase","parameters":[{"description":"The KnowledgeBase `resource` value.","example":"kb12345","in":"path","name":"resource","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application/json":{"examples":{"KnowledgeBaseReadResponse200Example1":{"summary":"A response that returns information about the knowledge base.","value":{"defend_insights_exists":true,"elser_exists":false,"is_setup_available":true,"is_setup_in_progress":true,"product_documentation_status":"installed","security_labs_exists":false,"user_data_exists":true}}},"schema":{"$ref":"#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseReadResponse200"}}},"description":"Indicates a successful call."},"400":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse400"}}},"description":"Generic Error"}},"summary":"Read a KnowledgeBase for a resource","tags":["Security AI Assistant API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/security_ai_assistant/knowledge_base/{resource}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nCreate a knowledge base with a specific resource identifier.","operationId":"CreateKnowledgeBase","parameters":[{"description":"The KnowledgeBase `resource` value.","example":"kb12345","in":"path","name":"resource","required":true,"schema":{"type":"string"}},{"description":"ELSER modelId to use when setting up the Knowledge Base. If not provided, a default model will be used.","example":"elser-model-001","in":"query","name":"modelId","required":false,"schema":{"type":"string"}},{"description":"Indicates whether we should or should not install Security Labs docs when setting up the Knowledge Base. Defaults to `false`.","example":true,"in":"query","name":"ignoreSecurityLabs","required":false,"schema":{"default":false,"type":"boolean"}}],"responses":{"200":{"content":{"application/json":{"examples":{"KnowledgeBaseResponse200Example1":{"summary":"A response that indicates that the request was successful.","value":{"success":true}}},"schema":{"$ref":"#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse"}}},"description":"Indicates a successful call."},"400":{"content":{"application/json":{"examples":{"KnowledgeBaseResponse400Example1":{"summary":"A response for a request that failed due to an invalid query parameter value.","value":"statusCode: 400 error: Bad Request message: \"[request query]: ignoreSecurityLabs: Invalid enum value. Expected 'true' | 'false', received 'yes', ignoreSecurityLabs: Expected boolean, received string\"\n"}},"schema":{"$ref":"#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse400"}}},"description":"Generic Error"}},"summary":"Create a KnowledgeBase for a resource","tags":["Security AI Assistant API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/security_ai_assistant/knowledge_base/entries":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/security_ai_assistant/knowledge_base/entries\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nCreate a Knowledge Base Entry","operationId":"CreateKnowledgeBaseEntry","requestBody":{"content":{"application/json":{"example":{"content":"To reset your password, go to the settings page and click 'Reset Password'.","tags":["password","reset","help"],"title":"How to reset a password"},"schema":{"$ref":"#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryCreateProps"}}},"required":true},"responses":{"200":{"content":{"application/json":{"example":{"content":"To reset your password, go to the settings page and click 'Reset Password'.","id":"12345","tags":["password","reset","help"],"title":"How to reset a password"},"schema":{"$ref":"#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse"}}},"description":"Successful request returning Knowledge Base Entries"},"400":{"content":{"application/json":{"example":{"error":"Invalid input","message":"The 'title' field is required."},"schema":{"$ref":"#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema"}}},"description":"A generic error occurred, such as invalid input or missing required fields."}},"summary":"Create a Knowledge Base Entry","tags":["Security AI Assistant API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/security_ai_assistant/knowledge_base/entries/_bulk_action":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/security_ai_assistant/knowledge_base/entries/_bulk_action\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nThe bulk action is applied to all Knowledge Base Entries that match the filter or to the list of Knowledge Base Entries by their IDs.","operationId":"PerformKnowledgeBaseEntryBulkAction","requestBody":{"content":{"application/json":{"schema":{"type":"object","properties":{"create":{"description":"List of Knowledge Base Entries to create.","example":[{"content":"This is the content of the new entry.","title":"New Entry"}],"items":{"$ref":"#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryCreateProps"},"type":"array"},"delete":{"type":"object","properties":{"ids":{"description":"Array of Knowledge Base Entry IDs.","example":["123","456","789"],"items":{"type":"string"},"minItems":1,"type":"array"},"query":{"description":"Query to filter Knowledge Base Entries.","example":"status:active AND category:technology","type":"string"}}},"update":{"description":"List of Knowledge Base Entries to update.","example":[{"content":"Updated content.","id":"123","title":"Updated Entry"}],"items":{"$ref":"#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryUpdateProps"},"type":"array"}}}}}},"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionResponse"}}},"description":"Successful bulk operation request"},"400":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema"}}},"description":"Generic Error"}},"summary":"Applies a bulk action to multiple Knowledge Base Entries","tags":["Security AI Assistant API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/security_ai_assistant/knowledge_base/entries/_find":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/security_ai_assistant/knowledge_base/entries/_find\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nFinds Knowledge Base Entries that match the given query.","operationId":"FindKnowledgeBaseEntries","parameters":[{"description":"A list of fields to include in the response. If not provided, all fields will be included.","in":"query","name":"fields","required":false,"schema":{"example":["title","created_at"],"items":{"type":"string"},"type":"array"}},{"description":"Search query to filter Knowledge Base Entries by specific criteria.","in":"query","name":"filter","required":false,"schema":{"example":"error handling","type":"string"}},{"description":"Field to sort the Knowledge Base Entries by.","in":"query","name":"sort_field","required":false,"schema":{"$ref":"#/components/schemas/Security_AI_Assistant_API_FindKnowledgeBaseEntriesSortField","example":"created_at"}},{"description":"Sort order for the results, either asc or desc.","in":"query","name":"sort_order","required":false,"schema":{"$ref":"#/components/schemas/Security_AI_Assistant_API_SortOrder","example":"asc"}},{"description":"Page number for paginated results. Defaults to 1.","in":"query","name":"page","required":false,"schema":{"default":1,"example":2,"minimum":1,"type":"integer"}},{"description":"Number of Knowledge Base Entries to return per page. Defaults to 20.","in":"query","name":"per_page","required":false,"schema":{"default":20,"example":10,"minimum":0,"type":"integer"}}],"responses":{"200":{"content":{"application/json":{"schema":{"type":"object","properties":{"data":{"description":"The list of Knowledge Base Entries for the current page.","items":{"$ref":"#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse"},"type":"array"},"page":{"description":"The current page number.","example":1,"type":"integer"},"perPage":{"description":"The number of Knowledge Base Entries returned per page.","example":20,"type":"integer"},"total":{"description":"The total number of Knowledge Base Entries available.","example":100,"type":"integer"}},"required":["page","perPage","total","data"]}}},"description":"Successful response containing the paginated Knowledge Base Entries."},"400":{"content":{"application/json":{"schema":{"type":"object","properties":{"error":{"description":"A short description of the error.","example":"Bad Request","type":"string"},"message":{"description":"A detailed message explaining the error.","example":"Invalid query parameter: sort_order","type":"string"},"statusCode":{"description":"The HTTP status code of the error.","example":400,"type":"number"}}}}},"description":"Generic Error indicating an issue with the request."}},"summary":"Finds Knowledge Base Entries that match the given query.","tags":["Security AI Assistant API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/security_ai_assistant/knowledge_base/entries/{id}":{"delete":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb delete\"\u003edelete\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/security_ai_assistant/knowledge_base/entries/{id}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nDelete a Knowledge Base Entry by its unique `id`.","operationId":"DeleteKnowledgeBaseEntry","parameters":[{"description":"The unique identifier (`id`) of the Knowledge Base Entry to delete.","example":"12345","in":"path","name":"id","required":true,"schema":{"$ref":"#/components/schemas/Security_AI_Assistant_API_NonEmptyString"}}],"responses":{"200":{"content":{"application/json":{"example":{"id":"12345","message":"Knowledge Base Entry successfully deleted."},"schema":{"$ref":"#/components/schemas/Security_AI_Assistant_API_DeleteResponseFields"}}},"description":"Successful request returning the `id` of the deleted Knowledge Base Entry."},"400":{"content":{"application/json":{"example":{"error":"Not Found","message":"No Knowledge Base Entry found with the provided `id`."},"schema":{"$ref":"#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema"}}},"description":"A generic error occurred, such as an invalid `id` or the entry not being found."}},"summary":"Deletes a single Knowledge Base Entry using the `id` field","tags":["Security AI Assistant API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/security_ai_assistant/knowledge_base/entries/{id}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nRetrieve a Knowledge Base Entry by its unique `id`.","operationId":"ReadKnowledgeBaseEntry","parameters":[{"description":"The unique identifier (`id`) of the Knowledge Base Entry to retrieve.","example":"12345","in":"path","name":"id","required":true,"schema":{"$ref":"#/components/schemas/Security_AI_Assistant_API_NonEmptyString"}}],"responses":{"200":{"content":{"application/json":{"example":{"content":"To reset your password, go to the settings page and click 'Reset Password'.","id":"12345","tags":["password","reset","help"],"title":"How to reset a password"},"schema":{"$ref":"#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse"}}},"description":"Successful request returning the requested Knowledge Base Entry."},"400":{"content":{"application/json":{"example":{"error":"Not Found","message":"No Knowledge Base Entry found with the provided `id`."},"schema":{"$ref":"#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema"}}},"description":"A generic error occurred, such as an invalid `id` or the entry not being found."}},"summary":"Read a Knowledge Base Entry","tags":["Security AI Assistant API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"put":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb put\"\u003eput\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/security_ai_assistant/knowledge_base/entries/{id}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nUpdate an existing Knowledge Base Entry by its unique `id`.","operationId":"UpdateKnowledgeBaseEntry","parameters":[{"description":"The unique identifier (`id`) of the Knowledge Base Entry to update.","example":"12345","in":"path","name":"id","required":true,"schema":{"$ref":"#/components/schemas/Security_AI_Assistant_API_NonEmptyString"}}],"requestBody":{"content":{"application/json":{"example":{"content":"To reset your password, go to the settings page, click 'Reset Password', and follow the instructions.","tags":["password","reset","help","update"],"title":"How to reset a password (updated)"},"schema":{"$ref":"#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryUpdateRouteProps"}}},"required":true},"responses":{"200":{"content":{"application/json":{"example":{"content":"To reset your password, go to the settings page, click 'Reset Password', and follow the instructions.","id":"12345","tags":["password","reset","help","update"],"title":"How to reset a password (updated)"},"schema":{"$ref":"#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse"}}},"description":"Successful request returning the updated Knowledge Base Entry."},"400":{"content":{"application/json":{"example":{"error":"Invalid input","message":"The 'content' field cannot be empty."},"schema":{"$ref":"#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema"}}},"description":"A generic error occurred, such as invalid input or the entry not being found."}},"summary":"Update a Knowledge Base Entry","tags":["Security AI Assistant API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/security_ai_assistant/prompts/_bulk_action":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/security_ai_assistant/prompts/_bulk_action\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nApply a bulk action to multiple prompts. The bulk action is applied to all prompts that match the filter or to the list of prompts by their IDs. This action allows for bulk create, update, or delete operations.","operationId":"PerformPromptsBulkAction","requestBody":{"content":{"application/json":{"example":{"create":[{"content":"Please verify the security settings.","name":"New Security Prompt","promptType":"system"}],"delete":{"ids":["prompt1","prompt2"]},"update":[{"content":"Updated content for security prompt.","id":"prompt123"}]},"schema":{"type":"object","properties":{"create":{"description":"List of prompts to be created.","items":{"$ref":"#/components/schemas/Security_AI_Assistant_API_PromptCreateProps"},"type":"array"},"delete":{"description":"Criteria for deleting prompts in bulk.","type":"object","properties":{"ids":{"description":"Array of IDs to apply the action to.","example":["1234","5678"],"items":{"type":"string"},"minItems":1,"type":"array"},"query":{"description":"Query to filter the bulk action.","example":"status: 'inactive'","type":"string"}}},"update":{"description":"List of prompts to be updated.","items":{"$ref":"#/components/schemas/Security_AI_Assistant_API_PromptUpdateProps"},"type":"array"}}}}}},"responses":{"200":{"content":{"application/json":{"examples":{"success":{"value":{"attributes":{"errors":[],"results":{"created":[{"content":"Please verify the security settings.","id":"prompt6","name":"New Security Prompt","promptType":"system"}],"deleted":["prompt2","prompt3"],"skipped":[{"id":"prompt4","name":"Security Prompt","skip_reason":"PROMPT_FIELD_NOT_MODIFIED"}],"updated":[{"content":"Updated security settings prompt","id":"prompt1","name":"Security Prompt","promptType":"system"}]},"summary":{"failed":0,"skipped":1,"succeeded":4,"total":5}},"message":"Bulk action completed successfully.","prompts_count":5,"status_code":200,"success":true}}},"schema":{"$ref":"#/components/schemas/Security_AI_Assistant_API_PromptsBulkCrudActionResponse"}}},"description":"Indicates a successful call with the results of the bulk action."},"400":{"content":{"application/json":{"schema":{"type":"object","properties":{"error":{"description":"A short error message.","example":"Bad Request","type":"string"},"message":{"description":"A detailed error message.","example":"Invalid prompt ID or missing required fields.","type":"string"},"statusCode":{"description":"The HTTP status code for the error.","example":400,"type":"number"}}}}},"description":"Indicates a generic error due to a bad request."}},"summary":"Apply a bulk action to prompts","tags":["Security AI Assistant API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/security_ai_assistant/prompts/_find":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/security_ai_assistant/prompts/_find\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nGet a list of all prompts based on optional filters, sorting, and pagination.","operationId":"FindPrompts","parameters":[{"description":"List of specific fields to include in each returned prompt.","in":"query","name":"fields","required":false,"schema":{"example":["id","name","content"],"items":{"type":"string"},"type":"array"}},{"description":"Search query string to filter prompts by matching fields.","in":"query","name":"filter","required":false,"schema":{"example":"error handling","type":"string"}},{"description":"Field to sort prompts by.","in":"query","name":"sort_field","required":false,"schema":{"$ref":"#/components/schemas/Security_AI_Assistant_API_FindPromptsSortField"}},{"description":"Sort order, either asc or desc.","in":"query","name":"sort_order","required":false,"schema":{"$ref":"#/components/schemas/Security_AI_Assistant_API_SortOrder"}},{"description":"Page number for pagination.","in":"query","name":"page","required":false,"schema":{"default":1,"example":1,"minimum":1,"type":"integer"}},{"description":"Number of prompts per page.","in":"query","name":"per_page","required":false,"schema":{"default":20,"example":20,"minimum":0,"type":"integer"}}],"responses":{"200":{"content":{"application/json":{"schema":{"example":{"data":[{"categories":["troubleshooting","logging"],"color":"#FF5733","consumer":"security","content":"If you encounter an error, check the logs and retry.","createdAt":"2025-04-20T21:00:00Z","createdBy":"jdoe","id":"prompt-123","isDefault":true,"isNewConversationDefault":false,"name":"Error Troubleshooting Prompt","namespace":"default","promptType":"standard","timestamp":"2025-04-30T22:30:00Z","updatedAt":"2025-04-30T22:45:00Z","updatedBy":"jdoe","users":[{"full_name":"John Doe","username":"jdoe"}]}],"page":1,"perPage":20,"total":142},"type":"object","properties":{"data":{"description":"The list of prompts returned based on the search query, sorting, and pagination.","items":{"$ref":"#/components/schemas/Security_AI_Assistant_API_PromptResponse"},"type":"array"},"page":{"description":"Current page number.","example":1,"type":"integer"},"perPage":{"description":"Number of prompts per page.","example":20,"type":"integer"},"total":{"description":"Total number of prompts matching the query.","example":142,"type":"integer"}},"required":["page","perPage","total","data"]}}},"description":"Successful response containing a list of prompts."},"400":{"content":{"application/json":{"schema":{"type":"object","properties":{"error":{"description":"Short error message.","example":"Bad Request","type":"string"},"message":{"description":"Detailed description of the error.","example":"Invalid sort order value provided.","type":"string"},"statusCode":{"description":"HTTP status code for the error.","example":400,"type":"number"}}}}},"description":"Bad request due to invalid parameters or malformed query."}},"summary":"Get prompts","tags":["Security AI Assistant API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/security/role":{"get":{"operationId":"get-security-role","parameters":[{"description":"If `true` and the response contains any privileges that are associated with deprecated features, they are omitted in favor of details about the appropriate replacement feature privileges.","in":"query","name":"replaceDeprecatedPrivileges","required":false,"schema":{"type":"boolean"}}],"responses":{"200":{"description":"Indicates a successful call.","content":{"application/json":{"examples":{"getRolesResponse1":{"$ref":"#/components/examples/get_roles_response1"}}}}}},"summary":"Get all roles","tags":["roles"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/security/role/_query":{"post":{"operationId":"post-security-role-query","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"filters":{"additionalProperties":false,"type":"object","properties":{"showReservedRoles":{"type":"boolean"}}},"from":{"type":"number"},"query":{"type":"string"},"size":{"type":"number"},"sort":{"additionalProperties":false,"type":"object","properties":{"direction":{"enum":["asc","desc"],"type":"string"},"field":{"type":"string"}},"required":["field","direction"]}}}}}},"responses":{"200":{"description":"Indicates a successful call."}},"summary":"Query roles","tags":[],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/security/role/{name}":{"delete":{"operationId":"delete-security-role-name","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"name","required":true,"schema":{"minLength":1,"type":"string"}}],"responses":{"204":{"description":"Indicates a successful call."}},"summary":"Delete a role","tags":["roles"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"get":{"operationId":"get-security-role-name","parameters":[{"description":"The role name.","in":"path","name":"name","required":true,"schema":{"minLength":1,"type":"string"}},{"description":"If `true` and the response contains any privileges that are associated with deprecated features, they are omitted in favor of details about the appropriate replacement feature privileges.","in":"query","name":"replaceDeprecatedPrivileges","required":false,"schema":{"type":"boolean"}}],"responses":{"200":{"description":"Indicates a successful call.","content":{"application/json":{"examples":{"getRoleResponse1":{"$ref":"#/components/examples/get_role_response1"}}}}}},"summary":"Get a role","tags":["roles"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"put":{"description":"Create a new Kibana role or update the attributes of an existing role. Kibana roles are stored in the Elasticsearch native realm.","operationId":"put-security-role-name","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"The role name.","in":"path","name":"name","required":true,"schema":{"maxLength":1024,"minLength":1,"type":"string"}},{"description":"When true, a role is not overwritten if it already exists.","in":"query","name":"createOnly","required":false,"schema":{"default":false,"type":"boolean"}}],"requestBody":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"description":{"description":"A description for the role.","maxLength":2048,"type":"string"},"elasticsearch":{"additionalProperties":false,"type":"object","properties":{"cluster":{"items":{"description":"Cluster privileges that define the cluster level actions that users can perform.","type":"string"},"type":"array"},"indices":{"items":{"additionalProperties":false,"type":"object","properties":{"allow_restricted_indices":{"description":"Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. Only internal system roles should normally grant privileges over the restricted indices. Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. If for administrative purposes you need to create a role with privileges covering restricted indices, however, you can set this property to true. In that case, the names field covers the restricted indices too.","type":"boolean"},"field_security":{"additionalProperties":{"items":{"description":"The document fields that the role members have read access to.","type":"string"},"type":"array"},"type":"object"},"names":{"items":{"description":"The data streams, indices, and aliases to which the permissions in this entry apply. It supports wildcards (*).","type":"string"},"minItems":1,"type":"array"},"privileges":{"items":{"description":"The index level privileges that the role members have for the data streams and indices.","type":"string"},"minItems":1,"type":"array"},"query":{"description":"A search query that defines the documents the role members have read access to. A document within the specified data streams and indices must match this query in order for it to be accessible by the role members.","type":"string"}},"required":["names","privileges"]},"type":"array"},"remote_cluster":{"items":{"additionalProperties":false,"type":"object","properties":{"clusters":{"items":{"description":"A list of remote cluster aliases. It supports literal strings as well as wildcards and regular expressions.","type":"string"},"minItems":1,"type":"array"},"privileges":{"items":{"description":"The cluster level privileges for the remote cluster. The allowed values are a subset of the cluster privileges.","type":"string"},"minItems":1,"type":"array"}},"required":["privileges","clusters"]},"type":"array"},"remote_indices":{"items":{"additionalProperties":false,"type":"object","properties":{"allow_restricted_indices":{"description":"Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. Only internal system roles should normally grant privileges over the restricted indices. Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. If for administrative purposes you need to create a role with privileges covering restricted indices, however, you can set this property to true. In that case, the names field will cover the restricted indices too.","type":"boolean"},"clusters":{"items":{"description":"A list of remote cluster aliases. It supports literal strings as well as wildcards and regular expressions.","type":"string"},"minItems":1,"type":"array"},"field_security":{"additionalProperties":{"items":{"description":"The document fields that the role members have read access to.","type":"string"},"type":"array"},"type":"object"},"names":{"items":{"description":"A list of remote aliases, data streams, or indices to which the permissions apply. It supports wildcards (*).","type":"string"},"minItems":1,"type":"array"},"privileges":{"items":{"description":"The index level privileges that role members have for the specified indices.","type":"string"},"minItems":1,"type":"array"},"query":{"description":"A search query that defines the documents the role members have read access to. A document within the specified data streams and indices must match this query in order for it to be accessible by the role members. ","type":"string"}},"required":["clusters","names","privileges"]},"type":"array"},"run_as":{"items":{"description":"A user name that the role member can impersonate.","type":"string"},"type":"array"}}},"kibana":{"items":{"additionalProperties":false,"type":"object","properties":{"base":{"anyOf":[{"items":{},"type":"array"},{"type":"boolean"},{"type":"number"},{"type":"object"},{"type":"string"}],"nullable":true,"oneOf":[{"items":{"description":"A base privilege that grants applies to all spaces.","type":"string"},"type":"array"},{"items":{"description":"A base privilege that applies to specific spaces.","type":"string"},"type":"array"}]},"feature":{"additionalProperties":{"items":{"description":"The privileges that the role member has for the feature.","type":"string"},"type":"array"},"type":"object"},"spaces":{"anyOf":[{"items":{"enum":["*"],"type":"string"},"maxItems":1,"minItems":1,"type":"array"},{"items":{"description":"A space that the privilege applies to.","type":"string"},"type":"array"}],"default":["*"]}},"required":["base"]},"type":"array"},"metadata":{"additionalProperties":{},"type":"object"}},"required":["elasticsearch"]},"examples":{"createRoleRequest1":{"$ref":"#/components/examples/create_role_request1"},"createRoleRequest2":{"$ref":"#/components/examples/create_role_request2"},"createRoleRequest3":{"$ref":"#/components/examples/create_role_request3"},"createRoleRequest4":{"$ref":"#/components/examples/create_role_request4"}}}}},"responses":{"204":{"description":"Indicates a successful call."}},"summary":"Create or update a role","tags":["roles"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/security/roles":{"post":{"operationId":"post-security-roles","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"roles":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"description":{"description":"A description for the role.","maxLength":2048,"type":"string"},"elasticsearch":{"additionalProperties":false,"type":"object","properties":{"cluster":{"items":{"description":"Cluster privileges that define the cluster level actions that users can perform.","type":"string"},"type":"array"},"indices":{"items":{"additionalProperties":false,"type":"object","properties":{"allow_restricted_indices":{"description":"Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. Only internal system roles should normally grant privileges over the restricted indices. Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. If for administrative purposes you need to create a role with privileges covering restricted indices, however, you can set this property to true. In that case, the names field covers the restricted indices too.","type":"boolean"},"field_security":{"additionalProperties":{"items":{"description":"The document fields that the role members have read access to.","type":"string"},"type":"array"},"type":"object"},"names":{"items":{"description":"The data streams, indices, and aliases to which the permissions in this entry apply. It supports wildcards (*).","type":"string"},"minItems":1,"type":"array"},"privileges":{"items":{"description":"The index level privileges that the role members have for the data streams and indices.","type":"string"},"minItems":1,"type":"array"},"query":{"description":"A search query that defines the documents the role members have read access to. A document within the specified data streams and indices must match this query in order for it to be accessible by the role members.","type":"string"}},"required":["names","privileges"]},"type":"array"},"remote_cluster":{"items":{"additionalProperties":false,"type":"object","properties":{"clusters":{"items":{"description":"A list of remote cluster aliases. It supports literal strings as well as wildcards and regular expressions.","type":"string"},"minItems":1,"type":"array"},"privileges":{"items":{"description":"The cluster level privileges for the remote cluster. The allowed values are a subset of the cluster privileges.","type":"string"},"minItems":1,"type":"array"}},"required":["privileges","clusters"]},"type":"array"},"remote_indices":{"items":{"additionalProperties":false,"type":"object","properties":{"allow_restricted_indices":{"description":"Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. Only internal system roles should normally grant privileges over the restricted indices. Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. If for administrative purposes you need to create a role with privileges covering restricted indices, however, you can set this property to true. In that case, the names field will cover the restricted indices too.","type":"boolean"},"clusters":{"items":{"description":"A list of remote cluster aliases. It supports literal strings as well as wildcards and regular expressions.","type":"string"},"minItems":1,"type":"array"},"field_security":{"additionalProperties":{"items":{"description":"The document fields that the role members have read access to.","type":"string"},"type":"array"},"type":"object"},"names":{"items":{"description":"A list of remote aliases, data streams, or indices to which the permissions apply. It supports wildcards (*).","type":"string"},"minItems":1,"type":"array"},"privileges":{"items":{"description":"The index level privileges that role members have for the specified indices.","type":"string"},"minItems":1,"type":"array"},"query":{"description":"A search query that defines the documents the role members have read access to. A document within the specified data streams and indices must match this query in order for it to be accessible by the role members. ","type":"string"}},"required":["clusters","names","privileges"]},"type":"array"},"run_as":{"items":{"description":"A user name that the role member can impersonate.","type":"string"},"type":"array"}}},"kibana":{"items":{"additionalProperties":false,"type":"object","properties":{"base":{"anyOf":[{"items":{},"type":"array"},{"type":"boolean"},{"type":"number"},{"type":"object"},{"type":"string"}],"nullable":true,"oneOf":[{"items":{"description":"A base privilege that grants applies to all spaces.","type":"string"},"type":"array"},{"items":{"description":"A base privilege that applies to specific spaces.","type":"string"},"type":"array"}]},"feature":{"additionalProperties":{"items":{"description":"The privileges that the role member has for the feature.","type":"string"},"type":"array"},"type":"object"},"spaces":{"anyOf":[{"items":{"enum":["*"],"type":"string"},"maxItems":1,"minItems":1,"type":"array"},{"items":{"description":"A space that the privilege applies to.","type":"string"},"type":"array"}],"default":["*"]}},"required":["base"]},"type":"array"},"metadata":{"additionalProperties":{},"type":"object"}},"required":["elasticsearch"]},"type":"object"}},"required":["roles"]}}}},"responses":{"200":{"description":"Indicates a successful call."}},"summary":"Create or update roles","tags":["roles"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/security/session/_invalidate":{"post":{"description":"Invalidate user sessions that match a query. To use this API, you must be a superuser.\n","operationId":"post-security-session-invalidate","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application/json":{"examples":{"invalidateRequestExample1":{"description":"Run `POST api/security/session/_invalidate` to invalidate all existing sessions.","summary":"Invalidate all sessions","value":"{\n  \"match\" : \"all\"\n}"},"invalidateRequestExample2":{"description":"Run `POST api/security/session/_invalidate` to invalidate sessions that were created by any SAML authentication provider.","summary":"Invalidate all SAML sessions","value":"{\n  \"match\" : \"query\",\n  \"query\": {\n    \"provider\" : { \"type\": \"saml\" }\n  }\n}"},"invalidateRequestExample3":{"description":"Run `POST api/security/session/_invalidate` to invalidate sessions that were created by the SAML authentication provider named `saml1`.","summary":"Invalidate sessions for a provider","value":"{\n  \"match\" : \"query\",\n  \"query\": {\n    \"provider\" : { \"type\": \"saml\", \"name\": \"saml1\" }\n  }\n}"},"invalidateRequestExample4":{"description":"Run `POST api/security/session/_invalidate` to invalidate sessions that were created by any OpenID Connect authentication provider for the user with the username `user@my-oidc-sso.com`.","summary":"Invalidate sessions for a user","value":"{\n  \"match\" : \"query\",\n  \"query\": {\n    \"provider\" : { \"type\": \"oidc\" },\n    \"username\": \"user@my-oidc-sso.com\"\n  }\n}"}},"schema":{"type":"object","properties":{"match":{"description":"The method Kibana uses to determine which sessions to invalidate. If it is `all`, all existing sessions will be invalidated. If it is `query`, only the sessions that match the query will be invalidated.\n","enum":["all","query"],"type":"string"},"query":{"description":"The query that Kibana uses to match the sessions to invalidate when the `match` parameter is set to `query`.\n","type":"object","properties":{"provider":{"description":"The authentication providers that will have their user sessions invalidated.","type":"object","properties":{"name":{"description":"The authentication provider name.","type":"string"},"type":{"description":"The authentication provide type. For example: `basic`, `token`, `saml`, `oidc`, `kerberos`, or `pki`.\n","type":"string"}},"required":["type"]},"username":{"description":"The username that will have its sessions invalidated.","type":"string"}},"required":["provider"]}},"required":["match"]}}}},"responses":{"200":{"content":{"application/json":{"schema":{"type":"object","properties":{"total":{"description":"The number of sessions that were successfully invalidated.","type":"integer"}}}}},"description":"Indicates a successful call"},"403":{"description":"Indicates that the user may not be authorized to invalidate sessions for other users."}},"summary":"Invalidate user sessions","tags":["user session"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/short_url":{"post":{"description":"Kibana URLs may be long and cumbersome, short URLs are much easier to remember and share.\nShort URLs are created by specifying the locator ID and locator parameters. When a short URL is resolved, the locator ID and locator parameters are used to redirect user to the right Kibana page.\n","operationId":"post-url","requestBody":{"content":{"application/json":{"schema":{"type":"object","properties":{"humanReadableSlug":{"description":"When the `slug` parameter is omitted, the API will generate a random human-readable slug if `humanReadableSlug` is set to true.\n","type":"boolean"},"locatorId":{"description":"The identifier for the locator.","type":"string"},"params":{"description":"An object which contains all necessary parameters for the given locator to resolve to a Kibana location.\n\u003e warn\n\u003e When you create a short URL, locator params are not validated, which allows you to pass arbitrary and ill-formed data into the API that can break Kibana. Make sure any data that you send to the API is properly formed.\n","type":"object"},"slug":{"description":"A custom short URL slug. The slug is the part of the short URL that identifies it. You can provide a custom slug which consists of latin alphabet letters, numbers, and `-._` characters. The slug must be at least 3 characters long, but no longer than 255 characters.\n","type":"string"}},"required":["locatorId","params"]}}},"required":true},"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Short_URL_APIs_urlResponse"}}},"description":"Indicates a successful call."}},"summary":"Create a short URL","tags":["short url"],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/short_url/_slug/{slug}":{"get":{"description":"Resolve a Kibana short URL by its slug.\n","operationId":"resolve-url","parameters":[{"description":"The slug of the short URL.","in":"path","name":"slug","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Short_URL_APIs_urlResponse"}}},"description":"Indicates a successful call."}},"summary":"Resolve a short URL","tags":["short url"],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/short_url/{id}":{"delete":{"description":"Delete a Kibana short URL.\n","operationId":"delete-url","parameters":[{"$ref":"#/components/parameters/Short_URL_APIs_idParam"}],"responses":{"200":{"description":"Indicates a successful call."}},"summary":"Delete a short URL","tags":["short url"],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana","name":"product_name"}]},"get":{"description":"Get a single Kibana short URL.\n","operationId":"get-url","parameters":[{"$ref":"#/components/parameters/Short_URL_APIs_idParam"}],"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Short_URL_APIs_urlResponse"}}},"description":"Indicates a successful call."}},"summary":"Get a short URL","tags":["short url"],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/spaces/_copy_saved_objects":{"post":{"description":"It also allows you to automatically copy related objects, so when you copy a dashboard, this can automatically copy over the associated visualizations, data views, and saved Discover sessions, as required. You can request to overwrite any objects that already exist in the target space if they share an identifier or you can use the resolve copy saved objects conflicts API to do this on a per-object basis.\u003cbr/\u003e\u003cbr/\u003e[Required authorization] Route required privileges: copySavedObjectsToSpaces.","operationId":"post-spaces-copy-saved-objects","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"compatibilityMode":{"default":false,"description":"Apply various adjustments to the saved objects that are being copied to maintain compatibility between different Kibana versions. Use this option only if you encounter issues with copied saved objects. This option cannot be used with the `createNewCopies` option.","type":"boolean"},"createNewCopies":{"default":true,"description":"Create new copies of saved objects, regenerate each object identifier, and reset the origin. When used, potential conflict errors are avoided.  This option cannot be used with the `overwrite` and `compatibilityMode` options.","type":"boolean"},"includeReferences":{"default":false,"description":"When set to true, all saved objects related to the specified saved objects will also be copied into the target spaces.","type":"boolean"},"objects":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"description":"The identifier of the saved object to copy.","type":"string"},"type":{"description":"The type of the saved object to copy.","type":"string"}},"required":["type","id"]},"type":"array"},"overwrite":{"default":false,"description":"When set to true, all conflicts are automatically overridden. When a saved object with a matching type and identifier exists in the target space, that version is replaced with the version from the source space. This option cannot be used with the `createNewCopies` option.","type":"boolean"},"spaces":{"items":{"description":"The identifiers of the spaces where you want to copy the specified objects.","type":"string"},"type":"array"}},"required":["spaces","objects"]},"examples":{"copySavedObjectsRequestExample1":{"$ref":"#/components/examples/copy_saved_objects_request1"},"copySavedObjectsRequestExample2":{"$ref":"#/components/examples/copy_saved_objects_request2"}}}}},"responses":{"200":{"description":"OK: A successful request.","content":{"application/json":{"examples":{"copySavedObjectsResponseExample1":{"$ref":"#/components/examples/copy_saved_objects_response1"},"copySavedObjectsResponseExample2":{"$ref":"#/components/examples/copy_saved_objects_response2"},"copySavedObjectsResponseExample3":{"$ref":"#/components/examples/copy_saved_objects_response3"},"copySavedObjectsResponseExample4":{"$ref":"#/components/examples/copy_saved_objects_response4"}}}}}},"summary":"Copy saved objects between spaces","tags":["spaces"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/spaces/_disable_legacy_url_aliases":{"post":{"operationId":"post-spaces-disable-legacy-url-aliases","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"aliases":{"items":{"additionalProperties":false,"type":"object","properties":{"sourceId":{"description":"The alias source object identifier. This is the legacy object identifier.","type":"string"},"targetSpace":{"description":"The space where the alias target object exists.","type":"string"},"targetType":{"description":"The type of alias target object. ","type":"string"}},"required":["targetSpace","targetType","sourceId"]},"type":"array"}},"required":["aliases"]},"examples":{"disableLegacyURLRequestExample1":{"$ref":"#/components/examples/disable_legacy_url_request1"}}}}},"responses":{},"summary":"Disable legacy URL aliases","tags":["spaces"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/spaces/_get_shareable_references":{"post":{"description":"Collect references and space contexts for saved objects.","operationId":"post-spaces-get-shareable-references","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"objects":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"type":{"type":"string"}},"required":["type","id"]},"type":"array"}},"required":["objects"]}}}},"responses":{},"summary":"Get shareable references","tags":["spaces"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/spaces/_resolve_copy_saved_objects_errors":{"post":{"description":"Overwrite saved objects that are returned as errors from the copy saved objects to space API.\u003cbr/\u003e\u003cbr/\u003e[Required authorization] Route required privileges: copySavedObjectsToSpaces.","operationId":"post-spaces-resolve-copy-saved-objects-errors","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"compatibilityMode":{"default":false,"type":"boolean"},"createNewCopies":{"default":true,"type":"boolean"},"includeReferences":{"default":false,"type":"boolean"},"objects":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"type":{"type":"string"}},"required":["type","id"]},"type":"array"},"retries":{"additionalProperties":{"items":{"additionalProperties":false,"type":"object","properties":{"createNewCopy":{"description":"Creates new copies of the saved objects, regenerates each object ID, and resets the origin.","type":"boolean"},"destinationId":{"description":"Specifies the destination identifier that the copied object should have, if different from the current identifier.","type":"string"},"id":{"description":"The saved object identifier.","type":"string"},"ignoreMissingReferences":{"description":"When set to true, any missing references errors are ignored.","type":"boolean"},"overwrite":{"default":false,"description":"When set to true, the saved object from the source space overwrites the conflicting object in the destination space.","type":"boolean"},"type":{"description":"The saved object type.","type":"string"}},"required":["type","id"]},"type":"array"},"type":"object"}},"required":["retries","objects"]},"examples":{"resolveCopySavedObjectsRequestExample1":{"$ref":"#/components/examples/resolve_copy_saved_objects_request1"},"resolveCopySavedObjectsRequestExample2":{"$ref":"#/components/examples/resolve_copy_saved_objects_request2"}}}}},"responses":{"200":{"description":"OK: A successful request.","content":{"application/json":{"examples":{"resolveCopySavedObjectsResponseExample1":{"$ref":"#/components/examples/copy_saved_objects_response1"},"resolveCopySavedObjectsResponseExample2":{"$ref":"#/components/examples/copy_saved_objects_response2"}}}}}},"summary":"Resolve conflicts copying saved objects","tags":[],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/spaces/_update_objects_spaces":{"post":{"description":"Update one or more saved objects to add or remove them from some spaces.","operationId":"post-spaces-update-objects-spaces","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"objects":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"description":"The identifier of the saved object to update.","type":"string"},"type":{"description":"The type of the saved object to update.","type":"string"}},"required":["type","id"]},"type":"array"},"spacesToAdd":{"items":{"description":"The identifiers of the spaces the saved objects should be added to or removed from.","type":"string"},"type":"array"},"spacesToRemove":{"items":{"description":"The identifiers of the spaces the saved objects should be added to or removed from.","type":"string"},"type":"array"}},"required":["objects","spacesToAdd","spacesToRemove"]},"examples":{"updateObjectSpacesRequestExample1":{"$ref":"#/components/examples/update_saved_objects_spaces_request1"}}}}},"responses":{"200":{"description":"OK: A successful request.","content":{"application/json":{"examples":{"updateObjectSpacesResponseExample1":{"$ref":"#/components/examples/update_saved_objects_spaces_response1"}}}}}},"summary":"Update saved objects in spaces","tags":["spaces"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/spaces/space":{"get":{"operationId":"get-spaces-space","parameters":[{"description":"Specifies which authorization checks are applied to the API call. The default value is `any`.","in":"query","name":"purpose","required":false,"schema":{"enum":["any","copySavedObjectsIntoSpace","shareSavedObjectsIntoSpace"],"type":"string"}},{"description":"When enabled, the API returns any spaces that the user is authorized to access in any capacity and each space will contain the purposes for which the user is authorized. This can be useful to determine which spaces a user can read but not take a specific action in. If the security plugin is not enabled, this parameter has no effect, since no authorization checks take place. This parameter cannot be used in with the `purpose` parameter.","in":"query","name":"include_authorized_purposes","required":true,"schema":{"anyOf":[{"items":{},"type":"array"},{"type":"boolean"},{"type":"number"},{"type":"object"},{"type":"string"}],"nullable":true,"oneOf":[{"enum":[false],"type":"boolean","x-oas-optional":true},{"type":"boolean","x-oas-optional":true}]}}],"responses":{"200":{"description":"Indicates a successful call.","content":{"application/json":{"examples":{"getSpacesResponseExample1":{"$ref":"#/components/examples/get_spaces_response1"},"getSpacesResponseExample2":{"$ref":"#/components/examples/get_spaces_response2"}}}}}},"summary":"Get all spaces","tags":["spaces"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"post":{"operationId":"post-spaces-space","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"_reserved":{"type":"boolean"},"color":{"description":"The hexadecimal color code used in the space avatar. By default, the color is automatically generated from the space name.","type":"string"},"description":{"description":"A description for the space.","type":"string"},"disabledFeatures":{"default":[],"items":{"description":"The list of features that are turned off in the space.","type":"string"},"type":"array"},"id":{"description":"The space ID that is part of the Kibana URL when inside the space. Space IDs are limited to lowercase alphanumeric, underscore, and hyphen characters (a-z, 0-9, _, and -). You are cannot change the ID with the update operation.","type":"string"},"imageUrl":{"description":"The data-URL encoded image to display in the space avatar. If specified, initials will not be displayed and the color will be visible as the background color for transparent images. For best results, your image should be 64x64. Images will not be optimized by this API call, so care should be taken when using custom images.","type":"string"},"initials":{"description":"One or two characters that are shown in the space avatar. By default, the initials are automatically generated from the space name.","maxLength":2,"type":"string"},"name":{"description":"The display name for the space. ","minLength":1,"type":"string"},"solution":{"enum":["security","oblt","es","classic"],"type":"string"}},"required":["id","name"]},"examples":{"createSpaceRequest":{"$ref":"#/components/examples/create_space_request"}}}}},"responses":{"200":{"description":"Indicates a successful call."}},"summary":"Create a space","tags":["spaces"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/spaces/space/{id}":{"delete":{"description":"When you delete a space, all saved objects that belong to the space are automatically deleted, which is permanent and cannot be undone.","operationId":"delete-spaces-space-id","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"The space identifier.","in":"path","name":"id","required":true,"schema":{"type":"string"}}],"responses":{"204":{"description":"Indicates a successful call."},"404":{"description":"Indicates that the request failed."}},"summary":"Delete a space","tags":["spaces"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"get":{"operationId":"get-spaces-space-id","parameters":[{"description":"The space identifier.","in":"path","name":"id","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"Indicates a successful call.","content":{"application/json":{"examples":{"getSpaceResponseExample":{"$ref":"#/components/examples/get_space_response"}}}}}},"summary":"Get a space","tags":["spaces"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"put":{"operationId":"put-spaces-space-id","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"The space identifier. You are unable to change the ID with the update operation.","in":"path","name":"id","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"_reserved":{"type":"boolean"},"color":{"description":"The hexadecimal color code used in the space avatar. By default, the color is automatically generated from the space name.","type":"string"},"description":{"description":"A description for the space.","type":"string"},"disabledFeatures":{"default":[],"items":{"description":"The list of features that are turned off in the space.","type":"string"},"type":"array"},"id":{"description":"The space ID that is part of the Kibana URL when inside the space. Space IDs are limited to lowercase alphanumeric, underscore, and hyphen characters (a-z, 0-9, _, and -). You are cannot change the ID with the update operation.","type":"string"},"imageUrl":{"description":"The data-URL encoded image to display in the space avatar. If specified, initials will not be displayed and the color will be visible as the background color for transparent images. For best results, your image should be 64x64. Images will not be optimized by this API call, so care should be taken when using custom images.","type":"string"},"initials":{"description":"One or two characters that are shown in the space avatar. By default, the initials are automatically generated from the space name.","maxLength":2,"type":"string"},"name":{"description":"The display name for the space. ","minLength":1,"type":"string"},"solution":{"enum":["security","oblt","es","classic"],"type":"string"}},"required":["id","name"]},"examples":{"updateSpaceRequest":{"$ref":"#/components/examples/update_space_request"}}}}},"responses":{"200":{"description":"Indicates a successful call."}},"summary":"Update a space","tags":["spaces"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/status":{"get":{"operationId":"get-status","parameters":[{"description":"Set to \"true\" to get the response in v7 format.","in":"query","name":"v7format","required":false,"schema":{"type":"boolean"}},{"description":"Set to \"true\" to get the response in v8 format.","in":"query","name":"v8format","required":false,"schema":{"type":"boolean"}}],"responses":{"200":{"content":{"application/json":{"schema":{"anyOf":[{"$ref":"#/components/schemas/Kibana_HTTP_APIs_core_status_response"},{"$ref":"#/components/schemas/Kibana_HTTP_APIs_core_status_redactedResponse"}],"description":"Kibana's operational status. A minimal response is sent for unauthorized users."}}},"description":"Overall status is OK and Kibana should be functioning normally."},"503":{"content":{"application/json":{"schema":{"anyOf":[{"$ref":"#/components/schemas/Kibana_HTTP_APIs_core_status_response"},{"$ref":"#/components/schemas/Kibana_HTTP_APIs_core_status_redactedResponse"}],"description":"Kibana's operational status. A minimal response is sent for unauthorized users."}}},"description":"Kibana or some of it's essential services are unavailable. Kibana may be degraded or unavailable."}},"summary":"Get Kibana's current status","tags":["system"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/streams":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/streams\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nFetches list of all streams\u003cbr/\u003e\u003cbr/\u003e[Required authorization] Route required privileges: read_stream.","operationId":"get-streams","parameters":[],"requestBody":{"content":{"application/json":{"schema":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{}},{"enum":["null"],"nullable":true},{"not":{}}]}}}},"responses":{},"summary":"Get stream list","tags":["streams"],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/streams/_disable":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/streams/_disable\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nDisables wired streams and deletes all existing stream definitions. The data of wired streams is deleted, but the data of classic streams is preserved.\u003cbr/\u003e\u003cbr/\u003e[Required authorization] Route required privileges: manage_stream.","operationId":"post-streams-disable","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{}},{"enum":["null"],"nullable":true},{"not":{}}]}}}},"responses":{},"summary":"Disable streams","tags":["streams"],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/streams/_enable":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/streams/_enable\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nEnables wired streams\u003cbr/\u003e\u003cbr/\u003e[Required authorization] Route required privileges: manage_stream.","operationId":"post-streams-enable","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{}},{"enum":["null"],"nullable":true},{"not":{}}]}}}},"responses":{},"summary":"Enable streams","tags":["streams"],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/streams/_resync":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/streams/_resync\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nResyncs all streams, making sure that Elasticsearch assets are up to date\u003cbr/\u003e\u003cbr/\u003e[Required authorization] Route required privileges: manage_stream.","operationId":"post-streams-resync","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{}},{"enum":["null"],"nullable":true},{"not":{}}]}}}},"responses":{},"summary":"Resync streams","tags":["streams"],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/streams/{name}":{"delete":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb delete\"\u003edelete\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/streams/{name}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nDeletes a stream definition and the underlying data stream\u003cbr/\u003e\u003cbr/\u003e[Required authorization] Route required privileges: manage_stream.","operationId":"delete-streams-name","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"name","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{}},{"enum":["null"],"nullable":true},{"not":{}}]}}}},"responses":{},"summary":"Delete a stream","tags":["streams"],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana","name":"product_name"}]},"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/streams/{name}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nFetches a stream definition and associated dashboards\u003cbr/\u003e\u003cbr/\u003e[Required authorization] Route required privileges: read_stream.","operationId":"get-streams-name","parameters":[{"in":"path","name":"name","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{}},{"enum":["null"],"nullable":true},{"not":{}}]}}}},"responses":{},"summary":"Get a stream","tags":["streams"],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana","name":"product_name"}]},"put":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb put\"\u003eput\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/streams/{name}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nCreates or updates a stream definition. Classic streams can not be created through this API, only updated\u003cbr/\u003e\u003cbr/\u003e[Required authorization] Route required privileges: manage_stream.","operationId":"put-streams-name","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"name","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"anyOf":[{"anyOf":[{"allOf":[{"type":"object","properties":{}},{"type":"object","properties":{"stream":{"allOf":[{"additionalProperties":true,"type":"object","properties":{"ingest":{"additionalProperties":true,"type":"object","properties":{"processing":{"additionalProperties":true,"type":"object","properties":{"updated_at":{"not":{}}}}},"required":["processing"]},"name":{"not":{}},"updated_at":{"not":{}}}},{"additionalProperties":false,"type":"object","properties":{"description":{"type":"string"},"name":{"type":"string"},"updated_at":{"format":"date-time","type":"string"}},"required":["name","description","updated_at"]}]}},"required":["stream"]},{"type":"object","properties":{"dashboards":{"items":{"type":"string"},"type":"array"},"queries":{"items":{"allOf":[{"type":"object","properties":{"id":{"description":"A non-empty string.","minLength":1,"type":"string"},"title":{"description":"A non-empty string.","minLength":1,"type":"string"}},"required":["id","title"]},{"type":"object","properties":{"evidence":{"items":{"type":"string"},"type":"array"},"feature":{"additionalProperties":false,"type":"object","properties":{"filter":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"The root condition object. It can be a simple filter or a combination of other conditions."},"name":{"description":"A non-empty string.","minLength":1,"type":"string"},"type":{"enum":["system"],"type":"string"}},"required":["name","filter","type"]},"kql":{"additionalProperties":false,"type":"object","properties":{"query":{"type":"string"}},"required":["query"]},"severity_score":{"type":"number"}},"required":["kql"]}]},"type":"array"},"rules":{"items":{"type":"string"},"type":"array"}},"required":["dashboards","rules","queries"]},{"type":"object","properties":{"stream":{"allOf":[{"additionalProperties":true,"type":"object","properties":{"ingest":{"additionalProperties":true,"type":"object","properties":{"processing":{"additionalProperties":true,"type":"object","properties":{"updated_at":{"not":{}}}}},"required":["processing"]},"name":{"not":{}},"updated_at":{"not":{}}}},{"additionalProperties":false,"type":"object","properties":{"ingest":{"allOf":[{"type":"object","properties":{"failure_store":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"inherit":{"additionalProperties":false,"type":"object","properties":{}}},"required":["inherit"]},{"additionalProperties":false,"type":"object","properties":{"disabled":{"additionalProperties":false,"type":"object","properties":{}}},"required":["disabled"]},{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"lifecycle":{"additionalProperties":false,"type":"object","properties":{"enabled":{"additionalProperties":false,"type":"object","properties":{"data_retention":{"description":"A non-empty string.","minLength":1,"type":"string"}}}},"required":["enabled"]}},"required":["lifecycle"]},{"additionalProperties":false,"type":"object","properties":{"lifecycle":{"additionalProperties":false,"type":"object","properties":{"disabled":{"additionalProperties":false,"type":"object","properties":{}}},"required":["disabled"]}},"required":["lifecycle"]}]}]},"lifecycle":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"dsl":{"additionalProperties":false,"type":"object","properties":{"data_retention":{"description":"A non-empty string.","minLength":1,"type":"string"}}}},"required":["dsl"]},{"additionalProperties":false,"type":"object","properties":{"ilm":{"additionalProperties":false,"type":"object","properties":{"policy":{"description":"A non-empty string.","minLength":1,"type":"string"}},"required":["policy"]}},"required":["ilm"]},{"additionalProperties":false,"type":"object","properties":{"inherit":{"additionalProperties":false,"type":"object","properties":{}}},"required":["inherit"]}]},"processing":{"additionalProperties":false,"type":"object","properties":{"steps":{"items":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"Grok processor - Extract fields from text using grok patterns","type":"object","properties":{"action":{"enum":["grok"],"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"from":{"description":"Source field to parse with grok patterns","minLength":1,"type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"ignore_missing":{"description":"Skip processing when source field is missing","type":"boolean"},"pattern_definitions":{"additionalProperties":{"type":"string"},"type":"object"},"patterns":{"description":"Grok patterns applied in order to extract fields","items":{"description":"A non-empty string.","minLength":1,"type":"string"},"minItems":1,"type":"array"},"where":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"Conditional expression controlling whether this processor runs"}},"required":["action","from","patterns"]},{"additionalProperties":false,"description":"Dissect processor - Extract fields from text using a lightweight, delimiter-based parser","type":"object","properties":{"action":{"enum":["dissect"],"type":"string"},"append_separator":{"description":"Separator inserted when target fields are concatenated","minLength":1,"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"from":{"description":"Source field to parse with dissect pattern","minLength":1,"type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"ignore_missing":{"description":"Skip processing when source field is missing","type":"boolean"},"pattern":{"description":"Dissect pattern describing field boundaries","minLength":1,"type":"string"},"where":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"Conditional expression controlling whether this processor runs"}},"required":["action","from","pattern"]},{"additionalProperties":false,"description":"Date processor - Parse dates from strings using one or more expected formats","type":"object","properties":{"action":{"enum":["date"],"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"formats":{"description":"Accepted input date formats, tried in order","items":{"description":"A non-empty string.","minLength":1,"type":"string"},"type":"array"},"from":{"description":"Source field containing the date/time text","minLength":1,"type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"locale":{"description":"Optional locale for date parsing","minLength":1,"type":"string"},"output_format":{"description":"Optional output format for storing the parsed date as text","minLength":1,"type":"string"},"timezone":{"description":"Optional timezone for date parsing","minLength":1,"type":"string"},"to":{"description":"Target field for the parsed date (defaults to source)","minLength":1,"type":"string"},"where":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"Conditional expression controlling whether this processor runs"}},"required":["action","from","formats"]},{"additionalProperties":false,"description":"Base processor options plus conditional execution","type":"object","properties":{"action":{"enum":["drop_document"],"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"where":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"Conditional expression controlling whether this processor runs"}},"required":["action"]},{"additionalProperties":false,"description":"Base processor options plus conditional execution","type":"object","properties":{"action":{"enum":["math"],"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"expression":{"description":"A non-empty string.","minLength":1,"type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"ignore_missing":{"type":"boolean"},"to":{"description":"A non-empty string.","minLength":1,"type":"string"},"where":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"Conditional expression controlling whether this processor runs"}},"required":["action","expression","to"]},{"additionalProperties":false,"description":"Rename processor - Change a field name and optionally its location","type":"object","properties":{"action":{"enum":["rename"],"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"from":{"description":"Existing source field to rename or move","minLength":1,"type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"ignore_missing":{"description":"Skip when source field is missing","type":"boolean"},"override":{"description":"Allow overwriting the target field if it already exists","type":"boolean"},"to":{"description":"New field name or destination path","minLength":1,"type":"string"},"where":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"Conditional expression controlling whether this processor runs"}},"required":["action","from","to"]},{"additionalProperties":false,"description":"Set processor - Assign a literal or copied value to a field (mutually exclusive inputs)","type":"object","properties":{"action":{"enum":["set"],"type":"string"},"copy_from":{"description":"Copy value from another field instead of providing a literal","minLength":1,"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"override":{"description":"Allow overwriting an existing target field","type":"boolean"},"to":{"description":"Target field to set or create","minLength":1,"type":"string"},"value":{"description":"Literal value to assign to the target field"},"where":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"Conditional expression controlling whether this processor runs"}},"required":["action","to"]},{"additionalProperties":false,"description":"Append processor - Append one or more values to an existing or new array field","type":"object","properties":{"action":{"enum":["append"],"type":"string"},"allow_duplicates":{"description":"If true, do not deduplicate appended values","type":"boolean"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"to":{"description":"Array field to append values to","minLength":1,"type":"string"},"value":{"description":"Values to append (must be literal, no templates)","items":{},"minItems":1,"type":"array"},"where":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"Conditional expression controlling whether this processor runs"}},"required":["action","to","value"]},{"additionalProperties":false,"description":"Remove by prefix processor - Remove a field and all nested fields matching the prefix","type":"object","properties":{"action":{"enum":["remove_by_prefix"],"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"from":{"description":"Field to remove along with all its nested fields","minLength":1,"type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"}},"required":["action","from"]},{"additionalProperties":false,"description":"Remove processor - Delete one or more fields from the document","type":"object","properties":{"action":{"enum":["remove"],"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"from":{"description":"Field to remove from the document","minLength":1,"type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"ignore_missing":{"description":"Skip processing when source field is missing","type":"boolean"},"where":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"Conditional expression controlling whether this processor runs"}},"required":["action","from"]},{"additionalProperties":false,"description":"Base processor options plus conditional execution","type":"object","properties":{"action":{"enum":["replace"],"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"from":{"description":"A non-empty string.","minLength":1,"type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"ignore_missing":{"type":"boolean"},"pattern":{"description":"A non-empty string or string with whitespace.","minLength":1,"type":"string"},"replacement":{"type":"string"},"to":{"description":"A non-empty string.","minLength":1,"type":"string"},"where":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"Conditional expression controlling whether this processor runs"}},"required":["action","from","pattern","replacement"]},{"additionalProperties":false,"description":"Convert processor - Change the data type of a field value (integer, long, double, boolean, or string)","type":"object","properties":{"action":{"enum":["convert"],"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"from":{"description":"Source field to convert to a different data type","minLength":1,"type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"ignore_missing":{"description":"Skip processing when source field is missing","type":"boolean"},"to":{"description":"Target field for the converted value (defaults to source)","minLength":1,"type":"string"},"type":{"description":"Target data type: integer, long, double, boolean, or string","enum":["integer","long","double","boolean","string"],"type":"string"},"where":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"Conditional expression controlling whether this processor runs"}},"required":["action","from","type"]},{"additionalProperties":false,"description":"Manual ingest pipeline wrapper around native Elasticsearch processors","type":"object","properties":{"action":{"description":"Manual ingest pipeline - executes raw Elasticsearch ingest processors","enum":["manual_ingest_pipeline"],"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"on_failure":{"description":"Fallback processors to run when a processor fails","items":{"additionalProperties":{},"type":"object"},"type":"array"},"processors":{"description":"List of raw Elasticsearch ingest processors to run","items":{"additionalProperties":false,"type":"object","properties":{"append":{},"attachment":{},"bytes":{},"circle":{},"community_id":{},"convert":{},"csv":{},"date":{},"date_index_name":{},"dissect":{},"dot_expander":{},"drop":{},"enrich":{},"fail":{},"fingerprint":{},"foreach":{},"geo_grid":{},"geoip":{},"grok":{},"gsub":{},"html_strip":{},"inference":{},"ip_location":{},"join":{},"json":{},"kv":{},"lowercase":{},"network_direction":{},"pipeline":{},"redact":{},"registered_domain":{},"remove":{},"rename":{},"reroute":{},"script":{},"set":{},"set_security_user":{},"sort":{},"split":{},"terminate":{},"trim":{},"uppercase":{},"uri_parts":{},"urldecode":{},"user_agent":{}},"required":["append","attachment","bytes","circle","community_id","convert","csv","date","date_index_name","dissect","dot_expander","drop","enrich","fail","fingerprint","foreach","ip_location","geo_grid","geoip","grok","gsub","html_strip","inference","join","json","kv","lowercase","network_direction","pipeline","redact","registered_domain","remove","rename","reroute","script","set","set_security_user","sort","split","terminate","trim","uppercase","urldecode","uri_parts","user_agent"]},"type":"array"},"tag":{"description":"Optional ingest processor tag for Elasticsearch","type":"string"},"where":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"Conditional expression controlling whether this processor runs"}},"required":["action","processors"]}]},{"additionalProperties":false,"type":"object","properties":{"condition":{"allOf":[{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"The root condition object. It can be a simple filter or a combination of other conditions."},{"type":"object","properties":{"steps":{"items":{},"type":"array"}},"required":["steps"]}]},"customIdentifier":{"type":"string"}},"required":["condition"]}]},"type":"array"},"updated_at":{"format":"date-time","type":"string"}},"required":["steps","updated_at"]},"settings":{"additionalProperties":false,"type":"object","properties":{"index.number_of_replicas":{"additionalProperties":false,"type":"object","properties":{"value":{"type":"number"}},"required":["value"]},"index.number_of_shards":{"additionalProperties":false,"type":"object","properties":{"value":{"type":"number"}},"required":["value"]},"index.refresh_interval":{"additionalProperties":false,"type":"object","properties":{"value":{"anyOf":[{"type":"string"},{"enum":[-1],"type":"number"}]}},"required":["value"]}}}},"required":["lifecycle","processing","settings","failure_store"]},{"type":"object","properties":{"wired":{"additionalProperties":false,"type":"object","properties":{"fields":{"additionalProperties":{"allOf":[{"additionalProperties":{"anyOf":[{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"},{"enum":["null"],"nullable":true},{"not":{}}]},{"items":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"},{"enum":["null"],"nullable":true},{"not":{}}]},"type":"array"},{"items":{},"type":"array"},{}]},"type":"object"},{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"format":{"description":"A non-empty string.","minLength":1,"type":"string"},"type":{"enum":["keyword","match_only_text","long","double","date","boolean","ip","geo_point"],"type":"string"}},"required":["type"]},{"additionalProperties":false,"type":"object","properties":{"type":{"enum":["system"],"type":"string"}},"required":["type"]}]}]},"type":"object"},"routing":{"items":{"additionalProperties":false,"type":"object","properties":{"destination":{"description":"A non-empty string.","minLength":1,"type":"string"},"status":{"enum":["enabled","disabled"],"type":"string"},"where":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"The root condition object. It can be a simple filter or a combination of other conditions."}},"required":["destination","where"]},"type":"array"}},"required":["fields","routing"]}},"required":["wired"]}]}},"required":["ingest"]}]}},"required":["stream"]},{"type":"object","properties":{}},{"type":"object","properties":{"stream":{"allOf":[{"additionalProperties":true,"type":"object","properties":{"ingest":{"additionalProperties":true,"type":"object","properties":{"processing":{"additionalProperties":true,"type":"object","properties":{"updated_at":{"not":{}}}}},"required":["processing"]},"name":{"not":{}},"updated_at":{"not":{}}}},{"additionalProperties":false,"type":"object","properties":{"description":{"type":"string"},"name":{"type":"string"},"updated_at":{"format":"date-time","type":"string"}},"required":["name","description","updated_at"]}]}},"required":["stream"]},{"type":"object","properties":{"dashboards":{"items":{"type":"string"},"type":"array"},"queries":{"items":{"allOf":[{"type":"object","properties":{"id":{"description":"A non-empty string.","minLength":1,"type":"string"},"title":{"description":"A non-empty string.","minLength":1,"type":"string"}},"required":["id","title"]},{"type":"object","properties":{"evidence":{"items":{"type":"string"},"type":"array"},"feature":{"additionalProperties":false,"type":"object","properties":{"filter":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"The root condition object. It can be a simple filter or a combination of other conditions."},"name":{"description":"A non-empty string.","minLength":1,"type":"string"},"type":{"enum":["system"],"type":"string"}},"required":["name","filter","type"]},"kql":{"additionalProperties":false,"type":"object","properties":{"query":{"type":"string"}},"required":["query"]},"severity_score":{"type":"number"}},"required":["kql"]}]},"type":"array"},"rules":{"items":{"type":"string"},"type":"array"}},"required":["dashboards","rules","queries"]},{"type":"object","properties":{"stream":{"allOf":[{"additionalProperties":true,"type":"object","properties":{"ingest":{"additionalProperties":true,"type":"object","properties":{"processing":{"additionalProperties":true,"type":"object","properties":{"updated_at":{"not":{}}}}},"required":["processing"]},"name":{"not":{}},"updated_at":{"not":{}}}},{"additionalProperties":false,"type":"object","properties":{"ingest":{"additionalProperties":false,"type":"object","properties":{"failure_store":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"inherit":{"additionalProperties":false,"type":"object","properties":{}}},"required":["inherit"]},{"additionalProperties":false,"type":"object","properties":{"disabled":{"additionalProperties":false,"type":"object","properties":{}}},"required":["disabled"]},{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"lifecycle":{"additionalProperties":false,"type":"object","properties":{"enabled":{"additionalProperties":false,"type":"object","properties":{"data_retention":{"description":"A non-empty string.","minLength":1,"type":"string"}}}},"required":["enabled"]}},"required":["lifecycle"]},{"additionalProperties":false,"type":"object","properties":{"lifecycle":{"additionalProperties":false,"type":"object","properties":{"disabled":{"additionalProperties":false,"type":"object","properties":{}}},"required":["disabled"]}},"required":["lifecycle"]}]}]},"lifecycle":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"dsl":{"additionalProperties":false,"type":"object","properties":{"data_retention":{"description":"A non-empty string.","minLength":1,"type":"string"}}}},"required":["dsl"]},{"additionalProperties":false,"type":"object","properties":{"ilm":{"additionalProperties":false,"type":"object","properties":{"policy":{"description":"A non-empty string.","minLength":1,"type":"string"}},"required":["policy"]}},"required":["ilm"]},{"additionalProperties":false,"type":"object","properties":{"inherit":{"additionalProperties":false,"type":"object","properties":{}}},"required":["inherit"]}]},"processing":{"additionalProperties":false,"type":"object","properties":{"steps":{"items":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"Grok processor - Extract fields from text using grok patterns","type":"object","properties":{"action":{"enum":["grok"],"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"from":{"description":"Source field to parse with grok patterns","minLength":1,"type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"ignore_missing":{"description":"Skip processing when source field is missing","type":"boolean"},"pattern_definitions":{"additionalProperties":{"type":"string"},"type":"object"},"patterns":{"description":"Grok patterns applied in order to extract fields","items":{"description":"A non-empty string.","minLength":1,"type":"string"},"minItems":1,"type":"array"},"where":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"Conditional expression controlling whether this processor runs"}},"required":["action","from","patterns"]},{"additionalProperties":false,"description":"Dissect processor - Extract fields from text using a lightweight, delimiter-based parser","type":"object","properties":{"action":{"enum":["dissect"],"type":"string"},"append_separator":{"description":"Separator inserted when target fields are concatenated","minLength":1,"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"from":{"description":"Source field to parse with dissect pattern","minLength":1,"type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"ignore_missing":{"description":"Skip processing when source field is missing","type":"boolean"},"pattern":{"description":"Dissect pattern describing field boundaries","minLength":1,"type":"string"},"where":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"Conditional expression controlling whether this processor runs"}},"required":["action","from","pattern"]},{"additionalProperties":false,"description":"Date processor - Parse dates from strings using one or more expected formats","type":"object","properties":{"action":{"enum":["date"],"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"formats":{"description":"Accepted input date formats, tried in order","items":{"description":"A non-empty string.","minLength":1,"type":"string"},"type":"array"},"from":{"description":"Source field containing the date/time text","minLength":1,"type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"locale":{"description":"Optional locale for date parsing","minLength":1,"type":"string"},"output_format":{"description":"Optional output format for storing the parsed date as text","minLength":1,"type":"string"},"timezone":{"description":"Optional timezone for date parsing","minLength":1,"type":"string"},"to":{"description":"Target field for the parsed date (defaults to source)","minLength":1,"type":"string"},"where":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"Conditional expression controlling whether this processor runs"}},"required":["action","from","formats"]},{"additionalProperties":false,"description":"Base processor options plus conditional execution","type":"object","properties":{"action":{"enum":["drop_document"],"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"where":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"Conditional expression controlling whether this processor runs"}},"required":["action"]},{"additionalProperties":false,"description":"Base processor options plus conditional execution","type":"object","properties":{"action":{"enum":["math"],"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"expression":{"description":"A non-empty string.","minLength":1,"type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"ignore_missing":{"type":"boolean"},"to":{"description":"A non-empty string.","minLength":1,"type":"string"},"where":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"Conditional expression controlling whether this processor runs"}},"required":["action","expression","to"]},{"additionalProperties":false,"description":"Rename processor - Change a field name and optionally its location","type":"object","properties":{"action":{"enum":["rename"],"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"from":{"description":"Existing source field to rename or move","minLength":1,"type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"ignore_missing":{"description":"Skip when source field is missing","type":"boolean"},"override":{"description":"Allow overwriting the target field if it already exists","type":"boolean"},"to":{"description":"New field name or destination path","minLength":1,"type":"string"},"where":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"Conditional expression controlling whether this processor runs"}},"required":["action","from","to"]},{"additionalProperties":false,"description":"Set processor - Assign a literal or copied value to a field (mutually exclusive inputs)","type":"object","properties":{"action":{"enum":["set"],"type":"string"},"copy_from":{"description":"Copy value from another field instead of providing a literal","minLength":1,"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"override":{"description":"Allow overwriting an existing target field","type":"boolean"},"to":{"description":"Target field to set or create","minLength":1,"type":"string"},"value":{"description":"Literal value to assign to the target field"},"where":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"Conditional expression controlling whether this processor runs"}},"required":["action","to"]},{"additionalProperties":false,"description":"Append processor - Append one or more values to an existing or new array field","type":"object","properties":{"action":{"enum":["append"],"type":"string"},"allow_duplicates":{"description":"If true, do not deduplicate appended values","type":"boolean"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"to":{"description":"Array field to append values to","minLength":1,"type":"string"},"value":{"description":"Values to append (must be literal, no templates)","items":{},"minItems":1,"type":"array"},"where":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"Conditional expression controlling whether this processor runs"}},"required":["action","to","value"]},{"additionalProperties":false,"description":"Remove by prefix processor - Remove a field and all nested fields matching the prefix","type":"object","properties":{"action":{"enum":["remove_by_prefix"],"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"from":{"description":"Field to remove along with all its nested fields","minLength":1,"type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"}},"required":["action","from"]},{"additionalProperties":false,"description":"Remove processor - Delete one or more fields from the document","type":"object","properties":{"action":{"enum":["remove"],"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"from":{"description":"Field to remove from the document","minLength":1,"type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"ignore_missing":{"description":"Skip processing when source field is missing","type":"boolean"},"where":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"Conditional expression controlling whether this processor runs"}},"required":["action","from"]},{"additionalProperties":false,"description":"Base processor options plus conditional execution","type":"object","properties":{"action":{"enum":["replace"],"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"from":{"description":"A non-empty string.","minLength":1,"type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"ignore_missing":{"type":"boolean"},"pattern":{"description":"A non-empty string or string with whitespace.","minLength":1,"type":"string"},"replacement":{"type":"string"},"to":{"description":"A non-empty string.","minLength":1,"type":"string"},"where":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"Conditional expression controlling whether this processor runs"}},"required":["action","from","pattern","replacement"]},{"additionalProperties":false,"description":"Convert processor - Change the data type of a field value (integer, long, double, boolean, or string)","type":"object","properties":{"action":{"enum":["convert"],"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"from":{"description":"Source field to convert to a different data type","minLength":1,"type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"ignore_missing":{"description":"Skip processing when source field is missing","type":"boolean"},"to":{"description":"Target field for the converted value (defaults to source)","minLength":1,"type":"string"},"type":{"description":"Target data type: integer, long, double, boolean, or string","enum":["integer","long","double","boolean","string"],"type":"string"},"where":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"Conditional expression controlling whether this processor runs"}},"required":["action","from","type"]},{"additionalProperties":false,"description":"Manual ingest pipeline wrapper around native Elasticsearch processors","type":"object","properties":{"action":{"description":"Manual ingest pipeline - executes raw Elasticsearch ingest processors","enum":["manual_ingest_pipeline"],"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"on_failure":{"description":"Fallback processors to run when a processor fails","items":{"additionalProperties":{},"type":"object"},"type":"array"},"processors":{"description":"List of raw Elasticsearch ingest processors to run","items":{"additionalProperties":false,"type":"object","properties":{"append":{},"attachment":{},"bytes":{},"circle":{},"community_id":{},"convert":{},"csv":{},"date":{},"date_index_name":{},"dissect":{},"dot_expander":{},"drop":{},"enrich":{},"fail":{},"fingerprint":{},"foreach":{},"geo_grid":{},"geoip":{},"grok":{},"gsub":{},"html_strip":{},"inference":{},"ip_location":{},"join":{},"json":{},"kv":{},"lowercase":{},"network_direction":{},"pipeline":{},"redact":{},"registered_domain":{},"remove":{},"rename":{},"reroute":{},"script":{},"set":{},"set_security_user":{},"sort":{},"split":{},"terminate":{},"trim":{},"uppercase":{},"uri_parts":{},"urldecode":{},"user_agent":{}},"required":["append","attachment","bytes","circle","community_id","convert","csv","date","date_index_name","dissect","dot_expander","drop","enrich","fail","fingerprint","foreach","ip_location","geo_grid","geoip","grok","gsub","html_strip","inference","join","json","kv","lowercase","network_direction","pipeline","redact","registered_domain","remove","rename","reroute","script","set","set_security_user","sort","split","terminate","trim","uppercase","urldecode","uri_parts","user_agent"]},"type":"array"},"tag":{"description":"Optional ingest processor tag for Elasticsearch","type":"string"},"where":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"Conditional expression controlling whether this processor runs"}},"required":["action","processors"]}]},{"additionalProperties":false,"type":"object","properties":{"condition":{"allOf":[{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"The root condition object. It can be a simple filter or a combination of other conditions."},{"type":"object","properties":{"steps":{"items":{},"type":"array"}},"required":["steps"]}]},"customIdentifier":{"type":"string"}},"required":["condition"]}]},"type":"array"},"updated_at":{"format":"date-time","type":"string"}},"required":["steps","updated_at"]},"settings":{"additionalProperties":false,"type":"object","properties":{"index.number_of_replicas":{"additionalProperties":false,"type":"object","properties":{"value":{"type":"number"}},"required":["value"]},"index.number_of_shards":{"additionalProperties":false,"type":"object","properties":{"value":{"type":"number"}},"required":["value"]},"index.refresh_interval":{"additionalProperties":false,"type":"object","properties":{"value":{"anyOf":[{"type":"string"},{"enum":[-1],"type":"number"}]}},"required":["value"]}}}},"required":["lifecycle","processing","settings","failure_store"]}},"required":["ingest"]}]}},"required":["stream"]},{"type":"object","properties":{}},{"type":"object","properties":{}}]},{"allOf":[{"type":"object","properties":{}},{"type":"object","properties":{"stream":{"allOf":[{"additionalProperties":true,"type":"object","properties":{"ingest":{"additionalProperties":true,"type":"object","properties":{"processing":{"additionalProperties":true,"type":"object","properties":{"updated_at":{"not":{}}}}},"required":["processing"]},"name":{"not":{}},"updated_at":{"not":{}}}},{"additionalProperties":false,"type":"object","properties":{"description":{"type":"string"},"name":{"type":"string"},"updated_at":{"format":"date-time","type":"string"}},"required":["name","description","updated_at"]}]}},"required":["stream"]},{"type":"object","properties":{"dashboards":{"items":{"type":"string"},"type":"array"},"queries":{"items":{"allOf":[{"type":"object","properties":{"id":{"description":"A non-empty string.","minLength":1,"type":"string"},"title":{"description":"A non-empty string.","minLength":1,"type":"string"}},"required":["id","title"]},{"type":"object","properties":{"evidence":{"items":{"type":"string"},"type":"array"},"feature":{"additionalProperties":false,"type":"object","properties":{"filter":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"The root condition object. It can be a simple filter or a combination of other conditions."},"name":{"description":"A non-empty string.","minLength":1,"type":"string"},"type":{"enum":["system"],"type":"string"}},"required":["name","filter","type"]},"kql":{"additionalProperties":false,"type":"object","properties":{"query":{"type":"string"}},"required":["query"]},"severity_score":{"type":"number"}},"required":["kql"]}]},"type":"array"},"rules":{"items":{"type":"string"},"type":"array"}},"required":["dashboards","rules","queries"]},{"type":"object","properties":{"stream":{"allOf":[{"additionalProperties":true,"type":"object","properties":{"ingest":{"additionalProperties":true,"type":"object","properties":{"processing":{"additionalProperties":true,"type":"object","properties":{"updated_at":{"not":{}}}}},"required":["processing"]},"name":{"not":{}},"updated_at":{"not":{}}}},{"additionalProperties":false,"type":"object","properties":{"ingest":{"allOf":[{"type":"object","properties":{"failure_store":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"inherit":{"additionalProperties":false,"type":"object","properties":{}}},"required":["inherit"]},{"additionalProperties":false,"type":"object","properties":{"disabled":{"additionalProperties":false,"type":"object","properties":{}}},"required":["disabled"]},{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"lifecycle":{"additionalProperties":false,"type":"object","properties":{"enabled":{"additionalProperties":false,"type":"object","properties":{"data_retention":{"description":"A non-empty string.","minLength":1,"type":"string"}}}},"required":["enabled"]}},"required":["lifecycle"]},{"additionalProperties":false,"type":"object","properties":{"lifecycle":{"additionalProperties":false,"type":"object","properties":{"disabled":{"additionalProperties":false,"type":"object","properties":{}}},"required":["disabled"]}},"required":["lifecycle"]}]}]},"lifecycle":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"dsl":{"additionalProperties":false,"type":"object","properties":{"data_retention":{"description":"A non-empty string.","minLength":1,"type":"string"}}}},"required":["dsl"]},{"additionalProperties":false,"type":"object","properties":{"ilm":{"additionalProperties":false,"type":"object","properties":{"policy":{"description":"A non-empty string.","minLength":1,"type":"string"}},"required":["policy"]}},"required":["ilm"]},{"additionalProperties":false,"type":"object","properties":{"inherit":{"additionalProperties":false,"type":"object","properties":{}}},"required":["inherit"]}]},"processing":{"additionalProperties":false,"type":"object","properties":{"steps":{"items":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"Grok processor - Extract fields from text using grok patterns","type":"object","properties":{"action":{"enum":["grok"],"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"from":{"description":"Source field to parse with grok patterns","minLength":1,"type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"ignore_missing":{"description":"Skip processing when source field is missing","type":"boolean"},"pattern_definitions":{"additionalProperties":{"type":"string"},"type":"object"},"patterns":{"description":"Grok patterns applied in order to extract fields","items":{"description":"A non-empty string.","minLength":1,"type":"string"},"minItems":1,"type":"array"},"where":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"Conditional expression controlling whether this processor runs"}},"required":["action","from","patterns"]},{"additionalProperties":false,"description":"Dissect processor - Extract fields from text using a lightweight, delimiter-based parser","type":"object","properties":{"action":{"enum":["dissect"],"type":"string"},"append_separator":{"description":"Separator inserted when target fields are concatenated","minLength":1,"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"from":{"description":"Source field to parse with dissect pattern","minLength":1,"type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"ignore_missing":{"description":"Skip processing when source field is missing","type":"boolean"},"pattern":{"description":"Dissect pattern describing field boundaries","minLength":1,"type":"string"},"where":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"Conditional expression controlling whether this processor runs"}},"required":["action","from","pattern"]},{"additionalProperties":false,"description":"Date processor - Parse dates from strings using one or more expected formats","type":"object","properties":{"action":{"enum":["date"],"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"formats":{"description":"Accepted input date formats, tried in order","items":{"description":"A non-empty string.","minLength":1,"type":"string"},"type":"array"},"from":{"description":"Source field containing the date/time text","minLength":1,"type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"locale":{"description":"Optional locale for date parsing","minLength":1,"type":"string"},"output_format":{"description":"Optional output format for storing the parsed date as text","minLength":1,"type":"string"},"timezone":{"description":"Optional timezone for date parsing","minLength":1,"type":"string"},"to":{"description":"Target field for the parsed date (defaults to source)","minLength":1,"type":"string"},"where":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"Conditional expression controlling whether this processor runs"}},"required":["action","from","formats"]},{"additionalProperties":false,"description":"Base processor options plus conditional execution","type":"object","properties":{"action":{"enum":["drop_document"],"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"where":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"Conditional expression controlling whether this processor runs"}},"required":["action"]},{"additionalProperties":false,"description":"Base processor options plus conditional execution","type":"object","properties":{"action":{"enum":["math"],"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"expression":{"description":"A non-empty string.","minLength":1,"type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"ignore_missing":{"type":"boolean"},"to":{"description":"A non-empty string.","minLength":1,"type":"string"},"where":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"Conditional expression controlling whether this processor runs"}},"required":["action","expression","to"]},{"additionalProperties":false,"description":"Rename processor - Change a field name and optionally its location","type":"object","properties":{"action":{"enum":["rename"],"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"from":{"description":"Existing source field to rename or move","minLength":1,"type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"ignore_missing":{"description":"Skip when source field is missing","type":"boolean"},"override":{"description":"Allow overwriting the target field if it already exists","type":"boolean"},"to":{"description":"New field name or destination path","minLength":1,"type":"string"},"where":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"Conditional expression controlling whether this processor runs"}},"required":["action","from","to"]},{"additionalProperties":false,"description":"Set processor - Assign a literal or copied value to a field (mutually exclusive inputs)","type":"object","properties":{"action":{"enum":["set"],"type":"string"},"copy_from":{"description":"Copy value from another field instead of providing a literal","minLength":1,"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"override":{"description":"Allow overwriting an existing target field","type":"boolean"},"to":{"description":"Target field to set or create","minLength":1,"type":"string"},"value":{"description":"Literal value to assign to the target field"},"where":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"Conditional expression controlling whether this processor runs"}},"required":["action","to"]},{"additionalProperties":false,"description":"Append processor - Append one or more values to an existing or new array field","type":"object","properties":{"action":{"enum":["append"],"type":"string"},"allow_duplicates":{"description":"If true, do not deduplicate appended values","type":"boolean"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"to":{"description":"Array field to append values to","minLength":1,"type":"string"},"value":{"description":"Values to append (must be literal, no templates)","items":{},"minItems":1,"type":"array"},"where":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"Conditional expression controlling whether this processor runs"}},"required":["action","to","value"]},{"additionalProperties":false,"description":"Remove by prefix processor - Remove a field and all nested fields matching the prefix","type":"object","properties":{"action":{"enum":["remove_by_prefix"],"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"from":{"description":"Field to remove along with all its nested fields","minLength":1,"type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"}},"required":["action","from"]},{"additionalProperties":false,"description":"Remove processor - Delete one or more fields from the document","type":"object","properties":{"action":{"enum":["remove"],"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"from":{"description":"Field to remove from the document","minLength":1,"type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"ignore_missing":{"description":"Skip processing when source field is missing","type":"boolean"},"where":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"Conditional expression controlling whether this processor runs"}},"required":["action","from"]},{"additionalProperties":false,"description":"Base processor options plus conditional execution","type":"object","properties":{"action":{"enum":["replace"],"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"from":{"description":"A non-empty string.","minLength":1,"type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"ignore_missing":{"type":"boolean"},"pattern":{"description":"A non-empty string or string with whitespace.","minLength":1,"type":"string"},"replacement":{"type":"string"},"to":{"description":"A non-empty string.","minLength":1,"type":"string"},"where":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"Conditional expression controlling whether this processor runs"}},"required":["action","from","pattern","replacement"]},{"additionalProperties":false,"description":"Convert processor - Change the data type of a field value (integer, long, double, boolean, or string)","type":"object","properties":{"action":{"enum":["convert"],"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"from":{"description":"Source field to convert to a different data type","minLength":1,"type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"ignore_missing":{"description":"Skip processing when source field is missing","type":"boolean"},"to":{"description":"Target field for the converted value (defaults to source)","minLength":1,"type":"string"},"type":{"description":"Target data type: integer, long, double, boolean, or string","enum":["integer","long","double","boolean","string"],"type":"string"},"where":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"Conditional expression controlling whether this processor runs"}},"required":["action","from","type"]},{"additionalProperties":false,"description":"Manual ingest pipeline wrapper around native Elasticsearch processors","type":"object","properties":{"action":{"description":"Manual ingest pipeline - executes raw Elasticsearch ingest processors","enum":["manual_ingest_pipeline"],"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"on_failure":{"description":"Fallback processors to run when a processor fails","items":{"additionalProperties":{},"type":"object"},"type":"array"},"processors":{"description":"List of raw Elasticsearch ingest processors to run","items":{"additionalProperties":false,"type":"object","properties":{"append":{},"attachment":{},"bytes":{},"circle":{},"community_id":{},"convert":{},"csv":{},"date":{},"date_index_name":{},"dissect":{},"dot_expander":{},"drop":{},"enrich":{},"fail":{},"fingerprint":{},"foreach":{},"geo_grid":{},"geoip":{},"grok":{},"gsub":{},"html_strip":{},"inference":{},"ip_location":{},"join":{},"json":{},"kv":{},"lowercase":{},"network_direction":{},"pipeline":{},"redact":{},"registered_domain":{},"remove":{},"rename":{},"reroute":{},"script":{},"set":{},"set_security_user":{},"sort":{},"split":{},"terminate":{},"trim":{},"uppercase":{},"uri_parts":{},"urldecode":{},"user_agent":{}},"required":["append","attachment","bytes","circle","community_id","convert","csv","date","date_index_name","dissect","dot_expander","drop","enrich","fail","fingerprint","foreach","ip_location","geo_grid","geoip","grok","gsub","html_strip","inference","join","json","kv","lowercase","network_direction","pipeline","redact","registered_domain","remove","rename","reroute","script","set","set_security_user","sort","split","terminate","trim","uppercase","urldecode","uri_parts","user_agent"]},"type":"array"},"tag":{"description":"Optional ingest processor tag for Elasticsearch","type":"string"},"where":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"Conditional expression controlling whether this processor runs"}},"required":["action","processors"]}]},{"additionalProperties":false,"type":"object","properties":{"condition":{"allOf":[{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"The root condition object. It can be a simple filter or a combination of other conditions."},{"type":"object","properties":{"steps":{"items":{},"type":"array"}},"required":["steps"]}]},"customIdentifier":{"type":"string"}},"required":["condition"]}]},"type":"array"},"updated_at":{"format":"date-time","type":"string"}},"required":["steps","updated_at"]},"settings":{"additionalProperties":false,"type":"object","properties":{"index.number_of_replicas":{"additionalProperties":false,"type":"object","properties":{"value":{"type":"number"}},"required":["value"]},"index.number_of_shards":{"additionalProperties":false,"type":"object","properties":{"value":{"type":"number"}},"required":["value"]},"index.refresh_interval":{"additionalProperties":false,"type":"object","properties":{"value":{"anyOf":[{"type":"string"},{"enum":[-1],"type":"number"}]}},"required":["value"]}}}},"required":["lifecycle","processing","settings","failure_store"]},{"type":"object","properties":{"classic":{"additionalProperties":false,"type":"object","properties":{"field_overrides":{"additionalProperties":{"allOf":[{"additionalProperties":{"anyOf":[{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"},{"enum":["null"],"nullable":true},{"not":{}}]},{"items":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"},{"enum":["null"],"nullable":true},{"not":{}}]},"type":"array"},{"items":{},"type":"array"},{}]},"type":"object"},{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"format":{"description":"A non-empty string.","minLength":1,"type":"string"},"type":{"enum":["keyword","match_only_text","long","double","date","boolean","ip","geo_point"],"type":"string"}},"required":["type"]},{"additionalProperties":false,"type":"object","properties":{"type":{"enum":["system"],"type":"string"}},"required":["type"]}]}]},"type":"object"}}}},"required":["classic"]}]}},"required":["ingest"]}]}},"required":["stream"]},{"type":"object","properties":{}},{"type":"object","properties":{"stream":{"allOf":[{"additionalProperties":true,"type":"object","properties":{"ingest":{"additionalProperties":true,"type":"object","properties":{"processing":{"additionalProperties":true,"type":"object","properties":{"updated_at":{"not":{}}}}},"required":["processing"]},"name":{"not":{}},"updated_at":{"not":{}}}},{"additionalProperties":false,"type":"object","properties":{"description":{"type":"string"},"name":{"type":"string"},"updated_at":{"format":"date-time","type":"string"}},"required":["name","description","updated_at"]}]}},"required":["stream"]},{"type":"object","properties":{"dashboards":{"items":{"type":"string"},"type":"array"},"queries":{"items":{"allOf":[{"type":"object","properties":{"id":{"description":"A non-empty string.","minLength":1,"type":"string"},"title":{"description":"A non-empty string.","minLength":1,"type":"string"}},"required":["id","title"]},{"type":"object","properties":{"evidence":{"items":{"type":"string"},"type":"array"},"feature":{"additionalProperties":false,"type":"object","properties":{"filter":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"The root condition object. It can be a simple filter or a combination of other conditions."},"name":{"description":"A non-empty string.","minLength":1,"type":"string"},"type":{"enum":["system"],"type":"string"}},"required":["name","filter","type"]},"kql":{"additionalProperties":false,"type":"object","properties":{"query":{"type":"string"}},"required":["query"]},"severity_score":{"type":"number"}},"required":["kql"]}]},"type":"array"},"rules":{"items":{"type":"string"},"type":"array"}},"required":["dashboards","rules","queries"]},{"type":"object","properties":{"stream":{"allOf":[{"additionalProperties":true,"type":"object","properties":{"ingest":{"additionalProperties":true,"type":"object","properties":{"processing":{"additionalProperties":true,"type":"object","properties":{"updated_at":{"not":{}}}}},"required":["processing"]},"name":{"not":{}},"updated_at":{"not":{}}}},{"additionalProperties":false,"type":"object","properties":{"ingest":{"additionalProperties":false,"type":"object","properties":{"failure_store":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"inherit":{"additionalProperties":false,"type":"object","properties":{}}},"required":["inherit"]},{"additionalProperties":false,"type":"object","properties":{"disabled":{"additionalProperties":false,"type":"object","properties":{}}},"required":["disabled"]},{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"lifecycle":{"additionalProperties":false,"type":"object","properties":{"enabled":{"additionalProperties":false,"type":"object","properties":{"data_retention":{"description":"A non-empty string.","minLength":1,"type":"string"}}}},"required":["enabled"]}},"required":["lifecycle"]},{"additionalProperties":false,"type":"object","properties":{"lifecycle":{"additionalProperties":false,"type":"object","properties":{"disabled":{"additionalProperties":false,"type":"object","properties":{}}},"required":["disabled"]}},"required":["lifecycle"]}]}]},"lifecycle":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"dsl":{"additionalProperties":false,"type":"object","properties":{"data_retention":{"description":"A non-empty string.","minLength":1,"type":"string"}}}},"required":["dsl"]},{"additionalProperties":false,"type":"object","properties":{"ilm":{"additionalProperties":false,"type":"object","properties":{"policy":{"description":"A non-empty string.","minLength":1,"type":"string"}},"required":["policy"]}},"required":["ilm"]},{"additionalProperties":false,"type":"object","properties":{"inherit":{"additionalProperties":false,"type":"object","properties":{}}},"required":["inherit"]}]},"processing":{"additionalProperties":false,"type":"object","properties":{"steps":{"items":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"Grok processor - Extract fields from text using grok patterns","type":"object","properties":{"action":{"enum":["grok"],"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"from":{"description":"Source field to parse with grok patterns","minLength":1,"type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"ignore_missing":{"description":"Skip processing when source field is missing","type":"boolean"},"pattern_definitions":{"additionalProperties":{"type":"string"},"type":"object"},"patterns":{"description":"Grok patterns applied in order to extract fields","items":{"description":"A non-empty string.","minLength":1,"type":"string"},"minItems":1,"type":"array"},"where":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"Conditional expression controlling whether this processor runs"}},"required":["action","from","patterns"]},{"additionalProperties":false,"description":"Dissect processor - Extract fields from text using a lightweight, delimiter-based parser","type":"object","properties":{"action":{"enum":["dissect"],"type":"string"},"append_separator":{"description":"Separator inserted when target fields are concatenated","minLength":1,"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"from":{"description":"Source field to parse with dissect pattern","minLength":1,"type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"ignore_missing":{"description":"Skip processing when source field is missing","type":"boolean"},"pattern":{"description":"Dissect pattern describing field boundaries","minLength":1,"type":"string"},"where":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"Conditional expression controlling whether this processor runs"}},"required":["action","from","pattern"]},{"additionalProperties":false,"description":"Date processor - Parse dates from strings using one or more expected formats","type":"object","properties":{"action":{"enum":["date"],"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"formats":{"description":"Accepted input date formats, tried in order","items":{"description":"A non-empty string.","minLength":1,"type":"string"},"type":"array"},"from":{"description":"Source field containing the date/time text","minLength":1,"type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"locale":{"description":"Optional locale for date parsing","minLength":1,"type":"string"},"output_format":{"description":"Optional output format for storing the parsed date as text","minLength":1,"type":"string"},"timezone":{"description":"Optional timezone for date parsing","minLength":1,"type":"string"},"to":{"description":"Target field for the parsed date (defaults to source)","minLength":1,"type":"string"},"where":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"Conditional expression controlling whether this processor runs"}},"required":["action","from","formats"]},{"additionalProperties":false,"description":"Base processor options plus conditional execution","type":"object","properties":{"action":{"enum":["drop_document"],"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"where":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"Conditional expression controlling whether this processor runs"}},"required":["action"]},{"additionalProperties":false,"description":"Base processor options plus conditional execution","type":"object","properties":{"action":{"enum":["math"],"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"expression":{"description":"A non-empty string.","minLength":1,"type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"ignore_missing":{"type":"boolean"},"to":{"description":"A non-empty string.","minLength":1,"type":"string"},"where":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"Conditional expression controlling whether this processor runs"}},"required":["action","expression","to"]},{"additionalProperties":false,"description":"Rename processor - Change a field name and optionally its location","type":"object","properties":{"action":{"enum":["rename"],"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"from":{"description":"Existing source field to rename or move","minLength":1,"type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"ignore_missing":{"description":"Skip when source field is missing","type":"boolean"},"override":{"description":"Allow overwriting the target field if it already exists","type":"boolean"},"to":{"description":"New field name or destination path","minLength":1,"type":"string"},"where":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"Conditional expression controlling whether this processor runs"}},"required":["action","from","to"]},{"additionalProperties":false,"description":"Set processor - Assign a literal or copied value to a field (mutually exclusive inputs)","type":"object","properties":{"action":{"enum":["set"],"type":"string"},"copy_from":{"description":"Copy value from another field instead of providing a literal","minLength":1,"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"override":{"description":"Allow overwriting an existing target field","type":"boolean"},"to":{"description":"Target field to set or create","minLength":1,"type":"string"},"value":{"description":"Literal value to assign to the target field"},"where":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"Conditional expression controlling whether this processor runs"}},"required":["action","to"]},{"additionalProperties":false,"description":"Append processor - Append one or more values to an existing or new array field","type":"object","properties":{"action":{"enum":["append"],"type":"string"},"allow_duplicates":{"description":"If true, do not deduplicate appended values","type":"boolean"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"to":{"description":"Array field to append values to","minLength":1,"type":"string"},"value":{"description":"Values to append (must be literal, no templates)","items":{},"minItems":1,"type":"array"},"where":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"Conditional expression controlling whether this processor runs"}},"required":["action","to","value"]},{"additionalProperties":false,"description":"Remove by prefix processor - Remove a field and all nested fields matching the prefix","type":"object","properties":{"action":{"enum":["remove_by_prefix"],"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"from":{"description":"Field to remove along with all its nested fields","minLength":1,"type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"}},"required":["action","from"]},{"additionalProperties":false,"description":"Remove processor - Delete one or more fields from the document","type":"object","properties":{"action":{"enum":["remove"],"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"from":{"description":"Field to remove from the document","minLength":1,"type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"ignore_missing":{"description":"Skip processing when source field is missing","type":"boolean"},"where":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"Conditional expression controlling whether this processor runs"}},"required":["action","from"]},{"additionalProperties":false,"description":"Base processor options plus conditional execution","type":"object","properties":{"action":{"enum":["replace"],"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"from":{"description":"A non-empty string.","minLength":1,"type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"ignore_missing":{"type":"boolean"},"pattern":{"description":"A non-empty string or string with whitespace.","minLength":1,"type":"string"},"replacement":{"type":"string"},"to":{"description":"A non-empty string.","minLength":1,"type":"string"},"where":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"Conditional expression controlling whether this processor runs"}},"required":["action","from","pattern","replacement"]},{"additionalProperties":false,"description":"Convert processor - Change the data type of a field value (integer, long, double, boolean, or string)","type":"object","properties":{"action":{"enum":["convert"],"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"from":{"description":"Source field to convert to a different data type","minLength":1,"type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"ignore_missing":{"description":"Skip processing when source field is missing","type":"boolean"},"to":{"description":"Target field for the converted value (defaults to source)","minLength":1,"type":"string"},"type":{"description":"Target data type: integer, long, double, boolean, or string","enum":["integer","long","double","boolean","string"],"type":"string"},"where":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"Conditional expression controlling whether this processor runs"}},"required":["action","from","type"]},{"additionalProperties":false,"description":"Manual ingest pipeline wrapper around native Elasticsearch processors","type":"object","properties":{"action":{"description":"Manual ingest pipeline - executes raw Elasticsearch ingest processors","enum":["manual_ingest_pipeline"],"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"on_failure":{"description":"Fallback processors to run when a processor fails","items":{"additionalProperties":{},"type":"object"},"type":"array"},"processors":{"description":"List of raw Elasticsearch ingest processors to run","items":{"additionalProperties":false,"type":"object","properties":{"append":{},"attachment":{},"bytes":{},"circle":{},"community_id":{},"convert":{},"csv":{},"date":{},"date_index_name":{},"dissect":{},"dot_expander":{},"drop":{},"enrich":{},"fail":{},"fingerprint":{},"foreach":{},"geo_grid":{},"geoip":{},"grok":{},"gsub":{},"html_strip":{},"inference":{},"ip_location":{},"join":{},"json":{},"kv":{},"lowercase":{},"network_direction":{},"pipeline":{},"redact":{},"registered_domain":{},"remove":{},"rename":{},"reroute":{},"script":{},"set":{},"set_security_user":{},"sort":{},"split":{},"terminate":{},"trim":{},"uppercase":{},"uri_parts":{},"urldecode":{},"user_agent":{}},"required":["append","attachment","bytes","circle","community_id","convert","csv","date","date_index_name","dissect","dot_expander","drop","enrich","fail","fingerprint","foreach","ip_location","geo_grid","geoip","grok","gsub","html_strip","inference","join","json","kv","lowercase","network_direction","pipeline","redact","registered_domain","remove","rename","reroute","script","set","set_security_user","sort","split","terminate","trim","uppercase","urldecode","uri_parts","user_agent"]},"type":"array"},"tag":{"description":"Optional ingest processor tag for Elasticsearch","type":"string"},"where":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"Conditional expression controlling whether this processor runs"}},"required":["action","processors"]}]},{"additionalProperties":false,"type":"object","properties":{"condition":{"allOf":[{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"The root condition object. It can be a simple filter or a combination of other conditions."},{"type":"object","properties":{"steps":{"items":{},"type":"array"}},"required":["steps"]}]},"customIdentifier":{"type":"string"}},"required":["condition"]}]},"type":"array"},"updated_at":{"format":"date-time","type":"string"}},"required":["steps","updated_at"]},"settings":{"additionalProperties":false,"type":"object","properties":{"index.number_of_replicas":{"additionalProperties":false,"type":"object","properties":{"value":{"type":"number"}},"required":["value"]},"index.number_of_shards":{"additionalProperties":false,"type":"object","properties":{"value":{"type":"number"}},"required":["value"]},"index.refresh_interval":{"additionalProperties":false,"type":"object","properties":{"value":{"anyOf":[{"type":"string"},{"enum":[-1],"type":"number"}]}},"required":["value"]}}}},"required":["lifecycle","processing","settings","failure_store"]}},"required":["ingest"]}]}},"required":["stream"]},{"type":"object","properties":{}},{"type":"object","properties":{}}]}]},{"allOf":[{"type":"object","properties":{}},{"type":"object","properties":{"stream":{"allOf":[{"additionalProperties":true,"type":"object","properties":{"ingest":{"additionalProperties":true,"type":"object","properties":{"processing":{"additionalProperties":true,"type":"object","properties":{"updated_at":{"not":{}}}}},"required":["processing"]},"name":{"not":{}},"updated_at":{"not":{}}}},{"additionalProperties":false,"type":"object","properties":{"description":{"type":"string"},"name":{"type":"string"},"updated_at":{"format":"date-time","type":"string"}},"required":["name","description","updated_at"]}]}},"required":["stream"]},{"type":"object","properties":{"dashboards":{"items":{"type":"string"},"type":"array"},"queries":{"items":{"allOf":[{"type":"object","properties":{"id":{"description":"A non-empty string.","minLength":1,"type":"string"},"title":{"description":"A non-empty string.","minLength":1,"type":"string"}},"required":["id","title"]},{"type":"object","properties":{"evidence":{"items":{"type":"string"},"type":"array"},"feature":{"additionalProperties":false,"type":"object","properties":{"filter":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"The root condition object. It can be a simple filter or a combination of other conditions."},"name":{"description":"A non-empty string.","minLength":1,"type":"string"},"type":{"enum":["system"],"type":"string"}},"required":["name","filter","type"]},"kql":{"additionalProperties":false,"type":"object","properties":{"query":{"type":"string"}},"required":["query"]},"severity_score":{"type":"number"}},"required":["kql"]}]},"type":"array"},"rules":{"items":{"type":"string"},"type":"array"}},"required":["dashboards","rules","queries"]},{"type":"object","properties":{"stream":{"allOf":[{"additionalProperties":true,"type":"object","properties":{"ingest":{"additionalProperties":true,"type":"object","properties":{"processing":{"additionalProperties":true,"type":"object","properties":{"updated_at":{"not":{}}}}},"required":["processing"]},"name":{"not":{}},"updated_at":{"not":{}}}},{"additionalProperties":false,"type":"object","properties":{"group":{"additionalProperties":false,"type":"object","properties":{"members":{"items":{"type":"string"},"type":"array"},"metadata":{"additionalProperties":{"type":"string"},"type":"object"},"tags":{"items":{"type":"string"},"type":"array"}},"required":["metadata","tags","members"]}},"required":["group"]}]}},"required":["stream"]},{"type":"object","properties":{}}]}]}}}},"responses":{},"summary":"Create or update a stream","tags":["streams"],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/streams/{name}/_fork":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/streams/{name}/_fork\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nForks a wired stream and creates a child stream\u003cbr/\u003e\u003cbr/\u003e[Required authorization] Route required privileges: manage_stream.","operationId":"post-streams-name-fork","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"name","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"status":{"enum":["enabled","disabled"],"type":"string"},"stream":{"additionalProperties":false,"type":"object","properties":{"name":{"type":"string"}},"required":["name"]},"where":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"The root condition object. It can be a simple filter or a combination of other conditions."}},"required":["stream","where"]}}}},"responses":{},"summary":"Fork a stream","tags":["streams"],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/streams/{name}/_group":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/streams/{name}/_group\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nFetches the group settings of a group stream definition\u003cbr/\u003e\u003cbr/\u003e[Required authorization] Route required privileges: read_stream.","operationId":"get-streams-name-group","parameters":[{"in":"path","name":"name","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{}},{"enum":["null"],"nullable":true},{"not":{}}]}}}},"responses":{},"summary":"Get group stream settings","tags":["streams"],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana","name":"product_name"}]},"put":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb put\"\u003eput\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/streams/{name}/_group\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nUpserts the group settings of a group stream definition\u003cbr/\u003e\u003cbr/\u003e[Required authorization] Route required privileges: manage_stream.","operationId":"put-streams-name-group","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"name","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"group":{"additionalProperties":false,"type":"object","properties":{"members":{"items":{"type":"string"},"type":"array"},"metadata":{"additionalProperties":{"type":"string"},"type":"object"},"tags":{"items":{"type":"string"},"type":"array"}},"required":["metadata","tags","members"]}},"required":["group"]}}}},"responses":{},"summary":"Upsert group stream settings","tags":["streams"],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/streams/{name}/_ingest":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/streams/{name}/_ingest\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nFetches the ingest settings of an ingest stream definition\u003cbr/\u003e\u003cbr/\u003e[Required authorization] Route required privileges: read_stream.","operationId":"get-streams-name-ingest","parameters":[{"in":"path","name":"name","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{}},{"enum":["null"],"nullable":true},{"not":{}}]}}}},"responses":{},"summary":"Get ingest stream settings","tags":["streams"],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana","name":"product_name"}]},"put":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb put\"\u003eput\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/streams/{name}/_ingest\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nUpserts the ingest settings of an ingest stream definition\u003cbr/\u003e\u003cbr/\u003e[Required authorization] Route required privileges: manage_stream.","operationId":"put-streams-name-ingest","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"name","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"ingest":{"anyOf":[{"allOf":[{"type":"object","properties":{"failure_store":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"inherit":{"additionalProperties":false,"type":"object","properties":{}}},"required":["inherit"]},{"additionalProperties":false,"type":"object","properties":{"disabled":{"additionalProperties":false,"type":"object","properties":{}}},"required":["disabled"]},{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"lifecycle":{"additionalProperties":false,"type":"object","properties":{"enabled":{"additionalProperties":false,"type":"object","properties":{"data_retention":{"description":"A non-empty string.","minLength":1,"type":"string"}}}},"required":["enabled"]}},"required":["lifecycle"]},{"additionalProperties":false,"type":"object","properties":{"lifecycle":{"additionalProperties":false,"type":"object","properties":{"disabled":{"additionalProperties":false,"type":"object","properties":{}}},"required":["disabled"]}},"required":["lifecycle"]}]}]},"lifecycle":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"dsl":{"additionalProperties":false,"type":"object","properties":{"data_retention":{"description":"A non-empty string.","minLength":1,"type":"string"}}}},"required":["dsl"]},{"additionalProperties":false,"type":"object","properties":{"ilm":{"additionalProperties":false,"type":"object","properties":{"policy":{"description":"A non-empty string.","minLength":1,"type":"string"}},"required":["policy"]}},"required":["ilm"]},{"additionalProperties":false,"type":"object","properties":{"inherit":{"additionalProperties":false,"type":"object","properties":{}}},"required":["inherit"]}]},"processing":{"additionalProperties":false,"type":"object","properties":{"steps":{"items":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"Grok processor - Extract fields from text using grok patterns","type":"object","properties":{"action":{"enum":["grok"],"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"from":{"description":"Source field to parse with grok patterns","minLength":1,"type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"ignore_missing":{"description":"Skip processing when source field is missing","type":"boolean"},"pattern_definitions":{"additionalProperties":{"type":"string"},"type":"object"},"patterns":{"description":"Grok patterns applied in order to extract fields","items":{"description":"A non-empty string.","minLength":1,"type":"string"},"minItems":1,"type":"array"},"where":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"Conditional expression controlling whether this processor runs"}},"required":["action","from","patterns"]},{"additionalProperties":false,"description":"Dissect processor - Extract fields from text using a lightweight, delimiter-based parser","type":"object","properties":{"action":{"enum":["dissect"],"type":"string"},"append_separator":{"description":"Separator inserted when target fields are concatenated","minLength":1,"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"from":{"description":"Source field to parse with dissect pattern","minLength":1,"type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"ignore_missing":{"description":"Skip processing when source field is missing","type":"boolean"},"pattern":{"description":"Dissect pattern describing field boundaries","minLength":1,"type":"string"},"where":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"Conditional expression controlling whether this processor runs"}},"required":["action","from","pattern"]},{"additionalProperties":false,"description":"Date processor - Parse dates from strings using one or more expected formats","type":"object","properties":{"action":{"enum":["date"],"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"formats":{"description":"Accepted input date formats, tried in order","items":{"description":"A non-empty string.","minLength":1,"type":"string"},"type":"array"},"from":{"description":"Source field containing the date/time text","minLength":1,"type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"locale":{"description":"Optional locale for date parsing","minLength":1,"type":"string"},"output_format":{"description":"Optional output format for storing the parsed date as text","minLength":1,"type":"string"},"timezone":{"description":"Optional timezone for date parsing","minLength":1,"type":"string"},"to":{"description":"Target field for the parsed date (defaults to source)","minLength":1,"type":"string"},"where":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"Conditional expression controlling whether this processor runs"}},"required":["action","from","formats"]},{"additionalProperties":false,"description":"Base processor options plus conditional execution","type":"object","properties":{"action":{"enum":["drop_document"],"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"where":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"Conditional expression controlling whether this processor runs"}},"required":["action"]},{"additionalProperties":false,"description":"Base processor options plus conditional execution","type":"object","properties":{"action":{"enum":["math"],"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"expression":{"description":"A non-empty string.","minLength":1,"type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"ignore_missing":{"type":"boolean"},"to":{"description":"A non-empty string.","minLength":1,"type":"string"},"where":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"Conditional expression controlling whether this processor runs"}},"required":["action","expression","to"]},{"additionalProperties":false,"description":"Rename processor - Change a field name and optionally its location","type":"object","properties":{"action":{"enum":["rename"],"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"from":{"description":"Existing source field to rename or move","minLength":1,"type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"ignore_missing":{"description":"Skip when source field is missing","type":"boolean"},"override":{"description":"Allow overwriting the target field if it already exists","type":"boolean"},"to":{"description":"New field name or destination path","minLength":1,"type":"string"},"where":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"Conditional expression controlling whether this processor runs"}},"required":["action","from","to"]},{"additionalProperties":false,"description":"Set processor - Assign a literal or copied value to a field (mutually exclusive inputs)","type":"object","properties":{"action":{"enum":["set"],"type":"string"},"copy_from":{"description":"Copy value from another field instead of providing a literal","minLength":1,"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"override":{"description":"Allow overwriting an existing target field","type":"boolean"},"to":{"description":"Target field to set or create","minLength":1,"type":"string"},"value":{"description":"Literal value to assign to the target field"},"where":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"Conditional expression controlling whether this processor runs"}},"required":["action","to"]},{"additionalProperties":false,"description":"Append processor - Append one or more values to an existing or new array field","type":"object","properties":{"action":{"enum":["append"],"type":"string"},"allow_duplicates":{"description":"If true, do not deduplicate appended values","type":"boolean"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"to":{"description":"Array field to append values to","minLength":1,"type":"string"},"value":{"description":"Values to append (must be literal, no templates)","items":{},"minItems":1,"type":"array"},"where":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"Conditional expression controlling whether this processor runs"}},"required":["action","to","value"]},{"additionalProperties":false,"description":"Remove by prefix processor - Remove a field and all nested fields matching the prefix","type":"object","properties":{"action":{"enum":["remove_by_prefix"],"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"from":{"description":"Field to remove along with all its nested fields","minLength":1,"type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"}},"required":["action","from"]},{"additionalProperties":false,"description":"Remove processor - Delete one or more fields from the document","type":"object","properties":{"action":{"enum":["remove"],"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"from":{"description":"Field to remove from the document","minLength":1,"type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"ignore_missing":{"description":"Skip processing when source field is missing","type":"boolean"},"where":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"Conditional expression controlling whether this processor runs"}},"required":["action","from"]},{"additionalProperties":false,"description":"Base processor options plus conditional execution","type":"object","properties":{"action":{"enum":["replace"],"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"from":{"description":"A non-empty string.","minLength":1,"type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"ignore_missing":{"type":"boolean"},"pattern":{"description":"A non-empty string or string with whitespace.","minLength":1,"type":"string"},"replacement":{"type":"string"},"to":{"description":"A non-empty string.","minLength":1,"type":"string"},"where":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"Conditional expression controlling whether this processor runs"}},"required":["action","from","pattern","replacement"]},{"additionalProperties":false,"description":"Convert processor - Change the data type of a field value (integer, long, double, boolean, or string)","type":"object","properties":{"action":{"enum":["convert"],"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"from":{"description":"Source field to convert to a different data type","minLength":1,"type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"ignore_missing":{"description":"Skip processing when source field is missing","type":"boolean"},"to":{"description":"Target field for the converted value (defaults to source)","minLength":1,"type":"string"},"type":{"description":"Target data type: integer, long, double, boolean, or string","enum":["integer","long","double","boolean","string"],"type":"string"},"where":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"Conditional expression controlling whether this processor runs"}},"required":["action","from","type"]},{"additionalProperties":false,"description":"Manual ingest pipeline wrapper around native Elasticsearch processors","type":"object","properties":{"action":{"description":"Manual ingest pipeline - executes raw Elasticsearch ingest processors","enum":["manual_ingest_pipeline"],"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"on_failure":{"description":"Fallback processors to run when a processor fails","items":{"additionalProperties":{},"type":"object"},"type":"array"},"processors":{"description":"List of raw Elasticsearch ingest processors to run","items":{"additionalProperties":false,"type":"object","properties":{"append":{},"attachment":{},"bytes":{},"circle":{},"community_id":{},"convert":{},"csv":{},"date":{},"date_index_name":{},"dissect":{},"dot_expander":{},"drop":{},"enrich":{},"fail":{},"fingerprint":{},"foreach":{},"geo_grid":{},"geoip":{},"grok":{},"gsub":{},"html_strip":{},"inference":{},"ip_location":{},"join":{},"json":{},"kv":{},"lowercase":{},"network_direction":{},"pipeline":{},"redact":{},"registered_domain":{},"remove":{},"rename":{},"reroute":{},"script":{},"set":{},"set_security_user":{},"sort":{},"split":{},"terminate":{},"trim":{},"uppercase":{},"uri_parts":{},"urldecode":{},"user_agent":{}},"required":["append","attachment","bytes","circle","community_id","convert","csv","date","date_index_name","dissect","dot_expander","drop","enrich","fail","fingerprint","foreach","ip_location","geo_grid","geoip","grok","gsub","html_strip","inference","join","json","kv","lowercase","network_direction","pipeline","redact","registered_domain","remove","rename","reroute","script","set","set_security_user","sort","split","terminate","trim","uppercase","urldecode","uri_parts","user_agent"]},"type":"array"},"tag":{"description":"Optional ingest processor tag for Elasticsearch","type":"string"},"where":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"Conditional expression controlling whether this processor runs"}},"required":["action","processors"]}]},{"additionalProperties":false,"type":"object","properties":{"condition":{"allOf":[{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"The root condition object. It can be a simple filter or a combination of other conditions."},{"type":"object","properties":{"steps":{"items":{},"type":"array"}},"required":["steps"]}]},"customIdentifier":{"type":"string"}},"required":["condition"]}]},"type":"array"},"updated_at":{"not":{}}},"required":["steps"]},"settings":{"additionalProperties":false,"type":"object","properties":{"index.number_of_replicas":{"additionalProperties":false,"type":"object","properties":{"value":{"type":"number"}},"required":["value"]},"index.number_of_shards":{"additionalProperties":false,"type":"object","properties":{"value":{"type":"number"}},"required":["value"]},"index.refresh_interval":{"additionalProperties":false,"type":"object","properties":{"value":{"anyOf":[{"type":"string"},{"enum":[-1],"type":"number"}]}},"required":["value"]}}}},"required":["lifecycle","processing","settings","failure_store"]},{"type":"object","properties":{"wired":{"additionalProperties":false,"type":"object","properties":{"fields":{"additionalProperties":{"allOf":[{"additionalProperties":{"anyOf":[{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"},{"enum":["null"],"nullable":true},{"not":{}}]},{"items":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"},{"enum":["null"],"nullable":true},{"not":{}}]},"type":"array"},{"items":{},"type":"array"},{}]},"type":"object"},{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"format":{"description":"A non-empty string.","minLength":1,"type":"string"},"type":{"enum":["keyword","match_only_text","long","double","date","boolean","ip","geo_point"],"type":"string"}},"required":["type"]},{"additionalProperties":false,"type":"object","properties":{"type":{"enum":["system"],"type":"string"}},"required":["type"]}]}]},"type":"object"},"routing":{"items":{"additionalProperties":false,"type":"object","properties":{"destination":{"description":"A non-empty string.","minLength":1,"type":"string"},"status":{"enum":["enabled","disabled"],"type":"string"},"where":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"The root condition object. It can be a simple filter or a combination of other conditions."}},"required":["destination","where"]},"type":"array"}},"required":["fields","routing"]}},"required":["wired"]}]},{"allOf":[{"type":"object","properties":{"failure_store":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"inherit":{"additionalProperties":false,"type":"object","properties":{}}},"required":["inherit"]},{"additionalProperties":false,"type":"object","properties":{"disabled":{"additionalProperties":false,"type":"object","properties":{}}},"required":["disabled"]},{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"lifecycle":{"additionalProperties":false,"type":"object","properties":{"enabled":{"additionalProperties":false,"type":"object","properties":{"data_retention":{"description":"A non-empty string.","minLength":1,"type":"string"}}}},"required":["enabled"]}},"required":["lifecycle"]},{"additionalProperties":false,"type":"object","properties":{"lifecycle":{"additionalProperties":false,"type":"object","properties":{"disabled":{"additionalProperties":false,"type":"object","properties":{}}},"required":["disabled"]}},"required":["lifecycle"]}]}]},"lifecycle":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"dsl":{"additionalProperties":false,"type":"object","properties":{"data_retention":{"description":"A non-empty string.","minLength":1,"type":"string"}}}},"required":["dsl"]},{"additionalProperties":false,"type":"object","properties":{"ilm":{"additionalProperties":false,"type":"object","properties":{"policy":{"description":"A non-empty string.","minLength":1,"type":"string"}},"required":["policy"]}},"required":["ilm"]},{"additionalProperties":false,"type":"object","properties":{"inherit":{"additionalProperties":false,"type":"object","properties":{}}},"required":["inherit"]}]},"processing":{"additionalProperties":false,"type":"object","properties":{"steps":{"items":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"Grok processor - Extract fields from text using grok patterns","type":"object","properties":{"action":{"enum":["grok"],"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"from":{"description":"Source field to parse with grok patterns","minLength":1,"type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"ignore_missing":{"description":"Skip processing when source field is missing","type":"boolean"},"pattern_definitions":{"additionalProperties":{"type":"string"},"type":"object"},"patterns":{"description":"Grok patterns applied in order to extract fields","items":{"description":"A non-empty string.","minLength":1,"type":"string"},"minItems":1,"type":"array"},"where":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"Conditional expression controlling whether this processor runs"}},"required":["action","from","patterns"]},{"additionalProperties":false,"description":"Dissect processor - Extract fields from text using a lightweight, delimiter-based parser","type":"object","properties":{"action":{"enum":["dissect"],"type":"string"},"append_separator":{"description":"Separator inserted when target fields are concatenated","minLength":1,"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"from":{"description":"Source field to parse with dissect pattern","minLength":1,"type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"ignore_missing":{"description":"Skip processing when source field is missing","type":"boolean"},"pattern":{"description":"Dissect pattern describing field boundaries","minLength":1,"type":"string"},"where":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"Conditional expression controlling whether this processor runs"}},"required":["action","from","pattern"]},{"additionalProperties":false,"description":"Date processor - Parse dates from strings using one or more expected formats","type":"object","properties":{"action":{"enum":["date"],"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"formats":{"description":"Accepted input date formats, tried in order","items":{"description":"A non-empty string.","minLength":1,"type":"string"},"type":"array"},"from":{"description":"Source field containing the date/time text","minLength":1,"type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"locale":{"description":"Optional locale for date parsing","minLength":1,"type":"string"},"output_format":{"description":"Optional output format for storing the parsed date as text","minLength":1,"type":"string"},"timezone":{"description":"Optional timezone for date parsing","minLength":1,"type":"string"},"to":{"description":"Target field for the parsed date (defaults to source)","minLength":1,"type":"string"},"where":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"Conditional expression controlling whether this processor runs"}},"required":["action","from","formats"]},{"additionalProperties":false,"description":"Base processor options plus conditional execution","type":"object","properties":{"action":{"enum":["drop_document"],"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"where":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"Conditional expression controlling whether this processor runs"}},"required":["action"]},{"additionalProperties":false,"description":"Base processor options plus conditional execution","type":"object","properties":{"action":{"enum":["math"],"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"expression":{"description":"A non-empty string.","minLength":1,"type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"ignore_missing":{"type":"boolean"},"to":{"description":"A non-empty string.","minLength":1,"type":"string"},"where":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"Conditional expression controlling whether this processor runs"}},"required":["action","expression","to"]},{"additionalProperties":false,"description":"Rename processor - Change a field name and optionally its location","type":"object","properties":{"action":{"enum":["rename"],"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"from":{"description":"Existing source field to rename or move","minLength":1,"type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"ignore_missing":{"description":"Skip when source field is missing","type":"boolean"},"override":{"description":"Allow overwriting the target field if it already exists","type":"boolean"},"to":{"description":"New field name or destination path","minLength":1,"type":"string"},"where":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"Conditional expression controlling whether this processor runs"}},"required":["action","from","to"]},{"additionalProperties":false,"description":"Set processor - Assign a literal or copied value to a field (mutually exclusive inputs)","type":"object","properties":{"action":{"enum":["set"],"type":"string"},"copy_from":{"description":"Copy value from another field instead of providing a literal","minLength":1,"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"override":{"description":"Allow overwriting an existing target field","type":"boolean"},"to":{"description":"Target field to set or create","minLength":1,"type":"string"},"value":{"description":"Literal value to assign to the target field"},"where":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"Conditional expression controlling whether this processor runs"}},"required":["action","to"]},{"additionalProperties":false,"description":"Append processor - Append one or more values to an existing or new array field","type":"object","properties":{"action":{"enum":["append"],"type":"string"},"allow_duplicates":{"description":"If true, do not deduplicate appended values","type":"boolean"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"to":{"description":"Array field to append values to","minLength":1,"type":"string"},"value":{"description":"Values to append (must be literal, no templates)","items":{},"minItems":1,"type":"array"},"where":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"Conditional expression controlling whether this processor runs"}},"required":["action","to","value"]},{"additionalProperties":false,"description":"Remove by prefix processor - Remove a field and all nested fields matching the prefix","type":"object","properties":{"action":{"enum":["remove_by_prefix"],"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"from":{"description":"Field to remove along with all its nested fields","minLength":1,"type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"}},"required":["action","from"]},{"additionalProperties":false,"description":"Remove processor - Delete one or more fields from the document","type":"object","properties":{"action":{"enum":["remove"],"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"from":{"description":"Field to remove from the document","minLength":1,"type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"ignore_missing":{"description":"Skip processing when source field is missing","type":"boolean"},"where":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"Conditional expression controlling whether this processor runs"}},"required":["action","from"]},{"additionalProperties":false,"description":"Base processor options plus conditional execution","type":"object","properties":{"action":{"enum":["replace"],"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"from":{"description":"A non-empty string.","minLength":1,"type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"ignore_missing":{"type":"boolean"},"pattern":{"description":"A non-empty string or string with whitespace.","minLength":1,"type":"string"},"replacement":{"type":"string"},"to":{"description":"A non-empty string.","minLength":1,"type":"string"},"where":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"Conditional expression controlling whether this processor runs"}},"required":["action","from","pattern","replacement"]},{"additionalProperties":false,"description":"Convert processor - Change the data type of a field value (integer, long, double, boolean, or string)","type":"object","properties":{"action":{"enum":["convert"],"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"from":{"description":"Source field to convert to a different data type","minLength":1,"type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"ignore_missing":{"description":"Skip processing when source field is missing","type":"boolean"},"to":{"description":"Target field for the converted value (defaults to source)","minLength":1,"type":"string"},"type":{"description":"Target data type: integer, long, double, boolean, or string","enum":["integer","long","double","boolean","string"],"type":"string"},"where":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"Conditional expression controlling whether this processor runs"}},"required":["action","from","type"]},{"additionalProperties":false,"description":"Manual ingest pipeline wrapper around native Elasticsearch processors","type":"object","properties":{"action":{"description":"Manual ingest pipeline - executes raw Elasticsearch ingest processors","enum":["manual_ingest_pipeline"],"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"on_failure":{"description":"Fallback processors to run when a processor fails","items":{"additionalProperties":{},"type":"object"},"type":"array"},"processors":{"description":"List of raw Elasticsearch ingest processors to run","items":{"additionalProperties":false,"type":"object","properties":{"append":{},"attachment":{},"bytes":{},"circle":{},"community_id":{},"convert":{},"csv":{},"date":{},"date_index_name":{},"dissect":{},"dot_expander":{},"drop":{},"enrich":{},"fail":{},"fingerprint":{},"foreach":{},"geo_grid":{},"geoip":{},"grok":{},"gsub":{},"html_strip":{},"inference":{},"ip_location":{},"join":{},"json":{},"kv":{},"lowercase":{},"network_direction":{},"pipeline":{},"redact":{},"registered_domain":{},"remove":{},"rename":{},"reroute":{},"script":{},"set":{},"set_security_user":{},"sort":{},"split":{},"terminate":{},"trim":{},"uppercase":{},"uri_parts":{},"urldecode":{},"user_agent":{}},"required":["append","attachment","bytes","circle","community_id","convert","csv","date","date_index_name","dissect","dot_expander","drop","enrich","fail","fingerprint","foreach","ip_location","geo_grid","geoip","grok","gsub","html_strip","inference","join","json","kv","lowercase","network_direction","pipeline","redact","registered_domain","remove","rename","reroute","script","set","set_security_user","sort","split","terminate","trim","uppercase","urldecode","uri_parts","user_agent"]},"type":"array"},"tag":{"description":"Optional ingest processor tag for Elasticsearch","type":"string"},"where":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"Conditional expression controlling whether this processor runs"}},"required":["action","processors"]}]},{"additionalProperties":false,"type":"object","properties":{"condition":{"allOf":[{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"The root condition object. It can be a simple filter or a combination of other conditions."},{"type":"object","properties":{"steps":{"items":{},"type":"array"}},"required":["steps"]}]},"customIdentifier":{"type":"string"}},"required":["condition"]}]},"type":"array"},"updated_at":{"not":{}}},"required":["steps"]},"settings":{"additionalProperties":false,"type":"object","properties":{"index.number_of_replicas":{"additionalProperties":false,"type":"object","properties":{"value":{"type":"number"}},"required":["value"]},"index.number_of_shards":{"additionalProperties":false,"type":"object","properties":{"value":{"type":"number"}},"required":["value"]},"index.refresh_interval":{"additionalProperties":false,"type":"object","properties":{"value":{"anyOf":[{"type":"string"},{"enum":[-1],"type":"number"}]}},"required":["value"]}}}},"required":["lifecycle","processing","settings","failure_store"]},{"type":"object","properties":{"classic":{"additionalProperties":false,"type":"object","properties":{"field_overrides":{"additionalProperties":{"allOf":[{"additionalProperties":{"anyOf":[{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"},{"enum":["null"],"nullable":true},{"not":{}}]},{"items":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"},{"enum":["null"],"nullable":true},{"not":{}}]},"type":"array"},{"items":{},"type":"array"},{}]},"type":"object"},{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"format":{"description":"A non-empty string.","minLength":1,"type":"string"},"type":{"enum":["keyword","match_only_text","long","double","date","boolean","ip","geo_point"],"type":"string"}},"required":["type"]},{"additionalProperties":false,"type":"object","properties":{"type":{"enum":["system"],"type":"string"}},"required":["type"]}]}]},"type":"object"}}}},"required":["classic"]}]}]}},"required":["ingest"]}}}},"responses":{},"summary":"Update ingest stream settings","tags":["streams"],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/streams/{name}/content/export":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/streams/{name}/content/export\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nExports the content associated to a stream.\u003cbr/\u003e\u003cbr/\u003e[Required authorization] Route required privileges: manage_stream.","operationId":"post-streams-name-content-export","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"name","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"description":{"type":"string"},"include":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"objects":{"additionalProperties":false,"type":"object","properties":{"all":{"additionalProperties":false,"type":"object","properties":{}}},"required":["all"]}},"required":["objects"]},{"additionalProperties":false,"type":"object","properties":{"objects":{"additionalProperties":false,"type":"object","properties":{"mappings":{"type":"boolean"},"queries":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},"type":"array"},"routing":{"items":{"allOf":[{},{"type":"object","properties":{"destination":{"type":"string"}},"required":["destination"]}]},"type":"array"}},"required":["mappings","queries","routing"]}},"required":["objects"]}]},"name":{"type":"string"},"version":{"type":"string"}},"required":["name","description","version","include"]}}}},"responses":{},"summary":"Export stream content","tags":["streams"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/streams/{name}/content/import":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/streams/{name}/content/import\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nLinks content objects to a stream.\u003cbr/\u003e\u003cbr/\u003e[Required authorization] Route required privileges: manage_stream.","operationId":"post-streams-name-content-import","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"name","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"multipart/form-data":{"schema":{"additionalProperties":false,"type":"object","properties":{"content":{},"include":{"type":"string"}},"required":["include","content"]}}}},"responses":{},"summary":"Import content into a stream","tags":["streams"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/streams/{name}/queries":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/streams/{name}/queries\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nFetches all queries linked to a stream that are visible to the current user in the current space.\u003cbr/\u003e\u003cbr/\u003e[Required authorization] Route required privileges: read_stream.","operationId":"get-streams-name-queries","parameters":[{"in":"path","name":"name","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{}},{"enum":["null"],"nullable":true},{"not":{}}]}}}},"responses":{},"summary":"Get stream queries","tags":["streams"],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/streams/{name}/queries/_bulk":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/streams/{name}/queries/_bulk\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nBulk update queries of a stream. Can add new queries and delete existing ones.\u003cbr/\u003e\u003cbr/\u003e[Required authorization] Route required privileges: manage_stream.","operationId":"post-streams-name-queries-bulk","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"name","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"operations":{"items":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"index":{"allOf":[{"type":"object","properties":{"id":{"description":"A non-empty string.","minLength":1,"type":"string"},"title":{"description":"A non-empty string.","minLength":1,"type":"string"}},"required":["id","title"]},{"type":"object","properties":{"evidence":{"items":{"type":"string"},"type":"array"},"feature":{"additionalProperties":false,"type":"object","properties":{"filter":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"The root condition object. It can be a simple filter or a combination of other conditions."},"name":{"description":"A non-empty string.","minLength":1,"type":"string"},"type":{"enum":["system"],"type":"string"}},"required":["name","filter","type"]},"kql":{"additionalProperties":false,"type":"object","properties":{"query":{"type":"string"}},"required":["query"]},"severity_score":{"type":"number"}},"required":["kql"]}]}},"required":["index"]},{"additionalProperties":false,"type":"object","properties":{"delete":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]}},"required":["delete"]}]},"type":"array"}},"required":["operations"]}}}},"responses":{},"summary":"Bulk update queries","tags":["streams"],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/streams/{name}/queries/{queryId}":{"delete":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb delete\"\u003edelete\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/streams/{name}/queries/{queryId}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nRemove a query from a stream. Noop if the query is not found on the stream.\u003cbr/\u003e\u003cbr/\u003e[Required authorization] Route required privileges: manage_stream.","operationId":"delete-streams-name-queries-queryid","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"name","required":true,"schema":{"type":"string"}},{"in":"path","name":"queryId","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{}},{"enum":["null"],"nullable":true},{"not":{}}]}}}},"responses":{},"summary":"Remove a query from a stream","tags":["streams"],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana","name":"product_name"}]},"put":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb put\"\u003eput\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/streams/{name}/queries/{queryId}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nAdds a query to a stream. Noop if the query is already present on the stream.\u003cbr/\u003e\u003cbr/\u003e[Required authorization] Route required privileges: manage_stream.","operationId":"put-streams-name-queries-queryid","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"name","required":true,"schema":{"type":"string"}},{"in":"path","name":"queryId","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"evidence":{"items":{"type":"string"},"type":"array"},"feature":{"additionalProperties":false,"type":"object","properties":{"filter":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"The root condition object. It can be a simple filter or a combination of other conditions."},"name":{"description":"A non-empty string.","minLength":1,"type":"string"},"type":{"enum":["system"],"type":"string"}},"required":["name","filter","type"]},"kql":{"additionalProperties":false,"type":"object","properties":{"query":{"type":"string"}},"required":["query"]},"severity_score":{"type":"number"},"title":{"description":"A non-empty string.","minLength":1,"type":"string"}},"required":["title","kql"]}}}},"responses":{},"summary":"Upsert a query to a stream","tags":["streams"],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/streams/{name}/significant_events":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/streams/{name}/significant_events\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nRead the significant events\u003cbr/\u003e\u003cbr/\u003e[Required authorization] Route required privileges: read_stream.","operationId":"get-streams-name-significant-events","parameters":[{"in":"path","name":"name","required":true,"schema":{"type":"string"}},{"in":"query","name":"from","required":true,"schema":{"type":"string"}},{"in":"query","name":"to","required":true,"schema":{"type":"string"}},{"in":"query","name":"bucketSize","required":true,"schema":{"type":"string"}},{"description":"Query string to filter significant events on metadata fields","in":"query","name":"query","required":false,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{}},{"enum":["null"],"nullable":true},{"not":{}}]}}}},"responses":{},"summary":"Read the significant events","tags":["streams"],"x-state":"Technical Preview; added in 9.1.0","x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/streams/{name}/significant_events/_generate":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/streams/{name}/significant_events/_generate\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nGenerate significant events queries based on the stream data\u003cbr/\u003e\u003cbr/\u003e[Required authorization] Route required privileges: read_stream.","operationId":"post-streams-name-significant-events-generate","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"name","required":true,"schema":{"type":"string"}},{"in":"query","name":"connectorId","required":true,"schema":{"type":"string"}},{"in":"query","name":"from","required":true,"schema":{"type":"string"}},{"in":"query","name":"to","required":true,"schema":{"type":"string"}},{"description":"Number of sample documents to use for generation from the current data of stream","in":"query","name":"sampleDocsSize","required":false,"schema":{"type":"number"}}],"requestBody":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"feature":{"allOf":[{"type":"object","properties":{"description":{"type":"string"},"name":{"minLength":1,"type":"string"},"type":{"enum":["system"],"type":"string"}},"required":["type","name","description"]},{"type":"object","properties":{"filter":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"The root condition object. It can be a simple filter or a combination of other conditions."}},"required":["filter"]},{"type":"object","properties":{"type":{"enum":["system"],"type":"string"}},"required":["type"]}]}}}}}},"responses":{},"summary":"Generate significant events","tags":["streams"],"x-state":"Technical Preview; added in 9.2.0","x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/streams/{name}/significant_events/_preview":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/streams/{name}/significant_events/_preview\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nPreview significant event results based on a given query\u003cbr/\u003e\u003cbr/\u003e[Required authorization] Route required privileges: read_stream.","operationId":"post-streams-name-significant-events-preview","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"name","required":true,"schema":{"type":"string"}},{"in":"query","name":"from","required":true,"schema":{"type":"string"}},{"in":"query","name":"to","required":true,"schema":{"type":"string"}},{"in":"query","name":"bucketSize","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"query":{"additionalProperties":false,"type":"object","properties":{"feature":{"additionalProperties":false,"type":"object","properties":{"filter":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},{"additionalProperties":false,"description":"A logical AND that groups multiple conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"The root condition object. It can be a simple filter or a combination of other conditions."},"name":{"type":"string"},"type":{"enum":["system"],"type":"string"}},"required":["name","filter","type"]},"kql":{"additionalProperties":false,"type":"object","properties":{"query":{"type":"string"}},"required":["query"]}},"required":["kql"]}},"required":["query"]}}}},"responses":{},"summary":"Preview significant events","tags":["streams"],"x-state":"Technical Preview; added in 9.1.0","x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/streams/{streamName}/attachments":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/streams/{streamName}/attachments\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nFetches all attachments linked to a stream that are visible to the current user in the current space. Optionally filter by attachment types, search query, and tags.\u003cbr/\u003e\u003cbr/\u003e[Required authorization] Route required privileges: read_stream.","operationId":"get-streams-streamname-attachments","parameters":[{"description":"The name of the stream","in":"path","name":"streamName","required":true,"schema":{"type":"string"}},{"description":"Search query to filter attachments by title","in":"query","name":"query","required":false,"schema":{"type":"string"}},{"description":"Filter by attachment types (single value or array)","in":"query","name":"attachmentTypes","required":false,"schema":{"anyOf":[{"enum":["dashboard","rule","slo"],"type":"string"},{"items":{"enum":["dashboard","rule","slo"],"type":"string"},"type":"array"}]}},{"description":"Filter by tags (single value or array)","in":"query","name":"tags","required":false,"schema":{"anyOf":[{"type":"string"},{"items":{"type":"string"},"type":"array"}]}}],"requestBody":{"content":{"application/json":{"examples":{"listAttachmentsExample":{"value":{}}},"schema":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{}},{"enum":["null"],"nullable":true},{"not":{}}]}}}},"responses":{"200":{"content":{"application/json":{"examples":{"listAttachmentsResponse":{"value":{"attachments":[{"createdAt":"2023-02-23T16:15:47.275Z","description":"Dashboard for monitoring production services","id":"dashboard-123","streamNames":["logs.awsfirehose","logs.nginx"],"tags":["monitoring","production"],"title":"My Dashboard","type":"dashboard","updatedAt":"2023-03-24T14:39:17.636Z"}]}}}}},"description":"Successfully retrieved attachments"}},"summary":"Get stream attachments","tags":["streams"],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/streams/{streamName}/attachments/_bulk":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/streams/{streamName}/attachments/_bulk\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nBulk update attachments linked to a stream. Can link new attachments and delete existing ones. Supports mixed attachment types in a single request.\u003cbr/\u003e\u003cbr/\u003e[Required authorization] Route required privileges: manage_stream.","operationId":"post-streams-streamname-attachments-bulk","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"The name of the stream","in":"path","name":"streamName","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"examples":{"bulkAttachmentsExample":{"value":{"operations":[{"index":{"id":"dashboard-123","type":"dashboard"}},{"delete":{"id":"rule-456","type":"rule"}}]}}},"schema":{"additionalProperties":false,"type":"object","properties":{"operations":{"items":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"index":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"type":{"enum":["dashboard","rule","slo"],"type":"string"}},"required":["id","type"]}},"required":["index"]},{"additionalProperties":false,"type":"object","properties":{"delete":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"type":{"enum":["dashboard","rule","slo"],"type":"string"}},"required":["id","type"]}},"required":["delete"]}]},"type":"array"}},"required":["operations"]}}}},"responses":{"200":{"content":{"application/json":{"examples":{"bulkAttachmentsResponse":{"value":{"acknowledged":true}}}}},"description":"Successfully performed bulk operations"}},"summary":"Bulk update attachments","tags":["streams"],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/streams/{streamName}/attachments/{attachmentType}/{attachmentId}":{"delete":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb delete\"\u003edelete\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/streams/{streamName}/attachments/{attachmentType}/{attachmentId}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nUnlinks an attachment from a stream. Noop if the attachment is not linked to the stream.\u003cbr/\u003e\u003cbr/\u003e[Required authorization] Route required privileges: manage_stream.","operationId":"delete-streams-streamname-attachments-attachmenttype-attachmentid","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"The name of the stream","in":"path","name":"streamName","required":true,"schema":{"type":"string"}},{"description":"The type of the attachment","in":"path","name":"attachmentType","required":true,"schema":{"enum":["dashboard","rule","slo"],"type":"string"}},{"description":"The ID of the attachment","in":"path","name":"attachmentId","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"examples":{"unlinkAttachmentExample":{"value":{}}},"schema":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{}},{"enum":["null"],"nullable":true},{"not":{}}]}}}},"responses":{"200":{"content":{"application/json":{"examples":{"unlinkAttachmentResponse":{"value":{"acknowledged":true}}}}},"description":"Successfully unlinked attachment"}},"summary":"Unlink an attachment from a stream","tags":["streams"],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana","name":"product_name"}]},"put":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb put\"\u003eput\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/streams/{streamName}/attachments/{attachmentType}/{attachmentId}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nLinks an attachment to a stream. Noop if the attachment is already linked to the stream.\u003cbr/\u003e\u003cbr/\u003e[Required authorization] Route required privileges: manage_stream.","operationId":"put-streams-streamname-attachments-attachmenttype-attachmentid","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"The name of the stream","in":"path","name":"streamName","required":true,"schema":{"type":"string"}},{"description":"The type of the attachment","in":"path","name":"attachmentType","required":true,"schema":{"enum":["dashboard","rule","slo"],"type":"string"}},{"description":"The ID of the attachment","in":"path","name":"attachmentId","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"examples":{"linkAttachmentExample":{"value":{}}},"schema":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{}},{"enum":["null"],"nullable":true},{"not":{}}]}}}},"responses":{"200":{"content":{"application/json":{"examples":{"linkAttachmentResponse":{"value":{"acknowledged":true}}}}},"description":"Successfully linked attachment"}},"summary":"Link an attachment to a stream","tags":["streams"],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/synthetics/monitor/test/{monitorId}":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/synthetics/monitor/test/{monitorId}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nTrigger an immediate test execution for the specified monitor. The response includes the generated `testRunId`. If the test encounters issues in one or more service locations, an `errors` array is also returned with details about the failures.\n","operationId":"post-synthetics-monitor-test","parameters":[{"description":"The ID (config_id) of the monitor to test.","in":"path","name":"monitorId","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application/json":{"examples":{"testNowMonitorResponseExample1":{"value":"{\n  \"testRunId\": \"2bd506e5-4f9a-4aa6-a019-7988500afba0\",\n  \"errors\": [\n    {\n      \"locationId\": \"us_central_staging\",\n      \"error\": {\n        \"status\": 401,\n        \"reason\": \"no auth credentials provided\",\n        \"failed_monitors\": null\n      }\n    }\n  ]\n}"}},"schema":{"type":"object","properties":{"errors":{"description":"Array of errors encountered while triggering the test, one per service location.","items":{"type":"object","properties":{"error":{"type":"object","properties":{"failed_monitors":{"description":"Optional list of monitors that failed at the location.","items":{"type":"object"},"nullable":true,"type":"array"},"reason":{"description":"Human-readable explanation of the failure.","type":"string"},"status":{"description":"HTTP status code returned by the agent.","type":"integer"}},"required":["status","reason","failed_monitors"]},"locationId":{"description":"Identifier of the service location where the error occurred.","type":"string"}},"required":["locationId","error"]},"type":"array"},"testRunId":{"description":"Unique identifier for the triggered test run.","type":"string"}},"required":["testRunId"]}}},"description":"Test run triggered successfully."},"404":{"description":"Monitor not found."}},"summary":"Trigger an on-demand test run for a monitor","tags":["synthetics"],"x-state":"Generally available; added in 9.2.0","x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/synthetics/monitors":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/synthetics/monitors\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nGet a list of monitors.\nYou must have `read` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges.\n","operationId":"get-synthetic-monitors","parameters":[{"description":"Additional filtering criteria.","in":"query","name":"filter","schema":{"type":"string"}},{"description":"The locations to filter by.","in":"query","name":"locations","schema":{"oneOf":[{"type":"string"},{"type":"array"}]}},{"description":"The monitor types to filter.","in":"query","name":"monitorTypes","schema":{"oneOf":[{"enum":["browser","http","icmp","tcp"],"type":"string"},{"type":"array"}]}},{"description":"The page number for paginated results.","in":"query","name":"page","schema":{"type":"integer"}},{"description":"The number of items to return per page.","in":"query","name":"per_page","schema":{"type":"integer"}},{"description":"The projects to filter by.","in":"query","name":"projects","schema":{"oneOf":[{"type":"string"},{"type":"array"}]}},{"description":"A free-text query string.","in":"query","name":"query","schema":{"type":"string"}},{"description":"The schedules to filter by.","in":"query","name":"schedules","schema":{"oneOf":[{"type":"array"},{"type":"string"}]}},{"description":"The field to sort the results by.","in":"query","name":"sortField","schema":{"enum":["name","createdAt","updatedAt","status"],"type":"string"}},{"description":"The sort order.","in":"query","name":"sortOrder","schema":{"enum":["asc","desc"],"type":"string"}},{"description":"The status to filter by.","in":"query","name":"status","schema":{"oneOf":[{"type":"array"},{"type":"string"}]}},{"description":"Tags to filter monitors.","in":"query","name":"tags","schema":{"oneOf":[{"type":"string"},{"type":"array"}]}},{"description":"Specifies whether to apply logical AND filtering for specific fields. Accepts either a string with values \"tags\" or \"locations\" or an array containing both.\n","in":"query","name":"useLogicalAndFor","schema":{"oneOf":[{"enum":["tags","locations"],"type":"string"},{"items":{"enum":["tags","locations"],"type":"string"},"type":"array"}]}}],"responses":{"200":{"content":{"application/json":{"examples":{"getSyntheticMonitorsResponseExample1":{"description":"A successful response from `GET /api/synthetics/monitors?tags=prod\u0026monitorTypes=http\u0026locations=us-east-1\u0026projects=project1\u0026status=up`.","value":"{\n    \"page\": 1,\n    \"total\": 24,\n    \"monitors\": [\n        {\n            \"type\": \"icmp\",\n            \"enabled\": false,\n            \"alert\": {\n                \"status\": {\n                    \"enabled\": true\n                },\n                \"tls\": {\n                    \"enabled\": true\n                }\n            },\n            \"schedule\": {\n                \"number\": \"3\",\n                \"unit\": \"m\"\n            },\n            \"config_id\": \"e59142e5-1fe3-4aae-b0b0-19d6345e65a1\",\n            \"timeout\": \"16\",\n            \"name\": \"8.8.8.8:80\",\n            \"locations\": [\n                {\n                    \"id\": \"us_central\",\n                    \"label\": \"North America - US Central\",\n                    \"geo\": {\n                        \"lat\": 41.25,\n                        \"lon\": -95.86\n                    },\n                    \"isServiceManaged\": true\n                }\n            ],\n            \"namespace\": \"default\",\n            \"origin\": \"ui\",\n            \"id\": \"e59142e5-1fe3-4aae-b0b0-19d6345e65a1\",\n            \"max_attempts\": 2,\n            \"wait\": \"7\",\n            \"revision\": 3,\n            \"mode\": \"all\",\n            \"ipv4\": true,\n            \"ipv6\": true,\n            \"created_at\": \"2023-11-07T09:57:04.152Z\",\n            \"updated_at\": \"2023-12-04T19:19:34.039Z\",\n            \"host\": \"8.8.8.8:80\"\n        }\n    ],\n    \"absoluteTotal\": 24,\n    \"perPage\": 10,\n}"}},"schema":{"type":"object"}}},"description":"A successful response."}},"summary":"Get monitors","tags":["synthetics"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/synthetics/monitors\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nCreate a new monitor with the specified attributes. A monitor can be one of the following types: HTTP, TCP, ICMP, or Browser. The required and default fields may vary based on the monitor type.\nYou must have `all` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges.\n","operationId":"post-synthetic-monitors","requestBody":{"content":{"application/json":{"examples":{"postSyntheticMonitorsRequestExample1":{"description":"Create an HTTP monitor to check a website's availability.","summary":"HTTP monitor","value":"{\n  \"type\": \"http\",\n  \"name\": \"Website Availability\",\n  \"url\": \"https://example.com\",\n  \"tags\": [\"website\", \"availability\"],\n  \"locations\": [\"united_kingdom\"]\n}"},"postSyntheticMonitorsRequestExample2":{"description":"Create a TCP monitor to monitor a server's availability.","summary":"TCP monitor","value":"{\n  \"type\": \"tcp\",\n  \"name\": \"Server Availability\",\n  \"host\": \"example.com\",\n  \"private_locations\": [\"my_private_location\"]\n}"},"postSyntheticMonitorsRequestExample3":{"description":"Create an ICMP monitor to perform ping checks.","summary":"ICMP monitor","value":"{\n  \"type\": \"icmp\",\n  \"name\": \"Ping Test\",\n  \"host\": \"example.com\",\n  \"locations\": [\"united_kingdom\"]\n}"},"postSyntheticMonitorsRequestExample4":{"description":"Create a browser monitor to check a website.","summary":"Browser monitor","value":"{\n  \"type\": \"browser\",\n  \"name\": \"Example journey\",\n  \"inline_script\": \"step('Go to https://google.com.co', () =\u003e page.goto('https://www.google.com'))\",\n  \"locations\": [\"united_kingdom\"]\n}"}},"schema":{"description":"The request body should contain the attributes of the monitor you want to create. The required and default fields differ depending on the monitor type.\n","discriminator":{"propertyName":"type"},"oneOf":[{"$ref":"#/components/schemas/Synthetics_browserMonitorFields"},{"$ref":"#/components/schemas/Synthetics_httpMonitorFields"},{"$ref":"#/components/schemas/Synthetics_icmpMonitorFields"},{"$ref":"#/components/schemas/Synthetics_tcpMonitorFields"}]}}},"required":true},"responses":{"200":{"description":"A successful response."}},"summary":"Create a monitor","tags":["synthetics"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/synthetics/monitors/_bulk_delete":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/synthetics/monitors/_bulk_delete\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nDelete multiple monitors by sending a list of config IDs.\n","operationId":"delete-synthetic-monitors","requestBody":{"content":{"application/json":{"examples":{"bulkDeleteRequestExample1":{"description":"Run `POST /api/synthetics/monitors/_bulk_delete` to delete a list of monitors.","value":"{\n  \"ids\": [\n    \"monitor1-id\",\n    \"monitor2-id\"\n  ]\n}"}},"schema":{"type":"object","properties":{"ids":{"description":"An array of monitor IDs to delete.","items":{"type":"string"},"type":"array"}},"required":["ids"]}}},"required":true},"responses":{"200":{"content":{"application/json":{"examples":{"deleteMonitorsResponseExample1":{"description":"A response from successfully deleting multiple monitors.","value":"[\n  {\n    \"id\": \"monitor1-id\",\n    \"deleted\": true\n  },\n  {\n    \"id\": \"monitor2-id\",\n    \"deleted\": true\n  }\n]"}},"schema":{"items":{"description":"The API response includes information about the deleted monitors.","type":"object","properties":{"deleted":{"description":"If it is `true`, the monitor was successfully deleted If it is `false`, the monitor was not deleted.\n","type":"boolean"},"ids":{"description":"The unique identifier of the deleted monitor.","type":"string"}}},"type":"array"}}},"description":"A successful response."}},"summary":"Delete monitors","tags":["synthetics"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/synthetics/monitors/{id}":{"delete":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb delete\"\u003edelete\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/synthetics/monitors/{id}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nDelete a monitor from the Synthetics app.\nYou must have `all` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges.\n","operationId":"delete-synthetic-monitor","parameters":[{"description":"The identifier for the monitor that you want to delete.","in":"path","name":"id","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"OK"}},"summary":"Delete a monitor","tags":["synthetics"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"get":{"operationId":"get-synthetic-monitor","parameters":[{"description":"The ID of the monitor.","in":"path","name":"id","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application/json":{"examples":{"getSyntheticMonitorResponseExample1":{"description":"A successful response from `GET /api/synthetics/monitors/\u003cid\u003e`.","value":"{\n    \"type\": \"http\",\n    \"enabled\": true,\n    \"alert\": {\n        \"status\": {\n            \"enabled\": true\n        },\n        \"tls\": {\n            \"enabled\": true\n        }\n    },\n    \"schedule\": {\n        \"number\": \"3\",\n        \"unit\": \"m\"\n    },\n    \"config_id\": \"a8188705-d01e-4bb6-87a1-64fa5e4b07ec\",\n    \"timeout\": \"16\",\n    \"name\": \"am i something\",\n    \"locations\": [\n        {\n            \"id\": \"us_central\",\n            \"label\": \"North America - US Central\",\n            \"geo\": {\n                \"lat\": 41.25,\n                \"lon\": -95.86\n            },\n            \"isServiceManaged\": true\n        }\n    ],\n    \"namespace\": \"default\",\n    \"origin\": \"ui\",\n    \"id\": \"a8188705-d01e-4bb6-87a1-64fa5e4b07ec\",\n    \"max_attempts\": 2,\n    \"__ui\": {\n        \"is_tls_enabled\": false\n    },\n    \"max_redirects\": \"0\",\n    \"response.include_body\": \"on_error\",\n    \"response.include_headers\": true,\n    \"check.request.method\": \"GET\",\n    \"mode\": \"any\",\n    \"response.include_body_max_bytes\": \"1024\",\n    \"ipv4\": true,\n    \"ipv6\": true,\n    \"ssl.verification_mode\": \"full\",\n    \"ssl.supported_protocols\": [\n        \"TLSv1.1\",\n        \"TLSv1.2\",\n        \"TLSv1.3\"\n    ],\n    \"revision\": 13,\n    \"created_at\": \"2023-11-08T08:45:29.334Z\",\n    \"updated_at\": \"2023-12-18T20:31:44.770Z\",\n    \"url\": \"https://fast.com\"\n}"}},"schema":{"type":"object"}}},"description":"A successful response."},"404":{"description":"If the monitor is not found, the API returns a 404 error."}},"summary":"Get a monitor","tags":["synthetics"],"x-metaTags":[{"content":"Kibana","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/synthetics/monitors/{id}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information."},"put":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb put\"\u003eput\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/synthetics/monitors/{id}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nUpdate a monitor with the specified attributes. The required and default fields may vary based on the monitor type.\nYou must have `all` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges.\nYou can also partially update a monitor. This will only update the fields that are specified in the request body. All other fields are left unchanged. The specified fields should conform to the monitor type. For example, you can't update the `inline_scipt` field of a HTTP monitor.\n","operationId":"put-synthetic-monitor","parameters":[{"description":"The identifier for the monitor that you want to update.","in":"path","name":"id","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"examples":{"putSyntheticMonitorsRequestExample1":{"description":"Update an HTTP monitor that checks a website's availability.","summary":"HTTP monitor","value":"{\n  \"type\": \"http\",\n  \"name\": \"Website Availability\",\n  \"url\": \"https://example.com\",\n  \"tags\": [\"website\", \"availability\"],\n  \"locations\": [\"united_kingdom\"]\n}"},"putSyntheticMonitorsRequestExample2":{"description":"Update a TCP monitor that monitors a server's availability.","summary":"TCP monitor","value":"{\n  \"type\": \"tcp\",\n  \"name\": \"Server Availability\",\n  \"host\": \"example.com\",\n  \"private_locations\": [\"my_private_location\"]\n}"},"putSyntheticMonitorsRequestExample3":{"description":"Update an ICMP monitor that performs ping checks.","summary":"ICMP monitor","value":"{\n  \"type\": \"icmp\",\n  \"name\": \"Ping Test\",\n  \"host\": \"example.com\",\n  \"locations\": [\"united_kingdom\"]\n}"},"putSyntheticMonitorsRequestExample4":{"description":"Update a browser monitor that checks a website.","summary":"Browser monitor","value":"{\n  \"type\": \"browser\",\n  \"name\": \"Example journey\",\n  \"inline_script\": \"step('Go to https://google.com.co', () =\u003e page.goto('https://www.google.com'))\",\n  \"locations\": [\"united_kingdom\"]\n}"}},"schema":{"description":"The request body should contain the attributes of the monitor you want to update. The required and default fields differ depending on the monitor type.\n","discriminator":{"propertyName":"type"},"oneOf":[{"$ref":"#/components/schemas/Synthetics_browserMonitorFields"},{"$ref":"#/components/schemas/Synthetics_httpMonitorFields"},{"$ref":"#/components/schemas/Synthetics_icmpMonitorFields"},{"$ref":"#/components/schemas/Synthetics_tcpMonitorFields"}],"type":"object"}}},"required":true},"responses":{"200":{"description":"OK"}},"summary":"Update a monitor","tags":["synthetics"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/synthetics/params":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/synthetics/params\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nGet a list of all parameters. You must have `read` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges.\n","operationId":"get-parameters","responses":{"200":{"content":{"application/json":{"examples":{"getParametersResponseExample1":{"description":"A successful response for a user with read-only permissions to get a list of parameters.","summary":"Read access","value":"[\n  {\n    \"id\": \"param1-id\",\n    \"key\": \"param1\",\n    \"description\": \"Description for param1\",\n    \"tags\": [\"tag1\", \"tag2\"],\n    \"namespaces\": [\"namespace1\"]\n  },\n  {\n    \"id\": \"param2-id\",\n    \"key\": \"param2\",\n    \"description\": \"Description for param2\",\n    \"tags\": [\"tag3\"],\n    \"namespaces\": [\"namespace2\"]\n  }\n]"},"getParametersResponseExample2":{"description":"A successful response for a user with write permissions to get a list of parameters.","summary":"Write access","value":"[\n  {\n    \"id\": \"param1-id\",\n    \"key\": \"param1\",\n    \"description\": \"Description for param1\",\n    \"tags\": [\"tag1\", \"tag2\"],\n    \"namespaces\": [\"namespace1\"],\n    \"value\": \"value1\"\n  },\n  {\n    \"id\": \"param2-id\",\n    \"key\": \"param2\",\n    \"description\": \"Description for param2\",\n    \"tags\": [\"tag3\"],\n    \"namespaces\": [\"namespace2\"],\n    \"value\": \"value2\"\n  }\n]"}},"schema":{"items":{"$ref":"#/components/schemas/Synthetics_getParameterResponse"},"type":"array"}}},"description":"A successful response."}},"summary":"Get parameters","tags":["synthetics"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/synthetics/params\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nAdd one or more parameters to the Synthetics app.\nYou must have `all` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges.\n","operationId":"post-parameters","requestBody":{"content":{"application/json":{"examples":{"postParametersRequestExample1":{"description":"Add a single parameter.","summary":"Single parameter","value":"{\n  \"key\": \"your-key-name\",\n  \"value\": \"your-parameter-value\",\n  \"description\": \"Param to use in browser monitor\",\n  \"tags\": [\"authentication\", \"security\"],\n  \"share_across_spaces\": true\n}"},"postParametersRequestExample2":{"description":"Add multiple parameters.","summary":"Multiple parameters","value":"[\n  {\n    \"key\": \"param1\",\n    \"value\": \"value1\"\n  },\n  {\n    \"key\": \"param2\",\n    \"value\": \"value2\"\n  }\n]"}},"schema":{"oneOf":[{"items":{"$ref":"#/components/schemas/Synthetics_parameterRequest"},"type":"array"},{"$ref":"#/components/schemas/Synthetics_parameterRequest"}]}}},"description":"The request body can contain either a single parameter object or an array of parameter objects.","required":true},"responses":{"200":{"content":{"application/json":{"examples":{"postParametersResponseExample1":{"description":"A successful response for a single added parameter.","summary":"Single parameter","value":"{\n  \"id\": \"unique-parameter-id\",\n  \"key\": \"your-key-name\",\n  \"value\": \"your-param-value\",\n  \"description\": \"Param to use in browser monitor\",\n  \"tags\": [\"authentication\", \"security\"],\n  \"share_across_spaces\": true\n}"},"postParametersResponseExample2":{"description":"A successful response for multiple added parameters.","summary":"Multiple parameters","value":"[\n  {\n    \"id\": \"param1-id\",\n    \"key\": \"param1\",\n    \"value\": \"value1\"\n  },\n  {\n    \"id\": \"param2-id\",\n    \"key\": \"param2\",\n    \"value\": \"value2\"\n  }\n]"}},"schema":{"oneOf":[{"items":{"$ref":"#/components/schemas/Synthetics_postParameterResponse"},"type":"array"},{"$ref":"#/components/schemas/Synthetics_postParameterResponse"}]}}},"description":"A successful response."}},"summary":"Add parameters","tags":["synthetics"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/synthetics/params/_bulk_delete":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/synthetics/params/_bulk_delete\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nDelete parameters from the Synthetics app.\nYou must have `all` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges.\n","operationId":"delete-parameters","requestBody":{"content":{"application/json":{"examples":{"deleteParametersRequestExample1":{"description":"Run `POST /api/synthetics/params/_bulk_delete` to delete multiple parameters.","value":"{\n  \"ids\": [\"param1-id\", \"param2-id\"]\n}"}},"schema":{"type":"object","properties":{"ids":{"description":"An array of parameter IDs to delete.","items":{"type":"string"},"type":"array"}}}}},"required":true},"responses":{"200":{"content":{"application/json":{"examples":{"deleteParametersResponseExample1":{"value":"[\n  {\n    \"id\": \"param1-id\",\n    \"deleted\": true\n  }\n]"}},"schema":{"items":{"type":"object","properties":{"deleted":{"description":"Indicates whether the parameter was successfully deleted. It is `true` if it was deleted. It is `false` if it was not deleted.\n","type":"boolean"},"id":{"description":"The unique identifier for the deleted parameter.","type":"string"}}},"type":"array"}}},"description":"A successful response."}},"summary":"Delete parameters","tags":["synthetics"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/synthetics/params/{id}":{"delete":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb delete\"\u003edelete\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/synthetics/params/{id}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nDelete a parameter from the Synthetics app.\nYou must have `all` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges.\n","operationId":"delete-parameter","parameters":[{"description":"The ID for the parameter to delete.","in":"path","name":"id","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"OK"}},"summary":"Delete a parameter","tags":["synthetics"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/synthetics/params/{id}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nGet a parameter from the Synthetics app.\nYou must have `read` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges.\n","operationId":"get-parameter","parameters":[{"description":"The unique identifier for the parameter.","in":"path","name":"id","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application/json":{"examples":{"getParameterResponseExample1":{"description":"A successful response for a user with read-only permissions to get a single parameter.","summary":"Read access","value":"{\n  \"id\": \"unique-parameter-id\",\n  \"key\": \"your-api-key\",\n  \"description\": \"Param to use in browser monitor\",\n  \"tags\": [\"authentication\", \"security\"],\n  \"namespaces\": [\"namespace1\", \"namespace2\"]\n}"},"getParameterResponseExample2":{"description":"A successful response for a user with write permissions to get a single parameter.","summary":"Write access","value":"{\n  \"id\": \"unique-parameter-id\",\n  \"key\": \"your-param-key\",\n  \"description\": \"Param to use in browser monitor\",\n  \"tags\": [\"authentication\", \"security\"],\n  \"namespaces\": [\"namespace1\", \"namespace2\"],\n  \"value\": \"your-param-value\"\n}"}},"schema":{"$ref":"#/components/schemas/Synthetics_getParameterResponse"}}},"description":"A successful response."}},"summary":"Get a parameter","tags":["synthetics"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"put":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb put\"\u003eput\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/synthetics/params/{id}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nUpdate a parameter in the Synthetics app.\nYou must have `all` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges.\n","operationId":"put-parameter","parameters":[{"description":"The unique identifier for the parameter.","in":"path","name":"id","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"examples":{"putParameterRequestExample1":{"value":"{\n  \"key\": \"updated_param_key\",\n  \"value\": \"updated-param-value\",\n  \"description\": \"Updated Param to be used in browser monitor\",\n  \"tags\": [\"authentication\", \"security\", \"updated\"]\n}"}},"schema":{"type":"object","properties":{"description":{"description":"The updated description of the parameter.","type":"string"},"key":{"description":"The key of the parameter.","type":"string"},"tags":{"description":"An array of updated tags to categorize the parameter.","items":{"type":"string"},"type":"array"},"value":{"description":"The updated value associated with the parameter.","type":"string"}}}}},"description":"The request body cannot be empty; at least one attribute is required.","required":true},"responses":{"200":{"content":{"application/json":{"examples":{"putParameterResponseExample1":{"value":"{\n  \"id\": \"param_id1\",\n  \"key\": \"updated_param_key\",\n  \"value\": \"updated-param-value\",\n  \"description\": \"Updated Param to be used in browser monitor\",\n  \"tags\": [\"authentication\", \"security\", \"updated\"]\n}"}},"schema":{"type":"object"}}},"description":"A successful response."}},"summary":"Update a parameter","tags":["synthetics"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/synthetics/private_locations":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/synthetics/private_locations\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nGet a list of private locations.\nYou must have `read` privileges for the Synthetics and Uptime feature in the Observability section of the Kibana feature privileges.\n","operationId":"get-private-locations","responses":{"200":{"content":{"application/json":{"examples":{"getPrivateLocationsResponseExample1":{"value":"[\n    {\n        \"label\": \"Test private location\",\n        \"id\": \"fleet-server-policy\",\n        \"agentPolicyId\": \"fleet-server-policy\",\n        \"isInvalid\": false,\n        \"geo\": {\n            \"lat\": 0,\n            \"lon\": 0\n        },\n        \"namespace\": \"default\"\n    },\n    {\n        \"label\": \"Test private location 2\",\n        \"id\": \"691225b0-6ced-11ee-8f5a-376306ee85ae\",\n        \"agentPolicyId\": \"691225b0-6ced-11ee-8f5a-376306ee85ae\",\n        \"isInvalid\": false,\n        \"geo\": {\n            \"lat\": 0,\n            \"lon\": 0\n        },\n        \"namespace\": \"test\"\n    }\n]"}},"schema":{"items":{"$ref":"#/components/schemas/Synthetics_getPrivateLocation"},"type":"array"}}},"description":"A successful response."}},"summary":"Get private locations","tags":["synthetics"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/synthetics/private_locations\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nYou must have `all` privileges for the Synthetics and Uptime feature in the Observability section of the Kibana feature privileges.","operationId":"post-private-location","requestBody":{"content":{"application/json":{"examples":{"postPrivateLocationRequestExample1":{"description":"Run `POST /api/private_locations` to create a private location.","value":"{\n  \"label\": \"Private Location 1\",\n  \"agentPolicyId\": \"abcd1234\",\n  \"tags\": [\"private\", \"testing\"],\n  \"geo\": {\n    \"lat\": 40.7128,\n    \"lon\": -74.0060\n  }\n  \"spaces\": [\"default\"]\n}"}},"schema":{"type":"object","properties":{"agentPolicyId":{"description":"The ID of the agent policy associated with the private location.","type":"string"},"geo":{"description":"Geographic coordinates (WGS84) for the location.","type":"object","properties":{"lat":{"description":"The latitude of the location.","type":"number"},"lon":{"description":"The longitude of the location.","type":"number"}},"required":["lat","lon"]},"label":{"description":"A label for the private location.","type":"string"},"spaces":{"description":"An array of space IDs where the private location is available. If it is not provided, the private location is available in all spaces.\n","items":{"type":"string"},"type":"array"},"tags":{"description":"An array of tags to categorize the private location.","items":{"type":"string"},"type":"array"}},"required":["agentPolicyId","label"]}}},"required":true},"responses":{"200":{"content":{"application/json":{"examples":{"postPrivateLocationResponseExample1":{"value":"{\n  \"id\": \"abcd1234\",\n  \"label\": \"Private Location 1\",\n  \"agentPolicyId\": \"abcd1234\",\n  \"tags\": [\"private\", \"testing\"],\n  \"geo\": {\n    \"lat\": 40.7128,\n    \"lon\": -74.0060\n  }\n}"}},"schema":{"type":"object"}}},"description":"A successful response."},"400":{"description":"If the `agentPolicyId` is already used by an existing private location or if the `label` already exists, the API will return a 400 Bad Request response with a corresponding error message."}},"summary":"Create a private location","tags":["synthetics"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/synthetics/private_locations/{id}":{"delete":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb delete\"\u003edelete\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/synthetics/private_locations/{id}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nYou must have `all` privileges for the Synthetics and Uptime feature in the Observability section of the Kibana feature privileges.\nThe API does not return a response body for deletion, but it will return an appropriate status code upon successful deletion.\nA location cannot be deleted if it has associated monitors in use. You must delete all monitors associated with the location before deleting the location.\n","operationId":"delete-private-location","parameters":[{"description":"The unique identifier of the private location to be deleted.","in":"path","name":"id","required":true,"schema":{"maxLength":1024,"minLength":1,"type":"string"}}],"responses":{"200":{"description":"OK"}},"summary":"Delete a private location","tags":["synthetics"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/synthetics/private_locations/{id}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nYou must have `read` privileges for the Synthetics and Uptime feature in the Observability section of the Kibana feature privileges.\n","operationId":"get-private-location","parameters":[{"description":"A private location identifier or label.","in":"path","name":"id","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application/json":{"examples":{"getPrivateLocationResponseExample1":{"value":"{\n    \"label\": \"Test private location\",\n    \"id\": \"test-private-location-id\",\n    \"agentPolicyId\": \"test-private-location-id\",\n    \"isServiceManaged\": false,\n    \"isInvalid\": false,\n    \"geo\": {\n        \"lat\": 0,\n        \"lon\": 0\n    },\n    \"namespace\": \"default\"\n}"}},"schema":{"$ref":"#/components/schemas/Synthetics_getPrivateLocation"}}},"description":"A successful response."}},"summary":"Get a private location","tags":["synthetics"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"put":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb put\"\u003eput\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/synthetics/private_locations/{id}\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nUpdate an existing private location's label.\nYou must have `all` privileges for the Synthetics and Uptime feature in the Observability section of the Kibana feature privileges.\nWhen a private location's label is updated, all monitors using this location will also be updated to maintain data consistency.\n","operationId":"put-private-location","parameters":[{"description":"The unique identifier of the private location to be updated.","in":"path","name":"id","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"examples":{"putPrivateLocationRequestExample1":{"description":"Update a private location's label.","value":"{\n  \"label\": \"Updated Private Location Name\"\n}"}},"schema":{"type":"object","properties":{"label":{"description":"A new label for the private location. Must be at least 1 character long.","minLength":1,"type":"string"}},"required":["label"]}}},"required":true},"responses":{"200":{"content":{"application/json":{"examples":{"putPrivateLocationResponseExample1":{"value":"{\n  \"label\": \"Updated Private Location Name\",\n  \"id\": \"test-private-location-id\",\n  \"agentPolicyId\": \"test-private-location-id\",\n  \"isServiceManaged\": false,\n  \"isInvalid\": false,\n  \"tags\": [\"private\", \"testing\", \"updated\"],\n  \"geo\": {\n    \"lat\": 37.7749,\n    \"lon\": -122.4194\n  },\n  \"spaces\": [\"*\"]\n}"}},"schema":{"$ref":"#/components/schemas/Synthetics_getPrivateLocation"}}},"description":"A successful response."},"400":{"description":"If the `label` is shorter than 1 character the API will return a 400 Bad Request response with a corresponding error message."},"404":{"description":"If the private location with the specified ID does not exist, the API will return a 404 Not Found response."}},"summary":"Update a private location","tags":["synthetics"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/task_manager/_health":{"get":{"description":"Get the health status of the Kibana task manager.\n","operationId":"task-manager-health","responses":{"200":{"content":{"application/json":{"examples":{"taskManagerHealthResponse1":{"$ref":"#/components/examples/Task_manager_health_APIs_health_200response"}},"schema":{"$ref":"#/components/schemas/Task_manager_health_APIs_health_response"}}},"description":"Indicates a successful call"}},"summary":"Get the task manager health","tags":["task manager"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/timeline":{"delete":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb delete\"\u003edelete\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/timeline\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nDelete one or more Timelines or Timeline templates.","operationId":"DeleteTimelines","requestBody":{"content":{"application/json":{"schema":{"type":"object","properties":{"savedObjectIds":{"description":"The list of IDs of the Timelines or Timeline templates to delete","example":["15c1929b-0af7-42bd-85a8-56e234cc7c4e"],"items":{"type":"string"},"type":"array"},"searchIds":{"description":"Saved search IDs that should be deleted alongside the timelines","example":["23f3-43g34g322-e5g5hrh6h-45454","6ce1b592-84e3-4b4a-9552-f189d4b82075"],"items":{"type":"string"},"type":"array"}},"required":["savedObjectIds"]}}},"description":"The IDs of the Timelines or Timeline templates to delete.","required":true},"responses":{"200":{"description":"Indicates the Timeline was successfully deleted."}},"summary":"Delete Timelines or Timeline templates","tags":["Security Timeline API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/timeline\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nGet the details of an existing saved Timeline or Timeline template.","operationId":"GetTimeline","parameters":[{"description":"The `savedObjectId` of the template timeline to retrieve","in":"query","name":"template_timeline_id","schema":{"type":"string"}},{"description":"The `savedObjectId` of the Timeline to retrieve.","in":"query","name":"id","schema":{"type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Timeline_API_TimelineResponse"}}},"description":"Indicates that the (template) Timeline was found and returned."}},"summary":"Get Timeline or Timeline template details","tags":["Security Timeline API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"patch":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb patch\"\u003epatch\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/timeline\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nUpdate an existing Timeline. You can update the title, description, date range, pinned events, pinned queries, and/or pinned saved queries of an existing Timeline.","operationId":"PatchTimeline","requestBody":{"content":{"application/json":{"schema":{"type":"object","properties":{"timeline":{"$ref":"#/components/schemas/Security_Timeline_API_SavedTimeline","description":"The timeline object of the Timeline or Timeline template that you’re updating."},"timelineId":{"description":"The `savedObjectId` of the Timeline or Timeline template that you’re updating.","example":"15c1929b-0af7-42bd-85a8-56e234cc7c4e","nullable":true,"type":"string"},"version":{"description":"The version of the Timeline or Timeline template that you’re updating.","example":"WzE0LDFd","nullable":true,"type":"string"}},"required":["timelineId","version","timeline"]}}},"description":"The Timeline updates, along with the Timeline ID and version.","required":true},"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Timeline_API_TimelineResponse"}}},"description":"Indicates that the Timeline was successfully updated."},"405":{"content":{"application/json":{"schema":{"type":"object","properties":{"body":{"description":"The error message","example":"update timeline error","type":"string"},"statusCode":{"example":405,"type":"number"}}}}},"description":"Indicates that the user does not have the required access to create a Timeline."}},"summary":"Update a Timeline","tags":["Security Timeline API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/timeline\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nCreate a new Timeline or Timeline template.","operationId":"CreateTimelines","requestBody":{"content":{"application/json":{"schema":{"type":"object","properties":{"status":{"$ref":"#/components/schemas/Security_Timeline_API_TimelineStatus","nullable":true},"templateTimelineId":{"description":"A unique identifier for the Timeline template.","example":"6ce1b592-84e3-4b4a-9552-f189d4b82075","nullable":true,"type":"string"},"templateTimelineVersion":{"description":"Timeline template version number.","example":12,"nullable":true,"type":"number"},"timeline":{"$ref":"#/components/schemas/Security_Timeline_API_SavedTimeline"},"timelineId":{"description":"A unique identifier for the Timeline.","example":"6ce1b592-84e3-4b4a-9552-f189d4b82075","nullable":true,"type":"string"},"timelineType":{"$ref":"#/components/schemas/Security_Timeline_API_TimelineType","nullable":true},"version":{"nullable":true,"type":"string"}},"required":["timeline"]}}},"description":"The required Timeline fields used to create a new Timeline, along with optional fields that will be created if not provided.","required":true},"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Timeline_API_TimelineResponse"}}},"description":"Indicates the Timeline was successfully created."},"405":{"content":{"application/json":{"schema":{"type":"object","properties":{"body":{"description":"The error message","example":"update timeline error","type":"string"},"statusCode":{"example":405,"type":"number"}}}}},"description":"Indicates that there was an error in the Timeline creation."}},"summary":"Create a Timeline or Timeline template","tags":["Security Timeline API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/timeline/_copy":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/timeline/_copy\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nCopies and returns a timeline or timeline template.\n","operationId":"CopyTimeline","requestBody":{"content":{"application/json":{"schema":{"type":"object","properties":{"timeline":{"$ref":"#/components/schemas/Security_Timeline_API_SavedTimeline"},"timelineIdToCopy":{"type":"string"}},"required":["timeline","timelineIdToCopy"]}}},"required":true},"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Timeline_API_TimelineResponse"}}},"description":"Indicates that the timeline has been successfully copied."}},"summary":"Copies timeline or timeline template","tags":["Security Timeline API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/timeline/_draft":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/timeline/_draft\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nGet the details of the draft Timeline  or Timeline template for the current user. If the user doesn't have a draft Timeline, an empty Timeline is returned.","operationId":"GetDraftTimelines","parameters":[{"in":"query","name":"timelineType","required":true,"schema":{"$ref":"#/components/schemas/Security_Timeline_API_TimelineType"}}],"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Timeline_API_TimelineResponse"}}},"description":"Indicates that the draft Timeline was successfully retrieved."},"403":{"content":{"application/json":{"schema":{"type":"object","properties":{"message":{"type":"string"},"status_code":{"type":"number"}}}}},"description":"If a draft Timeline was not found and we attempted to create one, it indicates that the user does not have the required permissions to create a draft Timeline."},"409":{"content":{"application/json":{"schema":{"type":"object","properties":{"message":{"type":"string"},"status_code":{"type":"number"}}}}},"description":"This should never happen, but if a draft Timeline was not found and we attempted to create one, it indicates that there is already a draft Timeline with the given `timelineId`."}},"summary":"Get draft Timeline or Timeline template details","tags":["Security Timeline API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/timeline/_draft\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nCreate a clean draft Timeline or Timeline template for the current user.\n\u003e info\n\u003e If the user already has a draft Timeline, the existing draft Timeline is cleared and returned.\n","operationId":"CleanDraftTimelines","requestBody":{"content":{"application/json":{"schema":{"type":"object","properties":{"timelineType":{"$ref":"#/components/schemas/Security_Timeline_API_TimelineType"}},"required":["timelineType"]}}},"description":"The type of Timeline to create. Valid values are `default` and `template`.","required":true},"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Timeline_API_TimelineResponse"}}},"description":"Indicates that the draft Timeline was successfully created. In the event the user already has a draft Timeline, the existing draft Timeline is cleared and returned."},"403":{"content":{"application/json":{"schema":{"type":"object","properties":{"message":{"type":"string"},"status_code":{"type":"number"}}}}},"description":"Indicates that the user does not have the required permissions to create a draft Timeline."},"409":{"content":{"application/json":{"schema":{"type":"object","properties":{"message":{"type":"string"},"status_code":{"type":"number"}}}}},"description":"Indicates that there is already a draft Timeline with the given `timelineId`."}},"summary":"Create a clean draft Timeline or Timeline template","tags":["Security Timeline API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/timeline/_export":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/timeline/_export\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nExport Timelines as an NDJSON file.","operationId":"ExportTimelines","parameters":[{"description":"The name of the file to export","in":"query","name":"file_name","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"type":"object","properties":{"ids":{"items":{"type":"string"},"nullable":true,"type":"array"}}}}},"description":"The IDs of the Timelines to export.","required":true},"responses":{"200":{"content":{"application/ndjson":{"schema":{"description":"NDJSON of the exported Timelines","type":"string"}}},"description":"Indicates the Timelines were successfully exported."},"400":{"content":{"application/ndjson":{"schema":{"type":"object","properties":{"body":{"type":"string"},"statusCode":{"type":"number"}}}}},"description":"Indicates that the export size limit was exceeded."}},"summary":"Export Timelines","tags":["Security Timeline API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/timeline/_favorite":{"patch":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb patch\"\u003epatch\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/timeline/_favorite\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nFavorite a Timeline or Timeline template for the current user.","operationId":"PersistFavoriteRoute","requestBody":{"content":{"application/json":{"schema":{"type":"object","properties":{"templateTimelineId":{"nullable":true,"type":"string"},"templateTimelineVersion":{"nullable":true,"type":"number"},"timelineId":{"nullable":true,"type":"string"},"timelineType":{"$ref":"#/components/schemas/Security_Timeline_API_TimelineType","nullable":true}},"required":["timelineId","templateTimelineId","templateTimelineVersion","timelineType"]}}},"description":"The required fields used to favorite a (template) Timeline.","required":true},"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Timeline_API_FavoriteTimelineResponse"}}},"description":"Indicates the favorite status was successfully updated."},"403":{"content":{"application/json":{"schema":{"type":"object","properties":{"body":{"type":"string"},"statusCode":{"type":"number"}}}}},"description":"Indicates the user does not have the required permissions to persist the favorite status."}},"summary":"Favorite a Timeline or Timeline template","tags":["Security Timeline API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/timeline/_import":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/timeline/_import\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nImport Timelines.","operationId":"ImportTimelines","requestBody":{"content":{"application/json":{"schema":{"type":"object","properties":{"file":{},"isImmutable":{"description":"Whether the Timeline should be immutable","enum":["true","false"],"type":"string"}},"required":["file"]}}},"description":"The Timelines to import as a readable stream.","required":true},"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Timeline_API_ImportTimelineResult"}}},"description":"Indicates the import of Timelines was successful."},"400":{"content":{"application/json":{"schema":{"type":"object","properties":{"body":{"description":"The error message","example":"Invalid file extension","type":"string"},"statusCode":{"example":400,"type":"number"}}}}},"description":"Indicates the import of Timelines was unsuccessful because of an invalid file extension."},"404":{"content":{"application/json":{"schema":{"type":"object","properties":{"body":{"description":"The error message","example":"Unable to find saved object client","type":"string"},"statusCode":{"example":404,"type":"number"}}}}},"description":"Indicates that we were unable to locate the saved object client necessary to handle the import."},"409":{"content":{"application/json":{"schema":{"type":"object","properties":{"body":{"description":"The error message","example":"Could not import timelines","type":"string"},"statusCode":{"example":409,"type":"number"}}}}},"description":"Indicates the import of Timelines was unsuccessful."}},"summary":"Import Timelines","tags":["Security Timeline API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/timeline/_prepackaged":{"post":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb post\"\u003epost\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/timeline/_prepackaged\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nInstall or update prepackaged Timelines.","operationId":"InstallPrepackedTimelines","requestBody":{"content":{"application/json":{"schema":{"type":"object","properties":{"prepackagedTimelines":{"items":{"$ref":"#/components/schemas/Security_Timeline_API_TimelineSavedToReturnObject","nullable":true},"type":"array"},"timelinesToInstall":{"items":{"$ref":"#/components/schemas/Security_Timeline_API_ImportTimelines","nullable":true},"type":"array"},"timelinesToUpdate":{"items":{"$ref":"#/components/schemas/Security_Timeline_API_ImportTimelines","nullable":true},"type":"array"}},"required":["timelinesToInstall","timelinesToUpdate","prepackagedTimelines"]}}},"description":"The Timelines to install or update.","required":true},"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Timeline_API_ImportTimelineResult"}}},"description":"Indicates the installation of prepackaged Timelines was successful."},"500":{"content":{"application/json":{"schema":{"type":"object","properties":{"body":{"type":"string"},"statusCode":{"type":"number"}}}}},"description":"Indicates the installation of prepackaged Timelines was unsuccessful."}},"summary":"Install prepackaged Timelines","tags":["Security Timeline API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/timeline/resolve":{"get":{"operationId":"ResolveTimeline","parameters":[{"description":"The ID of the template timeline to resolve","in":"query","name":"template_timeline_id","schema":{"type":"string"}},{"description":"The ID of the timeline to resolve","in":"query","name":"id","schema":{"type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Security_Timeline_API_ResolvedTimeline"}}},"description":"The (template) Timeline has been found"},"400":{"description":"The request is missing parameters"},"404":{"description":"The (template) Timeline was not found"}},"summary":"Get an existing saved Timeline or Timeline template","tags":["Security Timeline API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/timeline/resolve\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information."}},"/api/timelines":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/timelines\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nGet a list of all saved Timelines or Timeline templates.","operationId":"GetTimelines","parameters":[{"description":"If true, only timelines that are marked as favorites by the user are returned.","in":"query","name":"only_user_favorite","schema":{"enum":["true","false"],"nullable":true,"type":"string"}},{"in":"query","name":"timeline_type","schema":{"$ref":"#/components/schemas/Security_Timeline_API_TimelineType","nullable":true}},{"in":"query","name":"sort_field","schema":{"$ref":"#/components/schemas/Security_Timeline_API_SortFieldTimeline"}},{"description":"Whether to sort the results `ascending` or `descending`","in":"query","name":"sort_order","schema":{"enum":["asc","desc"],"type":"string"}},{"description":"How many results should returned at once","in":"query","name":"page_size","schema":{"nullable":true,"type":"string"}},{"description":"How many pages should be skipped","in":"query","name":"page_index","schema":{"nullable":true,"type":"string"}},{"description":"Allows to search for timelines by their title","in":"query","name":"search","schema":{"nullable":true,"type":"string"}},{"in":"query","name":"status","schema":{"$ref":"#/components/schemas/Security_Timeline_API_TimelineStatus","nullable":true}}],"responses":{"200":{"content":{"application/json":{"schema":{"type":"object","properties":{"customTemplateTimelineCount":{"description":"The amount of custom Timeline templates in the results","example":2,"type":"number"},"defaultTimelineCount":{"description":"The amount of `default` type Timelines in the results","example":90,"type":"number"},"elasticTemplateTimelineCount":{"description":"The amount of Elastic's Timeline templates in the results","example":8,"type":"number"},"favoriteCount":{"description":"The amount of favorited Timelines","example":5,"type":"number"},"templateTimelineCount":{"description":"The amount of Timeline templates in the results","example":10,"type":"number"},"timeline":{"items":{"$ref":"#/components/schemas/Security_Timeline_API_TimelineResponse"},"type":"array"},"totalCount":{"description":"The total amount of results","example":100,"type":"number"}},"required":["timeline","totalCount"]}}},"description":"Indicates that the (template) Timelines were found and returned."},"400":{"content":{"application/json":{"schema":{"type":"object","properties":{"body":{"description":"The error message","example":"get timeline error","type":"string"},"statusCode":{"example":405,"type":"number"}}}}},"description":"Bad request. The user supplied invalid data."}},"summary":"Get Timelines or Timeline templates","tags":["Security Timeline API"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/upgrade_assistant/status":{"get":{"description":"Check the status of your cluster.","operationId":"get-upgrade-status","responses":{"200":{"content":{"application/json":{"examples":{"getUpgradeStatusResponseExample1":{"value":"{\n  \"readyForUpgrade\": false,\n  \"cluster\": [\n    {\n      \"message\": \"Cluster deprecated issue\",\n      \"details\":\"You have 2 system indices that must be migrated and 5 Elasticsearch deprecation issues and 0 Kibana deprecation issues that must be resolved before upgrading.\"\n    }\n  ]\n}"}}}},"description":"Indicates a successful call."}},"summary":"Get the upgrade readiness status","tags":["upgrade"],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/api/uptime/settings":{"get":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb get\"\u003eget\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/uptime/settings\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nYou must have `read` privileges for the uptime feature in the Observability section of the Kibana feature privileges.\n","operationId":"get-uptime-settings","responses":{"200":{"content":{"application/json":{"examples":{"getUptimeSettingsResponseExample1":{"value":"{\n  \"heartbeatIndices\": \"heartbeat-8*\",\n  \"certExpirationThreshold\": 30,\n  \"certAgeThreshold\": 730,\n  \"defaultConnectors\": [\n      \"08990f40-09c5-11ee-97ae-912b222b13d4\",\n      \"db25f830-2318-11ee-9391-6b0c030836d6\"\n  ],\n  \"defaultEmail\": {\n      \"to\": [],\n      \"cc\": [],\n      \"bcc\": []\n  }\n}"}},"schema":{"type":"object"}}},"description":"Indicates a successful call"}},"summary":"Get uptime settings","tags":["uptime"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"put":{"description":"**Spaces method and path for this operation:**\n\n\u003cdiv\u003e\u003cspan class=\"operation-verb put\"\u003eput\u003c/span\u003e\u0026nbsp;\u003cspan class=\"operation-path\"\u003e/s/{space_id}/api/uptime/settings\u003c/span\u003e\u003c/div\u003e\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nUpdate uptime setting attributes like `heartbeatIndices`, `certExpirationThreshold`, `certAgeThreshold`, `defaultConnectors`, or `defaultEmail`. You must have `all` privileges for the uptime feature in the Observability section of the Kibana feature privileges. A partial update is supported, provided settings keys will be merged with existing settings.\n","operationId":"put-uptime-settings","requestBody":{"content":{"application/json":{"examples":{"putUptimeSettingsRequestExample1":{"description":"Run `PUT api/uptime/settings` to update multiple Uptime settings.","summary":"Update multiple settings","value":"{\n    \"heartbeatIndices\": \"heartbeat-8*\",\n    \"certExpirationThreshold\": 30,\n    \"certAgeThreshold\": 730,\n    \"defaultConnectors\": [\n        \"08990f40-09c5-11ee-97ae-912b222b13d4\",\n        \"db25f830-2318-11ee-9391-6b0c030836d6\"\n    ],\n    \"defaultEmail\": {\n        \"to\": [],\n        \"cc\": [],\n        \"bcc\": []\n    }\n}"},"putUptimeSettingsRequestExample2":{"description":"Run `PUT api/uptime/settings` to update a single Uptime setting.","summary":"Update a setting","value":"{\n    \"heartbeatIndices\": \"heartbeat-8*\",\n}"}},"schema":{"type":"object","properties":{"certAgeThreshold":{"default":730,"description":"The number of days after a certificate is created to trigger an alert.","type":"number"},"certExpirationThreshold":{"default":30,"description":"The number of days before a certificate expires to trigger an alert.","type":"number"},"defaultConnectors":{"default":[],"description":"A list of connector IDs to be used as default connectors for new alerts.","type":"array"},"defaultEmail":{"description":"The default email configuration for new alerts.\n","type":"object","properties":{"bcc":{"default":[],"items":{"type":"string"},"type":"array"},"cc":{"default":[],"items":{"type":"string"},"type":"array"},"to":{"default":[],"items":{"type":"string"},"type":"array"}}},"heartbeatIndices":{"default":"heartbeat-*","description":"An index pattern string to be used within the Uptime app and alerts to query Heartbeat data. \n","type":"string"}}}}}},"responses":{"200":{"content":{"application/json":{"examples":{"putUptimeSettingsResponseExample1":{"description":"A successful response from `PUT api/uptime/settings`.","value":"{\n    \"heartbeatIndices\": \"heartbeat-8*\",\n    \"certExpirationThreshold\": 30,\n    \"certAgeThreshold\": 730,\n    \"defaultConnectors\": [\n        \"08990f40-09c5-11ee-97ae-912b222b13d4\",\n        \"db25f830-2318-11ee-9391-6b0c030836d6\"\n    ],\n    \"defaultEmail\": {\n        \"to\": [],\n        \"cc\": [],\n        \"bcc\": []\n    }\n}"}},"schema":{"type":"object"}}},"description":"Indicates a successful call"}},"summary":"Update uptime settings","tags":["uptime"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/s/{spaceId}/api/observability/slos":{"get":{"description":"You must have the `read` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges.\n","operationId":"findSlosOp","parameters":[{"$ref":"#/components/parameters/SLOs_kbn_xsrf"},{"$ref":"#/components/parameters/SLOs_space_id"},{"description":"A valid kql query to filter the SLO with","example":"slo.name:latency* and slo.tags : \"prod\"","in":"query","name":"kqlQuery","schema":{"type":"string"}},{"description":"The page size to use for cursor-based pagination, must be greater or equal than 1","example":1,"in":"query","name":"size","schema":{"default":1,"type":"integer"}},{"description":"The cursor to use for fetching the results from, when using a cursor-base pagination.","in":"query","name":"searchAfter","schema":{"items":{"type":"string"},"type":"array"}},{"description":"The page to use for pagination, must be greater or equal than 1","example":1,"in":"query","name":"page","schema":{"default":1,"type":"integer"}},{"description":"Number of SLOs returned by page","example":25,"in":"query","name":"perPage","schema":{"default":25,"maximum":5000,"type":"integer"}},{"description":"Sort by field","example":"status","in":"query","name":"sortBy","schema":{"default":"status","enum":["sli_value","status","error_budget_consumed","error_budget_remaining"],"type":"string"}},{"description":"Sort order","example":"asc","in":"query","name":"sortDirection","schema":{"default":"asc","enum":["asc","desc"],"type":"string"}},{"description":"Hide stale SLOs from the list as defined by stale SLO threshold in SLO settings","in":"query","name":"hideStale","schema":{"type":"boolean"}}],"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SLOs_find_slo_response"}}},"description":"Successful request"},"400":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SLOs_400_response"}}},"description":"Bad request"},"401":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SLOs_401_response"}}},"description":"Unauthorized response"},"403":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SLOs_403_response"}}},"description":"Unauthorized response"},"404":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SLOs_404_response"}}},"description":"Not found response"}},"summary":"Get a paginated list of SLOs","tags":["slo"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"post":{"description":"You must have `all` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges.\n","operationId":"createSloOp","parameters":[{"$ref":"#/components/parameters/SLOs_kbn_xsrf"},{"$ref":"#/components/parameters/SLOs_space_id"}],"requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SLOs_create_slo_request"}}},"required":true},"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SLOs_create_slo_response"}}},"description":"Successful request"},"400":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SLOs_400_response"}}},"description":"Bad request"},"401":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SLOs_401_response"}}},"description":"Unauthorized response"},"403":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SLOs_403_response"}}},"description":"Unauthorized response"},"409":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SLOs_409_response"}}},"description":"Conflict - The SLO id already exists"}},"summary":"Create an SLO","tags":["slo"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/s/{spaceId}/api/observability/slos/_bulk_delete":{"post":{"description":"Bulk delete SLO definitions and their associated summary and rollup data.  This endpoint initiates a bulk deletion operation for SLOs, which may take some time to complete.  The status of the operation can be checked using the `GET /api/slo/_bulk_delete/{taskId}` endpoint.\n","operationId":"bulkDeleteOp","parameters":[{"$ref":"#/components/parameters/SLOs_kbn_xsrf"},{"$ref":"#/components/parameters/SLOs_space_id"}],"requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SLOs_bulk_delete_request"}}},"required":true},"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SLOs_bulk_delete_response"}}},"description":"Successful response"},"400":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SLOs_400_response"}}},"description":"Bad request"},"401":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SLOs_401_response"}}},"description":"Unauthorized response"},"403":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SLOs_403_response"}}},"description":"Unauthorized response"}},"summary":"Bulk delete SLO definitions and their associated summary and rollup data.","tags":["slo"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/s/{spaceId}/api/observability/slos/_bulk_delete/{taskId}":{"get":{"description":"Retrieve the status of the bulk deletion operation for SLOs.  This endpoint returns the status of the bulk deletion operation, including whether it is completed and the results of the operation.\n","operationId":"bulkDeleteStatusOp","parameters":[{"$ref":"#/components/parameters/SLOs_kbn_xsrf"},{"$ref":"#/components/parameters/SLOs_space_id"},{"description":"The task id of the bulk delete operation","in":"path","name":"taskId","required":true,"schema":{"example":"8853df00-ae2e-11ed-90af-09bb6422b258","type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SLOs_bulk_delete_status_response"}}},"description":"Successful response"},"400":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SLOs_400_response"}}},"description":"Bad request"},"401":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SLOs_401_response"}}},"description":"Unauthorized response"},"403":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SLOs_403_response"}}},"description":"Unauthorized response"}},"summary":"Retrieve the status of the bulk deletion","tags":["slo"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/s/{spaceId}/api/observability/slos/_bulk_purge_rollup":{"post":{"description":"The deletion occurs for the specified list of `sloId`. You must have `all` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges.\n","operationId":"deleteRollupDataOp","parameters":[{"$ref":"#/components/parameters/SLOs_kbn_xsrf"},{"$ref":"#/components/parameters/SLOs_space_id"}],"requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SLOs_bulk_purge_rollup_request"}}},"required":true},"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SLOs_bulk_purge_rollup_response"}}},"description":"Successful request"},"400":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SLOs_400_response"}}},"description":"Bad request"},"401":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SLOs_401_response"}}},"description":"Unauthorized response"},"403":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SLOs_403_response"}}},"description":"Unauthorized response"}},"summary":"Batch delete rollup and summary data","tags":["slo"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/s/{spaceId}/api/observability/slos/_delete_instances":{"post":{"description":"The deletion occurs for the specified list of `sloId` and `instanceId`. You must have `all` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges.\n","operationId":"deleteSloInstancesOp","parameters":[{"$ref":"#/components/parameters/SLOs_kbn_xsrf"},{"$ref":"#/components/parameters/SLOs_space_id"}],"requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SLOs_delete_slo_instances_request"}}},"required":true},"responses":{"204":{"description":"Successful request"},"400":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SLOs_400_response"}}},"description":"Bad request"},"401":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SLOs_401_response"}}},"description":"Unauthorized response"},"403":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SLOs_403_response"}}},"description":"Unauthorized response"}},"summary":"Batch delete rollup and summary data","tags":["slo"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/s/{spaceId}/api/observability/slos/{sloId}":{"delete":{"description":"You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges.\n","operationId":"deleteSloOp","parameters":[{"$ref":"#/components/parameters/SLOs_kbn_xsrf"},{"$ref":"#/components/parameters/SLOs_space_id"},{"$ref":"#/components/parameters/SLOs_slo_id"}],"responses":{"204":{"description":"Successful request"},"400":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SLOs_400_response"}}},"description":"Bad request"},"401":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SLOs_401_response"}}},"description":"Unauthorized response"},"403":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SLOs_403_response"}}},"description":"Unauthorized response"},"404":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SLOs_404_response"}}},"description":"Not found response"}},"summary":"Delete an SLO","tags":["slo"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"get":{"description":"You must have the `read` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges.\n","operationId":"getSloOp","parameters":[{"$ref":"#/components/parameters/SLOs_kbn_xsrf"},{"$ref":"#/components/parameters/SLOs_space_id"},{"$ref":"#/components/parameters/SLOs_slo_id"},{"description":"the specific instanceId used by the summary calculation","example":"host-abcde","in":"query","name":"instanceId","schema":{"type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SLOs_slo_with_summary_response"}}},"description":"Successful request"},"400":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SLOs_400_response"}}},"description":"Bad request"},"401":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SLOs_401_response"}}},"description":"Unauthorized response"},"403":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SLOs_403_response"}}},"description":"Unauthorized response"},"404":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SLOs_404_response"}}},"description":"Not found response"}},"summary":"Get an SLO","tags":["slo"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]},"put":{"description":"You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges.\n","operationId":"updateSloOp","parameters":[{"$ref":"#/components/parameters/SLOs_kbn_xsrf"},{"$ref":"#/components/parameters/SLOs_space_id"},{"$ref":"#/components/parameters/SLOs_slo_id"}],"requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SLOs_update_slo_request"}}},"required":true},"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SLOs_slo_definition_response"}}},"description":"Successful request"},"400":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SLOs_400_response"}}},"description":"Bad request"},"401":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SLOs_401_response"}}},"description":"Unauthorized response"},"403":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SLOs_403_response"}}},"description":"Unauthorized response"},"404":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SLOs_404_response"}}},"description":"Not found response"}},"summary":"Update an SLO","tags":["slo"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/s/{spaceId}/api/observability/slos/{sloId}/_reset":{"post":{"description":"You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges.\n","operationId":"resetSloOp","parameters":[{"$ref":"#/components/parameters/SLOs_kbn_xsrf"},{"$ref":"#/components/parameters/SLOs_space_id"},{"$ref":"#/components/parameters/SLOs_slo_id"}],"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SLOs_slo_definition_response"}}},"description":"Successful request"},"400":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SLOs_400_response"}}},"description":"Bad request"},"401":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SLOs_401_response"}}},"description":"Unauthorized response"},"403":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SLOs_403_response"}}},"description":"Unauthorized response"},"404":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SLOs_404_response"}}},"description":"Not found response"}},"summary":"Reset an SLO","tags":["slo"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/s/{spaceId}/api/observability/slos/{sloId}/disable":{"post":{"description":"You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges.\n","operationId":"disableSloOp","parameters":[{"$ref":"#/components/parameters/SLOs_kbn_xsrf"},{"$ref":"#/components/parameters/SLOs_space_id"},{"$ref":"#/components/parameters/SLOs_slo_id"}],"responses":{"204":{"description":"Successful request"},"400":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SLOs_400_response"}}},"description":"Bad request"},"401":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SLOs_401_response"}}},"description":"Unauthorized response"},"403":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SLOs_403_response"}}},"description":"Unauthorized response"},"404":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SLOs_404_response"}}},"description":"Not found response"}},"summary":"Disable an SLO","tags":["slo"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/s/{spaceId}/api/observability/slos/{sloId}/enable":{"post":{"description":"You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges.\n","operationId":"enableSloOp","parameters":[{"$ref":"#/components/parameters/SLOs_kbn_xsrf"},{"$ref":"#/components/parameters/SLOs_space_id"},{"$ref":"#/components/parameters/SLOs_slo_id"}],"responses":{"204":{"description":"Successful request"},"400":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SLOs_400_response"}}},"description":"Bad request"},"401":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SLOs_401_response"}}},"description":"Unauthorized response"},"403":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SLOs_403_response"}}},"description":"Unauthorized response"},"404":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SLOs_404_response"}}},"description":"Not found response"}},"summary":"Enable an SLO","tags":["slo"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}},"/s/{spaceId}/internal/observability/slos/_definitions":{"get":{"description":"You must have the `read` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges.\n","operationId":"getDefinitionsOp","parameters":[{"$ref":"#/components/parameters/SLOs_kbn_xsrf"},{"$ref":"#/components/parameters/SLOs_space_id"},{"description":"Indicates if the API returns only outdated SLO or all SLO definitions","in":"query","name":"includeOutdatedOnly","schema":{"type":"boolean"}},{"description":"Indicates if the API returns SLO health data with definitions","example":true,"in":"query","name":"includeHealth","schema":{"type":"boolean"}},{"description":"Filters the SLOs by tag","in":"query","name":"tags","schema":{"type":"string"}},{"description":"Filters the SLOs by name","example":"my service availability","in":"query","name":"search","schema":{"type":"string"}},{"description":"The page to use for pagination, must be greater or equal than 1","example":1,"in":"query","name":"page","schema":{"type":"number"}},{"description":"Number of SLOs returned by page","example":100,"in":"query","name":"perPage","schema":{"default":100,"maximum":1000,"type":"integer"}}],"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SLOs_find_slo_definitions_response"}}},"description":"Successful request"},"400":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SLOs_400_response"}}},"description":"Bad request"},"401":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SLOs_401_response"}}},"description":"Unauthorized response"},"403":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SLOs_403_response"}}},"description":"Unauthorized response"}},"summary":"Get the SLO definitions","tags":["slo"],"x-metaTags":[{"content":"Kibana","name":"product_name"}]}}},"components":{"examples":{"Alerting_get_health_response":{"summary":"Retrieve information about the health of the alerting framework.","value":{"alerting_framework_health":{"decryption_health":{"status":"ok","timestamp":"2023-01-13T01:28:00.280Z"},"execution_health":{"status":"ok","timestamp":"2023-01-13T01:28:00.280Z"},"read_health":{"status":"ok","timestamp":"2023-01-13T01:28:00.280Z"}},"has_permanent_encryption_key":true,"is_sufficiently_secure":true}},"Alerting_get_rule_types_response":{"summary":"Retrieve rule types associated with Kibana machine learning features","value":[{"action_groups":[{"id":"anomaly_score_match","name":"Anomaly score matched the condition"},{"id":"recovered","name":"Recovered"}],"action_variables":{"context":[{"description":"The bucket timestamp of the anomaly","name":"timestamp"},{"description":"The bucket time of the anomaly in ISO8601 format","name":"timestampIso8601"},{"description":"List of job IDs that triggered the alert","name":"jobIds"},{"description":"Alert info message","name":"message"},{"description":"Indicate if top hits contain interim results","name":"isInterim"},{"description":"Anomaly score at the time of the notification action","name":"score"},{"description":"Top records","name":"topRecords"},{"description":"Top influencers","name":"topInfluencers"},{"description":"URL to open in the Anomaly Explorer","name":"anomalyExplorerUrl","useWithTripleBracesInTemplates":true}],"params":[],"state":[]},"alerts":{"context":"ml.anomaly-detection","mappings":{"fieldMap":{"kibana.alert.anomaly_score":{"array":false,"type":"double","required":false},"kibana.alert.anomaly_timestamp":{"array":false,"type":"date","required":false},"kibana.alert.is_interim":{"array":false,"type":"boolean","required":false},"kibana.alert.job_id":{"array":false,"type":"keyword","required":true},"kibana.alert.top_influencers":{"array":true,"dynamic":false,"type":"object","properties":{"influencer_field_name":{"type":"keyword"},"influencer_field_value":{"type":"keyword"},"influencer_score":{"type":"double"},"initial_influencer_score":{"type":"double"},"is_interim":{"type":"boolean"},"job_id":{"type":"keyword"},"timestamp":{"type":"date"}},"required":false},"kibana.alert.top_records":{"array":true,"dynamic":false,"type":"object","properties":{"actual":{"type":"double"},"by_field_name":{"type":"keyword"},"by_field_value":{"type":"keyword"},"detector_index":{"type":"integer"},"field_name":{"type":"keyword"},"function":{"type":"keyword"},"initial_record_score":{"type":"double"},"is_interim":{"type":"boolean"},"job_id":{"type":"keyword"},"over_field_name":{"type":"keyword"},"over_field_value":{"type":"keyword"},"partition_field_name":{"type":"keyword"},"partition_field_value":{"type":"keyword"},"record_score":{"type":"double"},"timestamp":{"type":"date"},"typical":{"type":"double"}},"required":false}}},"shouldWrite":true},"authorized_consumers":{"alerts":{"all":true,"read":true},"apm":{"all":true,"read":true},"discover":{"all":true,"read":true},"infrastructure":{"all":true,"read":true},"logs":{"all":true,"read":true},"ml":{"all":true,"read":true},"monitoring":{"all":true,"read":true},"siem":{"all":true,"read":true},"slo":{"all":true,"read":true},"stackAlerts":{"all":true,"read":true},"uptime":{"all":true,"read":true}},"category":"management","default_action_group_id":"anomaly_score_match","does_set_recovery_context":true,"enabled_in_license":true,"has_alerts_mappings":true,"has_fields_for_a_a_d":true,"id":"xpack.ml.anomaly_detection_alert","is_exportable":true,"minimum_license_required":"platinum","name":"Anomaly detection alert","producer":"ml","recovery_action_group":{"id":"recovered","name":"Recovered"},"rule_task_timeout":"5m"},{"action_groups":[{"id":"anomaly_detection_realtime_issue","name":"Issue detected"},{"id":"recovered","name":"Recovered"}],"action_variables":{"context":[{"description":"Results of the rule execution","name":"results"},{"description":"Alert info message","name":"message"}],"params":[],"state":[]},"authorized_consumers":{"alerts":{"all":true,"read":true},"apm":{"all":true,"read":true},"discover":{"all":true,"read":true},"infrastructure":{"all":true,"read":true},"logs":{"all":true,"read":true},"ml":{"all":true,"read":true},"monitoring":{"all":true,"read":true},"siem":{"all":true,"read":true},"slo":{"all":true,"read":true},"stackAlerts":{"all":true,"read":true},"uptime":{"all":true,"read":true}},"category":"management","default_action_group_id":"anomaly_detection_realtime_issue","does_set_recovery_context":true,"enabled_in_license":true,"has_alerts_mappings":false,"has_fields_for_a_a_d":false,"id":"xpack.ml.anomaly_detection_jobs_health","is_exportable":true,"minimum_license_required":"platinum","name":"Anomaly detection jobs health","producer":"ml","recovery_action_group":{"id":"recovered","name":"Recovered"},"rule_task_timeout":"5m"}]},"APM_UI_agent_configuration_intake_object_delete_request1":{"description":"Run `DELETE /api/apm/settings/agent-configuration` to delete a configuration.","value":"{\n    \"service\" : {\n        \"name\": \"frontend\",\n        \"environment\": \"production\"\n    }\n}\n"},"APM_UI_agent_configuration_intake_object_get_200_response1":{"description":"An example of a successful response from `GET /api/apm/settings/agent-configuration`.","value":"[\n  {\n      \"agent_name\": \"go\",\n      \"service\": {\n      \"name\": \"opbeans-go\",\n      \"environment\": \"production\"\n      },\n      \"settings\": {\n      \"transaction_sample_rate\": \"1\",\n      \"capture_body\": \"off\",\n      \"transaction_max_spans\": \"200\"\n      },\n      \"@timestamp\": 1581934104843,\n      \"applied_by_agent\": false,\n      \"etag\": \"1e58c178efeebae15c25c539da740d21dee422fc\"\n  },\n  {\n      \"agent_name\": \"go\",\n      \"service\": {\n      \"name\": \"opbeans-go\"\n      },\n      \"settings\": {\n      \"transaction_sample_rate\": \"1\",\n      \"capture_body\": \"off\",\n      \"transaction_max_spans\": \"300\"\n      },\n      \"@timestamp\": 1581934111727,\n      \"applied_by_agent\": false,\n      \"etag\": \"3eed916d3db434d9fb7f039daa681c7a04539a64\"\n  },\n  {\n      \"agent_name\": \"nodejs\",\n      \"service\": {\n      \"name\": \"frontend\"\n      },\n      \"settings\": {\n      \"transaction_sample_rate\": \"1\",\n      },\n      \"@timestamp\": 1582031336265,\n      \"applied_by_agent\": false,\n      \"etag\": \"5080ed25785b7b19f32713681e79f46996801a5b\"\n  }\n]\n"},"APM_UI_agent_configuration_intake_object_put_request1":{"description":"Run `PUT /api/apm/settings/agent-configuration` to create or update configuration details.","value":"{\n    \"service\": {\n        \"name\": \"frontend\",\n        \"environment\": \"production\"\n    },\n    \"settings\": {\n        \"transaction_sample_rate\": \"0.4\",\n        \"capture_body\": \"off\",\n        \"transaction_max_spans\": \"500\"\n    },\n    \"agent_name\": \"nodejs\"\n}\n"},"APM_UI_agent_configuration_intake_object_search_200_response1":{"description":"An example of a successful response from `POST /api/apm/settings/agent-configuration/search`.","value":"{\n  \"_index\": \".apm-agent-configuration\",\n  \"_id\": \"CIaqXXABmQCdPphWj8EJ\",\n  \"_score\": 2,\n  \"_source\": {\n    \"agent_name\": \"nodejs\",\n    \"service\": {\n      \"name\": \"frontend\"\n    },\n    \"settings\": {\n      \"transaction_sample_rate\": \"1\",\n    },\n    \"@timestamp\": 1582031336265,\n    \"applied_by_agent\": false,\n    \"etag\": \"5080ed25785b7b19f32713681e79f46996801a5b\"\n  }\n}\n"},"APM_UI_agent_configuration_intake_object_search_request1":{"description":"Run `POST /api/apm/settings/agent-configuration/search` to search configuration details.","value":"{\n    \"etag\": \"1e58c178efeebae15c25c539da740d21dee422fc\",\n    \"service\" : {\n        \"name\": \"frontend\",\n        \"environment\": \"production\"\n    }\n}\n"},"APM_UI_agent_keys_object_post_200_response1":{"description":"An example of a successful response from `POST /api/apm/agent_keys`, which creates an APM agent API key.","value":"{\n  \"agentKey\": {\n    \"id\": \"3DCLmn0B3ZMhLUa7WBG9\",\n    \"name\": \"apm-key\",\n    \"api_key\": \"PjGloCGOTzaZr8ilUPvkjA\",\n    \"encoded\": \"M0RDTG1uMEIzWk1oTFVhN1dCRzk6UGpHbG9DR09UemFacjhpbFVQdmtqQQ==\"\n  }\n}\n"},"APM_UI_agent_keys_object_post_request1":{"description":"Run `POST /api/apm/agent_keys` to create an APM agent API key with the specified privileges.","value":"{\n    \"name\": \"apm-key\",\n    \"privileges\": [\"event:write\", \"config_agent:read\"]\n}\n"},"APM_UI_annotation_object_post_200_response1":{"description":"An example of a successful response from `POST /api/apm/services/opbeans-java/annotation`, which creates an annotation for a service named `opbeans-java`.","value":"{\n  \"_index\": \"observability-annotations\",\n  \"_id\": \"Lc9I93EBh6DbmkeV7nFX\",\n  \"_version\": 1,\n  \"_seq_no\": 12,\n  \"_primary_term\": 1,\n  \"found\": true,\n  \"_source\": {\n    \"message\": \"Deployment 1.2\",\n    \"@timestamp\": \"2020-05-08T10:31:30.452Z\",\n    \"service\": {\n      \"version\": \"1.2\",\n      \"name\": \"opbeans-java\"\n    },\n    \"tags\": [\n      \"apm\",\n      \"elastic.co\",\n      \"customer\"\n    ],\n    \"annotation\": {\n      \"type\": \"deployment\"\n    },\n    \"event\": {\n      \"created\": \"2020-05-09T02:34:43.937Z\"\n    }\n  }\n}\n"},"APM_UI_source_maps_get_200_response1":{"description":"A successful response from `GET /api/apm/sourcemaps`.","value":"{\n  \"artifacts\": [\n    {\n      \"type\": \"sourcemap\",\n      \"identifier\": \"foo-1.0.0\",\n      \"relative_url\": \"/api/fleet/artifacts/foo-1.0.0/644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456\",\n      \"body\": {\n        \"serviceName\": \"foo\",\n        \"serviceVersion\": \"1.0.0\",\n        \"bundleFilepath\": \"/test/e2e/general-usecase/bundle.js\",\n        \"sourceMap\": {\n          \"version\": 3,\n          \"file\": \"static/js/main.chunk.js\",\n          \"sources\": [\n            \"fleet-source-map-client/src/index.css\",\n            \"fleet-source-map-client/src/App.js\",\n            \"webpack:///./src/index.css?bb0a\",\n            \"fleet-source-map-client/src/index.js\",\n            \"fleet-source-map-client/src/reportWebVitals.js\"\n          ],\n          \"sourcesContent\": [\n            \"content\"\n          ],\n          \"mappings\": \"mapping\",\n          \"sourceRoot\": \"\"\n        }\n      },\n      \"created\": \"2021-07-09T20:47:44.812Z\",\n      \"id\": \"apm:foo-1.0.0-644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456\",\n      \"compressionAlgorithm\": \"zlib\",\n      \"decodedSha256\": \"644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456\",\n      \"decodedSize\": 441,\n      \"encodedSha256\": \"024c72749c3e3dd411b103f7040ae62633558608f480bce4b108cf5b2275bd24\",\n      \"encodedSize\": 237,\n      \"encryptionAlgorithm\": \"none\",\n      \"packageName\": \"apm\"\n    }\n  ]\n}\n"},"APM_UI_source_maps_upload_200_response1":{"description":"A successful response from `POST /api/apm/sourcemaps`.","value":{"body":"eJyFkL1OwzAUhd/Fc+MbYMuCEBIbHRjKgBgc96R16tiWr1OQqr47NwqJxEK3q/PzWccXxchnZ7E1A1SjuhjVZtF2yOxiEPlO17oWox3D3uPFeSRTjmJQARfCPeiAgGx8NTKsYdAc1T3rwaSJGcds8Sp3c1HnhfywUZ3QhMTFFGepZxqMC9oex3CS9tpk1XyozgOlmoVKuJX1DqEQZ0su7PGtLU+V/3JPKc3cL7TJ2FNDRPov4bFta3MDM4f7W69lpJjLO9qdK8bzVPhcJz3HUCQ4LbO/p5hCSC4cZPByrp/wFqOklbpefwAhzpqI","compressionAlgorithm":"zlib","created":"2021-07-09T20:47:44.812Z","decodedSha256":"644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456","decodedSize":441,"encodedSha256":"024c72749c3e3dd411b103f7040ae62633558608f480bce4b108cf5b2275bd24","encodedSize":237,"encryptionAlgorithm":"none","id":"apm:foo-1.0.0-644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456","identifier":"foo-1.0.0","packageName":"apm","relative_url":"/api/fleet/artifacts/foo-1.0.0/644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456","type":"sourcemap"}},"Cases_add_comment_request":{"summary":"Adds a comment to a case.","value":{"comment":"A new comment.","owner":"cases","type":"user"}},"Cases_add_comment_response":{"summary":"The add comment to case API returns a JSON object that contains details about the case and its comments.","value":{"assignees":[],"category":null,"closed_at":null,"closed_by":null,"comments":[{"comment":"A new comment.","created_at":"2022-10-02T00:49:47.716Z","created_by":{"email":null,"full_name":null,"username":"elastic"},"id":"8af6ac20-74f6-11ea-b83a-553aecdb28b6","owner":"cases","type":"user","version":"WzIwNDMxLDFd"}],"connector":{"fields":null,"id":"none","name":"none","type":".none"},"created_at":"2022-03-24T00:37:03.906Z","created_by":{"email":null,"full_name":null,"profile_uid":"u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0","username":"elastic"},"customFields":[{"key":"d312efda-ec2b-42ec-9e2c-84981795c581","type":"text","value":"Field value"},{"key":"fcc6840d-eb14-42df-8aaf-232201a705ec","type":"toggle","value":true}],"description":"A case description.","duration":null,"external_service":null,"id":"293f1bc0-74f6-11ea-b83a-553aecdb28b6","owner":"cases","settings":{"syncAlerts":false},"severity":"low","status":"open","tags":["tag 1"],"title":"Case title 1","totalAlerts":0,"totalComment":1,"updated_at":"2022-06-03T00:49:47.716Z","updated_by":{"email":null,"full_name":null,"profile_uid":"u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0","username":"elastic"},"version":"WzIzMzgsMV0="}},"Cases_create_case_request":{"summary":"Create a security case that uses a Jira connector.","value":{"connector":{"fields":{"issueType":"10006","parent":null,"priority":"High"},"id":"131d4448-abe0-4789-939d-8ef60680b498","name":"My connector","type":".jira"},"customFields":[{"key":"d312efda-ec2b-42ec-9e2c-84981795c581","type":"text","value":"My field value"}],"description":"A case description.","owner":"cases","settings":{"syncAlerts":true},"tags":["tag-1"],"title":"Case title 1"}},"Cases_create_case_response":{"summary":"The create case API returns a JSON object that contains details about the case.","value":{"assignees":[],"closed_at":null,"closed_by":null,"comments":[],"connector":{"fields":{"issueType":"10006","parent":null,"priority":"High"},"id":"131d4448-abe0-4789-939d-8ef60680b498","name":"My connector","type":".jira"},"created_at":"2022-10-13T15:33:50.604Z","created_by":{"email":null,"full_name":null,"profile_uid":"u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0","username":"elastic"},"customFields":[{"key":"d312efda-ec2b-42ec-9e2c-84981795c581","type":"text","value":"My field value"},{"key":"fcc6840d-eb14-42df-8aaf-232201a705ec","type":"toggle","value":null}],"description":"A case description.","duration":null,"external_service":null,"id":"66b9aa00-94fa-11ea-9f74-e7e108796192","owner":"cases","settings":{"syncAlerts":true},"severity":"low","status":"open","tags":["tag 1"],"title":"Case title 1","totalAlerts":0,"totalComment":0,"updated_at":null,"updated_by":null,"version":"WzUzMiwxXQ=="}},"Cases_find_case_activity_response":{"summary":"Retrieves all activity for a case","value":{"page":1,"perPage":20,"total":3,"userActions":[{"action":"create","comment_id":null,"created_at":"2023-10-20T01:17:22.150Z","created_by":{"email":null,"full_name":null,"profile_uid":"u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0","username":"elastic"},"id":"b4cd0770-07c9-11ed-a5fd-47154cb8767e","owner":"cases","payload":{"assignees":[],"category":null,"connector":{"fields":null,"id":"none","name":"none","type":".none"},"customFields":[{"key":"d312efda-ec2b-42ec-9e2c-84981795c581","type":"text","value":"My field value"},{"key":"fcc6840d-eb14-42df-8aaf-232201a705ec","type":"toggle","value":null}],"description":"A case description.","owner":"cases","settings":{"syncAlerts":false},"severity":"low","status":"open","tags":["tag 1"],"title":"Case title 1"},"type":"create_case","version":"WzM1ODg4LDFd"},{"action":"create","comment_id":"578608d0-03b1-11ed-920c-974bfa104448","created_at":"2023-10-14T20:12:53.354Z","created_by":{"email":null,"full_name":null,"profile_uid":"u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0","username":"elastic"},"id":"57af14a0-03b1-11ed-920c-974bfa104448","owner":"cases","payload":{"comment":{"comment":"A new comment","owner":"cases","type":"user"}},"type":"comment","version":"WzM1ODg4LDFa"},{"action":"add","comment_id":null,"created_at":"2023-10-20T01:10:28.238Z","created_by":{"email":null,"full_name":null,"profile_uid":"u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0","username":"elastic"},"id":"573c6980-6123-11ed-aa41-81a0a61fe447","owner":"cases","payload":{"assignees":[{"uid":"u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"}]},"type":"assignees","version":"WzM1ODg4LDFb"}]}},"Cases_find_case_response":{"summary":"Retrieve the first five cases with the `tag-1` tag, in ascending order by last update time.","value":{"cases":[{"assignees":[],"category":null,"closed_at":null,"closed_by":null,"comments":[],"connector":{"fields":null,"id":"none","name":"none","type":".none"},"created_at":"2023-10-12T00:16:36.371Z","created_by":{"email":null,"full_name":null,"profile_uid":"u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0","username":"elastic"},"customFields":[{"key":"d312efda-ec2b-42ec-9e2c-84981795c581","type":"text","value":"My field value"},{"key":"fcc6840d-eb14-42df-8aaf-232201a705ec","type":"toggle","value":null}],"description":"Case description","duration":null,"external_service":null,"id":"abed3a70-71bd-11ea-a0b2-c51ea50a58e2","owner":"cases","settings":{"syncAlerts":true},"severity":"low","status":"open","tags":["tag-1"],"title":"Case title","totalAlerts":0,"totalComment":1,"updated_at":"2023-10-12T00:27:58.162Z","updated_by":{"email":null,"full_name":null,"profile_uid":"u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0","username":"elastic"},"version":"WzExMCwxXQ=="}],"count_closed_cases":0,"count_in_progress_cases":0,"count_open_cases":1,"page":1,"per_page":5,"total":1}},"Cases_find_connector_response":{"summary":"Retrieve information about the connectors and their settings.","value":[{"actionTypeId":".jira","config":{"apiUrl":"https://elastic.atlassian.net/","projectKey":"ES"},"id":"61787f53-4eee-4741-8df6-8fe84fa616f7","isDeprecated":false,"isMissingSecrets":false,"isPreconfigured":false,"name":"my-Jira","referencedByCount":0}]},"Cases_get_case_alerts_response":{"summary":"Retrieves all alerts attached to a case","value":[{"attached_at":"2022-07-25T20:09:40.963Z","id":"f6a7d0c3-d52d-432c-b2e6-447cd7fce04d","index":".alerts-observability.logs.alerts-default"}]},"Cases_get_case_configuration_response":{"summary":"Get the case configuration.","value":[{"closure_type":"close-by-user","connector":{"fields":null,"id":"none","name":"none","type":".none"},"created_at":"2024-07-01T17:07:17.767Z","created_by":{"email":null,"full_name":null,"username":"elastic"},"customFields":[{"defaultValue":"Custom text field value.","key":"d312efda-ec2b-42ec-9e2c-84981795c581","label":"my-text-field","type":"text","required":false}],"error":null,"id":"856ee650-6c82-11ee-a20a-6164169afa58","mappings":[],"owner":"cases","templates":[{"caseFields":{"assignees":[{"uid":"u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"}],"category":"Default-category","connector":{"fields":null,"id":"none","name":"none","type":".none"},"customFields":[{"key":"d312efda-ec2b-42ec-9e2c-84981795c581","type":"text","value":"Default text field value."}],"description":"A default description for cases.","settings":{"syncAlerts":false},"tags":["Default case tag"],"title":"Default case title"},"description":"A description of the template.","key":"505932fe-ee3a-4960-a661-c781b5acdb05","name":"template-1","tags":["Template tag 1"]}],"updated_at":null,"updated_by":null,"version":"WzEyLDNd"}]},"Cases_get_case_observability_response":{"summary":"Retrieves information about an Observability case including its alerts and comments.","value":{"assignees":[{"uid":"u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"}],"category":null,"closed_at":null,"closed_by":null,"comments":[{"alertId":["a6e12ac4-7bce-457b-84f6-d7ce8deb8446"],"created_at":"2023-11-06T19:29:38.424Z","created_by":{"email":null,"full_name":null,"profile_uid":"u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0","username":"elastic"},"id":"59d438d0-79a9-4864-8d4b-e63adacebf6e","index":[".internal.alerts-observability.logs.alerts-default-000001"],"owner":"observability","pushed_at":null,"pushed_by":null,"rule":{"id":"03e4eb87-62ca-4e5d-9570-3d7625e9669d","name":"Observability rule"},"type":"alert","updated_at":null,"updated_by":null,"version":"WzY3LDJd"},{"comment":"The first comment.","created_at":"2023-11-06T19:29:57.812Z","created_by":{"email":null,"full_name":null,"profile_uid":"u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0","username":"elastic"},"id":"d99342d3-3aa3-4b80-90ec-a702607604f5","owner":"observability","pushed_at":null,"pushed_by":null,"type":"user","updated_at":null,"updated_by":null,"version":"WzcyLDJd"}],"connector":{"fields":null,"id":"none","name":"none","type":".none"},"created_at":"2023-11-06T19:29:04.086Z","created_by":{"email":null,"full_name":null,"username":"elastic"},"customFields":[],"description":"An Observability case description.","duration":null,"external_service":null,"id":"c3ff7550-def1-4e90-b6bc-c9969a4a09b1","owner":"observability","settings":{"syncAlerts":false},"severity":"low","status":"in-progress","tags":["observability","tag 1"],"title":"Observability case title 1","totalAlerts":1,"totalComment":1,"updated_at":"2023-11-06T19:47:55.662Z","updated_by":{"email":null,"full_name":null,"profile_uid":"u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0","username":"elastic"},"version":"WzI0NywyXQ=="}},"Cases_get_case_response":{"summary":"Retrieves information about a case including its comments.","value":{"assignees":[{"uid":"u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"}],"category":null,"closed_at":null,"closed_by":null,"comments":[{"comment":"A new comment","created_at":"2023-10-13T15:40:32.335Z","created_by":{"email":null,"full_name":null,"profile_uid":"u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0","username":"elastic"},"id":"2134c1d0-02c2-11ed-85f2-4f7c222ca2fa","owner":"cases","pushed_at":null,"pushed_by":null,"type":"user","updated_at":null,"updated_by":null,"version":"WzM3LDFd"}],"connector":{"fields":null,"id":"none","name":"none","type":".none"},"created_at":"2023-10-13T15:33:50.604Z","created_by":{"email":null,"full_name":null,"profile_uid":"u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0","username":"elastic"},"customFields":[{"key":"d312efda-ec2b-42ec-9e2c-84981795c581","type":"text","value":"My field value"},{"key":"fcc6840d-eb14-42df-8aaf-232201a705ec","type":"toggle","value":null}],"description":"A case description","duration":null,"external_service":null,"id":"31cdada0-02c1-11ed-85f2-4f7c222ca2fa","owner":"cases","settings":{"syncAlerts":true},"severity":"low","status":"open","tags":["tag 1"],"title":"Case title 1","totalAlerts":0,"totalComment":1,"updated_at":"2023-10-13T15:40:32.335Z","updated_by":{"email":null,"full_name":null,"profile_uid":"u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0","username":"elastic"},"version":"WzM2LDFd"}},"Cases_get_comment_response":{"summary":"A single user comment retrieved from a case","value":{"comment":"A new comment","created_at":"2023-10-07T19:32:13.104Z","created_by":{"email":null,"full_name":null,"profile_uid":"u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0","username":"elastic"},"id":"8048b460-fe2b-11ec-b15d-779a7c8bbcc3","owner":"cases","pushed_at":null,"pushed_by":null,"type":"user","updated_at":null,"updated_by":null,"version":"WzIzLDFd"}},"Cases_get_reporters_response":{"summary":"A list of two users that opened cases","value":[{"email":null,"full_name":null,"profile_uid":"u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0","username":"elastic"},{"email":"jdoe@example.com","full_name":"Jane Doe","profile_uid":"u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0","username":"jdoe"}]},"Cases_get_tags_response":{"summary":"A list of tags that are used in cases","value":["observability","security","tag 1","tag 2"]},"Cases_push_case_response":{"summary":"The push case API returns a JSON object with details about the case and the external service.","value":{"closed_at":null,"closed_by":null,"comments":[],"connector":{"fields":{"issueType":"10006","parent":null,"priority":"Low"},"id":"09f8c0b0-0eda-11ed-bd18-65557fe66949","name":"My connector","type":".jira"},"created_at":"2022-07-29T00:59:39.444Z","created_by":{"email":null,"full_name":null,"username":"elastic"},"description":"A case description.","duration":null,"external_service":{"connector_id":"09f8c0b0-0eda-11ed-bd18-65557fe66949","connector_name":"My connector","external_id":"71926","external_title":"ES-554","external_url":"https://cases.jira.com","pushed_at":"2022-07-29T01:20:58.436Z","pushed_by":{"email":null,"full_name":null,"username":"elastic"}},"id":"b917f300-0ed9-11ed-bd18-65557fe66949","owner":"cases","settings":{"syncAlerts":true},"severity":"low","status":"open","tags":["tag 1"],"title":"Case title 1","totalAlerts":0,"totalComment":0,"updated_at":"2022-07-29T01:20:58.436Z","updated_by":{"email":null,"full_name":null,"username":"elastic"},"version":"WzE3NjgsM10="}},"Cases_set_case_configuration_request":{"summary":"Set the closure type, custom fields, and default connector for Stack Management cases.","value":{"closure_type":"close-by-user","connector":{"fields":null,"id":"5e656730-e1ca-11ec-be9b-9b1838238ee6","name":"my-jira-connector","type":".jira"},"customFields":[{"defaultValue":"My custom field default value.","key":"d312efda-ec2b-42ec-9e2c-84981795c581","label":"my-text-field","type":"text","required":false}],"owner":"cases","templates":[{"caseFields":{"assignees":[{"uid":"u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"}],"category":"Default-category","customFields":[{"key":"d312efda-ec2b-42ec-9e2c-84981795c581","type":"text","value":"A text field value for the template."}],"description":"A default description for cases.","tags":["Default case tag"],"title":"Default case title"},"description":"A description of the template.","key":"505932fe-ee3a-4960-a661-c781b5acdb05","name":"template-1","tags":["Template tag 1"]}]}},"Cases_set_case_configuration_response":{"summary":"This is an example response for case settings.","value":{"closure_type":"close-by-user","connector":{"fields":null,"id":"5e656730-e1ca-11ec-be9b-9b1838238ee6","name":"my-jira-connector","type":".jira"},"created_at":"2024-07-01T17:07:17.767Z","created_by":{"email":"null,","full_name":null,"profile_uid":"u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0","username":"elastic"},"customFields":[{"defaultValue":"My custom field default value.","key":"d312efda-ec2b-42ec-9e2c-84981795c581","label":"my-text-field","type":"text","required":false}],"error":null,"id":"4a97a440-e1cd-11ec-be9b-9b1838238ee6","mappings":[{"action_type":"overwrite","source":"title","target":"summary"},{"action_type":"overwrite","source":"description","target":"description"},{"action_type":"append","source":"comments","target":"comments"},{"action_type":"overwrite","source":"tags","target":"labels"}],"owner":"cases","templates":[{"caseFields":{"assignees":[{"uid":"u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"}],"category":"Default-category","customFields":[{"key":"d312efda-ec2b-42ec-9e2c-84981795c581","type":"text","value":"A text field value for the template."}],"description":"A default description for cases.","tags":["Default case tag"],"title":"Default case title"},"description":"A description of the template.","key":"505932fe-ee3a-4960-a661-c781b5acdb05","name":"template-1","tags":["Template tag 1"]}],"updated_at":null,"updated_by":null,"version":"WzIwNzMsMV0="}},"Cases_update_case_configuration_request":{"summary":"Update the case settings.","value":{"closure_type":"close-by-user","connector":{"fields":null,"id":"5e656730-e1ca-11ec-be9b-9b1838238ee6","name":"my-jira-connector","type":".jira"},"customFields":[{"defaultValue":"A new default value.","key":"d312efda-ec2b-42ec-9e2c-84981795c581","label":"my-text-field","type":"text","required":true},{"key":"fcc6840d-eb14-42df-8aaf-232201a705ec","label":"my-toggle","type":"toggle","required":false}],"version":"WzExOSw0XQ=="}},"Cases_update_case_configuration_response":{"summary":"This is an example response when the case configuration was updated.","value":{"closure_type":"close-by-user","connector":{"fields":null,"id":"5e656730-e1ca-11ec-be9b-9b1838238ee6","name":"my-jira-connector","type":".jira"},"created_at":"2024-07-01T17:07:17.767Z","created_by":{"email":null,"full_name":null,"profile_uid":"u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0","username":"elastic"},"customFields":[{"defaultValue":"A new default value.","key":"d312efda-ec2b-42ec-9e2c-84981795c581","label":"my-text-field","type":"text","required":true},{"key":"fcc6840d-eb14-42df-8aaf-232201a705ec","label":"my-toggle","type":"toggle","required":false}],"error":null,"id":"4a97a440-e1cd-11ec-be9b-9b1838238ee6","mappings":[{"action_type":"overwrite","source":"title","target":"summary"},{"action_type":"overwrite","source":"description","target":"description"},{"action_type":"overwrite","source":"tags","target":"labels"},{"action_type":"append","source":"comments","target":"comments"}],"owner":"cases","templates":[],"updated_at":"2024-07-19T00:52:42.401Z","updated_by":{"email":null,"full_name":null,"profile_uid":"u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0","username":"elastic"},"version":"WzI2LDNd"}},"Cases_update_case_request":{"summary":"Update the case description, tags, and connector.","value":{"cases":[{"connector":{"fields":{"issueType":"10006","parent":null,"priority":null},"id":"131d4448-abe0-4789-939d-8ef60680b498","name":"My connector","type":".jira"},"customFields":[{"key":"fcc6840d-eb14-42df-8aaf-232201a705ec","type":"toggle","value":false},{"key":"d312efda-ec2b-42ec-9e2c-84981795c581","type":"text","value":"My new field value"}],"description":"A case description.","id":"a18b38a0-71b0-11ea-a0b2-c51ea50a58e2","settings":{"syncAlerts":true},"tags":["tag-1"],"version":"WzIzLDFd"}]}},"Cases_update_case_response":{"summary":"This is an example response when the case description, tags, and connector were updated.","value":[{"assignees":[],"category":null,"closed_at":null,"closed_by":null,"comments":[],"connector":{"fields":{"issueType":"10006","parent":null,"priority":null},"id":"131d4448-abe0-4789-939d-8ef60680b498","name":"My connector","type":".jira"},"created_at":"2023-10-13T09:16:17.416Z","created_by":{"email":null,"full_name":null,"profile_uid":"u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0","username":"elastic"},"customFields":[{"key":"d312efda-ec2b-42ec-9e2c-84981795c581","type":"text","value":"My new field value"},{"key":"fcc6840d-eb14-42df-8aaf-232201a705ec","type":"toggle","value":false}],"description":"A case description.","duration":null,"external_service":{"connector_id":"05da469f-1fde-4058-99a3-91e4807e2de8","connector_name":"Jira","external_id":"10003","external_title":"IS-4","external_url":"https://hms.atlassian.net/browse/IS-4","pushed_at":"2023-10-13T09:20:40.672Z","pushed_by":{"email":null,"full_name":null,"username":"elastic"}},"id":"66b9aa00-94fa-11ea-9f74-e7e108796192","owner":"cases","settings":{"syncAlerts":true},"severity":"low","status":"open","tags":["tag-1"],"title":"Case title 1","totalAlerts":0,"totalComment":0,"updated_at":"2023-10-13T09:48:33.043Z","updated_by":{"email":null,"full_name":null,"profile_uid":"u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0","username":"elastic"},"version":"WzU0OCwxXQ=="}]},"Cases_update_comment_request":{"summary":"Updates a comment of a case.","value":{"comment":"An updated comment.","id":"8af6ac20-74f6-11ea-b83a-553aecdb28b6","owner":"cases","type":"user","version":"Wzk1LDFd"}},"Cases_update_comment_response":{"summary":"The add comment to case API returns a JSON object that contains details about the case and its comments.","value":{"assignees":[],"category":null,"closed_at":null,"closed_by":null,"comments":[{"comment":"An updated comment.","created_at":"2023-10-24T00:37:10.832Z","created_by":{"email":null,"full_name":null,"profile_uid":"u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0","username":"elastic"},"id":"8af6ac20-74f6-11ea-b83a-553aecdb28b6","owner":"cases","pushed_at":null,"pushed_by":null,"type":"user","updated_at":"2023-10-24T01:27:06.210Z","updated_by":{"email":null,"full_name":null,"profile_uid":"u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0","username":"elastic"},"version":"WzIwNjM3LDFd"}],"connector":{"fields":null,"id":"none","name":"none","type":".none"},"created_at":"2023-10-24T00:37:03.906Z","created_by":{"email":null,"full_name":null,"profile_uid":"u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0","username":"elastic"},"customFields":[{"key":"d312efda-ec2b-42ec-9e2c-84981795c581","type":"text","value":"My new field value"},{"key":"fcc6840d-eb14-42df-8aaf-232201a705ec","type":"toggle","value":false}],"description":"A case description.","duration":null,"external_service":null,"id":"293f1bc0-74f6-11ea-b83a-553aecdb28b6","owner":"cases","settings":{"syncAlerts":false},"severity":"low","status":"open","tags":["tag 1"],"title":"Case title 1","totalAlerts":0,"totalComment":1,"updated_at":"2023-10-24T01:27:06.210Z","updated_by":{"email":null,"full_name":null,"profile_uid":"u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0","username":"elastic"},"version":"WzIwNjM2LDFd"}},"Data_views_create_data_view_request":{"summary":"Create a data view with runtime fields.","value":{"data_view":{"name":"My Logstash data view","runtimeFieldMap":{"runtime_shape_name":{"script":{"source":"emit(doc['shape_name'].value)"},"type":"keyword"}},"title":"logstash-*"}}},"Data_views_create_runtime_field_request":{"summary":"Create a runtime field.","value":{"name":"runtimeFoo","runtimeField":{"script":{"source":"emit(doc[\"foo\"].value)"},"type":"long"}}},"Data_views_get_data_view_response":{"summary":"The get data view API returns a JSON object that contains information about the data view.","value":{"data_view":{"allowNoIndex":false,"fieldAttrs":{"products.manufacturer":{"count":1},"products.price":{"count":1},"products.product_name":{"count":1},"total_quantity":{"count":1}},"fieldFormats":{"products.base_price":{"id":"number","params":{"pattern":"$0,0.00"}},"products.base_unit_price":{"id":"number","params":{"pattern":"$0,0.00"}},"products.min_price":{"id":"number","params":{"pattern":"$0,0.00"}},"products.price":{"id":"number","params":{"pattern":"$0,0.00"}},"products.taxful_price":{"id":"number","params":{"pattern":"$0,0.00"}},"products.taxless_price":{"id":"number","params":{"pattern":"$0,0.00"}},"taxful_total_price":{"id":"number","params":{"pattern":"$0,0.[00]"}},"taxless_total_price":{"id":"number","params":{"pattern":"$0,0.00"}}},"fields":{"_id":{"aggregatable":false,"count":0,"esTypes":["_id"],"format":{"id":"string"},"isMapped":true,"name":"_id","readFromDocValues":false,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"_index":{"aggregatable":true,"count":0,"esTypes":["_index"],"format":{"id":"string"},"isMapped":true,"name":"_index","readFromDocValues":false,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"_score":{"aggregatable":false,"count":0,"format":{"id":"number"},"isMapped":true,"name":"_score","readFromDocValues":false,"scripted":false,"searchable":false,"shortDotsEnable":false,"type":"number"},"_source":{"aggregatable":false,"count":0,"esTypes":["_source"],"format":{"id":"_source"},"isMapped":true,"name":"_source","readFromDocValues":false,"scripted":false,"searchable":false,"shortDotsEnable":false,"type":"_source"},"category":{"aggregatable":false,"count":0,"esTypes":["text"],"format":{"id":"string"},"isMapped":true,"name":"category","readFromDocValues":false,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"category.keyword":{"aggregatable":true,"count":0,"esTypes":["keyword"],"format":{"id":"string"},"isMapped":true,"name":"category.keyword","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"subType":{"multi":{"parent":"category"}},"type":"string"},"currency":{"aggregatable":true,"count":0,"esTypes":["keyword"],"format":{"id":"string"},"isMapped":true,"name":"currency","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"customer_birth_date":{"aggregatable":true,"count":0,"esTypes":["date"],"format":{"id":"date"},"isMapped":true,"name":"customer_birth_date","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"date"},"customer_first_name":{"aggregatable":false,"count":0,"esTypes":["text"],"format":{"id":"string"},"isMapped":true,"name":"customer_first_name","readFromDocValues":false,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"customer_first_name.keyword":{"aggregatable":true,"count":0,"esTypes":["keyword"],"format":{"id":"string"},"isMapped":true,"name":"customer_first_name.keyword","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"subType":{"multi":{"parent":"customer_first_name"}},"type":"string"},"customer_full_name":{"aggregatable":false,"count":0,"esTypes":["text"],"format":{"id":"string"},"isMapped":true,"name":"customer_full_name","readFromDocValues":false,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"customer_full_name.keyword":{"aggregatable":true,"count":0,"esTypes":["keyword"],"format":{"id":"string"},"isMapped":true,"name":"customer_full_name.keyword","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"subType":{"multi":{"parent":"customer_full_name"}},"type":"string"},"customer_gender":{"aggregatable":true,"count":0,"esTypes":["keyword"],"format":{"id":"string"},"isMapped":true,"name":"customer_gender","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"customer_id":{"aggregatable":true,"count":0,"esTypes":["keyword"],"format":{"id":"string"},"isMapped":true,"name":"customer_id","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"customer_last_name":{"aggregatable":false,"count":0,"esTypes":["text"],"format":{"id":"string"},"isMapped":true,"name":"customer_last_name","readFromDocValues":false,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"customer_last_name.keyword":{"aggregatable":true,"count":0,"esTypes":["keyword"],"format":{"id":"string"},"isMapped":true,"name":"customer_last_name.keyword","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"subType":{"multi":{"parent":"customer_last_name"}},"type":"string"},"customer_phone":{"aggregatable":true,"count":0,"esTypes":["keyword"],"format":{"id":"string"},"isMapped":true,"name":"customer_phone","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"day_of_week":{"aggregatable":true,"count":0,"esTypes":["keyword"],"format":{"id":"string"},"isMapped":true,"name":"day_of_week","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"day_of_week_i":{"aggregatable":true,"count":0,"esTypes":["integer"],"format":{"id":"number"},"isMapped":true,"name":"day_of_week_i","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"number"},"email":{"aggregatable":true,"count":0,"esTypes":["keyword"],"format":{"id":"string"},"isMapped":true,"name":"email","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"event.dataset":{"aggregatable":true,"count":0,"esTypes":["keyword"],"format":{"id":"string"},"isMapped":true,"name":"event.dataset","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"geoip.city_name":{"aggregatable":true,"count":0,"esTypes":["keyword"],"format":{"id":"string"},"isMapped":true,"name":"geoip.city_name","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"geoip.continent_name":{"aggregatable":true,"count":0,"esTypes":["keyword"],"format":{"id":"string"},"isMapped":true,"name":"geoip.continent_name","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"geoip.country_iso_code":{"aggregatable":true,"count":0,"esTypes":["keyword"],"format":{"id":"string"},"isMapped":true,"name":"geoip.country_iso_code","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"geoip.location":{"aggregatable":true,"count":0,"esTypes":["geo_point"],"format":{"id":"geo_point","params":{"transform":"wkt"}},"isMapped":true,"name":"geoip.location","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"geo_point"},"geoip.region_name":{"aggregatable":true,"count":0,"esTypes":["keyword"],"format":{"id":"string"},"isMapped":true,"name":"geoip.region_name","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"manufacturer":{"aggregatable":false,"count":0,"esTypes":["text"],"format":{"id":"string"},"isMapped":true,"name":"manufacturer","readFromDocValues":false,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"manufacturer.keyword":{"aggregatable":true,"count":0,"esTypes":["keyword"],"format":{"id":"string"},"isMapped":true,"name":"manufacturer.keyword","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"subType":{"multi":{"parent":"manufacturer"}},"type":"string"},"order_date":{"aggregatable":true,"count":0,"esTypes":["date"],"format":{"id":"date"},"isMapped":true,"name":"order_date","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"date"},"order_id":{"aggregatable":true,"count":0,"esTypes":["keyword"],"format":{"id":"string"},"isMapped":true,"name":"order_id","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"products._id":{"aggregatable":false,"count":0,"esTypes":["text"],"format":{"id":"string"},"isMapped":true,"name":"products._id","readFromDocValues":false,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"products._id.keyword":{"aggregatable":true,"count":0,"esTypes":["keyword"],"format":{"id":"string"},"isMapped":true,"name":"products._id.keyword","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"subType":{"multi":{"parent":"products._id"}},"type":"string"},"products.base_price":{"aggregatable":true,"count":0,"esTypes":["half_float"],"format":{"id":"number","params":{"pattern":"$0,0.00"}},"isMapped":true,"name":"products.base_price","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"number"},"products.base_unit_price":{"aggregatable":true,"count":0,"esTypes":["half_float"],"format":{"id":"number","params":{"pattern":"$0,0.00"}},"isMapped":true,"name":"products.base_unit_price","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"number"},"products.category":{"aggregatable":false,"count":0,"esTypes":["text"],"format":{"id":"string"},"isMapped":true,"name":"products.category","readFromDocValues":false,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"products.category.keyword":{"aggregatable":true,"count":0,"esTypes":["keyword"],"format":{"id":"string"},"isMapped":true,"name":"products.category.keyword","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"subType":{"multi":{"parent":"products.category"}},"type":"string"},"products.created_on":{"aggregatable":true,"count":0,"esTypes":["date"],"format":{"id":"date"},"isMapped":true,"name":"products.created_on","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"date"},"products.discount_amount":{"aggregatable":true,"count":0,"esTypes":["half_float"],"format":{"id":"number"},"isMapped":true,"name":"products.discount_amount","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"number"},"products.discount_percentage":{"aggregatable":true,"count":0,"esTypes":["half_float"],"format":{"id":"number"},"isMapped":true,"name":"products.discount_percentage","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"number"},"products.manufacturer":{"aggregatable":false,"count":1,"esTypes":["text"],"format":{"id":"string"},"isMapped":true,"name":"products.manufacturer","readFromDocValues":false,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"products.manufacturer.keyword":{"aggregatable":true,"count":0,"esTypes":["keyword"],"format":{"id":"string"},"isMapped":true,"name":"products.manufacturer.keyword","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"subType":{"multi":{"parent":"products.manufacturer"}},"type":"string"},"products.min_price":{"aggregatable":true,"count":0,"esTypes":["half_float"],"format":{"id":"number","params":{"pattern":"$0,0.00"}},"isMapped":true,"name":"products.min_price","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"number"},"products.price":{"aggregatable":true,"count":1,"esTypes":["half_float"],"format":{"id":"number","params":{"pattern":"$0,0.00"}},"isMapped":true,"name":"products.price","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"number"},"products.product_id":{"aggregatable":true,"count":0,"esTypes":["long"],"format":{"id":"number"},"isMapped":true,"name":"products.product_id","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"number"},"products.product_name":{"aggregatable":false,"count":1,"esTypes":["text"],"format":{"id":"string"},"isMapped":true,"name":"products.product_name","readFromDocValues":false,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"products.product_name.keyword":{"aggregatable":true,"count":0,"esTypes":["keyword"],"format":{"id":"string"},"isMapped":true,"name":"products.product_name.keyword","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"subType":{"multi":{"parent":"products.product_name"}},"type":"string"},"products.quantity":{"aggregatable":true,"count":0,"esTypes":["integer"],"format":{"id":"number"},"isMapped":true,"name":"products.quantity","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"number"},"products.sku":{"aggregatable":true,"count":0,"esTypes":["keyword"],"format":{"id":"string"},"isMapped":true,"name":"products.sku","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"products.tax_amount":{"aggregatable":true,"count":0,"esTypes":["half_float"],"format":{"id":"number"},"isMapped":true,"name":"products.tax_amount","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"number"},"products.taxful_price":{"aggregatable":true,"count":0,"esTypes":["half_float"],"format":{"id":"number","params":{"pattern":"$0,0.00"}},"isMapped":true,"name":"products.taxful_price","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"number"},"products.taxless_price":{"aggregatable":true,"count":0,"esTypes":["half_float"],"format":{"id":"number","params":{"pattern":"$0,0.00"}},"isMapped":true,"name":"products.taxless_price","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"number"},"products.unit_discount_amount":{"aggregatable":true,"count":0,"esTypes":["half_float"],"format":{"id":"number"},"isMapped":true,"name":"products.unit_discount_amount","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"number"},"sku":{"aggregatable":true,"count":0,"esTypes":["keyword"],"format":{"id":"string"},"isMapped":true,"name":"sku","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"taxful_total_price":{"aggregatable":true,"count":0,"esTypes":["half_float"],"format":{"id":"number","params":{"pattern":"$0,0.[00]"}},"isMapped":true,"name":"taxful_total_price","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"number"},"taxless_total_price":{"aggregatable":true,"count":0,"esTypes":["half_float"],"format":{"id":"number","params":{"pattern":"$0,0.00"}},"isMapped":true,"name":"taxless_total_price","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"number"},"total_quantity":{"aggregatable":true,"count":1,"esTypes":["integer"],"format":{"id":"number"},"isMapped":true,"name":"total_quantity","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"number"},"total_unique_products":{"aggregatable":true,"count":0,"esTypes":["integer"],"format":{"id":"number"},"isMapped":true,"name":"total_unique_products","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"number"},"type":{"aggregatable":true,"count":0,"esTypes":["keyword"],"format":{"id":"string"},"isMapped":true,"name":"type","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"user":{"aggregatable":true,"count":0,"esTypes":["keyword"],"format":{"id":"string"},"isMapped":true,"name":"user","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"}},"id":"ff959d40-b880-11e8-a6d9-e546fe2bba5f","name":"Kibana Sample Data eCommerce","namespaces":["default"],"runtimeFieldMap":{},"sourceFilters":[],"timeFieldName":"order_date","title":"kibana_sample_data_ecommerce","typeMeta":{},"version":"WzUsMV0="}}},"Data_views_get_data_views_response":{"summary":"The get all data views API returns a list of data views.","value":{"data_view":[{"id":"ff959d40-b880-11e8-a6d9-e546fe2bba5f","name":"Kibana Sample Data eCommerce","namespaces":["default"],"title":"kibana_sample_data_ecommerce","typeMeta":{}},{"id":"d3d7af60-4c81-11e8-b3d7-01146121b73d","name":"Kibana Sample Data Flights","namespaces":["default"],"title":"kibana_sample_data_flights"},{"id":"90943e30-9a47-11e8-b64d-95841ca0b247","name":"Kibana Sample Data Logs","namespaces":["default"],"title":"kibana_sample_data_logs"}]}},"Data_views_get_default_data_view_response":{"summary":"The get default data view API returns the default data view identifier.","value":{"data_view_id":"ff959d40-b880-11e8-a6d9-e546fe2bba5f"}},"Data_views_get_runtime_field_response":{"summary":"The get runtime field API returns a JSON object that contains information about the runtime field (`hour_of_day`) and the data view (`d3d7af60-4c81-11e8-b3d7-01146121b73d`).","value":{"data_view":{"allowNoIndex":false,"fieldAttrs":{},"fieldFormats":{"AvgTicketPrice":{"id":"number","params":{"pattern":"$0,0.[00]"}},"hour_of_day":{"id":"number","params":{"pattern":"00"}}},"fields":{"_id":{"aggregatable":false,"count":0,"esTypes":["_id"],"format":{"id":"string"},"isMapped":true,"name":"_id","readFromDocValues":false,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"_index":{"aggregatable":true,"count":0,"esTypes":["_index"],"format":{"id":"string"},"isMapped":true,"name":"_index","readFromDocValues":false,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"_score":{"aggregatable":false,"count":0,"format":{"id":"number"},"isMapped":true,"name":"_score","readFromDocValues":false,"scripted":false,"searchable":false,"shortDotsEnable":false,"type":"number"},"_source":{"aggregatable":false,"count":0,"esTypes":["_source"],"format":{"id":"_source"},"isMapped":true,"name":"_source","readFromDocValues":false,"scripted":false,"searchable":false,"shortDotsEnable":false,"type":"_source"},"AvgTicketPrice":{"aggregatable":true,"count":0,"esTypes":["float"],"format":{"id":"number","params":{"pattern":"$0,0.[00]"}},"isMapped":true,"name":"AvgTicketPrice","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"number"},"Cancelled":{"aggregatable":true,"count":0,"esTypes":["boolean"],"format":{"id":"boolean"},"isMapped":true,"name":"Cancelled","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"boolean"},"Carrier":{"aggregatable":true,"count":0,"esTypes":["keyword"],"format":{"id":"string"},"isMapped":true,"name":"Carrier","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"dayOfWeek":{"aggregatable":true,"count":0,"esTypes":["integer"],"format":{"id":"number"},"isMapped":true,"name":"dayOfWeek","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"number"},"Dest":{"aggregatable":true,"count":0,"esTypes":["keyword"],"format":{"id":"string"},"isMapped":true,"name":"Dest","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"DestAirportID":{"aggregatable":true,"count":0,"esTypes":["keyword"],"format":{"id":"string"},"isMapped":true,"name":"DestAirportID","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"DestCityName":{"aggregatable":true,"count":0,"esTypes":["keyword"],"format":{"id":"string"},"isMapped":true,"name":"DestCityName","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"DestCountry":{"aggregatable":true,"count":0,"esTypes":["keyword"],"format":{"id":"string"},"isMapped":true,"name":"DestCountry","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"DestLocation":{"aggregatable":true,"count":0,"esTypes":["geo_point"],"format":{"id":"geo_point","params":{"transform":"wkt"}},"isMapped":true,"name":"DestLocation","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"geo_point"},"DestRegion":{"aggregatable":true,"count":0,"esTypes":["keyword"],"format":{"id":"string"},"isMapped":true,"name":"DestRegion","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"DestWeather":{"aggregatable":true,"count":0,"esTypes":["keyword"],"format":{"id":"string"},"isMapped":true,"name":"DestWeather","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"DistanceKilometers":{"aggregatable":true,"count":0,"esTypes":["float"],"format":{"id":"number"},"isMapped":true,"name":"DistanceKilometers","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"number"},"DistanceMiles":{"aggregatable":true,"count":0,"esTypes":["float"],"format":{"id":"number"},"isMapped":true,"name":"DistanceMiles","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"number"},"FlightDelay":{"aggregatable":true,"count":0,"esTypes":["boolean"],"format":{"id":"boolean"},"isMapped":true,"name":"FlightDelay","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"boolean"},"FlightDelayMin":{"aggregatable":true,"count":0,"esTypes":["integer"],"format":{"id":"number"},"isMapped":true,"name":"FlightDelayMin","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"number"},"FlightDelayType":{"aggregatable":true,"count":0,"esTypes":["keyword"],"format":{"id":"string"},"isMapped":true,"name":"FlightDelayType","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"FlightNum":{"aggregatable":true,"count":0,"esTypes":["keyword"],"format":{"id":"string"},"isMapped":true,"name":"FlightNum","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"FlightTimeHour":{"aggregatable":true,"count":0,"esTypes":["keyword"],"format":{"id":"string"},"isMapped":true,"name":"FlightTimeHour","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"FlightTimeMin":{"aggregatable":true,"count":0,"esTypes":["float"],"format":{"id":"number"},"isMapped":true,"name":"FlightTimeMin","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"number"},"hour_of_day":{"aggregatable":true,"count":0,"esTypes":["long"],"format":{"id":"number","params":{"pattern":"00"}},"name":"hour_of_day","readFromDocValues":false,"runtimeField":{"script":{"source":"emit(doc['timestamp'].value.getHour());"},"type":"long"},"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"number"},"Origin":{"aggregatable":true,"count":0,"esTypes":["keyword"],"format":{"id":"string"},"isMapped":true,"name":"Origin","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"OriginAirportID":{"aggregatable":true,"count":0,"esTypes":["keyword"],"format":{"id":"string"},"isMapped":true,"name":"OriginAirportID","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"OriginCityName":{"aggregatable":true,"count":0,"esTypes":["keyword"],"format":{"id":"string"},"isMapped":true,"name":"OriginCityName","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"OriginCountry":{"aggregatable":true,"count":0,"esTypes":["keyword"],"format":{"id":"string"},"isMapped":true,"name":"OriginCountry","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"OriginLocation":{"aggregatable":true,"count":0,"esTypes":["geo_point"],"format":{"id":"geo_point","params":{"transform":"wkt"}},"isMapped":true,"name":"OriginLocation","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"geo_point"},"OriginRegion":{"aggregatable":true,"count":0,"esTypes":["keyword"],"format":{"id":"string"},"isMapped":true,"name":"OriginRegion","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"OriginWeather":{"aggregatable":true,"count":0,"esTypes":["keyword"],"format":{"id":"string"},"isMapped":true,"name":"OriginWeather","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"timestamp":{"aggregatable":true,"count":0,"esTypes":["date"],"format":{"id":"date"},"isMapped":true,"name":"timestamp","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"date"}},"id":"d3d7af60-4c81-11e8-b3d7-01146121b73d","name":"Kibana Sample Data Flights","runtimeFieldMap":{"hour_of_day":{"script":{"source":"emit(doc['timestamp'].value.getHour());"},"type":"long"}},"sourceFilters":[],"timeFieldName":"timestamp","title":"kibana_sample_data_flights","version":"WzM2LDJd"},"fields":[{"aggregatable":true,"count":0,"esTypes":["long"],"name":"hour_of_day","readFromDocValues":false,"runtimeField":{"script":{"source":"emit(doc['timestamp'].value.getHour());"},"type":"long"},"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"number"}]}},"Data_views_preview_swap_data_view_request":{"summary":"Preview swapping references from data view ID \"abcd-efg\" to \"xyz-123\".","value":{"fromId":"abcd-efg","toId":"xyz-123"}},"Data_views_set_default_data_view_request":{"summary":"Set the default data view identifier.","value":{"data_view_id":"ff959d40-b880-11e8-a6d9-e546fe2bba5f","force":true}},"Data_views_swap_data_view_request":{"summary":"Swap references from data view ID \"abcd-efg\" to \"xyz-123\" and remove the data view that is no longer referenced.","value":{"delete":true,"fromId":"abcd-efg","toId":"xyz-123"}},"Data_views_update_data_view_request":{"summary":"Update some properties for a data view.","value":{"data_view":{"allowNoIndex":false,"name":"Kibana Sample Data eCommerce","timeFieldName":"order_date","title":"kibana_sample_data_ecommerce"},"refresh_fields":true}},"Data_views_update_field_metadata_request":{"summary":"Update metadata for multiple fields.","value":{"fields":{"field1":{"count":123,"customLabel":"Field 1 label"},"field2":{"customDescription":"Field 2 description","customLabel":"Field 2 label"}}}},"Data_views_update_runtime_field_request":{"summary":"Update an existing runtime field on a data view.","value":{"runtimeField":{"script":{"source":"emit(doc[\"bar\"].value)"}}}},"Machine_learning_APIs_mlSync401Example":{"summary":"Two anomaly detection jobs required synchronization in this example.","value":{"error":"Unauthorized","message":"[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [ml_viewer] for REST request [/_security/_authenticate]]: unable to authenticate user [ml_viewer] for REST request [/_security/_authenticate]","statusCode":401}},"Machine_learning_APIs_mlSyncExample":{"summary":"Two anomaly detection jobs required synchronization in this example.","value":{"datafeedsAdded":{},"datafeedsRemoved":{},"savedObjectsCreated":{"anomaly-detector":{"myjob1":{"success":true},"myjob2":{"success":true}}},"savedObjectsDeleted":{}}},"Saved_objects_key_rotation_response":{"summary":"Encryption key rotation using default parameters.","value":{"failed":0,"successful":300,"total":1000}},"Saved_objects_resolve_missing_reference_request":{"value":{"file":"file.ndjson","retries":[{"id":"my-pattern","overwrite":true,"type":"index-pattern"},{"destinationId":"another-vis","id":"my-vis","overwrite":true,"type":"visualization"},{"destinationId":"yet-another-canvas","id":"my-canvas","overwrite":true,"type":"canvas"},{"id":"my-dashboard","type":"dashboard"}]}},"Saved_objects_resolve_missing_reference_response":{"summary":"Resolve missing reference errors.","value":{"success":true,"successCount":3,"successResults":[{"id":"my-vis","meta":{"icon":"visualizeApp","title":"Look at my visualization"},"type":"visualization"},{"id":"my-search","meta":{"icon":"searchApp","title":"Look at my search"},"type":"search"},{"id":"my-dashboard","meta":{"icon":"dashboardApp","title":"Look at my dashboard"},"type":"dashboard"}]}},"Task_manager_health_APIs_health_200response":{"description":"A successful response from `GET api/task_manager/_health`.","value":"{\n  \"id\": \"330bbc6a-56cd-44d5-88e3-e3229f14d619\",\n  \"timestamp\": \"2025-03-21T21:30:04.780Z\",\n  \"status\": \"OK\",\n  \"last_update\": \"2025-03-21T21:30:04.455Z\",\n  \"stats\": {\n    \"configuration\": {\n      \"timestamp\": \"2025-03-21T21:26:10.002Z\",\n      \"value\": {\n        \"request_capacity\": 1000,\n        \"monitored_aggregated_stats_refresh_rate\": 60000,\n        \"monitored_stats_running_average_window\": 50,\n        \"monitored_task_execution_thresholds\": {\n          \"custom\": {},\n          \"default\": {\n            \"error_threshold\": 90,\n            \"warn_threshold\": 80\n          }\n        },\n        \"claim_strategy\": \"mget\",\n        \"poll_interval\": 500,\n        \"capacity\": {\n          \"config\": 10,\n          \"as_workers\": 10,\n          \"as_cost\": 20\n        }\n      },\n      \"status\": \"OK\"\n    },\n    \"runtime\": {\n      \"timestamp\": \"2025-03-21T21:30:04.455Z\",\n      \"value\": {\n        \"polling\": {\n          \"last_successful_poll\": \"2025-03-21T21:30:04.455Z\",\n          \"last_polling_delay\": \"2025-03-21T21:26:10.001Z\",\n          \"claim_duration\": {\n            \"p50\": 17,\n            \"p90\": 22,\n            \"p95\": 25,\n            \"p99\": 27\n          },\n          \"duration\": {\n            \"p50\": 19,\n            \"p90\": 25.5,\n            \"p95\": 28,\n            \"p99\": 28\n          },\n          \"claim_conflicts\": {\n            \"p50\": 0,\n            \"p90\": 0,\n            \"p95\": 0,\n            \"p99\": 0\n          },\n          \"claim_mismatches\": {\n            \"p50\": 0,\n            \"p90\": 0,\n            \"p95\": 0,\n            \"p99\": 0\n          },\n          \"claim_stale_tasks\": {\n            \"p50\": 0,\n            \"p90\": 0,\n            \"p95\": 0,\n            \"p99\": 0\n          },\n          \"result_frequency_percent_as_number\": {\n            \"Failed\": 0,\n            \"NoAvailableWorkers\": 0,\n            \"NoTasksClaimed\": 100,\n            \"RanOutOfCapacity\": 0,\n            \"RunningAtCapacity\": 0,\n            \"PoolFilled\": 0\n          },\n          \"persistence\": {\n            \"recurring\": 88,\n            \"non_recurring\": 12\n          }\n        },\n        \"drift\": {\n          \"p50\": 2089,\n          \"p90\": 3037,\n          \"p95\": 3037,\n          \"p99\": 3037\n        },\n        \"drift_by_type\": {\n          \"SLO:ORPHAN_SUMMARIES-CLEANUP-TASK\": {\n            \"p50\": 2082,\n            \"p90\": 2082,\n            \"p95\": 2082,\n            \"p99\": 2082\n          },\n          \"fleet:check-deleted-files-task\": {\n            \"p50\": 2080,\n            \"p90\": 2080,\n            \"p95\": 2080,\n            \"p99\": 2080\n          },\n          \"osquery:telemetry-saved-queries\": {\n            \"p50\": 2080,\n            \"p90\": 2080,\n            \"p95\": 2080,\n            \"p99\": 2080\n          },\n          \"task_manager:mark_removed_tasks_as_unrecognized\": {\n            \"p50\": 2089,\n            \"p90\": 2089,\n            \"p95\": 2089,\n            \"p99\": 2089\n          },\n          \"task_manager:delete_inactive_background_task_nodes\": {\n            \"p50\": 336.5,\n            \"p90\": 2089,\n            \"p95\": 2089,\n            \"p99\": 2089\n          },\n          \"alerts_invalidate_api_keys\": {\n            \"p50\": 2086,\n            \"p90\": 2086,\n            \"p95\": 2086,\n            \"p99\": 2086\n          },\n          \"fleet:unenroll-inactive-agents-task\": {\n            \"p50\": 2080,\n            \"p90\": 2080,\n            \"p95\": 2080,\n            \"p99\": 2080\n          },\n          \"alerting_health_check\": {\n            \"p50\": 2086,\n            \"p90\": 2086,\n            \"p95\": 2086,\n            \"p99\": 2086\n          },\n          \"Fleet-Usage-Sender\": {\n            \"p50\": 2079,\n            \"p90\": 2079,\n            \"p95\": 2079,\n            \"p99\": 2079\n          },\n          \"security:endpoint-diagnostics\": {\n            \"p50\": 2525,\n            \"p90\": 2525,\n            \"p95\": 2525,\n            \"p99\": 2525\n          },\n          \"logs-data-telemetry\": {\n            \"p50\": 2525,\n            \"p90\": 2525,\n            \"p95\": 2525,\n            \"p99\": 2525\n          },\n          \"security:telemetry-lists\": {\n            \"p50\": 2525,\n            \"p90\": 2525,\n            \"p95\": 2525,\n            \"p99\": 2525\n          },\n          \"security:telemetry-timelines\": {\n            \"p50\": 2526,\n            \"p90\": 2526,\n            \"p95\": 2526,\n            \"p99\": 2526\n          },\n          \"cases-telemetry-task\": {\n            \"p50\": 2083,\n            \"p90\": 2083,\n            \"p95\": 2083,\n            \"p99\": 2083\n          },\n          \"osquery:telemetry-packs\": {\n            \"p50\": 2530,\n            \"p90\": 2530,\n            \"p95\": 2530,\n            \"p99\": 2530\n          },\n          \"Fleet-Metrics-Task\": {\n            \"p50\": 133.5,\n            \"p90\": 2530,\n            \"p95\": 2530,\n            \"p99\": 2530\n          },\n          \"fleet:delete-unenrolled-agents-task\": {\n            \"p50\": 2530,\n            \"p90\": 2530,\n            \"p95\": 2530,\n            \"p99\": 2530\n          },\n          \"osquery:telemetry-configs\": {\n            \"p50\": 2529,\n            \"p90\": 2529,\n            \"p95\": 2529,\n            \"p99\": 2529\n          },\n          \"endpoint:complete-external-response-actions\": {\n            \"p50\": 519,\n            \"p90\": 2526,\n            \"p95\": 2526,\n            \"p99\": 2526\n          },\n          \"security:telemetry-detection-rules\": {\n            \"p50\": 3037,\n            \"p90\": 3037,\n            \"p95\": 3037,\n            \"p99\": 3037\n          },\n          \"security:telemetry-prebuilt-rule-alerts\": {\n            \"p50\": 3037,\n            \"p90\": 3037,\n            \"p95\": 3037,\n            \"p99\": 3037\n          },\n          \"security:endpoint-meta-telemetry\": {\n            \"p50\": 3037,\n            \"p90\": 3037,\n            \"p95\": 3037,\n            \"p99\": 3037\n          },\n          \"security:telemetry-filterlist-artifact\": {\n            \"p50\": 3037,\n            \"p90\": 3037,\n            \"p95\": 3037,\n            \"p99\": 3037\n          },\n          \"security:telemetry-diagnostic-timelines\": {\n            \"p50\": 3037,\n            \"p90\": 3037,\n            \"p95\": 3037,\n            \"p99\": 3037\n          },\n          \"security:telemetry-configuration\": {\n            \"p50\": 3037,\n            \"p90\": 3037,\n            \"p95\": 3037,\n            \"p99\": 3037\n          },\n          \"security:indices-metadata-telemetry\": {\n            \"p50\": 3037,\n            \"p90\": 3037,\n            \"p95\": 3037,\n            \"p99\": 3037\n          },\n          \"Fleet-Usage-Logger\": {\n            \"p50\": 2190,\n            \"p90\": 2190,\n            \"p95\": 2190,\n            \"p99\": 2190\n          },\n          \"obs-ai-assistant:knowledge-base-migration\": {\n            \"p50\": 2189,\n            \"p90\": 2189,\n            \"p95\": 2189,\n            \"p99\": 2189\n          },\n          \"dashboard_telemetry\": {\n            \"p50\": 2452,\n            \"p90\": 2452,\n            \"p95\": 2452,\n            \"p99\": 2452\n          },\n          \"session_cleanup\": {\n            \"p50\": 2569,\n            \"p90\": 2569,\n            \"p95\": 2569,\n            \"p99\": 2569\n          },\n          \"ProductDocBase:EnsureUpToDate\": {\n            \"p50\": 2452,\n            \"p90\": 2452,\n            \"p95\": 2452,\n            \"p99\": 2452\n          },\n          \"apm-telemetry-task\": {\n            \"p50\": 2591,\n            \"p90\": 2591,\n            \"p95\": 2591,\n            \"p99\": 2591\n          },\n          \"ML:saved-objects-sync\": {\n            \"p50\": 2475,\n            \"p90\": 2475,\n            \"p95\": 2475,\n            \"p99\": 2475\n          },\n          \"apm-source-map-migration-task\": {\n            \"p50\": 1603.5,\n            \"p90\": 2987,\n            \"p95\": 2987,\n            \"p99\": 2987\n          },\n          \"actions_telemetry\": {\n            \"p50\": 771,\n            \"p90\": 771,\n            \"p95\": 771,\n            \"p99\": 771\n          },\n          \"alerting_telemetry\": {\n            \"p50\": 768,\n            \"p90\": 768,\n            \"p95\": 768,\n            \"p99\": 768\n          },\n          \"endpoint:metadata-check-transforms-task\": {\n            \"p50\": 834,\n            \"p90\": 834,\n            \"p95\": 834,\n            \"p99\": 834\n          },\n          \"endpoint:user-artifact-packager\": {\n            \"p50\": 529.5,\n            \"p90\": 835,\n            \"p95\": 835,\n            \"p99\": 835\n          },\n          \"fleet:bump_agent_policies\": {\n            \"p50\": 361,\n            \"p90\": 361,\n            \"p95\": 361,\n            \"p99\": 361\n          }\n        },\n        \"load\": {\n          \"p50\": 10,\n          \"p90\": 100,\n          \"p95\": 100,\n          \"p99\": 100\n        },\n        \"execution\": {\n          \"duration\": {\n            \"SLO:ORPHAN_SUMMARIES-CLEANUP-TASK\": {\n              \"p50\": 24,\n              \"p90\": 24,\n              \"p95\": 24,\n              \"p99\": 24\n            },\n            \"fleet:check-deleted-files-task\": {\n              \"p50\": 24,\n              \"p90\": 24,\n              \"p95\": 24,\n              \"p99\": 24\n            },\n            \"osquery:telemetry-saved-queries\": {\n              \"p50\": 25,\n              \"p90\": 25,\n              \"p95\": 25,\n              \"p99\": 25\n            },\n            \"task_manager:mark_removed_tasks_as_unrecognized\": {\n              \"p50\": 28,\n              \"p90\": 28,\n              \"p95\": 28,\n              \"p99\": 28\n            },\n            \"task_manager:delete_inactive_background_task_nodes\": {\n              \"p50\": 7.5,\n              \"p90\": 29,\n              \"p95\": 29,\n              \"p99\": 29\n            },\n            \"alerts_invalidate_api_keys\": {\n              \"p50\": 34,\n              \"p90\": 34,\n              \"p95\": 34,\n              \"p99\": 34\n            },\n            \"fleet:unenroll-inactive-agents-task\": {\n              \"p50\": 39,\n              \"p90\": 39,\n              \"p95\": 39,\n              \"p99\": 39\n            },\n            \"alerting_health_check\": {\n              \"p50\": 42,\n              \"p90\": 42,\n              \"p95\": 42,\n              \"p99\": 42\n            },\n            \"Fleet-Usage-Sender\": {\n              \"p50\": 78,\n              \"p90\": 78,\n              \"p95\": 78,\n              \"p99\": 78\n            },\n            \"security:endpoint-diagnostics\": {\n              \"p50\": 6,\n              \"p90\": 6,\n              \"p95\": 6,\n              \"p99\": 6\n            },\n            \"logs-data-telemetry\": {\n              \"p50\": 6,\n              \"p90\": 6,\n              \"p95\": 6,\n              \"p99\": 6\n            },\n            \"security:telemetry-lists\": {\n              \"p50\": 6,\n              \"p90\": 6,\n              \"p95\": 6,\n              \"p99\": 6\n            },\n            \"security:telemetry-timelines\": {\n              \"p50\": 6,\n              \"p90\": 6,\n              \"p95\": 6,\n              \"p99\": 6\n            },\n            \"cases-telemetry-task\": {\n              \"p50\": 458,\n              \"p90\": 458,\n              \"p95\": 458,\n              \"p99\": 458\n            },\n            \"osquery:telemetry-packs\": {\n              \"p50\": 10,\n              \"p90\": 10,\n              \"p95\": 10,\n              \"p99\": 10\n            },\n            \"Fleet-Metrics-Task\": {\n              \"p50\": 5,\n              \"p90\": 10,\n              \"p95\": 10,\n              \"p99\": 10\n            },\n            \"fleet:delete-unenrolled-agents-task\": {\n              \"p50\": 11,\n              \"p90\": 11,\n              \"p95\": 11,\n              \"p99\": 11\n            },\n            \"osquery:telemetry-configs\": {\n              \"p50\": 12,\n              \"p90\": 12,\n              \"p95\": 12,\n              \"p99\": 12\n            },\n            \"endpoint:complete-external-response-actions\": {\n              \"p50\": 7,\n              \"p90\": 11,\n              \"p95\": 11,\n              \"p99\": 11\n            },\n            \"security:telemetry-detection-rules\": {\n              \"p50\": 6,\n              \"p90\": 6,\n              \"p95\": 6,\n              \"p99\": 6\n            },\n            \"security:telemetry-prebuilt-rule-alerts\": {\n              \"p50\": 6,\n              \"p90\": 6,\n              \"p95\": 6,\n              \"p99\": 6\n            },\n            \"security:endpoint-meta-telemetry\": {\n              \"p50\": 6,\n              \"p90\": 6,\n              \"p95\": 6,\n              \"p99\": 6\n            },\n            \"security:telemetry-filterlist-artifact\": {\n              \"p50\": 5,\n              \"p90\": 5,\n              \"p95\": 5,\n              \"p99\": 5\n            },\n            \"security:telemetry-diagnostic-timelines\": {\n              \"p50\": 5,\n              \"p90\": 5,\n              \"p95\": 5,\n              \"p99\": 5\n            },\n            \"security:telemetry-configuration\": {\n              \"p50\": 5,\n              \"p90\": 5,\n              \"p95\": 5,\n              \"p99\": 5\n            },\n            \"security:indices-metadata-telemetry\": {\n              \"p50\": 5,\n              \"p90\": 5,\n              \"p95\": 5,\n              \"p99\": 5\n            },\n            \"Fleet-Usage-Logger\": {\n              \"p50\": 18,\n              \"p90\": 18,\n              \"p95\": 18,\n              \"p99\": 18\n            },\n            \"obs-ai-assistant:knowledge-base-migration\": {\n              \"p50\": 8,\n              \"p90\": 8,\n              \"p95\": 8,\n              \"p99\": 8\n            },\n            \"dashboard_telemetry\": {\n              \"p50\": 12,\n              \"p90\": 12,\n              \"p95\": 12,\n              \"p99\": 12\n            },\n            \"session_cleanup\": {\n              \"p50\": 58,\n              \"p90\": 58,\n              \"p95\": 58,\n              \"p99\": 58\n            },\n            \"ProductDocBase:EnsureUpToDate\": {\n              \"p50\": 147,\n              \"p90\": 147,\n              \"p95\": 147,\n              \"p99\": 147\n            },\n            \"apm-telemetry-task\": {\n              \"p50\": 543,\n              \"p90\": 543,\n              \"p95\": 543,\n              \"p99\": 543\n            },\n            \"ML:saved-objects-sync\": {\n              \"p50\": 544,\n              \"p90\": 544,\n              \"p95\": 544,\n              \"p99\": 544\n            },\n            \"apm-source-map-migration-task\": {\n              \"p50\": 1649,\n              \"p90\": 3282,\n              \"p95\": 3282,\n              \"p99\": 3282\n            },\n            \"actions_telemetry\": {\n              \"p50\": 19,\n              \"p90\": 19,\n              \"p95\": 19,\n              \"p99\": 19\n            },\n            \"alerting_telemetry\": {\n              \"p50\": 64,\n              \"p90\": 64,\n              \"p95\": 64,\n              \"p99\": 64\n            },\n            \"endpoint:metadata-check-transforms-task\": {\n              \"p50\": 6,\n              \"p90\": 6,\n              \"p95\": 6,\n              \"p99\": 6\n            },\n            \"endpoint:user-artifact-packager\": {\n              \"p50\": 10,\n              \"p90\": 13,\n              \"p95\": 13,\n              \"p99\": 13\n            },\n            \"fleet:bump_agent_policies\": {\n              \"p50\": 9,\n              \"p90\": 9,\n              \"p95\": 9,\n              \"p99\": 9\n            }\n          },\n          \"duration_by_persistence\": {\n            \"recurring\": {\n              \"p50\": 9,\n              \"p90\": 63.39999999999999,\n              \"p95\": 474.99999999999966,\n              \"p99\": 544\n            },\n            \"non_recurring\": {\n              \"p50\": 14,\n              \"p90\": 2968.500000000001,\n              \"p95\": 3282,\n              \"p99\": 3282\n            }\n          },\n          \"persistence\": {\n            \"recurring\": 88,\n            \"non_recurring\": 12\n          },\n          \"result_frequency_percent_as_number\": {\n            \"SLO:ORPHAN_SUMMARIES-CLEANUP-TASK\": {\n              \"Success\": 100,\n              \"RetryScheduled\": 0,\n              \"Failed\": 0,\n              \"status\": \"OK\"\n            },\n            \"fleet:check-deleted-files-task\": {\n              \"Success\": 100,\n              \"RetryScheduled\": 0,\n              \"Failed\": 0,\n              \"status\": \"OK\"\n            },\n            \"osquery:telemetry-saved-queries\": {\n              \"Success\": 100,\n              \"RetryScheduled\": 0,\n              \"Failed\": 0,\n              \"status\": \"OK\"\n            },\n            \"task_manager:mark_removed_tasks_as_unrecognized\": {\n              \"Success\": 100,\n              \"RetryScheduled\": 0,\n              \"Failed\": 0,\n              \"status\": \"OK\"\n            },\n            \"task_manager:delete_inactive_background_task_nodes\": {\n              \"Success\": 100,\n              \"RetryScheduled\": 0,\n              \"Failed\": 0,\n              \"status\": \"OK\"\n            },\n            \"alerts_invalidate_api_keys\": {\n              \"Success\": 100,\n              \"RetryScheduled\": 0,\n              \"Failed\": 0,\n              \"status\": \"OK\"\n            },\n            \"fleet:unenroll-inactive-agents-task\": {\n              \"Success\": 100,\n              \"RetryScheduled\": 0,\n              \"Failed\": 0,\n              \"status\": \"OK\"\n            },\n            \"alerting_health_check\": {\n              \"Success\": 100,\n              \"RetryScheduled\": 0,\n              \"Failed\": 0,\n              \"status\": \"OK\"\n            },\n            \"Fleet-Usage-Sender\": {\n              \"Success\": 100,\n              \"RetryScheduled\": 0,\n              \"Failed\": 0,\n              \"status\": \"OK\"\n            },\n            \"security:endpoint-diagnostics\": {\n              \"Success\": 100,\n              \"RetryScheduled\": 0,\n              \"Failed\": 0,\n              \"status\": \"OK\"\n            },\n            \"logs-data-telemetry\": {\n              \"Success\": 100,\n              \"RetryScheduled\": 0,\n              \"Failed\": 0,\n              \"status\": \"OK\"\n            },\n            \"security:telemetry-lists\": {\n              \"Success\": 100,\n              \"RetryScheduled\": 0,\n              \"Failed\": 0,\n              \"status\": \"OK\"\n            },\n            \"security:telemetry-timelines\": {\n              \"Success\": 100,\n              \"RetryScheduled\": 0,\n              \"Failed\": 0,\n              \"status\": \"OK\"\n            },\n            \"cases-telemetry-task\": {\n              \"Success\": 100,\n              \"RetryScheduled\": 0,\n              \"Failed\": 0,\n              \"status\": \"OK\"\n            },\n            \"osquery:telemetry-packs\": {\n              \"Success\": 100,\n              \"RetryScheduled\": 0,\n              \"Failed\": 0,\n              \"status\": \"OK\"\n            },\n            \"Fleet-Metrics-Task\": {\n              \"Success\": 100,\n              \"RetryScheduled\": 0,\n              \"Failed\": 0,\n              \"status\": \"OK\"\n            },\n            \"fleet:delete-unenrolled-agents-task\": {\n              \"Success\": 100,\n              \"RetryScheduled\": 0,\n              \"Failed\": 0,\n              \"status\": \"OK\"\n            },\n            \"osquery:telemetry-configs\": {\n              \"Success\": 100,\n              \"RetryScheduled\": 0,\n              \"Failed\": 0,\n              \"status\": \"OK\"\n            },\n            \"endpoint:complete-external-response-actions\": {\n              \"Success\": 100,\n              \"RetryScheduled\": 0,\n              \"Failed\": 0,\n              \"status\": \"OK\"\n            },\n            \"security:telemetry-detection-rules\": {\n              \"Success\": 100,\n              \"RetryScheduled\": 0,\n              \"Failed\": 0,\n              \"status\": \"OK\"\n            },\n            \"security:telemetry-prebuilt-rule-alerts\": {\n              \"Success\": 100,\n              \"RetryScheduled\": 0,\n              \"Failed\": 0,\n              \"status\": \"OK\"\n            },\n            \"security:endpoint-meta-telemetry\": {\n              \"Success\": 100,\n              \"RetryScheduled\": 0,\n              \"Failed\": 0,\n              \"status\": \"OK\"\n            },\n            \"security:telemetry-filterlist-artifact\": {\n              \"Success\": 100,\n              \"RetryScheduled\": 0,\n              \"Failed\": 0,\n              \"status\": \"OK\"\n            },\n            \"security:telemetry-diagnostic-timelines\": {\n              \"Success\": 100,\n              \"RetryScheduled\": 0,\n              \"Failed\": 0,\n              \"status\": \"OK\"\n            },\n            \"security:telemetry-configuration\": {\n              \"Success\": 100,\n              \"RetryScheduled\": 0,\n              \"Failed\": 0,\n              \"status\": \"OK\"\n            },\n            \"security:indices-metadata-telemetry\": {\n              \"Success\": 100,\n              \"RetryScheduled\": 0,\n              \"Failed\": 0,\n              \"status\": \"OK\"\n            },\n            \"Fleet-Usage-Logger\": {\n              \"Success\": 100,\n              \"RetryScheduled\": 0,\n              \"Failed\": 0,\n              \"status\": \"OK\"\n            },\n            \"obs-ai-assistant:knowledge-base-migration\": {\n              \"Success\": 100,\n              \"RetryScheduled\": 0,\n              \"Failed\": 0,\n              \"status\": \"OK\"\n            },\n            \"dashboard_telemetry\": {\n              \"Success\": 100,\n              \"RetryScheduled\": 0,\n              \"Failed\": 0,\n              \"status\": \"OK\"\n            },\n            \"session_cleanup\": {\n              \"Success\": 0,\n              \"RetryScheduled\": 100,\n              \"Failed\": 0,\n              \"status\": \"OK\"\n            },\n            \"ProductDocBase:EnsureUpToDate\": {\n              \"Success\": 100,\n              \"RetryScheduled\": 0,\n              \"Failed\": 0,\n              \"status\": \"OK\"\n            },\n            \"apm-telemetry-task\": {\n              \"Success\": 100,\n              \"RetryScheduled\": 0,\n              \"Failed\": 0,\n              \"status\": \"OK\"\n            },\n            \"ML:saved-objects-sync\": {\n              \"Success\": 100,\n              \"RetryScheduled\": 0,\n              \"Failed\": 0,\n              \"status\": \"OK\"\n            },\n            \"apm-source-map-migration-task\": {\n              \"Success\": 50,\n              \"RetryScheduled\": 50,\n              \"Failed\": 0,\n              \"status\": \"OK\"\n            },\n            \"actions_telemetry\": {\n              \"Success\": 100,\n              \"RetryScheduled\": 0,\n              \"Failed\": 0,\n              \"status\": \"OK\"\n            },\n            \"alerting_telemetry\": {\n              \"Success\": 100,\n              \"RetryScheduled\": 0,\n              \"Failed\": 0,\n              \"status\": \"OK\"\n            },\n            \"endpoint:metadata-check-transforms-task\": {\n              \"Success\": 100,\n              \"RetryScheduled\": 0,\n              \"Failed\": 0,\n              \"status\": \"OK\"\n            },\n            \"endpoint:user-artifact-packager\": {\n              \"Success\": 100,\n              \"RetryScheduled\": 0,\n              \"Failed\": 0,\n              \"status\": \"OK\"\n            },\n            \"fleet:bump_agent_policies\": {\n              \"Success\": 100,\n              \"RetryScheduled\": 0,\n              \"Failed\": 0,\n              \"status\": \"OK\"\n            }\n          }\n        }\n      },\n      \"status\": \"OK\"\n    },\n    \"workload\": {\n      \"timestamp\": \"2025-03-21T21:29:10.367Z\",\n      \"value\": {\n        \"count\": 35,\n        \"cost\": 70,\n        \"task_types\": {\n          \"Fleet-Metrics-Task\": {\n            \"count\": 1,\n            \"cost\": 2,\n            \"status\": {\n              \"idle\": 1\n            }\n          },\n          \"Fleet-Usage-Logger\": {\n            \"count\": 1,\n            \"cost\": 2,\n            \"status\": {\n              \"idle\": 1\n            }\n          },\n          \"Fleet-Usage-Sender\": {\n            \"count\": 1,\n            \"cost\": 2,\n            \"status\": {\n              \"idle\": 1\n            }\n          },\n          \"ML:saved-objects-sync\": {\n            \"count\": 1,\n            \"cost\": 2,\n            \"status\": {\n              \"idle\": 1\n            }\n          },\n          \"SLO:ORPHAN_SUMMARIES-CLEANUP-TASK\": {\n            \"count\": 1,\n            \"cost\": 2,\n            \"status\": {\n              \"idle\": 1\n            }\n          },\n          \"actions_telemetry\": {\n            \"count\": 1,\n            \"cost\": 2,\n            \"status\": {\n              \"idle\": 1\n            }\n          },\n          \"alerting_health_check\": {\n            \"count\": 1,\n            \"cost\": 2,\n            \"status\": {\n              \"idle\": 1\n            }\n          },\n          \"alerting_telemetry\": {\n            \"count\": 1,\n            \"cost\": 2,\n            \"status\": {\n              \"idle\": 1\n            }\n          },\n          \"alerts_invalidate_api_keys\": {\n            \"count\": 1,\n            \"cost\": 2,\n            \"status\": {\n              \"idle\": 1\n            }\n          },\n          \"apm-telemetry-task\": {\n            \"count\": 1,\n            \"cost\": 2,\n            \"status\": {\n              \"idle\": 1\n            }\n          },\n          \"cases-telemetry-task\": {\n            \"count\": 1,\n            \"cost\": 2,\n            \"status\": {\n              \"idle\": 1\n            }\n          },\n          \"dashboard_telemetry\": {\n            \"count\": 1,\n            \"cost\": 2,\n            \"status\": {\n              \"idle\": 1\n            }\n          },\n          \"endpoint:complete-external-response-actions\": {\n            \"count\": 1,\n            \"cost\": 2,\n            \"status\": {\n              \"idle\": 1\n            }\n          },\n          \"endpoint:metadata-check-transforms-task\": {\n            \"count\": 1,\n            \"cost\": 2,\n            \"status\": {\n              \"idle\": 1\n            }\n          },\n          \"endpoint:user-artifact-packager\": {\n            \"count\": 1,\n            \"cost\": 2,\n            \"status\": {\n              \"idle\": 1\n            }\n          },\n          \"fleet:check-deleted-files-task\": {\n            \"count\": 1,\n            \"cost\": 2,\n            \"status\": {\n              \"idle\": 1\n            }\n          },\n          \"fleet:delete-unenrolled-agents-task\": {\n            \"count\": 1,\n            \"cost\": 2,\n            \"status\": {\n              \"idle\": 1\n            }\n          },\n          \"fleet:unenroll-inactive-agents-task\": {\n            \"count\": 1,\n            \"cost\": 2,\n            \"status\": {\n              \"idle\": 1\n            }\n          },\n          \"logs-data-telemetry\": {\n            \"count\": 1,\n            \"cost\": 2,\n            \"status\": {\n              \"idle\": 1\n            }\n          },\n          \"osquery:telemetry-configs\": {\n            \"count\": 1,\n            \"cost\": 2,\n            \"status\": {\n              \"idle\": 1\n            }\n          },\n          \"osquery:telemetry-packs\": {\n            \"count\": 1,\n            \"cost\": 2,\n            \"status\": {\n              \"idle\": 1\n            }\n          },\n          \"osquery:telemetry-saved-queries\": {\n            \"count\": 1,\n            \"cost\": 2,\n            \"status\": {\n              \"idle\": 1\n            }\n          },\n          \"security:endpoint-diagnostics\": {\n            \"count\": 1,\n            \"cost\": 2,\n            \"status\": {\n              \"idle\": 1\n            }\n          },\n          \"security:endpoint-meta-telemetry\": {\n            \"count\": 1,\n            \"cost\": 2,\n            \"status\": {\n              \"idle\": 1\n            }\n          },\n          \"security:indices-metadata-telemetry\": {\n            \"count\": 1,\n            \"cost\": 2,\n            \"status\": {\n              \"idle\": 1\n            }\n          },\n          \"security:telemetry-configuration\": {\n            \"count\": 1,\n            \"cost\": 2,\n            \"status\": {\n              \"idle\": 1\n            }\n          },\n          \"security:telemetry-detection-rules\": {\n            \"count\": 1,\n            \"cost\": 2,\n            \"status\": {\n              \"idle\": 1\n            }\n          },\n          \"security:telemetry-diagnostic-timelines\": {\n            \"count\": 1,\n            \"cost\": 2,\n            \"status\": {\n              \"idle\": 1\n            }\n          },\n          \"security:telemetry-filterlist-artifact\": {\n            \"count\": 1,\n            \"cost\": 2,\n            \"status\": {\n              \"idle\": 1\n            }\n          },\n          \"security:telemetry-lists\": {\n            \"count\": 1,\n            \"cost\": 2,\n            \"status\": {\n              \"idle\": 1\n            }\n          },\n          \"security:telemetry-prebuilt-rule-alerts\": {\n            \"count\": 1,\n            \"cost\": 2,\n            \"status\": {\n              \"idle\": 1\n            }\n          },\n          \"security:telemetry-timelines\": {\n            \"count\": 1,\n            \"cost\": 2,\n            \"status\": {\n              \"idle\": 1\n            }\n          },\n          \"session_cleanup\": {\n            \"count\": 1,\n            \"cost\": 2,\n            \"status\": {\n              \"idle\": 1\n            }\n          },\n          \"task_manager:delete_inactive_background_task_nodes\": {\n            \"count\": 1,\n            \"cost\": 2,\n            \"status\": {\n              \"idle\": 1\n            }\n          },\n          \"task_manager:mark_removed_tasks_as_unrecognized\": {\n            \"count\": 1,\n            \"cost\": 2,\n            \"status\": {\n              \"idle\": 1\n            }\n          }\n        },\n        \"non_recurring\": 1,\n        \"non_recurring_cost\": 2,\n        \"schedule\": [\n          [\n            \"1m\",\n            2\n          ],\n          [\n            \"60s\",\n            2\n          ],\n          [\n            \"5m\",\n            2\n          ],\n          [\n            \"10m\",\n            1\n          ],\n          [\n            \"15m\",\n            1\n          ],\n          [\n            \"45m\",\n            1\n          ],\n          [\n            \"1h\",\n            9\n          ],\n          [\n            \"3600s\",\n            1\n          ],\n          [\n            \"60m\",\n            1\n          ],\n          [\n            \"2h\",\n            1\n          ],\n          [\n            \"720m\",\n            2\n          ],\n          [\n            \"24h\",\n            7\n          ],\n          [\n            \"1d\",\n            3\n          ],\n          [\n            \"1440m\",\n            1\n          ]\n        ],\n        \"overdue\": 0,\n        \"overdue_cost\": 0,\n        \"overdue_non_recurring\": 0,\n        \"estimated_schedule_density\": [\n          0,\n          0,\n          0,\n          1,\n          1,\n          1,\n          0,\n          0,\n          0,\n          0,\n          0,\n          0,\n          0,\n          0,\n          0,\n          0,\n          0,\n          0,\n          0,\n          0,\n          0,\n          0,\n          0,\n          0,\n          0,\n          0,\n          0,\n          0,\n          0,\n          0,\n          1,\n          0,\n          0,\n          0,\n          0,\n          0,\n          0,\n          0,\n          0,\n          0,\n          0,\n          0,\n          0,\n          0,\n          0,\n          0,\n          0,\n          0,\n          0,\n          0\n        ],\n        \"capacity_requirements\": {\n          \"per_minute\": 4,\n          \"per_hour\": 46,\n          \"per_day\": 27\n        }\n      },\n      \"status\": \"OK\"\n    },\n    \"capacity_estimation\": {\n      \"status\": \"OK\",\n      \"reason\": \"Task Manager is healthy, the assumedRequiredThroughputPerMinutePerKibana (148.78541666666666) \u003c capacityPerMinutePerKibana (1200)\",\n      \"timestamp\": \"2025-03-21T21:30:04.780Z\",\n      \"value\": {\n        \"observed\": {\n          \"observed_kibana_instances\": 1,\n          \"max_throughput_per_minute_per_kibana\": 1200,\n          \"max_throughput_per_minute\": 1200,\n          \"minutes_to_drain_overdue\": 0,\n          \"avg_recurring_required_throughput_per_minute\": 5,\n          \"avg_recurring_required_throughput_per_minute_per_kibana\": 5,\n          \"avg_required_throughput_per_minute\": 149,\n          \"avg_required_throughput_per_minute_per_kibana\": 149\n        },\n        \"proposed\": {\n          \"provisioned_kibana\": 2,\n          \"min_required_kibana\": 1,\n          \"avg_recurring_required_throughput_per_minute_per_kibana\": 3,\n          \"avg_required_throughput_per_minute_per_kibana\": 75\n        }\n      }\n    }\n  }\n}"},"get_connector_types_generativeai_response":{"summary":"A list of connector types for the `generativeAI` feature.","value":[{"id":".gen-ai","name":"OpenAI","enabled":true,"enabled_in_config":true,"enabled_in_license":true,"minimum_license_required":"enterprise","supported_feature_ids":["generativeAIForSecurity","generativeAIForObservability","generativeAIForSearchPlayground"],"is_system_action_type":false},{"id":".bedrock","name":"AWS Bedrock","enabled":true,"enabled_in_config":true,"enabled_in_license":true,"minimum_license_required":"enterprise","supported_feature_ids":["generativeAIForSecurity","generativeAIForObservability","generativeAIForSearchPlayground"],"is_system_action_type":false},{"id":".gemini","name":"Google Gemini","enabled":true,"enabled_in_config":true,"enabled_in_license":true,"minimum_license_required":"enterprise","supported_feature_ids":["generativeAIForSecurity"],"is_system_action_type":false}]},"get_connector_response":{"summary":"Get connector details.","value":{"id":"df770e30-8b8b-11ed-a780-3b746c987a81","name":"my_server_log_connector","config":{},"connector_type_id":".server-log","is_preconfigured":false,"is_deprecated":false,"is_missing_secrets":false,"is_system_action":false}},"update_index_connector_request":{"summary":"Update an index connector.","value":{"name":"updated-connector","config":{"index":"updated-index"}}},"create_email_connector_request":{"summary":"Create an email connector.","value":{"name":"email-connector-1","connector_type_id":".email","config":{"from":"tester@example.com","hasAuth":true,"host":"https://example.com","port":1025,"secure":false,"service":"other"},"secrets":{"user":"username","password":"password"}}},"create_index_connector_request":{"summary":"Create an index connector.","value":{"name":"my-connector","connector_type_id":".index","config":{"index":"test-index"}}},"create_webhook_connector_request":{"summary":"Create a webhook connector with SSL authentication.","value":{"name":"my-webhook-connector","connector_type_id":".webhook","config":{"method":"post","url":"https://example.com","authType":"webhook-authentication-ssl","certType":"ssl-crt-key"},"secrets":{"crt":"QmFnIEF0dH...","key":"LS0tLS1CRUdJ...","password":"my-passphrase"}}},"create_xmatters_connector_request":{"summary":"Create an xMatters connector with URL authentication.","value":{"name":"my-xmatters-connector","connector_type_id":".xmatters","config":{"usesBasic":false},"secrets":{"secretsUrl":"https://example.com?apiKey=xxxxx"}}},"create_email_connector_response":{"summary":"A new email connector.","value":{"id":"90a82c60-478f-11ee-a343-f98a117c727f","connector_type_id":".email","name":"email-connector-1","config":{"from":"tester@example.com","service":"other","host":"https://example.com","port":1025,"secure":false,"hasAuth":true,"tenantId":null,"clientId":null,"oauthTokenUrl":null},"is_preconfigured":false,"is_deprecated":false,"is_missing_secrets":false,"is_system_action":false}},"create_index_connector_response":{"summary":"A new index connector.","value":{"id":"c55b6eb0-6bad-11eb-9f3b-611eebc6c3ad","connector_type_id":".index","name":"my-connector","config":{"index":"test-index","refresh":false,"executionTimeField":null},"is_preconfigured":false,"is_deprecated":false,"is_missing_secrets":false,"is_system_action":false}},"create_webhook_connector_response":{"summary":"A new webhook connector.","value":{"id":"900eb010-3b9d-11ee-a642-8ffbb94e38bd","name":"my-webhook-connector","config":{"method":"post","url":"https://example.com","authType":"webhook-authentication-ssl","certType":"ssl-crt-key","verificationMode":"full","headers":null,"hasAuth":true},"connector_type_id":".webhook","is_preconfigured":false,"is_deprecated":false,"is_missing_secrets":false,"is_system_action":false}},"run_index_connector_request":{"summary":"Run an index connector.","value":{"params":{"documents":[{"id":"my_doc_id","name":"my_doc_name","message":"hello, world"}]}}},"run_jira_connector_request":{"summary":"Run a Jira connector to retrieve the list of issue types.","value":{"params":{"subAction":"issueTypes"}}},"run_servicenow_itom_connector_request":{"summary":"Run a ServiceNow ITOM connector to retrieve the list of choices.","value":{"params":{"subAction":"getChoices","subActionParams":{"fields":["severity","urgency"]}}}},"run_slack_api_connector_request":{"summary":"Run a Slack connector that uses the web API method to post a message on a channel.","value":{"params":{"subAction":"postMessage","subActionParams":{"channelIds":["C123ABC456"],"text":"A test message."}}}},"run_swimlane_connector_request":{"summary":"Run a Swimlane connector to create an incident.","value":{"params":{"subAction":"pushToService","subActionParams":{"comments":[{"commentId":1,"comment":"A comment about the incident."}],"incident":{"caseId":"1000","caseName":"Case name","description":"Description of the incident."}}}}},"run_index_connector_response":{"summary":"Response from running an index connector.","value":{"connector_id":"fd38c600-96a5-11ed-bb79-353b74189cba","data":{"errors":false,"items":[{"create":{"_id":"4JtvwYUBrcyxt2NnfW3y","_index":"my-index","_primary_term":1,"_seq_no":0,"_shards":{"failed":0,"successful":1,"total":2},"_version":1,"result":"created","status":201}}],"took":135},"status":"ok"}},"run_jira_connector_response":{"summary":"Response from retrieving the list of issue types for a Jira connector.","value":{"connector_id":"b3aad810-edbe-11ec-82d1-11348ecbf4a6","data":[{"id":10024,"name":"Improvement"},{"id":10006,"name":"Task"},{"id":10007,"name":"Sub-task"},{"id":10025,"name":"New Feature"},{"id":10023,"name":"Bug"},{"id":10000,"name":"Epic"}],"status":"ok"}},"run_server_log_connector_response":{"summary":"Response from running a server log connector.","value":{"connector_id":"7fc7b9a0-ecc9-11ec-8736-e7d63118c907","status":"ok"}},"run_servicenow_itom_connector_response":{"summary":"Response from retrieving the list of choices for a ServiceNow ITOM connector.","value":{"connector_id":"9d9be270-2fd2-11ed-b0e0-87533c532698","data":[{"dependent_value":"","element":"severity","label":"Critical","value":1},{"dependent_value":"","element":"severity","label":"Major","value":2},{"dependent_value":"","element":"severity","label":"Minor","value":3},{"dependent_value":"","element":"severity","label":"Warning","value":4},{"dependent_value":"","element":"severity","label":"OK","value":5},{"dependent_value":"","element":"severity","label":"Clear","value":0},{"dependent_value":"","element":"urgency","label":"1 - High","value":1},{"dependent_value":"","element":"urgency","label":"2 - Medium","value":2},{"dependent_value":"","element":"urgency","label":"3 - Low","value":3}],"status":"ok"}},"run_slack_api_connector_response":{"summary":"Response from posting a message with a Slack connector.","value":{"status":"ok","data":{"ok":true,"channel":"C123ABC456","ts":"1234567890.123456","message":{"bot_id":"B12BCDEFGHI","type":"message","text":"A test message","user":"U12A345BC6D","ts":"1234567890.123456","app_id":"A01BC2D34EF","blocks":[{"type":"rich_text","block_id":"/NXe","elements":[{"type":"rich_text_section","elements":[{"type":"text","text":"A test message."}]}]}],"team":"T01ABCDE2F","bot_profile":{"id":"B12BCDEFGHI","app_id":"A01BC2D34EF","name":"test","icons":{"image_36":"https://a.slack-edge.com/80588/img/plugins/app/bot_36.png"},"deleted":false,"updated":1672169705,"team_id":"T01ABCDE2F"}}},"connector_id":".slack_api"}},"run_swimlane_connector_response":{"summary":"Response from creating a Swimlane incident.","value":{"connector_id":"a4746470-2f94-11ed-b0e0-87533c532698","data":{"id":"aKPmBHWzmdRQtx6Mx","title":"TEST-457","url":"https://elastic.swimlane.url.us/record/aNcL2xniGHGpa2AHb/aKPmBHWzmdRQtx6Mx","pushedDate":"2022-09-08T16:52:27.866Z","comments":[{"commentId":1,"pushedDate":"2022-09-08T16:52:27.865Z"}]},"status":"ok"}},"get_connectors_response":{"summary":"A list of connectors","value":[{"id":"preconfigured-email-connector","name":"my-preconfigured-email-notification","connector_type_id":".email","is_preconfigured":true,"is_deprecated":false,"referenced_by_count":0,"is_system_action":false},{"id":"e07d0c80-8b8b-11ed-a780-3b746c987a81","name":"my-index-connector","config":{"index":"test-index","refresh":false,"executionTimeField":null},"connector_type_id":".index","is_preconfigured":false,"is_deprecated":false,"referenced_by_count":2,"is_missing_secrets":false,"is_system_action":false}]},"get_roles_response1":{"summary":"Get all role details","value":[{"name":"my_kibana_role","description":"My kibana role description","metadata":{"version":1},"transient_metadata":{"enabled":true},"elasticsearch":{"indices":[],"cluster":[],"run_as":[]},"kibana":[{"base":["all"],"feature":{},"spaces":["*"]}]},{"name":"my_admin_role","description":"My admin role description","metadata":{"version":1},"transient_metadata":{"enabled":true},"elasticsearch":{"cluster":["all"],"indices":[{"names":["index1","index2"],"privileges":["all"],"field_security":{"grant":["title","body"]},"query":"{\\\"match\\\": {\\\"title\\\": \\\"foo\\\"}}"}]},"kibana":[]}]},"get_role_response1":{"summary":"Get role details","value":{"name":"my_kibana_role","description":"Grants all cluster privileges and full access to index1 and index2. Grants full access to remote_index1 and remote_index2, and the monitor_enrich cluster privilege on remote_cluster1. Grants all Kibana privileges in the default space.","metadata":{"version":1},"transient_metadata":{"enabled":true},"elasticsearch":{"cluster":["all"],"remote_cluster":[{"privileges":["monitor_enrich"],"clusters":["remote_cluster1"]}],"indices":[{"names":["index1","index2"],"privileges":["all"],"allow_restricted_indices":false}],"remote_indices":[{"names":["remote_index1","remote_index2"],"privileges":["all"],"allow_restricted_indices":false,"clusters":["remote_cluster1"]}],"run_as":[]},"kibana":[{"base":["all"],"feature":{},"spaces":["default"]}],"_transform_error":[],"_unrecognized_applications":[]}},"create_role_request1":{"summary":"Feature privileges in multiple spaces","description":"Grant access to various features in some spaces.","value":{"description":"Grant full access to discover and dashboard features in the default space. Grant read access in the marketing, and sales spaces.","metadata":{"version":1},"elasticsearch":{"cluster":[],"indices":[]},"kibana":[{"base":[],"feature":{"discover":["all"],"dashboard":["all"]},"spaces":["default"]},{"base":["read"],"spaces":["marketing","sales"]}]}},"create_role_request2":{"summary":"Dashboard privileges in a space","description":"Grant access to dashboard features in a Marketing space.","value":{"description":"Grant dashboard access in the Marketing space.","metadata":{"version":1},"elasticsearch":{"cluster":[],"indices":[]},"kibana":[{"base":[],"feature":{"dashboard":["read"]},"spaces":["marketing"]}]}},"create_role_request3":{"summary":"Feature privileges in a space","description":"Grant full access to all features in the default space.","value":{"metadata":{"version":1},"elasticsearch":{"cluster":[],"indices":[]},"kibana":[{"base":["all"],"feature":{},"spaces":["default"]}]}},"create_role_request4":{"summary":"Elasticsearch and Kibana feature privileges","description":"Grant Elasticsearch and Kibana feature privileges.","value":{"description":"Grant all cluster privileges and full access to index1 and index2. Grant full access to remote_index1 and remote_index2, and the monitor_enrich cluster privilege on remote_cluster1. Grant all Kibana privileges in the default space.","metadata":{"version":1},"elasticsearch":{"cluster":["all"],"indices":[{"names":["index1","index2"],"privileges":["all"]}],"remote_indices":[{"clusters":["remote_cluster1"],"names":["remote_index1","remote_index2"],"privileges":["all"]}],"remote_cluster":[{"clusters":["remote_cluster1"],"privileges":["monitor_enrich"]}]},"kibana":[{"base":["all"],"feature":{},"spaces":["default"]}]}},"copy_saved_objects_request1":{"summary":"Copy with createNewCopies","description":"Copy a dashboard with the my-dashboard ID, including all references from the default space to the marketing space. In this example, the dashboard has a reference to a visualization and that has a reference to a data view.\n","value":{"objects":[{"type":"dashboard","id":"my-dashboard"}],"spaces":["marketing"],"includeReferences":true}},"copy_saved_objects_request2":{"summary":"Copy without createNewCopies","description":"Copy a dashboard with the my-dashboard ID, including all references from the default space to the marketing space. In this example, the dashboard has a reference to a visualization and that has a reference to a data view.\n","value":{"objects":[{"type":"dashboard","id":"my-dashboard"}],"spaces":["marketing"],"includeReferences":true,"createNewCopies":false}},"copy_saved_objects_response1":{"summary":"Copy with createNewCopies","description":"The response for successfully copying a dashboard with the my-dashboard ID, including all references from the default space to the marketing space. The result indicates a successful copy and all three objects are created. Since these objects were created as new copies, each entry in the successResults array includes a destinationId attribute.\n","value":{"marketing":{"success":true,"successCount":3,"successResults":[{"id":"my-dashboard","type":"dashboard","destinationId":"1e127098-5b80-417f-b0f1-c60c8395358f","meta":{"icon":"dashboardApp","title":"Look at my dashboard"}},{"id":"my-vis","type":"visualization","destinationId":"a610ed80-1c73-4507-9e13-d3af736c8e04","meta":{"icon":"visualizeApp","title":"Look at my visualization"}},{"id":"my-index-pattern","type":"index-pattern","destinationId":"bc3c9c70-bf6f-4bec-b4ce-f4189aa9e26b","meta":{"icon":"indexPatternApp","title":"my-pattern-*"}}]}}},"copy_saved_objects_response2":{"summary":"Copy without createNewCopies","description":"The response for successfully copying a dashboard with the my-dashboard ID with createNewCopies turned off. The result indicates a successful copy and all three objects are created.\n","value":{"marketing":{"success":true,"successCount":3,"successResults":[{"id":"my-dashboard","type":"dashboard","meta":{"icon":"dashboardApp","title":"Look at my dashboard"}},{"id":"my-vis","type":"visualization","meta":{"icon":"visualizeApp","title":"Look at my visualization"}},{"id":"my-index-pattern","type":"index-pattern","meta":{"icon":"indexPatternApp","title":"my-pattern-*"}}]}}},"copy_saved_objects_response3":{"summary":"Failed copy response with conflict errors","description":"A response for a failed copy of a dashboard with the my-dashboard ID including all references from the default space to the marketing and sales spaces. In this example, the dashboard has a reference to a visualization and a Canvas workpad and the visualization has a reference to an index pattern. The result indicates a successful copy for the marketing space and an unsuccessful copy for the sales space because the data view, visualization, and Canvas workpad each resulted in a conflict error. Objects are created when the error is resolved using the resolve copy conflicts API.\n","value":{"marketing":{"success":true,"successCount":4,"successResults":[{"id":"my-dashboard","type":"dashboard","meta":{"icon":"dashboardApp","title":"Look at my dashboard"}},{"id":"my-vis","type":"visualization","meta":{"icon":"visualizeApp","title":"Look at my visualization"}},{"id":"my-canvas","type":"canvas-workpad","meta":{"icon":"canvasApp","title":"Look at my canvas"}},{"id":"my-index-pattern","type":"index-pattern","meta":{"icon":"indexPatternApp","title":"my-pattern-*"}}]},"sales":{"success":false,"successCount":"1,","errors":[{"id":"my-pattern","type":"index-pattern","title":"my-pattern-*","error":{"type":"conflict"},"meta":{"icon":"indexPatternApp","title":"my-pattern-*"}},{"id":"my-visualization","type":"my-vis","title":"Look at my visualization","error":{"type":"conflict","destinationId":"another-vis"},"meta":{"icon":"visualizeApp","title":"Look at my visualization"}},{"id":"my-canvas","type":"canvas-workpad","title":"Look at my canvas","error":{"type":"ambiguous_conflict","destinations":[{"id":"another-canvas","title":"Look at another canvas","updatedAt":"2020-07-08T16:36:32.377Z"},{"id":"yet-another-canvas","title":"Look at yet another canvas","updatedAt":"2020-07-05T12:29:54.849Z"}]},"meta":{"icon":"canvasApp","title":"Look at my canvas"}}],"successResults\"":[{"id":"my-dashboard","type":"dashboard","meta":{"icon":"dashboardApp","title":"Look at my dashboard"}}]}}},"copy_saved_objects_response4":{"summary":"Failed copy with missing reference errors","description":"The response for successfully copying a dashboard with the my-dashboard ID, including all references from the default space to the marketing space. In this example, the dashboard has a reference to a visualization and a Canvas workpad and the visualization has a reference to a data view. The result indicates an unsuccessful copy because the visualization resulted in a missing references error. Objects are created when the errors are resolved using the resolve copy conflicts API.\n","value":{"marketing":{"success":false,"successCount":2,"errors":[{"id":"my-vis","type":"visualization","title":"Look at my visualization","error":{"type":"missing_references","references":[{"type":"index-pattern","id":"my-pattern-*"}]},"meta":{"icon":"visualizeApp","title":"Look at my visualization"}}],"successResults":[{"id":"my-dashboard","type":"dashboard","meta":{"icon":"dashboardApp","title":"Look at my dashboard"}},{"id":"my-canvas","type":"canvas-workpad","meta":{"icon":"canvasApp","title":"Look at my canvas"}}]}}},"disable_legacy_url_request1":{"summary":"Disable legacy URL aliases","description":"This request leaves the alias intact but the legacy URL for this alias (http://localhost:5601/s/bills-space/app/dashboards#/view/123) will no longer function. The dashboard still exists and you can access it with the new URL.\n","value":{"aliases":[{"targetSpace":"bills-space","targetType":"dashboard","sourceId":123}]}},"resolve_copy_saved_objects_request1":{"summary":"Resolve conflict errors","description":"Resolve conflict errors for a data view, visualization, and Canvas workpad by overwriting the existing saved objects. NOTE: If a prior copy attempt resulted in resolvable errors, you must include a retry for each object you want to copy, including any that were returned in the successResults array. In this example, we retried copying the dashboard accordingly.\n","value":{"objects":[{"type":"dashboard","id":"my-dashboard"}],"includeReferences":true,"createNewCopies":false,"retries":{"sales":[{"type":"index-pattern","id":"my-pattern","overwrite":true},{"type":"visualization","id":"my-vis","overwrite":"true,","destinationId":"another-vis"},{"type":"canvas","id":"my-canvas","overwrite":true,"destinationId":"yet-another-canvas"},{"type":"dashboard","id":"my-dashboard"}]}}},"resolve_copy_saved_objects_request2":{"summary":"Resolve missing reference errors","description":"Resolve missing reference errors for a visualization by ignoring the error. NOTE: If a prior copy attempt resulted in resolvable errors, you must include a retry for each object you want to copy, including any that were returned in the successResults array. In this example, we retried copying the dashboard and canvas accordingly.\n","value":{"objects":[{"type":"dashboard","id":"my-dashboard"}],"includeReferences":true,"createNewCopies":false,"retries":{"marketing":[{"type":"visualization","id":"my-vis","ignoreMissingReferences":true},{"type":"canvas","id":"my-canvas"},{"type":"dashboard","id":"my-dashboard"}]}}},"update_saved_objects_spaces_request1":{"summary":"Update saved object spaces","description":"Update the spaces of each saved object and all its references.","value":{"objects":[{"type":"index-pattern","id":"90943e30-9a47-11e8-b64d-95841ca0b247"}],"spacesToAdd":["test"],"spacesToRemove":[]}},"update_saved_objects_spaces_response1":{"summary":"Update saved object spaces","description":"The response from updating the spaces of saved objects.\n","value":{"objects":[{"type":"index-pattern","id":"90943e30-9a47-11e8-b64d-95841ca0b247","spaces":["default","test"]}]}},"get_spaces_response1":{"summary":"Get all spaces","description":"Get all spaces without specifying any options.","value":[{"id":"default","name":"Default","description":"This is the Default Space","disabledFeatures":[],"imageUrl":"","_reserved":true},{"id":"marketing","name":"Marketing","description":"This is the Marketing Space","color":null,"disabledFeatures":["apm"],"initials":"MK","imageUrl":"data:image/png;base64,iVBORw0KGgoAAAANSU"},{"id":"sales","name":"Sales","initials":"MK","disabledFeatures":["discover"],"imageUr\"":"","solution":"oblt"}]},"get_spaces_response2":{"summary":"Get all spaces with custom options","description":"The user has read-only access to the Sales space. Get all spaces with the following query parameters: \"purpose=shareSavedObjectsIntoSpace\u0026include_authorized_purposes=true\"\n","value":[{"id":"default","name":"Default","description":"This is the Default Space","disabledFeatures":[],"imageUrl":"","_reserved":true,"authorizedPurposes":{"any":true,"copySavedObjectsIntoSpace":true,"findSavedObjects":true,"shareSavedObjectsIntoSpace":true}},{"id":"marketing","name":"Marketing","description":"This is the Marketing Space","color":null,"disabledFeatures":["apm"],"initials":"MK","imageUrl":"data:image/png;base64,iVBORw0KGgoAAAANSU","authorizedPurposes":{"any":true,"copySavedObjectsIntoSpace":true,"findSavedObjects":true,"shareSavedObjectsIntoSpace":true}},{"id":"sales","name":"Sales","initials":"MK","disabledFeatures":["discover"],"imageUrl":"","authorizedPurposes":{"any":true,"copySavedObjectsIntoSpace":false,"findSavedObjects":true,"shareSavedObjectsIntoSpace":false}}]},"create_space_request":{"summary":"Create a marketing space","value":{"id":"marketing","name":"Marketing","description":"This is the Marketing Space","color":null,"initials":"MK","disabledFeatures":[],"imageUrl":"data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAD4AAABACAYAAABC6cT1AAAGf0lEQVRoQ+3abYydRRUH8N882xYo0IqagEVjokQJKAiKBjXExC9G/aCkGowCIghCkRcrVSSKIu/FEiqgGL6gBIlAYrAqUTH6hZgQFVEMKlQFfItWoQWhZe8z5uzMLdvbfbkLxb13d+fbvfe588x/zpn/+Z9zJpmnI81T3BaAzzfLL1h8weLzZAcWXH2eGHo7zAWLL1h8nuzAjFw9G1N6Kzq8HnuM36MR8iibF3Fv4q+7cv8yDV6K13bYq2furSP8Ag8ncr/vnSnwRViJT2GfCV7yL1yHGxLb+l3EdM9lluNEnIC9xz+f2ZL4Er6Z2DrdXN3fZwp8CU7OfDHxggle8lTLbQ1nJ/7Z7yKmey5zYGZt4h2IzR8/trRc2PDlxJPTzfVcgJ+CC0wMPOa9F6cm7up3EVM9V9386MxliVdM8GwAv6hh/awCz/w7lY25OtF5ruBz4ZLP42NYNrDAFbC3YPWuILnMAfgq3oaRQQYea/stViV+sgssvjKzLvGySeaaNVfP4d7Btokgvxj/bblgpueuF1hmWcyTCmfE3J3M1lTcv0vMswM88zR+jpw4osu6me8kzkpsfLZWzxyRuabO22buxxOJ12FxnXfWgEe83pB5sOE47BsLymzscOoi7nw2JJfZreUjiUsTyzKPZm5NvBDvSuw268AzNzV8H5/Am+qCnsAXgpgSW2Zq9cyKlksbPlTd+te4quWNieMHBfiNDdciYnwsdI/MaOaWhnMTf54J8CqNj8x8JXFIZltYu+HqlmNT8YSBsHgAPw/vxvlVV4du/s0oaxbxg0TbL/jMni0nNcVjQq7+HZfgtpbzBg342TgQ63AkmsymxBW4IjE6A+D7Vzd/fyWxIM/VuCe+HzTgZ2Jpy/kNJ2FJLmLm24mPJ/42A+Bvrxt4SISwlhsaPodH26LZB8rVA3inwwebsrixJCZzX+KMxI/7AV61eVh3DV6Mx3EOvh4kN6jAg8nfUCXm4d1wE66OyxNPTQc+s3/o/MoXizL3JE5O3F3P/uBZPPF4Zr+Wi5uSO48ZPRdyCwn7YB/A35m5KhWNHox4fcNnIs0ddOCRSBxf8+cQG+Huf0l8NJVYP+nI7NXy2ar4QqIGm69JfKPOE2w/mBavCzwM11R2D+ChsUO7hyUfmwx55qDM1xJvqZ7y08TpifuGBfjeURVJnNIVGpkNiXNS0ds7jcySDitDCCWW56LJ10fRo8sNA+3qXUSZD2CtQlZh9T+1rB7h9oliembflnMbzqgSNZKbKGHdPm7OwXb1CvQ1metSETMpszmzvikCJNh/h5E5PHNl4qga/+/cxqrdeWDYgIe7X5L4cGJPJX2940lOX8pD41FnFnc4riluvQKbK0dcHJFi2IBHNTQSlguru4d2/wPOTNzRA3x5y+U1E1uqWDkETOT026XuUJzx6u7ReLhSYenQ7uHua0fKZmwfmcPqsQjxE5WVONcRxn7X89zgn/EKPMRMxOVQXmP18Mx3q3b/Y/0cQE/IhFtHESMsHFlZ1Ml3CH3DZPHImY+pxcKumNmYirtvqMBfhMuU6s3iqOQkTsMPe1tCQwO8Ajs0lxr7W+vnp1MJc9EgCNd/cy6x+9D4veXmprj5wxMw/3C4egW6zzgZOlYZzfwo3F2J7ael0pJamvlPKgWNKFft1AAcKotXoFEbD7kaoSoQPVKB35+5KHF0lai/rJo+up87jWEE/qqqwY+qrL21LWLm95lPJ16ppKw31XC3PXYPJauPEx7B6BHCgrSizRs18qiaRp8tlN3ueCTYPHH9RNaunjI8Z7wLYpT3jZSCYXQ8e9vTsRE/q+no3XMKeObgGtaintbb/AvXj4JDkNw/5hrwYPfIvlZFUbLn7G5q+eQIN09Vnho6cqvnM/Lt99RixH49wO8K0ZL41WTWHoQzvsNVkOheZqKhEGpsp3SzB+BBtZAYve7uOR9tuTaaB6l0XScdYfEQPpkTUyHEGP+XqyDBzu+NBCITUjNWHynkrbWKOuWFn1xKzqsyx0bdvS78odp0+N503Zao0uCsWuSIDku8/7EO60b41vN5+Ses9BKlTdvd8bhp9EBvJjWJAIn/vxwHe6b3tSk6JFPV4nq85oAOrx555v/x/rh3E6Lo+bnuNS4uB4Cuq0ZfvO8X1rM6q/+vnjLVqZq7v83onttc2oYF4HPJmv1gWbB4P7s0l55ZsPhcsmY/WBYs3s8uzaVn5q3F/wf70mRuBCtbjQAAAABJRU5ErkJggg=="}},"get_space_response":{"summary":"Get details about a marketing space","value":{"id":"marketing","name":"Marketing","description":"This is the Marketing Space","color":null,"initials":"MK","disabledFeatures":[],"imageUrl":"","solution":"es"}},"update_space_request":{"summary":"Update a marketing space","description":"Update the marketing space to remove the imageUrl.","value":{"id":"marketing","name":"Marketing","description":"This is the Marketing Space","color":null,"initials":"MK","disabledFeatures":[],"imageUrl":""}}},"parameters":{"APM_UI_elastic_api_version":{"description":"The version of the API to use","in":"header","name":"elastic-api-version","required":true,"schema":{"default":"2023-10-31","enum":["2023-10-31"],"type":"string"}},"APM_UI_kbn_xsrf":{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},"Cases_alert_id":{"description":"An identifier for the alert.","in":"path","name":"alertId","required":true,"schema":{"example":"09f0c261e39e36351d75995b78bb83673774d1bc2cca9df2d15f0e5c0a99a540","type":"string"}},"Cases_assignees_filter":{"description":"Filters the returned cases by assignees. Valid values are `none` or unique identifiers for the user profiles. These identifiers can be found by using the suggest user profile API.\n","in":"query","name":"assignees","schema":{"oneOf":[{"$ref":"#/components/schemas/Cases_string"},{"$ref":"#/components/schemas/Cases_string_array"}]}},"Cases_case_id":{"description":"The identifier for the case. To retrieve case IDs, use the search cases (`_find)` API. All non-ASCII characters must be URL encoded.","in":"path","name":"caseId","required":true,"schema":{"example":"9c235210-6834-11ea-a78c-6ffb38a34414","type":"string"}},"Cases_category":{"description":"Filters the returned cases by category.","in":"query","name":"category","schema":{"oneOf":[{"$ref":"#/components/schemas/Cases_case_category"},{"$ref":"#/components/schemas/Cases_case_categories"}]}},"Cases_comment_id":{"description":"The identifier for the comment. To retrieve comment IDs, use the get case or search cases (`_find`) APIs.\n","in":"path","name":"commentId","required":true,"schema":{"example":"71ec1870-725b-11ea-a0b2-c51ea50a58e2","type":"string"}},"Cases_configuration_id":{"description":"An identifier for the configuration.","in":"path","name":"configurationId","required":true,"schema":{"example":"3297a0f0-b5ec-11ec-b141-0fdb20a7f9a9","type":"string"}},"Cases_connector_id":{"description":"An identifier for the connector. To retrieve connector IDs, use the find connectors API.","in":"path","name":"connectorId","required":true,"schema":{"example":"abed3a70-71bd-11ea-a0b2-c51ea50a58e2","type":"string"}},"Cases_defaultSearchOperator":{"description":"he default operator to use for the simple_query_string.","example":"OR","in":"query","name":"defaultSearchOperator","schema":{"default":"OR","type":"string"}},"Cases_from":{"description":"Returns only cases that were created after a specific date. The date must be specified as a KQL data range or date match expression.\n","in":"query","name":"from","schema":{"example":"now-1d","type":"string"}},"Cases_ids":{"description":"The cases that you want to removed. To get the case identifiers, use the search cases (`_find`) API. In the Dev Console, you can specify the array of cases in the following format: `ids=[\"e58e77e3-ef8e-4251-926f-efb115f3c4ec\"]`. In `curl`, all non-ASCII characters must be URL encoded. For example: `ids=%5B%22e58e77e3-ef8e-4251-926f-efb115f3c4ec%22%5D`\n","in":"query","name":"ids","required":true,"schema":{"items":{"example":"d4e7abb0-b462-11ec-9a8d-698504725a43","maxItems":100,"minItems":1,"type":"string"},"type":"array"}},"Cases_includeComments":{"deprecated":true,"description":"Deprecated in 8.1.0. This parameter is deprecated and will be removed in a future release. It determines whether case comments are returned.","in":"query","name":"includeComments","schema":{"default":true,"type":"boolean"}},"Cases_kbn_xsrf":{"description":"Cross-site request forgery protection","in":"header","name":"kbn-xsrf","required":true,"schema":{"type":"string"}},"Cases_owner_filter":{"description":"A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read.\n","example":"cases","in":"query","name":"owner","schema":{"oneOf":[{"$ref":"#/components/schemas/Cases_owner"},{"$ref":"#/components/schemas/Cases_owners"}]}},"Cases_page_index":{"description":"The page number to return.","in":"query","name":"page","required":false,"schema":{"default":1,"type":"integer"}},"Cases_page_size":{"description":"The number of items to return. Limited to 100 items.","in":"query","name":"perPage","required":false,"schema":{"default":20,"maximum":100,"type":"integer"}},"Cases_reporters":{"description":"Filters the returned cases by the user name of the reporter.","example":"elastic","in":"query","name":"reporters","schema":{"oneOf":[{"$ref":"#/components/schemas/Cases_string"},{"$ref":"#/components/schemas/Cases_string_array"}]}},"Cases_search":{"description":"An Elasticsearch simple_query_string query that filters the objects in the response.","in":"query","name":"search","schema":{"type":"string"}},"Cases_searchFields":{"description":"The fields to perform the simple_query_string parsed query against.","in":"query","name":"searchFields","schema":{"oneOf":[{"$ref":"#/components/schemas/Cases_searchFieldsType"},{"$ref":"#/components/schemas/Cases_searchFieldsTypeArray"}]}},"Cases_severity":{"description":"The severity of the case.","in":"query","name":"severity","schema":{"enum":["critical","high","low","medium"],"type":"string"}},"Cases_sort_order":{"description":"Determines the sort order.","in":"query","name":"sortOrder","required":false,"schema":{"default":"desc","enum":["asc","desc"],"type":"string"}},"Cases_sortField":{"description":"Determines which field is used to sort the results.","example":"updatedAt","in":"query","name":"sortField","schema":{"default":"createdAt","enum":["createdAt","updatedAt","closedAt","title","category","status","severity"],"type":"string"}},"Cases_status":{"description":"Filters the returned cases by state.","example":"open","in":"query","name":"status","schema":{"enum":["closed","in-progress","open"],"type":"string"}},"Cases_tags":{"description":"Filters the returned cases by tags.","example":"tag-1","in":"query","name":"tags","schema":{"oneOf":[{"$ref":"#/components/schemas/Cases_string"},{"$ref":"#/components/schemas/Cases_string_array"}]}},"Cases_to":{"description":"Returns only cases that were created before a specific date. The date must be specified as a KQL data range or date match expression.\n","example":"now+1d","in":"query","name":"to","schema":{"type":"string"}},"Cases_user_action_types":{"description":"Determines the types of user actions to return.","in":"query","name":"types","schema":{"items":{"enum":["action","alert","assignees","attachment","comment","connector","create_case","description","pushed","settings","severity","status","tags","title","user"],"example":"create_case","type":"string"},"type":"array"}},"Data_views_field_name":{"description":"The name of the runtime field.","in":"path","name":"fieldName","required":true,"schema":{"example":"hour_of_day","type":"string"}},"Data_views_kbn_xsrf":{"description":"Cross-site request forgery protection","in":"header","name":"kbn-xsrf","required":true,"schema":{"type":"string"}},"Data_views_view_id":{"description":"An identifier for the data view.","in":"path","name":"viewId","required":true,"schema":{"example":"ff959d40-b880-11e8-a6d9-e546fe2bba5f","type":"string"}},"Machine_learning_APIs_simulateParam":{"description":"When true, simulates the synchronization by returning only the list of actions that would be performed.","example":"true","in":"query","name":"simulate","required":false,"schema":{"type":"boolean"}},"Saved_objects_kbn_xsrf":{"description":"Cross-site request forgery protection","in":"header","name":"kbn-xsrf","required":true,"schema":{"type":"string"}},"Saved_objects_saved_object_id":{"description":"An identifier for the saved object.","in":"path","name":"id","required":true,"schema":{"type":"string"}},"Saved_objects_saved_object_type":{"description":"Valid options include `visualization`, `dashboard`, `search`, `index-pattern`, `config`.","in":"path","name":"type","required":true,"schema":{"type":"string"}},"Short_URL_APIs_idParam":{"description":"The identifier for the short URL.","in":"path","name":"id","required":true,"schema":{"type":"string"}},"SLOs_kbn_xsrf":{"description":"Cross-site request forgery protection","in":"header","name":"kbn-xsrf","required":true,"schema":{"type":"string"}},"SLOs_slo_id":{"description":"An identifier for the slo.","in":"path","name":"sloId","required":true,"schema":{"example":"9c235211-6834-11ea-a78c-6feb38a34414","type":"string"}},"SLOs_space_id":{"description":"An identifier for the space. If `/s/` and the identifier are omitted from the path, the default space is used.","in":"path","name":"spaceId","required":true,"schema":{"example":"default","type":"string"}}},"schemas":{"Alerting_401_response":{"properties":{"error":{"enum":["Unauthorized"],"example":"Unauthorized","type":"string"},"message":{"type":"string"},"statusCode":{"enum":[401],"example":401,"type":"integer"}},"title":"Unsuccessful rule API response","type":"object"},"Alerting_fieldmap_properties":{"title":"Field map objects in the get rule types response","type":"object","properties":{"array":{"description":"Indicates whether the field is an array.","type":"boolean"},"dynamic":{"description":"Indicates whether it is a dynamic field mapping.","type":"boolean"},"format":{"description":"Indicates the format of the field. For example, if the `type` is `date_range`, the `format` can be `epoch_millis||strict_date_optional_time`.\n","type":"string"},"ignore_above":{"description":"Specifies the maximum length of a string field. Longer strings are not indexed or stored.","type":"integer"},"index":{"description":"Indicates whether field values are indexed.","type":"boolean"},"path":{"description":"TBD","type":"string"},"properties":{"additionalProperties":{"type":"object","properties":{"type":{"description":"The data type for each object property.","type":"string"}}},"description":"Details about the object properties. This property is applicable when `type` is `object`.\n","type":"object"},"required":{"description":"Indicates whether the field is required.","type":"boolean"},"scaling_factor":{"description":"The scaling factor to use when encoding values. This property is applicable when `type` is `scaled_float`. Values will be multiplied by this factor at index time and rounded to the closest long value. \n","type":"integer"},"type":{"description":"Specifies the data type for the field.","example":"scaled_float","type":"string"}}},"APM_UI_400_response":{"type":"object","properties":{"error":{"description":"Error type","example":"Not Found","type":"string"},"message":{"description":"Error message","example":"Not Found","type":"string"},"statusCode":{"description":"Error status code","example":400,"type":"number"}}},"APM_UI_401_response":{"type":"object","properties":{"error":{"description":"Error type","example":"Unauthorized","type":"string"},"message":{"description":"Error message","type":"string"},"statusCode":{"description":"Error status code","example":401,"type":"number"}}},"APM_UI_403_response":{"type":"object","properties":{"error":{"description":"Error type","example":"Forbidden","type":"string"},"message":{"description":"Error message","type":"string"},"statusCode":{"description":"Error status code","example":403,"type":"number"}}},"APM_UI_404_response":{"type":"object","properties":{"error":{"description":"Error type","example":"Not Found","type":"string"},"message":{"description":"Error message","example":"Not Found","type":"string"},"statusCode":{"description":"Error status code","example":404,"type":"number"}}},"APM_UI_500_response":{"type":"object","properties":{"error":{"description":"Error type","example":"Internal Server Error","type":"string"},"message":{"description":"Error message","type":"string"},"statusCode":{"description":"Error status code","example":500,"type":"number"}}},"APM_UI_501_response":{"type":"object","properties":{"error":{"description":"Error type","example":"Not Implemented","type":"string"},"message":{"description":"Error message","example":"Not Implemented","type":"string"},"statusCode":{"description":"Error status code","example":501,"type":"number"}}},"APM_UI_agent_configuration_intake_object":{"type":"object","properties":{"agent_name":{"description":"The agent name is used by the UI to determine which settings to display.","type":"string"},"service":{"$ref":"#/components/schemas/APM_UI_service_object"},"settings":{"$ref":"#/components/schemas/APM_UI_settings_object"}},"required":["service","settings"]},"APM_UI_agent_configuration_object":{"description":"Agent configuration","type":"object","properties":{"@timestamp":{"description":"Timestamp","example":1730194190636,"type":"number"},"agent_name":{"description":"Agent name","type":"string"},"applied_by_agent":{"description":"Applied by agent","example":true,"type":"boolean"},"etag":{"description":"`etag` is sent by the APM agent to indicate the `etag` of the last successfully applied configuration. If the `etag` matches an existing configuration its `applied_by_agent` property will be set to `true`. Every time a configuration is edited `applied_by_agent` is reset to `false`.\n","example":"0bc3b5ebf18fba8163fe4c96f491e3767a358f85","type":"string"},"service":{"$ref":"#/components/schemas/APM_UI_service_object"},"settings":{"$ref":"#/components/schemas/APM_UI_settings_object"}},"required":["service","settings","@timestamp","etag"]},"APM_UI_agent_configurations_response":{"type":"object","properties":{"configurations":{"description":"Agent configuration","items":{"$ref":"#/components/schemas/APM_UI_agent_configuration_object"},"type":"array"}}},"APM_UI_agent_keys_object":{"type":"object","properties":{"name":{"description":"The name of the APM agent key.","type":"string"},"privileges":{"description":"The APM agent key privileges. It can take one or more of the following values:\n* `event:write`, which is required for ingesting APM agent events. * `config_agent:read`, which is required for APM agents to read agent configuration remotely.\n","items":{"enum":["event:write","config_agent:read"],"type":"string"},"type":"array"}},"required":["name","privileges"]},"APM_UI_agent_keys_response":{"type":"object","properties":{"agentKey":{"description":"Agent key","type":"object","properties":{"api_key":{"type":"string"},"encoded":{"type":"string"},"expiration":{"format":"int64","type":"integer"},"id":{"type":"string"},"name":{"type":"string"}},"required":["id","name","api_key","encoded"]}}},"APM_UI_annotation_search_response":{"type":"object","properties":{"annotations":{"description":"Annotations","items":{"type":"object","properties":{"@timestamp":{"type":"number"},"id":{"type":"string"},"text":{"type":"string"},"type":{"enum":["version"],"type":"string"}}},"type":"array"}}},"APM_UI_base_source_map_object":{"type":"object","properties":{"compressionAlgorithm":{"description":"Compression Algorithm","type":"string"},"created":{"description":"Created date","type":"string"},"decodedSha256":{"description":"Decoded SHA-256","type":"string"},"decodedSize":{"description":"Decoded size","type":"number"},"encodedSha256":{"description":"Encoded SHA-256","type":"string"},"encodedSize":{"description":"Encoded size","type":"number"},"encryptionAlgorithm":{"description":"Encryption Algorithm","type":"string"},"id":{"description":"Identifier","type":"string"},"identifier":{"description":"Identifier","type":"string"},"packageName":{"description":"Package name","type":"string"},"relative_url":{"description":"Relative URL","type":"string"},"type":{"description":"Type","type":"string"}}},"APM_UI_create_annotation_object":{"type":"object","properties":{"@timestamp":{"description":"The date and time of the annotation. It must be in ISO 8601 format.","type":"string"},"message":{"description":"The message displayed in the annotation. It defaults to `service.version`.","type":"string"},"service":{"description":"The service that identifies the configuration to create or update.","type":"object","properties":{"environment":{"description":"The environment of the service.","type":"string"},"version":{"description":"The version of the service.","type":"string"}},"required":["version"]},"tags":{"description":"Tags are used by the Applications UI to distinguish APM annotations from other annotations. Tags may have additional functionality in future releases. It defaults to `[apm]`. While you can add additional tags, you cannot remove the `apm` tag.\n","items":{"type":"string"},"type":"array"}},"required":["@timestamp","service"]},"APM_UI_create_annotation_response":{"type":"object","properties":{"_id":{"description":"Identifier","type":"string"},"_index":{"description":"Index","type":"string"},"_source":{"description":"Response","type":"object","properties":{"@timestamp":{"type":"string"},"annotation":{"type":"object","properties":{"title":{"type":"string"},"type":{"type":"string"}}},"event":{"type":"object","properties":{"created":{"type":"string"}}},"message":{"type":"string"},"service":{"type":"object","properties":{"environment":{"type":"string"},"name":{"type":"string"},"version":{"type":"string"}}},"tags":{"items":{"type":"string"},"type":"array"}}}}},"APM_UI_delete_agent_configurations_response":{"type":"object","properties":{"result":{"description":"Result","type":"string"}}},"APM_UI_delete_service_object":{"description":"Service","type":"object","properties":{"service":{"$ref":"#/components/schemas/APM_UI_service_object"}},"required":["service"]},"APM_UI_search_agent_configuration_object":{"type":"object","properties":{"etag":{"description":"If etags match then `applied_by_agent` field will be set to `true`","example":"0bc3b5ebf18fba8163fe4c96f491e3767a358f85","type":"string"},"mark_as_applied_by_agent":{"description":"`markAsAppliedByAgent=true` means \"force setting it to true regardless of etag\".\nThis is needed for Jaeger agent that doesn't have etags\n","type":"boolean"},"service":{"$ref":"#/components/schemas/APM_UI_service_object"}},"required":["service"]},"APM_UI_search_agent_configuration_response":{"type":"object","properties":{"_id":{"description":"Identifier","type":"string"},"_index":{"description":"Index","type":"string"},"_score":{"description":"Score","type":"number"},"_source":{"$ref":"#/components/schemas/APM_UI_agent_configuration_object"}}},"APM_UI_service_agent_name_response":{"type":"object","properties":{"agentName":{"description":"Agent name","example":"nodejs","type":"string"}}},"APM_UI_service_environment_object":{"type":"object","properties":{"alreadyConfigured":{"description":"Already configured","type":"boolean"},"name":{"description":"Service environment name","example":"ALL_OPTION_VALUE","type":"string"}}},"APM_UI_service_environments_response":{"type":"object","properties":{"environments":{"description":"Service environment list","items":{"$ref":"#/components/schemas/APM_UI_service_environment_object"},"type":"array"}}},"APM_UI_service_object":{"description":"Service","type":"object","properties":{"environment":{"description":"The environment of the service.","example":"prod","type":"string"},"name":{"description":"The name of the service.","example":"node","type":"string"}}},"APM_UI_settings_object":{"additionalProperties":{"type":"string"},"description":"Agent configuration settings","type":"object"},"APM_UI_single_agent_configuration_response":{"allOf":[{"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},{"$ref":"#/components/schemas/APM_UI_agent_configuration_object"}]},"APM_UI_source_maps_response":{"type":"object","properties":{"artifacts":{"description":"Artifacts","items":{"allOf":[{"type":"object","properties":{"body":{"type":"object","properties":{"bundleFilepath":{"type":"string"},"serviceName":{"type":"string"},"serviceVersion":{"type":"string"},"sourceMap":{"type":"object","properties":{"file":{"type":"string"},"mappings":{"type":"string"},"sourceRoot":{"type":"string"},"sources":{"items":{"type":"string"},"type":"array"},"sourcesContent":{"items":{"type":"string"},"type":"array"},"version":{"type":"number"}}}}}}},{"$ref":"#/components/schemas/APM_UI_base_source_map_object"}]},"type":"array"}}},"APM_UI_upload_source_map_object":{"type":"object","properties":{"bundle_filepath":{"description":"The absolute path of the final bundle as used in the web application.","type":"string"},"service_name":{"description":"The name of the service that the service map should apply to.","type":"string"},"service_version":{"description":"The version of the service that the service map should apply to.","type":"string"},"sourcemap":{"description":"The source map. It can be a string or file upload. It must follow the\n[source map format specification](https://tc39.es/ecma426/).\n","format":"binary","type":"string"}},"required":["service_name","service_version","bundle_filepath","sourcemap"]},"APM_UI_upload_source_maps_response":{"allOf":[{"type":"object","properties":{"body":{"type":"string"}}},{"$ref":"#/components/schemas/APM_UI_base_source_map_object"}]},"Cases_4xx_response":{"properties":{"error":{"example":"Unauthorized","type":"string"},"message":{"type":"string"},"statusCode":{"example":401,"type":"integer"}},"title":"Unsuccessful cases API response","type":"object"},"Cases_actions":{"enum":["add","create","delete","push_to_service","update"],"example":"create","type":"string"},"Cases_add_alert_comment_request_properties":{"description":"Defines properties for case comment requests when type is alert.","type":"object","properties":{"alertId":{"$ref":"#/components/schemas/Cases_alert_identifiers"},"index":{"$ref":"#/components/schemas/Cases_alert_indices"},"owner":{"$ref":"#/components/schemas/Cases_owner"},"rule":{"$ref":"#/components/schemas/Cases_rule"},"type":{"description":"The type of comment.","enum":["alert"],"example":"alert","type":"string"}},"required":["alertId","index","owner","rule","type"],"title":"Add case comment request properties for alerts"},"Cases_add_case_comment_request":{"description":"The add comment to case API request body varies depending on whether you are adding an alert or a comment.","discriminator":{"mapping":{"alert":"#/components/schemas/Cases_add_alert_comment_request_properties","user":"#/components/schemas/Cases_add_user_comment_request_properties"},"propertyName":"type"},"oneOf":[{"$ref":"#/components/schemas/Cases_add_alert_comment_request_properties"},{"$ref":"#/components/schemas/Cases_add_user_comment_request_properties"}],"title":"Add case comment request"},"Cases_add_case_file_request":{"description":"Defines the file that will be attached to the case. Optional parameters will be generated automatically from the file metadata if not defined.","type":"object","properties":{"file":{"description":"The file being attached to the case.","format":"binary","type":"string"},"filename":{"description":"The desired name of the file being attached to the case, it can be different than the name of the file in the filesystem. **This should not include the file extension.**","type":"string"}},"required":["file"],"title":"Add case file request properties"},"Cases_add_user_comment_request_properties":{"description":"Defines properties for case comment requests when type is user.","properties":{"comment":{"description":"The new comment. It is required only when `type` is `user`.","example":"A new comment.","maxLength":30000,"type":"string"},"owner":{"$ref":"#/components/schemas/Cases_owner"},"type":{"description":"The type of comment.","enum":["user"],"example":"user","type":"string"}},"required":["comment","owner","type"],"title":"Add case comment request properties for user comments","type":"object"},"Cases_alert_comment_response_properties":{"title":"Add case comment response properties for alerts","type":"object","properties":{"alertId":{"items":{"example":"a6e12ac4-7bce-457b-84f6-d7ce8deb8446","type":"string"},"type":"array"},"created_at":{"example":"2023-11-06T19:29:38.424Z","format":"date-time","type":"string"},"created_by":{"type":"object","properties":{"email":{"example":null,"nullable":true,"type":"string"},"full_name":{"example":null,"nullable":true,"type":"string"},"profile_uid":{"example":"u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0","type":"string"},"username":{"example":"elastic","nullable":true,"type":"string"}},"required":["email","full_name","username"]},"id":{"example":"73362370-ab1a-11ec-985f-97e55adae8b9","type":"string"},"index":{"items":{"example":".internal.alerts-security.alerts-default-000001","type":"string"},"type":"array"},"owner":{"$ref":"#/components/schemas/Cases_owner"},"pushed_at":{"example":null,"format":"date-time","nullable":true,"type":"string"},"pushed_by":{"nullable":true,"type":"object","properties":{"email":{"example":null,"nullable":true,"type":"string"},"full_name":{"example":null,"nullable":true,"type":"string"},"profile_uid":{"example":"u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0","type":"string"},"username":{"example":"elastic","nullable":true,"type":"string"}},"required":["email","full_name","username"]},"rule":{"type":"object","properties":{"id":{"description":"The rule identifier.","example":"94d80550-aaf4-11ec-985f-97e55adae8b9","type":"string"},"name":{"description":"The rule name.","example":"security_rule","type":"string"}}},"type":{"enum":["alert"],"example":"alert","type":"string"},"updated_at":{"format":"date-time","nullable":true,"type":"string"},"updated_by":{"nullable":true,"type":"object","properties":{"email":{"example":null,"nullable":true,"type":"string"},"full_name":{"example":null,"nullable":true,"type":"string"},"profile_uid":{"example":"u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0","type":"string"},"username":{"example":"elastic","nullable":true,"type":"string"}},"required":["email","full_name","username"]},"version":{"example":"WzMwNDgsMV0=","type":"string"}},"required":["type"]},"Cases_alert_identifiers":{"description":"The alert identifiers. It is required only when `type` is `alert`. You can use an array of strings to add multiple alerts to a case, provided that they all relate to the same rule; `index` must also be an array with the same length or number of elements. Adding multiple alerts in this manner is recommended rather than calling the API multiple times. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.\n","example":"6b24c4dc44bc720cfc92797f3d61fff952f2b2627db1fb4f8cc49f4530c4ff42","oneOf":[{"type":"string"},{"items":{"type":"string"},"maxItems":1000,"type":"array"}],"title":"Alert identifiers","x-state":"Technical preview"},"Cases_alert_indices":{"description":"The alert indices. It is required only when `type` is `alert`. If you are adding multiple alerts to a case, use an array of strings; the position of each index name in the array must match the position of the corresponding alert identifier in the `alertId` array.  This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.\n","oneOf":[{"type":"string"},{"items":{"type":"string"},"maxItems":1000,"type":"array"}],"title":"Alert indices","x-state":"Technical preview"},"Cases_alert_response_properties":{"type":"object","properties":{"attached_at":{"format":"date-time","type":"string"},"id":{"description":"The alert identifier.","type":"string"},"index":{"description":"The alert index.","type":"string"}}},"Cases_assignees":{"description":"An array containing users that are assigned to the case.","items":{"type":"object","properties":{"uid":{"description":"A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.","example":"u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0","type":"string"}},"required":["uid"]},"maxItems":10,"nullable":true,"type":"array"},"Cases_case_categories":{"items":{"$ref":"#/components/schemas/Cases_case_category"},"maxItems":100,"type":"array"},"Cases_case_category":{"description":"A word or phrase that categorizes the case.","maxLength":50,"type":"string"},"Cases_case_description":{"description":"The description for the case.","maxLength":30000,"type":"string"},"Cases_case_response_closed_by_properties":{"nullable":true,"properties":{"email":{"example":null,"nullable":true,"type":"string"},"full_name":{"example":null,"nullable":true,"type":"string"},"profile_uid":{"example":"u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0","type":"string"},"username":{"example":"elastic","nullable":true,"type":"string"}},"required":["email","full_name","username"],"title":"Case response properties for closed_by","type":"object"},"Cases_case_response_created_by_properties":{"title":"Case response properties for created_by","type":"object","properties":{"email":{"example":null,"nullable":true,"type":"string"},"full_name":{"example":null,"nullable":true,"type":"string"},"profile_uid":{"example":"u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0","type":"string"},"username":{"example":"elastic","nullable":true,"type":"string"}},"required":["email","full_name","username"]},"Cases_case_response_properties":{"title":"Case response properties","type":"object","properties":{"assignees":{"$ref":"#/components/schemas/Cases_assignees"},"category":{"description":"The case category.","nullable":true,"type":"string"},"closed_at":{"format":"date-time","nullable":true,"type":"string"},"closed_by":{"$ref":"#/components/schemas/Cases_case_response_closed_by_properties"},"comments":{"description":"An array of comment objects for the case.","items":{"discriminator":{"mapping":{"alert":"#/components/schemas/Cases_alert_comment_response_properties","user":"#/components/schemas/Cases_user_comment_response_properties"},"propertyName":"type"},"oneOf":[{"$ref":"#/components/schemas/Cases_alert_comment_response_properties"},{"$ref":"#/components/schemas/Cases_user_comment_response_properties"}]},"maxItems":10000,"title":"Case response properties for comments","type":"array"},"connector":{"discriminator":{"mapping":{".cases-webhook":"#/components/schemas/Cases_connector_properties_cases_webhook",".jira":"#/components/schemas/Cases_connector_properties_jira",".none":"#/components/schemas/Cases_connector_properties_none",".resilient":"#/components/schemas/Cases_connector_properties_resilient",".servicenow":"#/components/schemas/Cases_connector_properties_servicenow",".servicenow-sir":"#/components/schemas/Cases_connector_properties_servicenow_sir",".swimlane":"#/components/schemas/Cases_connector_properties_swimlane"},"propertyName":"type"},"oneOf":[{"$ref":"#/components/schemas/Cases_connector_properties_none"},{"$ref":"#/components/schemas/Cases_connector_properties_cases_webhook"},{"$ref":"#/components/schemas/Cases_connector_properties_jira"},{"$ref":"#/components/schemas/Cases_connector_properties_resilient"},{"$ref":"#/components/schemas/Cases_connector_properties_servicenow"},{"$ref":"#/components/schemas/Cases_connector_properties_servicenow_sir"},{"$ref":"#/components/schemas/Cases_connector_properties_swimlane"}],"title":"Case response properties for connectors"},"created_at":{"example":"2022-05-13T09:16:17.416Z","format":"date-time","type":"string"},"created_by":{"$ref":"#/components/schemas/Cases_case_response_created_by_properties"},"customFields":{"description":"Custom field values for the case.","items":{"type":"object","properties":{"key":{"description":"The unique identifier for the custom field. The key value must exist in the case configuration settings.\n","type":"string"},"type":{"description":"The custom field type. It must match the type specified in the case configuration settings.\n","enum":["text","toggle"],"type":"string"},"value":{"description":"The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is `undefined`. The value returned in the API and user interface in this case is `null`.\n","oneOf":[{"maxLength":160,"minLength":1,"nullable":true,"type":"string"},{"type":"boolean"}]}}},"type":"array"},"description":{"example":"A case description.","type":"string"},"duration":{"description":"The elapsed time from the creation of the case to its closure (in seconds). If the case has not been closed, the duration is set to null. If the case was closed after less than half a second, the duration is rounded down to zero.\n","example":120,"nullable":true,"type":"integer"},"external_service":{"$ref":"#/components/schemas/Cases_external_service"},"id":{"example":"66b9aa00-94fa-11ea-9f74-e7e108796192","type":"string"},"owner":{"$ref":"#/components/schemas/Cases_owner"},"settings":{"$ref":"#/components/schemas/Cases_settings"},"severity":{"$ref":"#/components/schemas/Cases_case_severity"},"status":{"$ref":"#/components/schemas/Cases_case_status"},"tags":{"example":["tag-1"],"items":{"type":"string"},"type":"array"},"title":{"example":"Case title 1","type":"string"},"totalAlerts":{"example":0,"type":"integer"},"totalComment":{"example":0,"type":"integer"},"updated_at":{"format":"date-time","nullable":true,"type":"string"},"updated_by":{"$ref":"#/components/schemas/Cases_case_response_updated_by_properties"},"version":{"example":"WzUzMiwxXQ==","type":"string"}},"required":["closed_at","closed_by","comments","connector","created_at","created_by","description","duration","external_service","id","owner","settings","severity","status","tags","title","totalAlerts","totalComment","updated_at","updated_by","version"]},"Cases_case_response_pushed_by_properties":{"nullable":true,"properties":{"email":{"example":null,"nullable":true,"type":"string"},"full_name":{"example":null,"nullable":true,"type":"string"},"profile_uid":{"example":"u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0","type":"string"},"username":{"example":"elastic","nullable":true,"type":"string"}},"required":["email","full_name","username"],"title":"Case response properties for pushed_by","type":"object"},"Cases_case_response_updated_by_properties":{"nullable":true,"properties":{"email":{"example":null,"nullable":true,"type":"string"},"full_name":{"example":null,"nullable":true,"type":"string"},"profile_uid":{"example":"u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0","type":"string"},"username":{"example":"elastic","nullable":true,"type":"string"}},"required":["email","full_name","username"],"title":"Case response properties for updated_by","type":"object"},"Cases_case_severity":{"default":"low","description":"The severity of the case.","enum":["critical","high","low","medium"],"type":"string"},"Cases_case_status":{"description":"The status of the case.","enum":["closed","in-progress","open"],"type":"string"},"Cases_case_tags":{"description":"The words and phrases that help categorize cases. It can be an empty array.\n","items":{"maxLength":256,"type":"string"},"maxItems":200,"type":"array"},"Cases_case_title":{"description":"A title for the case.","maxLength":160,"type":"string"},"Cases_closure_types":{"description":"Indicates whether a case is automatically closed when it is pushed to external systems (`close-by-pushing`) or not automatically closed (`close-by-user`).","enum":["close-by-pushing","close-by-user"],"example":"close-by-user","type":"string"},"Cases_connector_properties_cases_webhook":{"description":"Defines properties for connectors when type is `.cases-webhook`.","type":"object","properties":{"fields":{"example":null,"nullable":true,"type":"string"},"id":{"description":"The identifier for the connector. To retrieve connector IDs, use the find connectors API.","type":"string"},"name":{"description":"The name of the connector.","type":"string"},"type":{"description":"The type of connector.","enum":[".cases-webhook"],"example":".cases-webhook","type":"string"}},"required":["fields","id","name","type"],"title":"Create or upate case request properties for Cases Webhook connector"},"Cases_connector_properties_jira":{"description":"Defines properties for connectors when type is `.jira`.","type":"object","properties":{"fields":{"description":"An object containing the connector fields. If you want to omit any individual field, specify null as its value.","type":"object","properties":{"issueType":{"description":"The type of issue.","nullable":true,"type":"string"},"parent":{"description":"The key of the parent issue, when the issue type is sub-task.","nullable":true,"type":"string"},"priority":{"description":"The priority of the issue.","nullable":true,"type":"string"}},"required":["issueType","parent","priority"]},"id":{"description":"The identifier for the connector. To retrieve connector IDs, use the find connectors API.","type":"string"},"name":{"description":"The name of the connector.","type":"string"},"type":{"description":"The type of connector.","enum":[".jira"],"example":".jira","type":"string"}},"required":["fields","id","name","type"],"title":"Create or update case request properties for a Jira connector"},"Cases_connector_properties_none":{"description":"Defines properties for connectors when type is `.none`.","type":"object","properties":{"fields":{"description":"An object containing the connector fields. To create a case without a connector, specify null. To update a case to remove the connector, specify null.","example":null,"nullable":true,"type":"string"},"id":{"description":"The identifier for the connector. To create a case without a connector, use `none`. To update a case to remove the connector, specify `none`.","example":"none","type":"string"},"name":{"description":"The name of the connector. To create a case without a connector, use `none`. To update a case to remove the connector, specify `none`.","example":"none","type":"string"},"type":{"description":"The type of connector. To create a case without a connector, use `.none`. To update a case to remove the connector, specify `.none`.","enum":[".none"],"example":".none","type":"string"}},"required":["fields","id","name","type"],"title":"Create or update case request properties for no connector"},"Cases_connector_properties_resilient":{"description":"Defines properties for connectors when type is `.resilient`.","type":"object","properties":{"fields":{"description":"An object containing the connector fields. If you want to omit any individual field, specify null as its value.","nullable":true,"type":"object","properties":{"issueTypes":{"description":"The type of incident.","items":{"type":"string"},"type":"array"},"severityCode":{"description":"The severity code of the incident.","type":"string"}},"required":["issueTypes","severityCode"]},"id":{"description":"The identifier for the connector.","type":"string"},"name":{"description":"The name of the connector.","type":"string"},"type":{"description":"The type of connector.","enum":[".resilient"],"example":".resilient","type":"string"}},"required":["fields","id","name","type"],"title":"Create case request properties for a IBM Resilient connector"},"Cases_connector_properties_servicenow":{"description":"Defines properties for connectors when type is `.servicenow`.","type":"object","properties":{"fields":{"description":"An object containing the connector fields. If you want to omit any individual field, specify null as its value.","type":"object","properties":{"category":{"description":"The category of the incident.","nullable":true,"type":"string"},"impact":{"description":"The effect an incident had on business.","nullable":true,"type":"string"},"severity":{"description":"The severity of the incident.","nullable":true,"type":"string"},"subcategory":{"description":"The subcategory of the incident.","nullable":true,"type":"string"},"urgency":{"description":"The extent to which the incident resolution can be delayed.","nullable":true,"type":"string"}},"required":["category","impact","severity","subcategory","urgency"]},"id":{"description":"The identifier for the connector. To retrieve connector IDs, use the find connectors API.","type":"string"},"name":{"description":"The name of the connector.","type":"string"},"type":{"description":"The type of connector.","enum":[".servicenow"],"example":".servicenow","type":"string"}},"required":["fields","id","name","type"],"title":"Create case request properties for a ServiceNow ITSM connector"},"Cases_connector_properties_servicenow_sir":{"description":"Defines properties for connectors when type is `.servicenow-sir`.","type":"object","properties":{"fields":{"description":"An object containing the connector fields. If you want to omit any individual field, specify null as its value.","type":"object","properties":{"category":{"description":"The category of the incident.","nullable":true,"type":"string"},"destIp":{"description":"Indicates whether cases will send a comma-separated list of destination IPs.","nullable":true,"type":"boolean"},"malwareHash":{"description":"Indicates whether cases will send a comma-separated list of malware hashes.","nullable":true,"type":"boolean"},"malwareUrl":{"description":"Indicates whether cases will send a comma-separated list of malware URLs.","nullable":true,"type":"boolean"},"priority":{"description":"The priority of the issue.","nullable":true,"type":"string"},"sourceIp":{"description":"Indicates whether cases will send a comma-separated list of source IPs.","nullable":true,"type":"boolean"},"subcategory":{"description":"The subcategory of the incident.","nullable":true,"type":"string"}},"required":["category","destIp","malwareHash","malwareUrl","priority","sourceIp","subcategory"]},"id":{"description":"The identifier for the connector. To retrieve connector IDs, use the find connectors API.","type":"string"},"name":{"description":"The name of the connector.","type":"string"},"type":{"description":"The type of connector.","enum":[".servicenow-sir"],"example":".servicenow-sir","type":"string"}},"required":["fields","id","name","type"],"title":"Create case request properties for a ServiceNow SecOps connector"},"Cases_connector_properties_swimlane":{"description":"Defines properties for connectors when type is `.swimlane`.","type":"object","properties":{"fields":{"description":"An object containing the connector fields. If you want to omit any individual field, specify null as its value.","type":"object","properties":{"caseId":{"description":"The case identifier for Swimlane connectors.","nullable":true,"type":"string"}},"required":["caseId"]},"id":{"description":"The identifier for the connector. To retrieve connector IDs, use the find connectors API.","type":"string"},"name":{"description":"The name of the connector.","type":"string"},"type":{"description":"The type of connector.","enum":[".swimlane"],"example":".swimlane","type":"string"}},"required":["fields","id","name","type"],"title":"Create case request properties for a Swimlane connector"},"Cases_connector_types":{"description":"The type of connector.","enum":[".cases-webhook",".jira",".none",".resilient",".servicenow",".servicenow-sir",".swimlane"],"example":".none","type":"string"},"Cases_create_case_request":{"description":"The create case API request body varies depending on the type of connector.","properties":{"assignees":{"$ref":"#/components/schemas/Cases_assignees"},"category":{"$ref":"#/components/schemas/Cases_case_category"},"connector":{"oneOf":[{"$ref":"#/components/schemas/Cases_connector_properties_none"},{"$ref":"#/components/schemas/Cases_connector_properties_cases_webhook"},{"$ref":"#/components/schemas/Cases_connector_properties_jira"},{"$ref":"#/components/schemas/Cases_connector_properties_resilient"},{"$ref":"#/components/schemas/Cases_connector_properties_servicenow"},{"$ref":"#/components/schemas/Cases_connector_properties_servicenow_sir"},{"$ref":"#/components/schemas/Cases_connector_properties_swimlane"}]},"customFields":{"description":"Custom field values for a case. Any optional custom fields that are not specified in the request are set to null.\n","items":{"type":"object","properties":{"key":{"description":"The unique identifier for the custom field. The key value must exist in the case configuration settings.\n","type":"string"},"type":{"description":"The custom field type. It must match the type specified in the case configuration settings.\n","enum":["text","toggle"],"type":"string"},"value":{"description":"The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is `undefined`. The value returned in the API and user interface in this case is `null`.\n","oneOf":[{"maxLength":160,"minLength":1,"nullable":true,"type":"string"},{"type":"boolean"}]}},"required":["key","type","value"]},"maxItems":10,"minItems":0,"type":"array"},"description":{"$ref":"#/components/schemas/Cases_case_description"},"owner":{"$ref":"#/components/schemas/Cases_owner"},"settings":{"$ref":"#/components/schemas/Cases_settings"},"severity":{"$ref":"#/components/schemas/Cases_case_severity"},"tags":{"$ref":"#/components/schemas/Cases_case_tags"},"title":{"$ref":"#/components/schemas/Cases_case_title"}},"required":["connector","description","owner","settings","tags","title"],"title":"Create case request","type":"object"},"Cases_external_service":{"nullable":true,"type":"object","properties":{"connector_id":{"type":"string"},"connector_name":{"type":"string"},"external_id":{"type":"string"},"external_title":{"type":"string"},"external_url":{"type":"string"},"pushed_at":{"format":"date-time","type":"string"},"pushed_by":{"nullable":true,"type":"object","properties":{"email":{"example":null,"nullable":true,"type":"string"},"full_name":{"example":null,"nullable":true,"type":"string"},"profile_uid":{"example":"u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0","type":"string"},"username":{"example":"elastic","nullable":true,"type":"string"}}}}},"Cases_owner":{"description":"The application that owns the cases: Stack Management, Observability, or Elastic Security.\n","enum":["cases","observability","securitySolution"],"example":"cases","type":"string"},"Cases_owners":{"items":{"$ref":"#/components/schemas/Cases_owner"},"type":"array"},"Cases_payload_alert_comment":{"type":"object","properties":{"comment":{"type":"object","properties":{"alertId":{"oneOf":[{"example":"1c0b056b-cc9f-4b61-b5c9-cb801abd5e1d","type":"string"},{"items":{"type":"string"},"type":"array"}]},"index":{"oneOf":[{"example":".alerts-observability.logs.alerts-default","type":"string"},{"items":{"type":"string"},"type":"array"}]},"owner":{"$ref":"#/components/schemas/Cases_owner"},"rule":{"type":"object","properties":{"id":{"description":"The rule identifier.","example":"94d80550-aaf4-11ec-985f-97e55adae8b9","type":"string"},"name":{"description":"The rule name.","example":"security_rule","type":"string"}}},"type":{"enum":["alert"],"type":"string"}}}}},"Cases_payload_assignees":{"type":"object","properties":{"assignees":{"$ref":"#/components/schemas/Cases_assignees"}}},"Cases_payload_connector":{"type":"object","properties":{"connector":{"type":"object","properties":{"fields":{"description":"An object containing the connector fields. To create a case without a connector, specify null. If you want to omit any individual field, specify null as its value.","example":null,"nullable":true,"type":"object","properties":{"caseId":{"description":"The case identifier for Swimlane connectors.","type":"string"},"category":{"description":"The category of the incident for ServiceNow ITSM and ServiceNow SecOps connectors.","type":"string"},"destIp":{"description":"Indicates whether cases will send a comma-separated list of destination IPs for ServiceNow SecOps connectors.","nullable":true,"type":"boolean"},"impact":{"description":"The effect an incident had on business for ServiceNow ITSM connectors.","type":"string"},"issueType":{"description":"The type of issue for Jira connectors.","type":"string"},"issueTypes":{"description":"The type of incident for IBM Resilient connectors.","items":{"type":"string"},"type":"array"},"malwareHash":{"description":"Indicates whether cases will send a comma-separated list of malware hashes for ServiceNow SecOps connectors.","nullable":true,"type":"boolean"},"malwareUrl":{"description":"Indicates whether cases will send a comma-separated list of malware URLs for ServiceNow SecOps connectors.","nullable":true,"type":"boolean"},"parent":{"description":"The key of the parent issue, when the issue type is sub-task for Jira connectors.","type":"string"},"priority":{"description":"The priority of the issue for Jira and ServiceNow SecOps connectors.","type":"string"},"severity":{"description":"The severity of the incident for ServiceNow ITSM connectors.","type":"string"},"severityCode":{"description":"The severity code of the incident for IBM Resilient connectors.","type":"string"},"sourceIp":{"description":"Indicates whether cases will send a comma-separated list of source IPs for ServiceNow SecOps connectors.","nullable":true,"type":"boolean"},"subcategory":{"description":"The subcategory of the incident for ServiceNow ITSM connectors.","type":"string"},"urgency":{"description":"The extent to which the incident resolution can be delayed for ServiceNow ITSM connectors.","type":"string"}}},"id":{"description":"The identifier for the connector. To create a case without a connector, use `none`.","example":"none","type":"string"},"name":{"description":"The name of the connector. To create a case without a connector, use `none`.","example":"none","type":"string"},"type":{"$ref":"#/components/schemas/Cases_connector_types"}}}}},"Cases_payload_create_case":{"type":"object","properties":{"assignees":{"$ref":"#/components/schemas/Cases_assignees"},"connector":{"type":"object","properties":{"fields":{"description":"An object containing the connector fields. To create a case without a connector, specify null. If you want to omit any individual field, specify null as its value.","example":null,"nullable":true,"type":"object","properties":{"caseId":{"description":"The case identifier for Swimlane connectors.","type":"string"},"category":{"description":"The category of the incident for ServiceNow ITSM and ServiceNow SecOps connectors.","type":"string"},"destIp":{"description":"Indicates whether cases will send a comma-separated list of destination IPs for ServiceNow SecOps connectors.","nullable":true,"type":"boolean"},"impact":{"description":"The effect an incident had on business for ServiceNow ITSM connectors.","type":"string"},"issueType":{"description":"The type of issue for Jira connectors.","type":"string"},"issueTypes":{"description":"The type of incident for IBM Resilient connectors.","items":{"type":"string"},"type":"array"},"malwareHash":{"description":"Indicates whether cases will send a comma-separated list of malware hashes for ServiceNow SecOps connectors.","nullable":true,"type":"boolean"},"malwareUrl":{"description":"Indicates whether cases will send a comma-separated list of malware URLs for ServiceNow SecOps connectors.","nullable":true,"type":"boolean"},"parent":{"description":"The key of the parent issue, when the issue type is sub-task for Jira connectors.","type":"string"},"priority":{"description":"The priority of the issue for Jira and ServiceNow SecOps connectors.","type":"string"},"severity":{"description":"The severity of the incident for ServiceNow ITSM connectors.","type":"string"},"severityCode":{"description":"The severity code of the incident for IBM Resilient connectors.","type":"string"},"sourceIp":{"description":"Indicates whether cases will send a comma-separated list of source IPs for ServiceNow SecOps connectors.","nullable":true,"type":"boolean"},"subcategory":{"description":"The subcategory of the incident for ServiceNow ITSM connectors.","type":"string"},"urgency":{"description":"The extent to which the incident resolution can be delayed for ServiceNow ITSM connectors.","type":"string"}}},"id":{"description":"The identifier for the connector. To create a case without a connector, use `none`.","example":"none","type":"string"},"name":{"description":"The name of the connector. To create a case without a connector, use `none`.","example":"none","type":"string"},"type":{"$ref":"#/components/schemas/Cases_connector_types"}}},"description":{"type":"string"},"owner":{"$ref":"#/components/schemas/Cases_owner"},"settings":{"$ref":"#/components/schemas/Cases_settings"},"severity":{"$ref":"#/components/schemas/Cases_case_severity"},"status":{"$ref":"#/components/schemas/Cases_case_status"},"tags":{"example":["tag-1"],"items":{"type":"string"},"type":"array"},"title":{"type":"string"}}},"Cases_payload_delete":{"description":"If the `action` is `delete` and the `type` is `delete_case`, the payload is nullable.","nullable":true,"type":"object"},"Cases_payload_description":{"type":"object","properties":{"description":{"type":"string"}}},"Cases_payload_pushed":{"type":"object","properties":{"externalService":{"$ref":"#/components/schemas/Cases_external_service"}}},"Cases_payload_settings":{"type":"object","properties":{"settings":{"$ref":"#/components/schemas/Cases_settings"}}},"Cases_payload_severity":{"type":"object","properties":{"severity":{"$ref":"#/components/schemas/Cases_case_severity"}}},"Cases_payload_status":{"type":"object","properties":{"status":{"$ref":"#/components/schemas/Cases_case_status"}}},"Cases_payload_tags":{"type":"object","properties":{"tags":{"example":["tag-1"],"items":{"type":"string"},"type":"array"}}},"Cases_payload_title":{"type":"object","properties":{"title":{"type":"string"}}},"Cases_payload_user_comment":{"type":"object","properties":{"comment":{"type":"object","properties":{"comment":{"type":"string"},"owner":{"$ref":"#/components/schemas/Cases_owner"},"type":{"enum":["user"],"type":"string"}}}}},"Cases_rule":{"description":"The rule that is associated with the alerts. It is required only when `type` is `alert`. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.\n","title":"Alerting rule","type":"object","properties":{"id":{"description":"The rule identifier.","example":"94d80550-aaf4-11ec-985f-97e55adae8b9","type":"string"},"name":{"description":"The rule name.","example":"security_rule","type":"string"}},"x-state":"Technical preview"},"Cases_searchFieldsType":{"description":"The fields to perform the `simple_query_string` parsed query against.","enum":["description","title"],"type":"string"},"Cases_searchFieldsTypeArray":{"items":{"$ref":"#/components/schemas/Cases_searchFieldsType"},"type":"array"},"Cases_set_case_configuration_request":{"description":"External connection details, such as the closure type and default connector for cases.","properties":{"closure_type":{"$ref":"#/components/schemas/Cases_closure_types"},"connector":{"description":"An object that contains the connector configuration.","type":"object","properties":{"fields":{"description":"The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to `null`.","nullable":true,"type":"object"},"id":{"description":"The identifier for the connector. If you do not want a default connector, use `none`. To retrieve connector IDs, use the find connectors API.","example":"none","type":"string"},"name":{"description":"The name of the connector. If you do not want a default connector, use `none`. To retrieve connector names, use the find connectors API.","example":"none","type":"string"},"type":{"$ref":"#/components/schemas/Cases_connector_types"}},"required":["fields","id","name","type"]},"customFields":{"description":"Custom fields case configuration.","items":{"type":"object","properties":{"defaultValue":{"description":"A default value for the custom field. If the `type` is `text`, the default value must be a string. If the `type` is `toggle`, the default value must be boolean.\n","oneOf":[{"type":"string"},{"type":"boolean"}]},"key":{"description":"A unique key for the custom field. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific custom field.\n","maxLength":36,"minLength":1,"type":"string"},"label":{"description":"The custom field label that is displayed in the case.","maxLength":50,"minLength":1,"type":"string"},"type":{"description":"The type of the custom field.","enum":["text","toggle"],"type":"string"},"required":{"description":"Indicates whether the field is required. If `false`, the custom field can be set to null or omitted when a case is created or updated.\n","type":"boolean"}},"required":["key","label","required","type"]},"maxItems":10,"minItems":0,"type":"array"},"owner":{"$ref":"#/components/schemas/Cases_owner"},"templates":{"$ref":"#/components/schemas/Cases_templates"}},"required":["closure_type","connector","owner"],"title":"Set case configuration request","type":"object"},"Cases_settings":{"description":"An object that contains the case settings.","type":"object","properties":{"syncAlerts":{"description":"Turns alert syncing on or off.","example":true,"type":"boolean"}},"required":["syncAlerts"]},"Cases_string":{"type":"string"},"Cases_string_array":{"items":{"$ref":"#/components/schemas/Cases_string"},"maxItems":100,"type":"array"},"Cases_template_tags":{"description":"The words and phrases that help categorize templates. It can be an empty array.\n","items":{"maxLength":256,"type":"string"},"maxItems":200,"type":"array"},"Cases_templates":{"items":{"type":"object","properties":{"caseFields":{"type":"object","properties":{"assignees":{"$ref":"#/components/schemas/Cases_assignees"},"category":{"$ref":"#/components/schemas/Cases_case_category"},"connector":{"type":"object","properties":{"fields":{"description":"The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to `null`.","nullable":true,"type":"object"},"id":{"description":"The identifier for the connector. If you do not want a default connector, use `none`. To retrieve connector IDs, use the find connectors API.","example":"none","type":"string"},"name":{"description":"The name of the connector. If you do not want a default connector, use `none`. To retrieve connector names, use the find connectors API.","example":"none","type":"string"},"type":{"$ref":"#/components/schemas/Cases_connector_types"}}},"customFields":{"description":"Custom field values in the template.","items":{"type":"object","properties":{"key":{"description":"The unique key for the custom field.","type":"string"},"type":{"description":"The type of the custom field.","enum":["text","toggle"],"type":"string"},"value":{"description":"The default value for the custom field when a case uses the template. If the `type` is `text`, the default value must be a string. If the `type` is `toggle`, the default value must be boolean.\n","oneOf":[{"type":"string"},{"type":"boolean"}]}}},"type":"array","x-state":"Technical preview"},"description":{"$ref":"#/components/schemas/Cases_case_description"},"settings":{"$ref":"#/components/schemas/Cases_settings"},"severity":{"$ref":"#/components/schemas/Cases_case_severity"},"tags":{"$ref":"#/components/schemas/Cases_case_tags"},"title":{"$ref":"#/components/schemas/Cases_case_title"}}},"description":{"description":"A description for the template.","type":"string"},"key":{"description":"A unique key for the template. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific template.\n","type":"string"},"name":{"description":"The name of the template.","type":"string"},"tags":{"$ref":"#/components/schemas/Cases_template_tags"}}},"type":"array","x-state":"Technical preview"},"Cases_update_alert_comment_request_properties":{"description":"Defines properties for case comment requests when type is alert.","type":"object","properties":{"alertId":{"$ref":"#/components/schemas/Cases_alert_identifiers"},"id":{"description":"The identifier for the comment. To retrieve comment IDs, use the get comments API.\n","example":"8af6ac20-74f6-11ea-b83a-553aecdb28b6","type":"string"},"index":{"$ref":"#/components/schemas/Cases_alert_indices"},"owner":{"$ref":"#/components/schemas/Cases_owner"},"rule":{"$ref":"#/components/schemas/Cases_rule"},"type":{"description":"The type of comment.","enum":["alert"],"example":"alert","type":"string"},"version":{"description":"The current comment version. To retrieve version values, use the get comments API.\n","example":"Wzk1LDFd","type":"string"}},"required":["alertId","id","index","owner","rule","type","version"],"title":"Update case comment request properties for alerts"},"Cases_update_case_comment_request":{"description":"The update case comment API request body varies depending on whether you are updating an alert or a comment.","discriminator":{"mapping":{"alert":"#/components/schemas/Cases_update_alert_comment_request_properties","user":"#/components/schemas/Cases_update_user_comment_request_properties"},"propertyName":"type"},"oneOf":[{"$ref":"#/components/schemas/Cases_update_alert_comment_request_properties"},{"$ref":"#/components/schemas/Cases_update_user_comment_request_properties"}],"title":"Update case comment request"},"Cases_update_case_configuration_request":{"description":"You can update settings such as the closure type, custom fields, templates, and the default connector for cases.\n","properties":{"closure_type":{"$ref":"#/components/schemas/Cases_closure_types"},"connector":{"description":"An object that contains the connector configuration.","type":"object","properties":{"fields":{"description":"The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to `null`.","nullable":true,"type":"object"},"id":{"description":"The identifier for the connector. If you do not want a default connector, use `none`. To retrieve connector IDs, use the find connectors API.","example":"none","type":"string"},"name":{"description":"The name of the connector. If you do not want a default connector, use `none`. To retrieve connector names, use the find connectors API.","example":"none","type":"string"},"type":{"$ref":"#/components/schemas/Cases_connector_types"}},"required":["fields","id","name","type"]},"customFields":{"description":"Custom fields case configuration.","items":{"type":"object","properties":{"defaultValue":{"description":"A default value for the custom field. If the `type` is `text`, the default value must be a string. If the `type` is `toggle`, the default value must be boolean.\n","oneOf":[{"type":"string"},{"type":"boolean"}]},"key":{"description":"A unique key for the custom field. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific custom field.\n","maxLength":36,"minLength":1,"type":"string"},"label":{"description":"The custom field label that is displayed in the case.","maxLength":50,"minLength":1,"type":"string"},"type":{"description":"The type of the custom field.","enum":["text","toggle"],"type":"string"},"required":{"description":"Indicates whether the field is required. If `false`, the custom field can be set to null or omitted when a case is created or updated.\n","type":"boolean"}},"required":["key","label","required","type"]},"type":"array"},"templates":{"$ref":"#/components/schemas/Cases_templates"},"version":{"description":"The version of the connector. To retrieve the version value, use the get configuration API.\n","example":"WzIwMiwxXQ==","type":"string"}},"required":["version"],"title":"Update case configuration request","type":"object"},"Cases_update_case_request":{"description":"The update case API request body varies depending on the type of connector.","properties":{"cases":{"description":"An array containing one or more case objects.","items":{"type":"object","properties":{"assignees":{"$ref":"#/components/schemas/Cases_assignees"},"category":{"$ref":"#/components/schemas/Cases_case_category"},"connector":{"oneOf":[{"$ref":"#/components/schemas/Cases_connector_properties_none"},{"$ref":"#/components/schemas/Cases_connector_properties_cases_webhook"},{"$ref":"#/components/schemas/Cases_connector_properties_jira"},{"$ref":"#/components/schemas/Cases_connector_properties_resilient"},{"$ref":"#/components/schemas/Cases_connector_properties_servicenow"},{"$ref":"#/components/schemas/Cases_connector_properties_servicenow_sir"},{"$ref":"#/components/schemas/Cases_connector_properties_swimlane"}]},"customFields":{"description":"Custom field values for a case. Any optional custom fields that are not specified in the request are set to null.\n","items":{"type":"object","properties":{"key":{"description":"The unique identifier for the custom field. The key value must exist in the case configuration settings.\n","type":"string"},"type":{"description":"The custom field type. It must match the type specified in the case configuration settings.\n","enum":["text","toggle"],"type":"string"},"value":{"description":"The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is `undefined`. The value returned in the API and user interface in this case is `null`.\n","oneOf":[{"maxLength":160,"minLength":1,"nullable":true,"type":"string"},{"type":"boolean"}]}},"required":["key","type","value"]},"maxItems":10,"minItems":0,"type":"array"},"description":{"$ref":"#/components/schemas/Cases_case_description"},"id":{"description":"The identifier for the case.","maxLength":30000,"type":"string"},"settings":{"$ref":"#/components/schemas/Cases_settings"},"severity":{"$ref":"#/components/schemas/Cases_case_severity"},"status":{"$ref":"#/components/schemas/Cases_case_status"},"tags":{"$ref":"#/components/schemas/Cases_case_tags"},"title":{"$ref":"#/components/schemas/Cases_case_title"},"version":{"description":"The current version of the case. To determine this value, use the get case or search cases (`_find`) APIs.\n","type":"string"}},"required":["id","version"]},"maxItems":100,"minItems":1,"type":"array"}},"required":["cases"],"title":"Update case request","type":"object"},"Cases_update_user_comment_request_properties":{"description":"Defines properties for case comment requests when type is user.","properties":{"comment":{"description":"The new comment. It is required only when `type` is `user`.","example":"A new comment.","maxLength":30000,"type":"string"},"id":{"description":"The identifier for the comment. To retrieve comment IDs, use the get comments API.\n","example":"8af6ac20-74f6-11ea-b83a-553aecdb28b6","type":"string"},"owner":{"$ref":"#/components/schemas/Cases_owner"},"type":{"description":"The type of comment.","enum":["user"],"example":"user","type":"string"},"version":{"description":"The current comment version. To retrieve version values, use the get comments API.\n","example":"Wzk1LDFd","type":"string"}},"required":["comment","id","owner","type","version"],"title":"Update case comment request properties for user comments","type":"object"},"Cases_user_actions_find_response_properties":{"type":"object","properties":{"action":{"$ref":"#/components/schemas/Cases_actions"},"comment_id":{"example":"578608d0-03b1-11ed-920c-974bfa104448","nullable":true,"type":"string"},"created_at":{"example":"2022-05-13T09:16:17.416Z","format":"date-time","type":"string"},"created_by":{"type":"object","properties":{"email":{"example":null,"nullable":true,"type":"string"},"full_name":{"example":null,"nullable":true,"type":"string"},"profile_uid":{"example":"u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0","type":"string"},"username":{"example":"elastic","nullable":true,"type":"string"}},"required":["email","full_name","username"]},"id":{"example":"22fd3e30-03b1-11ed-920c-974bfa104448","type":"string"},"owner":{"$ref":"#/components/schemas/Cases_owner"},"payload":{"oneOf":[{"$ref":"#/components/schemas/Cases_payload_alert_comment"},{"$ref":"#/components/schemas/Cases_payload_assignees"},{"$ref":"#/components/schemas/Cases_payload_connector"},{"$ref":"#/components/schemas/Cases_payload_create_case"},{"$ref":"#/components/schemas/Cases_payload_delete"},{"$ref":"#/components/schemas/Cases_payload_description"},{"$ref":"#/components/schemas/Cases_payload_pushed"},{"$ref":"#/components/schemas/Cases_payload_settings"},{"$ref":"#/components/schemas/Cases_payload_severity"},{"$ref":"#/components/schemas/Cases_payload_status"},{"$ref":"#/components/schemas/Cases_payload_tags"},{"$ref":"#/components/schemas/Cases_payload_title"},{"$ref":"#/components/schemas/Cases_payload_user_comment"}]},"type":{"description":"The type of action.","enum":["assignees","create_case","comment","connector","description","pushed","tags","title","status","settings","severity"],"example":"create_case","type":"string"},"version":{"example":"WzM1ODg4LDFd","type":"string"}},"required":["action","comment_id","created_at","created_by","id","owner","payload","type","version"]},"Cases_user_comment_response_properties":{"title":"Case response properties for user comments","type":"object","properties":{"comment":{"example":"A new comment.","type":"string"},"created_at":{"example":"2022-05-13T09:16:17.416Z","format":"date-time","type":"string"},"created_by":{"$ref":"#/components/schemas/Cases_case_response_created_by_properties"},"id":{"example":"8af6ac20-74f6-11ea-b83a-553aecdb28b6","type":"string"},"owner":{"$ref":"#/components/schemas/Cases_owner"},"pushed_at":{"example":null,"format":"date-time","nullable":true,"type":"string"},"pushed_by":{"$ref":"#/components/schemas/Cases_case_response_pushed_by_properties"},"type":{"enum":["user"],"example":"user","type":"string"},"updated_at":{"example":null,"format":"date-time","nullable":true,"type":"string"},"updated_by":{"$ref":"#/components/schemas/Cases_case_response_updated_by_properties"},"version":{"example":"WzIwNDMxLDFd","type":"string"}},"required":["type"]},"Data_views_400_response":{"title":"Bad request","type":"object","properties":{"error":{"example":"Bad Request","type":"string"},"message":{"type":"string"},"statusCode":{"example":400,"type":"number"}},"required":["statusCode","error","message"]},"Data_views_404_response":{"type":"object","properties":{"error":{"enum":["Not Found"],"example":"Not Found","type":"string"},"message":{"example":"Saved object [index-pattern/caaad6d0-920c-11ed-b36a-874bd1548a00] not found","type":"string"},"statusCode":{"enum":[404],"example":404,"type":"integer"}}},"Data_views_allownoindex":{"description":"Allows the data view saved object to exist before the data is available. Defaults to `false`.","type":"boolean"},"Data_views_create_data_view_request_object":{"title":"Create data view request","type":"object","properties":{"data_view":{"description":"The data view object.","type":"object","properties":{"allowNoIndex":{"$ref":"#/components/schemas/Data_views_allownoindex"},"fieldAttrs":{"additionalProperties":{"$ref":"#/components/schemas/Data_views_fieldattrs"},"type":"object"},"fieldFormats":{"$ref":"#/components/schemas/Data_views_fieldformats"},"fields":{"type":"object"},"id":{"type":"string"},"name":{"description":"The data view name.","type":"string"},"namespaces":{"$ref":"#/components/schemas/Data_views_namespaces"},"runtimeFieldMap":{"additionalProperties":{"$ref":"#/components/schemas/Data_views_runtimefieldmap"},"type":"object"},"sourceFilters":{"$ref":"#/components/schemas/Data_views_sourcefilters"},"timeFieldName":{"$ref":"#/components/schemas/Data_views_timefieldname"},"title":{"$ref":"#/components/schemas/Data_views_title"},"type":{"$ref":"#/components/schemas/Data_views_type"},"typeMeta":{"$ref":"#/components/schemas/Data_views_typemeta"},"version":{"type":"string"}},"required":["title"]},"override":{"default":false,"description":"Override an existing data view if a data view with the provided title already exists.","type":"boolean"}},"required":["data_view"]},"Data_views_data_view_response_object":{"title":"Data view response properties","type":"object","properties":{"data_view":{"type":"object","properties":{"allowNoIndex":{"$ref":"#/components/schemas/Data_views_allownoindex"},"fieldAttrs":{"additionalProperties":{"$ref":"#/components/schemas/Data_views_fieldattrs"},"type":"object"},"fieldFormats":{"$ref":"#/components/schemas/Data_views_fieldformats"},"fields":{"type":"object"},"id":{"example":"ff959d40-b880-11e8-a6d9-e546fe2bba5f","type":"string"},"name":{"description":"The data view name.","type":"string"},"namespaces":{"$ref":"#/components/schemas/Data_views_namespaces"},"runtimeFieldMap":{"additionalProperties":{"$ref":"#/components/schemas/Data_views_runtimefieldmap"},"type":"object"},"sourceFilters":{"$ref":"#/components/schemas/Data_views_sourcefilters"},"timeFieldName":{"$ref":"#/components/schemas/Data_views_timefieldname"},"title":{"$ref":"#/components/schemas/Data_views_title"},"typeMeta":{"$ref":"#/components/schemas/Data_views_typemeta_response"},"version":{"example":"WzQ2LDJd","type":"string"}}}}},"Data_views_fieldattrs":{"description":"A map of field attributes by field name.","type":"object","properties":{"count":{"description":"Popularity count for the field.","type":"integer"},"customDescription":{"description":"Custom description for the field.","maxLength":300,"type":"string"},"customLabel":{"description":"Custom label for the field.","type":"string"}}},"Data_views_fieldformats":{"description":"A map of field formats by field name.","type":"object"},"Data_views_namespaces":{"description":"An array of space identifiers for sharing the data view between multiple spaces.","items":{"default":"default","type":"string"},"type":"array"},"Data_views_runtimefieldmap":{"description":"A map of runtime field definitions by field name.","type":"object","properties":{"script":{"type":"object","properties":{"source":{"description":"Script for the runtime field.","type":"string"}}},"type":{"description":"Mapping type of the runtime field.","type":"string"}},"required":["script","type"]},"Data_views_sourcefilters":{"description":"The array of field names you want to filter out in Discover.","items":{"type":"object","properties":{"value":{"type":"string"}},"required":["value"]},"type":"array"},"Data_views_swap_data_view_request_object":{"title":"Data view reference swap request","type":"object","properties":{"delete":{"description":"Deletes referenced saved object if all references are removed.","type":"boolean"},"forId":{"description":"Limit the affected saved objects to one or more by identifier.","oneOf":[{"type":"string"},{"items":{"type":"string"},"type":"array"}]},"forType":{"description":"Limit the affected saved objects by type.","type":"string"},"fromId":{"description":"The saved object reference to change.","type":"string"},"fromType":{"description":"Specify the type of the saved object reference to alter. The default value is `index-pattern` for data views.\n","type":"string"},"toId":{"description":"New saved object reference value to replace the old value.","type":"string"}},"required":["fromId","toId"]},"Data_views_timefieldname":{"description":"The timestamp field name, which you use for time-based data views.","type":"string"},"Data_views_title":{"description":"Comma-separated list of data streams, indices, and aliases that you want to search. Supports wildcards (`*`).","type":"string"},"Data_views_type":{"description":"When set to `rollup`, identifies the rollup data views.","type":"string"},"Data_views_typemeta":{"description":"When you use rollup indices, contains the field list for the rollup data view API endpoints.","type":"object","properties":{"aggs":{"description":"A map of rollup restrictions by aggregation type and field name.","type":"object"},"params":{"description":"Properties for retrieving rollup fields.","type":"object"}},"required":["aggs","params"]},"Data_views_typemeta_response":{"description":"When you use rollup indices, contains the field list for the rollup data view API endpoints.","nullable":true,"type":"object","properties":{"aggs":{"description":"A map of rollup restrictions by aggregation type and field name.","type":"object"},"params":{"description":"Properties for retrieving rollup fields.","type":"object"}}},"Data_views_update_data_view_request_object":{"title":"Update data view request","type":"object","properties":{"data_view":{"description":"The data view properties you want to update. Only the specified properties are updated in the data view. Unspecified fields stay as they are persisted.\n","type":"object","properties":{"allowNoIndex":{"$ref":"#/components/schemas/Data_views_allownoindex"},"fieldFormats":{"$ref":"#/components/schemas/Data_views_fieldformats"},"fields":{"type":"object"},"name":{"type":"string"},"runtimeFieldMap":{"additionalProperties":{"$ref":"#/components/schemas/Data_views_runtimefieldmap"},"type":"object"},"sourceFilters":{"$ref":"#/components/schemas/Data_views_sourcefilters"},"timeFieldName":{"$ref":"#/components/schemas/Data_views_timefieldname"},"title":{"$ref":"#/components/schemas/Data_views_title"},"type":{"$ref":"#/components/schemas/Data_views_type"},"typeMeta":{"$ref":"#/components/schemas/Data_views_typemeta"}}},"refresh_fields":{"default":false,"description":"Reloads the data view fields after the data view is updated.","type":"boolean"}},"required":["data_view"]},"Kibana_HTTP_APIs_core_status_redactedResponse":{"additionalProperties":false,"description":"A minimal representation of Kibana's operational status.","type":"object","properties":{"status":{"additionalProperties":false,"type":"object","properties":{"overall":{"additionalProperties":false,"type":"object","properties":{"level":{"description":"Service status levels as human and machine readable values.","enum":["available","degraded","unavailable","critical"],"type":"string"}},"required":["level"]}},"required":["overall"]}},"required":["status"]},"Kibana_HTTP_APIs_core_status_response":{"additionalProperties":false,"description":"Kibana's operational status as well as a detailed breakdown of plugin statuses indication of various loads (like event loop utilization and network traffic) at time of request.","type":"object","properties":{"metrics":{"additionalProperties":false,"description":"Metric groups collected by Kibana.","type":"object","properties":{"collection_interval_in_millis":{"description":"The interval at which metrics should be collected.","type":"number"},"elasticsearch_client":{"additionalProperties":false,"description":"Current network metrics of Kibana's Elasticsearch client.","type":"object","properties":{"totalActiveSockets":{"description":"Count of network sockets currently in use.","type":"number"},"totalIdleSockets":{"description":"Count of network sockets currently idle.","type":"number"},"totalQueuedRequests":{"description":"Count of requests not yet assigned to sockets.","type":"number"}},"required":["totalActiveSockets","totalIdleSockets","totalQueuedRequests"]},"last_updated":{"description":"The time metrics were collected.","type":"string"}},"required":["elasticsearch_client","last_updated","collection_interval_in_millis"]},"name":{"description":"Kibana instance name.","type":"string"},"status":{"additionalProperties":false,"type":"object","properties":{"core":{"additionalProperties":false,"description":"Statuses of core Kibana services.","type":"object","properties":{"elasticsearch":{"additionalProperties":false,"type":"object","properties":{"detail":{"description":"Human readable detail of the service status.","type":"string"},"documentationUrl":{"description":"A URL to further documentation regarding this service.","type":"string"},"level":{"description":"Service status levels as human and machine readable values.","enum":["available","degraded","unavailable","critical"],"type":"string"},"meta":{"additionalProperties":{},"description":"An unstructured set of extra metadata about this service.","type":"object"},"summary":{"description":"A human readable summary of the service status.","type":"string"}},"required":["level","summary","meta"]},"http":{"additionalProperties":false,"type":"object","properties":{"detail":{"description":"Human readable detail of the service status.","type":"string"},"documentationUrl":{"description":"A URL to further documentation regarding this service.","type":"string"},"level":{"description":"Service status levels as human and machine readable values.","enum":["available","degraded","unavailable","critical"],"type":"string"},"meta":{"additionalProperties":{},"description":"An unstructured set of extra metadata about this service.","type":"object"},"summary":{"description":"A human readable summary of the service status.","type":"string"}},"required":["level","summary","meta"]},"savedObjects":{"additionalProperties":false,"type":"object","properties":{"detail":{"description":"Human readable detail of the service status.","type":"string"},"documentationUrl":{"description":"A URL to further documentation regarding this service.","type":"string"},"level":{"description":"Service status levels as human and machine readable values.","enum":["available","degraded","unavailable","critical"],"type":"string"},"meta":{"additionalProperties":{},"description":"An unstructured set of extra metadata about this service.","type":"object"},"summary":{"description":"A human readable summary of the service status.","type":"string"}},"required":["level","summary","meta"]}},"required":["elasticsearch","savedObjects"]},"overall":{"additionalProperties":false,"type":"object","properties":{"detail":{"description":"Human readable detail of the service status.","type":"string"},"documentationUrl":{"description":"A URL to further documentation regarding this service.","type":"string"},"level":{"description":"Service status levels as human and machine readable values.","enum":["available","degraded","unavailable","critical"],"type":"string"},"meta":{"additionalProperties":{},"description":"An unstructured set of extra metadata about this service.","type":"object"},"summary":{"description":"A human readable summary of the service status.","type":"string"}},"required":["level","summary","meta"]},"plugins":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"detail":{"description":"Human readable detail of the service status.","type":"string"},"documentationUrl":{"description":"A URL to further documentation regarding this service.","type":"string"},"level":{"description":"Service status levels as human and machine readable values.","enum":["available","degraded","unavailable","critical"],"type":"string"},"meta":{"additionalProperties":{},"description":"An unstructured set of extra metadata about this service.","type":"object"},"summary":{"description":"A human readable summary of the service status.","type":"string"}},"required":["level","summary","meta"]},"description":"A dynamic mapping of plugin ID to plugin status.","type":"object"}},"required":["overall","core","plugins"]},"uuid":{"description":"Unique, generated Kibana instance UUID. This UUID should persist even if the Kibana process restarts.","type":"string"},"version":{"additionalProperties":false,"type":"object","properties":{"build_date":{"description":"The date and time of this build.","type":"string"},"build_flavor":{"description":"The build flavour determines configuration and behavior of Kibana. On premise users will almost always run the \"traditional\" flavour, while other flavours are reserved for Elastic-specific use cases.","enum":["serverless","traditional"],"type":"string"},"build_hash":{"description":"A unique hash value representing the git commit of this Kibana build.","type":"string"},"build_number":{"description":"A monotonically increasing number, each subsequent build will have a higher number.","type":"number"},"build_snapshot":{"description":"Whether this build is a snapshot build.","type":"boolean"},"number":{"description":"A semantic version number.","type":"string"}},"required":["number","build_hash","build_number","build_snapshot","build_flavor","build_date"]}},"required":["name","uuid","version","status","metrics"]},"Machine_learning_APIs_mlSync200Response":{"properties":{"datafeedsAdded":{"additionalProperties":{"$ref":"#/components/schemas/Machine_learning_APIs_mlSyncResponseDatafeeds"},"description":"If a saved object for an anomaly detection job is missing a datafeed identifier, it is added when you run the sync machine learning saved objects API.","type":"object"},"datafeedsRemoved":{"additionalProperties":{"$ref":"#/components/schemas/Machine_learning_APIs_mlSyncResponseDatafeeds"},"description":"If a saved object for an anomaly detection job references a datafeed that no longer exists, it is deleted when you run the sync machine learning saved objects API.","type":"object"},"savedObjectsCreated":{"$ref":"#/components/schemas/Machine_learning_APIs_mlSyncResponseSavedObjectsCreated"},"savedObjectsDeleted":{"$ref":"#/components/schemas/Machine_learning_APIs_mlSyncResponseSavedObjectsDeleted"}},"title":"Successful sync API response","type":"object"},"Machine_learning_APIs_mlSync4xxResponse":{"properties":{"error":{"example":"Unauthorized","type":"string"},"message":{"type":"string"},"statusCode":{"example":401,"type":"integer"}},"title":"Unsuccessful sync API response","type":"object"},"Machine_learning_APIs_mlSyncResponseAnomalyDetectors":{"description":"The sync machine learning saved objects API response contains this object when there are anomaly detection jobs affected by the synchronization. There is an object for each relevant job, which contains the synchronization status.","properties":{"success":{"$ref":"#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess"}},"title":"Sync API response for anomaly detection jobs","type":"object"},"Machine_learning_APIs_mlSyncResponseDatafeeds":{"description":"The sync machine learning saved objects API response contains this object when there are datafeeds affected by the synchronization. There is an object for each relevant datafeed, which contains the synchronization status.","properties":{"success":{"$ref":"#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess"}},"title":"Sync API response for datafeeds","type":"object"},"Machine_learning_APIs_mlSyncResponseDataFrameAnalytics":{"description":"The sync machine learning saved objects API response contains this object when there are data frame analytics jobs affected by the synchronization. There is an object for each relevant job, which contains the synchronization status.","properties":{"success":{"$ref":"#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess"}},"title":"Sync API response for data frame analytics jobs","type":"object"},"Machine_learning_APIs_mlSyncResponseSavedObjectsCreated":{"description":"If saved objects are missing for machine learning jobs or trained models, they are created when you run the sync machine learning saved objects API.","properties":{"anomaly-detector":{"additionalProperties":{"$ref":"#/components/schemas/Machine_learning_APIs_mlSyncResponseAnomalyDetectors"},"description":"If saved objects are missing for anomaly detection jobs, they are created.","type":"object"},"data-frame-analytics":{"additionalProperties":{"$ref":"#/components/schemas/Machine_learning_APIs_mlSyncResponseDataFrameAnalytics"},"description":"If saved objects are missing for data frame analytics jobs, they are created.","type":"object"},"trained-model":{"additionalProperties":{"$ref":"#/components/schemas/Machine_learning_APIs_mlSyncResponseTrainedModels"},"description":"If saved objects are missing for trained models, they are created.","type":"object"}},"title":"Sync API response for created saved objects","type":"object"},"Machine_learning_APIs_mlSyncResponseSavedObjectsDeleted":{"description":"If saved objects exist for machine learning jobs or trained models that no longer exist, they are deleted when you run the sync machine learning saved objects API.","properties":{"anomaly-detector":{"additionalProperties":{"$ref":"#/components/schemas/Machine_learning_APIs_mlSyncResponseAnomalyDetectors"},"description":"If there are saved objects exist for nonexistent anomaly detection jobs, they are deleted.","type":"object"},"data-frame-analytics":{"additionalProperties":{"$ref":"#/components/schemas/Machine_learning_APIs_mlSyncResponseDataFrameAnalytics"},"description":"If there are saved objects exist for nonexistent data frame analytics jobs, they are deleted.","type":"object"},"trained-model":{"additionalProperties":{"$ref":"#/components/schemas/Machine_learning_APIs_mlSyncResponseTrainedModels"},"description":"If there are saved objects exist for nonexistent trained models, they are deleted.","type":"object"}},"title":"Sync API response for deleted saved objects","type":"object"},"Machine_learning_APIs_mlSyncResponseSuccess":{"description":"The success or failure of the synchronization.","type":"boolean"},"Machine_learning_APIs_mlSyncResponseTrainedModels":{"description":"The sync machine learning saved objects API response contains this object when there are trained models affected by the synchronization. There is an object for each relevant trained model, which contains the synchronization status.","properties":{"success":{"$ref":"#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess"}},"title":"Sync API response for trained models","type":"object"},"Observability_AI_Assistant_API_ChatCompleteRequestExample":{"summary":"Example of completing a chat interaction","value":"{\n  \"connectorId\": \"\u003cconnectorId\u003e\",\n  \"disableFunctions\": false,\n  \"messages\": [\n    {\n      \"@timestamp\": \"2025-06-25T23:45:00.000Z\",\n      \"message\": {\n        \"role\": \"user\",\n        \"content\": \"Is my Elasticsearch cluster healthy right now?\"\n      }\n    }\n  ],\n  \"persist\": false,\n  \"actions\": [\n    {\n      \"name\": \"get_cluster_health\",\n      \"description\": \"Fetch the current Elasticsearch cluster-health status and key metrics.\",\n      \"parameters\": {\n        \"type\": \"object\",\n        \"properties\": {\n          \"includeShardStats\": {\n            \"type\": \"boolean\",\n            \"default\": false\n          }\n        }\n      }\n    }\n  ],\n  \"instructions\": [\"When the user asks about Elasticsearch cluster health, use the get_cluster_health tool to retrieve cluster health, then summarize the response in plain English.\"]\n}\n"},"Observability_AI_Assistant_API_ChatCompleteResponseExample":{"summary":"Get a chat completion from the Observability AI Assistant","value":"data: {\"model\":\"unknown\",\"choices\":[{\"delta\":{\"content\":\"\",\"function_call\":{\"name\":\"get_cluster_health\",\"arguments\":\"{\\\"includeShardStats\\\":true}\"}},\"finish_reason\":null,\"index\":0}],\"created\":1750936626911,\"id\":\"9c8eff9b-4fd4-4203-a4ab-2e364688deff\",\"object\":\"chat.completion.chunk\"}\n\ndata: [DONE]\n"},"Observability_AI_Assistant_API_Function":{"type":"object","properties":{"description":{"description":"The description of the function.","type":"string"},"name":{"description":"The name of the function.","type":"string"},"parameters":{"description":"The parameters of the function.","type":"object"}}},"Observability_AI_Assistant_API_FunctionCall":{"description":"Details of the function call within the message.","type":"object","properties":{"arguments":{"description":"The arguments for the function call.","type":"string"},"name":{"description":"The name of the function.","type":"string"},"trigger":{"description":"The trigger of the function call.","enum":["assistant","user","elastic"],"type":"string"}},"required":["name","trigger"]},"Observability_AI_Assistant_API_Instruction":{"oneOf":[{"description":"A simple instruction represented as a string.","type":"string"},{"description":"A detailed instruction with an ID and text.","type":"object","properties":{"id":{"description":"A unique identifier for the instruction.","type":"string"},"text":{"description":"The text of the instruction.","type":"string"}},"required":["id","text"]}]},"Observability_AI_Assistant_API_Message":{"name":"Message","type":"object","properties":{"@timestamp":{"description":"The timestamp when the message was created.","type":"string"},"message":{"description":"The main content of the message.","type":"object","properties":{"content":{"description":"The content of the message.","type":"string"},"data":{"description":"Additional data associated with the message.","type":"string"},"event":{"description":"The event related to the message.","type":"string"},"function_call":{"$ref":"#/components/schemas/Observability_AI_Assistant_API_FunctionCall"},"name":{"description":"The name associated with the message.","type":"string"},"role":{"$ref":"#/components/schemas/Observability_AI_Assistant_API_MessageRoleEnum"}},"required":["role"]}},"required":["@timestamp","message"]},"Observability_AI_Assistant_API_MessageRoleEnum":{"description":"The role of the message sender.","enum":["system","assistant","function","user","elastic"],"type":"string"},"Saved_objects_400_response":{"title":"Bad request","type":"object","properties":{"error":{"enum":["Bad Request"],"type":"string"},"message":{"type":"string"},"statusCode":{"enum":[400],"type":"integer"}},"required":["error","message","statusCode"]},"Saved_objects_attributes":{"description":"The data that you want to create. WARNING: When you create saved objects, attributes are not validated, which allows you to pass arbitrary and ill-formed data into the API that can break Kibana. Make sure any data that you send to the API is properly formed.\n","type":"object"},"Saved_objects_initial_namespaces":{"description":"Identifiers for the spaces in which this object is created. If this is provided, the object is created only in the explicitly defined spaces. If this is not provided, the object is created in the current space (default behavior). For shareable object types (registered with `namespaceType: 'multiple'`), this option can be used to specify one or more spaces, including the \"All spaces\" identifier ('*'). For isolated object types (registered with `namespaceType: 'single'` or `namespaceType: 'multiple-isolated'`), this option can only be used to specify a single space, and the \"All spaces\" identifier ('*') is not allowed. For global object types (`registered with `namespaceType: agnostic`), this option cannot be used.\n","type":"array"},"Saved_objects_references":{"description":"Objects with `name`, `id`, and `type` properties that describe the other saved objects that this object references. Use `name` in attributes to refer to the other saved object, but never the `id`, which can update automatically during migrations or import and export.\n","type":"array"},"Security_AI_Assistant_API_AnonymizationFieldCreateProps":{"type":"object","properties":{"allowed":{"description":"Whether this field is allowed to be sent to the model.","example":true,"type":"boolean"},"anonymized":{"description":"Whether this field should be anonymized.","example":false,"type":"boolean"},"field":{"description":"Name of the anonymization field to create.","example":"host.name","type":"string"}},"required":["field"]},"Security_AI_Assistant_API_AnonymizationFieldDetailsInError":{"type":"object","properties":{"id":{"description":"The ID of the anonymization field.","example":"field12","type":"string"},"name":{"description":"Name of the anonymization field.","example":"host.name","type":"string"}},"required":["id"]},"Security_AI_Assistant_API_AnonymizationFieldResponse":{"type":"object","properties":{"allowed":{"description":"Whether this field is allowed to be sent to the model.","example":true,"type":"boolean"},"anonymized":{"description":"Whether this field should be anonymized.","example":false,"type":"boolean"},"createdAt":{"description":"Timestamp of when the anonymization field was created.","example":"2023-10-31T12:00:00Z","type":"string"},"createdBy":{"description":"Username of the person who created the anonymization field.","example":"user1","type":"string"},"field":{"description":"Name of the anonymization field.","example":"url.domain","type":"string"},"id":{"$ref":"#/components/schemas/Security_AI_Assistant_API_NonEmptyString","description":"The ID of the anonymization field."},"namespace":{"description":"Kibana space in which this anonymization field exists.","example":"default","type":"string"},"timestamp":{"$ref":"#/components/schemas/Security_AI_Assistant_API_NonEmptyTimestamp","description":"Timestamp when the anonymization field was initially created."},"updatedAt":{"description":"Timestamp of the last update.","example":"2023-10-31T12:00:00Z","type":"string"},"updatedBy":{"description":"Username of the person who last updated the field.","example":"user1","type":"string"}},"required":["id","field"]},"Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipReason":{"description":"Reason why the anonymization field was not modified.","enum":["ANONYMIZATION_FIELD_NOT_MODIFIED"],"type":"string"},"Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipResult":{"type":"object","properties":{"id":{"description":"The ID of the anonymization field that was not modified.","example":"field4","type":"string"},"name":{"description":"Name of the anonymization field that was not modified.","example":"user.name","type":"string"},"skip_reason":{"$ref":"#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipReason","description":"Reason why the anonymization field was not modified."}},"required":["id","skip_reason"]},"Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResponse":{"type":"object","properties":{"anonymization_fields_count":{"description":"Total number of anonymization fields processed.","example":5,"type":"integer"},"attributes":{"type":"object","properties":{"errors":{"description":"List of errors that occurred during the bulk operation.","items":{"$ref":"#/components/schemas/Security_AI_Assistant_API_NormalizedAnonymizationFieldError"},"type":"array"},"results":{"$ref":"#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResults"},"summary":{"$ref":"#/components/schemas/Security_AI_Assistant_API_BulkCrudActionSummary"}},"required":["results","summary"]},"message":{"description":"Message providing information about the bulk action result.","example":"Bulk action completed successfully","type":"string"},"status_code":{"description":"HTTP status code returned.","example":200,"type":"integer"},"success":{"description":"Indicates if the bulk action was successful.","example":true,"type":"boolean"}},"required":["attributes"]},"Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResults":{"type":"object","properties":{"created":{"description":"List of anonymization fields successfully created.","items":{"$ref":"#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse"},"type":"array"},"deleted":{"items":{"description":"Array of IDs of anonymization fields that were deleted.","example":"field3","type":"string"},"type":"array"},"skipped":{"description":"List of anonymization fields that were skipped during the operation.","items":{"$ref":"#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipResult"},"type":"array"},"updated":{"description":"List of anonymization fields successfully updated.","items":{"$ref":"#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse"},"type":"array"}},"required":["updated","created","deleted","skipped"]},"Security_AI_Assistant_API_AnonymizationFieldUpdateProps":{"type":"object","properties":{"allowed":{"description":"Whether this field is allowed to be sent to the model.","example":true,"type":"boolean"},"anonymized":{"description":"Whether this field should be anonymized.","example":false,"type":"boolean"},"id":{"description":"The ID of the anonymization field to update.","example":"field8","type":"string"}},"required":["id"]},"Security_AI_Assistant_API_ApiConfig":{"type":"object","properties":{"actionTypeId":{"description":"Action type ID","example":"actionType456","type":"string"},"connectorId":{"description":"Connector ID","example":"connector123","type":"string"},"defaultSystemPromptId":{"description":"Default system prompt ID","example":"systemPrompt001","type":"string"},"model":{"description":"Model","example":"gpt-4","type":"string"},"provider":{"$ref":"#/components/schemas/Security_AI_Assistant_API_Provider","description":"Provider","example":"OpenAI"}},"required":["connectorId","actionTypeId"]},"Security_AI_Assistant_API_BaseContentReference":{"description":"The basis of a content reference","type":"object","properties":{"id":{"description":"Id of the content reference","example":"content123","type":"string"},"type":{"description":"Type of the content reference","example":"SecurityAlert","type":"string"}},"required":["id","type"]},"Security_AI_Assistant_API_BaseInterruptResumeValue":{"description":"The basis of an interrupt resume value","type":"object","properties":{"type":{"$ref":"#/components/schemas/Security_AI_Assistant_API_InterruptType","description":"Type of the resume value","example":"SELECT_OPTION"}},"required":["type"]},"Security_AI_Assistant_API_BaseInterruptValue":{"description":"The basis of an agent interrupt","type":"object","properties":{"expired":{"description":"Whether the interrupt has expired and can no longer be resumed.","example":false,"type":"boolean"},"threadId":{"description":"Thread ID of the graph execution that produced this message.","example":"\u003cUUID\u003e","type":"string"},"type":{"$ref":"#/components/schemas/Security_AI_Assistant_API_InterruptType","description":"Type of the interrupt","example":"SELECT_OPTION"}},"required":["type","threadId"]},"Security_AI_Assistant_API_BulkCrudActionSummary":{"type":"object","properties":{"failed":{"description":"The number of failed actions.","example":0,"type":"integer"},"skipped":{"description":"The number of skipped actions.","example":1,"type":"integer"},"succeeded":{"description":"The number of successfully performed actions.","example":10,"type":"integer"},"total":{"description":"The total number of actions attempted.","example":12,"type":"integer"}},"required":["failed","skipped","succeeded","total"]},"Security_AI_Assistant_API_ChatCompleteProps":{"description":"The request payload for creating a chat completion.","example":{"connectorId":"conn-001","conversationId":"abc123","isStream":true,"langSmithApiKey":"sk-abc123","langSmithProject":"security_ai_project","messages":[{"content":"How do I detect ransomware on my endpoints?","data":{"device_id":"device-567"},"fields_to_anonymize":["device.name","file.path"],"role":"user"}],"model":"gpt-4","persist":true,"promptId":"prompt_456","responseLanguage":"en"},"type":"object","properties":{"connectorId":{"description":"Required connector identifier to route the request.","example":"conn-001","type":"string"},"conversationId":{"$ref":"#/components/schemas/Security_AI_Assistant_API_NonEmptyString","description":"Existing conversation ID to continue."},"isStream":{"description":"If true, the response will be streamed in chunks.","example":true,"type":"boolean"},"langSmithApiKey":{"description":"API key for LangSmith integration.","example":"sk-abc123","type":"string"},"langSmithProject":{"description":"LangSmith project name for tracing.","example":"security_ai_project","type":"string"},"messages":{"description":"List of chat messages exchanged so far.","items":{"$ref":"#/components/schemas/Security_AI_Assistant_API_ChatMessage"},"type":"array"},"model":{"description":"Model ID or name to use for the response.","example":"gpt-4","type":"string"},"persist":{"description":"Whether to persist the chat and response to storage.","example":true,"type":"boolean"},"promptId":{"description":"Prompt template identifier.","example":"prompt_001","type":"string"},"responseLanguage":{"description":"ISO language code for the assistant's response.","example":"en","type":"string"}},"required":["messages","persist","connectorId"]},"Security_AI_Assistant_API_ChatMessage":{"description":"A message exchanged within the AI chat conversation.","type":"object","properties":{"content":{"description":"The textual content of the message.","example":"What security incidents have been reported today?","type":"string"},"data":{"$ref":"#/components/schemas/Security_AI_Assistant_API_MessageData","description":"Metadata to attach to the context of the message."},"fields_to_anonymize":{"description":"List of field names within the data object that should be anonymized.","example":["user.name","source.ip"],"items":{"type":"string"},"type":"array"},"role":{"$ref":"#/components/schemas/Security_AI_Assistant_API_ChatMessageRole","description":"The sender role of the message."}},"required":["role"]},"Security_AI_Assistant_API_ChatMessageRole":{"description":"The role associated with the message in the chat.","enum":["system","user","assistant"],"example":"user","type":"string"},"Security_AI_Assistant_API_ContentReferences":{"additionalProperties":{"oneOf":[{"$ref":"#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryContentReference"},{"$ref":"#/components/schemas/Security_AI_Assistant_API_SecurityAlertContentReference"},{"$ref":"#/components/schemas/Security_AI_Assistant_API_SecurityAlertsPageContentReference"},{"$ref":"#/components/schemas/Security_AI_Assistant_API_ProductDocumentationContentReference"},{"$ref":"#/components/schemas/Security_AI_Assistant_API_EsqlContentReference"},{"$ref":"#/components/schemas/Security_AI_Assistant_API_HrefContentReference","additionalProperties":false}]},"description":"A union of all content reference types","type":"object"},"Security_AI_Assistant_API_ConversationCategory":{"description":"The conversation category.","enum":["assistant","insights"],"example":"assistant","type":"string"},"Security_AI_Assistant_API_ConversationCreateProps":{"type":"object","properties":{"apiConfig":{"$ref":"#/components/schemas/Security_AI_Assistant_API_ApiConfig","description":"LLM API configuration."},"category":{"$ref":"#/components/schemas/Security_AI_Assistant_API_ConversationCategory","description":"The conversation category.","example":"assistant"},"excludeFromLastConversationStorage":{"description":"Exclude from last conversation storage.","type":"boolean"},"id":{"description":"The conversation id.","example":"conversation123","type":"string"},"messages":{"description":"The conversation messages.","items":{"$ref":"#/components/schemas/Security_AI_Assistant_API_Message"},"type":"array"},"replacements":{"$ref":"#/components/schemas/Security_AI_Assistant_API_Replacements"},"title":{"description":"The conversation title.","example":"Security AI Assistant Setup","type":"string"}},"required":["title"]},"Security_AI_Assistant_API_ConversationResponse":{"type":"object","properties":{"apiConfig":{"$ref":"#/components/schemas/Security_AI_Assistant_API_ApiConfig","description":"LLM API configuration."},"category":{"$ref":"#/components/schemas/Security_AI_Assistant_API_ConversationCategory","description":"The conversation category.","example":"assistant"},"createdAt":{"description":"The time conversation was created.","example":"2025-04-30T14:00:00Z","type":"string"},"createdBy":{"$ref":"#/components/schemas/Security_AI_Assistant_API_User","description":"The user who created the conversation."},"excludeFromLastConversationStorage":{"description":"Exclude from last conversation storage.","type":"boolean"},"id":{"$ref":"#/components/schemas/Security_AI_Assistant_API_NonEmptyString"},"messages":{"description":"The conversation messages.","items":{"$ref":"#/components/schemas/Security_AI_Assistant_API_Message"},"type":"array"},"namespace":{"description":"Kibana space","example":"default","type":"string"},"replacements":{"$ref":"#/components/schemas/Security_AI_Assistant_API_Replacements"},"timestamp":{"$ref":"#/components/schemas/Security_AI_Assistant_API_NonEmptyTimestamp"},"title":{"description":"The conversation title.","example":"Security AI Assistant Setup","type":"string"},"updatedAt":{"description":"The last time conversation was updated.","example":"2025-04-30T16:30:00Z","type":"string"},"users":{"items":{"$ref":"#/components/schemas/Security_AI_Assistant_API_User"},"type":"array"}},"required":["id","title","createdAt","createdBy","users","namespace","category"]},"Security_AI_Assistant_API_ConversationUpdateProps":{"type":"object","properties":{"apiConfig":{"$ref":"#/components/schemas/Security_AI_Assistant_API_ApiConfig","description":"LLM API configuration."},"category":{"$ref":"#/components/schemas/Security_AI_Assistant_API_ConversationCategory","description":"The conversation category.","example":"assistant"},"excludeFromLastConversationStorage":{"description":"Exclude from last conversation storage.","type":"boolean"},"id":{"$ref":"#/components/schemas/Security_AI_Assistant_API_NonEmptyString"},"messages":{"description":"The conversation messages.","items":{"$ref":"#/components/schemas/Security_AI_Assistant_API_Message"},"type":"array"},"replacements":{"$ref":"#/components/schemas/Security_AI_Assistant_API_Replacements"},"title":{"description":"The conversation title.","example":"Updated Security AI Assistant Setup","type":"string"},"users":{"items":{"$ref":"#/components/schemas/Security_AI_Assistant_API_User"},"type":"array"}},"required":["id"]},"Security_AI_Assistant_API_DeleteResponseFields":{"type":"object","properties":{"id":{"$ref":"#/components/schemas/Security_AI_Assistant_API_NonEmptyString"}},"required":["id"]},"Security_AI_Assistant_API_DocumentEntry":{"allOf":[{"type":"object","properties":{"global":{"description":"Whether this Knowledge Base Entry is global, defaults to false.","example":false,"type":"boolean"},"name":{"description":"Name of the Knowledge Base Entry.","example":"Example Entry","type":"string"},"namespace":{"description":"Kibana Space, defaults to 'default' space.","example":"default","type":"string"},"users":{"description":"Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users.","items":{"$ref":"#/components/schemas/Security_AI_Assistant_API_User"},"type":"array"}},"required":["name","namespace","global","users"]},{"$ref":"#/components/schemas/Security_AI_Assistant_API_ResponseFields"},{"$ref":"#/components/schemas/Security_AI_Assistant_API_DocumentEntryResponseFields"}]},"Security_AI_Assistant_API_DocumentEntryCreateFields":{"allOf":[{"type":"object","properties":{"global":{"description":"Whether this Knowledge Base Entry is global, defaults to false.","example":false,"type":"boolean"},"name":{"description":"Name of the Knowledge Base Entry.","example":"Example Entry","type":"string"},"namespace":{"description":"Kibana Space, defaults to 'default' space.","example":"default","type":"string"},"users":{"description":"Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users.","items":{"$ref":"#/components/schemas/Security_AI_Assistant_API_User"},"type":"array"}},"required":["name"]},{"$ref":"#/components/schemas/Security_AI_Assistant_API_DocumentEntryRequiredFields"},{"$ref":"#/components/schemas/Security_AI_Assistant_API_DocumentEntryOptionalFields"}]},"Security_AI_Assistant_API_DocumentEntryOptionalFields":{"type":"object","properties":{"required":{"description":"Whether this resource should always be included, defaults to false.","example":false,"type":"boolean"},"vector":{"$ref":"#/components/schemas/Security_AI_Assistant_API_Vector"}}},"Security_AI_Assistant_API_DocumentEntryRequiredFields":{"type":"object","properties":{"kbResource":{"$ref":"#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResource"},"source":{"description":"Source document name or filepath.","example":"/documents/example.txt","type":"string"},"text":{"description":"Knowledge Base Entry content.","example":"This is the content of the document.","type":"string"},"type":{"description":"Entry type.","enum":["document"],"example":"document","type":"string"}},"required":["type","kbResource","source","text"]},"Security_AI_Assistant_API_DocumentEntryResponseFields":{"allOf":[{"$ref":"#/components/schemas/Security_AI_Assistant_API_DocumentEntryRequiredFields"},{"$ref":"#/components/schemas/Security_AI_Assistant_API_DocumentEntryOptionalFields"}]},"Security_AI_Assistant_API_DocumentEntryUpdateFields":{"allOf":[{"type":"object","properties":{"global":{"description":"Whether this Knowledge Base Entry is global, defaults to false.","example":false,"type":"boolean"},"id":{"$ref":"#/components/schemas/Security_AI_Assistant_API_NonEmptyString"},"name":{"description":"Name of the Knowledge Base Entry.","example":"Example Entry","type":"string"},"namespace":{"description":"Kibana Space, defaults to 'default' space.","example":"default","type":"string"},"users":{"description":"Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users.","items":{"$ref":"#/components/schemas/Security_AI_Assistant_API_User"},"type":"array"}},"required":["id"]},{"$ref":"#/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields"}]},"Security_AI_Assistant_API_EsqlContentReference":{"allOf":[{"$ref":"#/components/schemas/Security_AI_Assistant_API_BaseContentReference"},{"type":"object","properties":{"label":{"description":"Label of the query","example":"High Severity Alerts","type":"string"},"query":{"description":"An ESQL query","example":"SELECT * FROM alerts WHERE severity = \"high\"","type":"string"},"timerange":{"description":"Time range to select in the time picker.","type":"object","properties":{"from":{"example":"2025-04-01T00:00:00Z","type":"string"},"to":{"example":"2025-04-30T23:59:59Z","type":"string"}},"required":["from","to"]},"type":{"enum":["EsqlQuery"],"example":"EsqlQuery","type":"string"}},"required":["type","query","label"]}],"description":"References an ESQL query"},"Security_AI_Assistant_API_FindAnonymizationFieldsSortField":{"enum":["created_at","anonymized","allowed","field","updated_at"],"type":"string"},"Security_AI_Assistant_API_FindConversationsSortField":{"description":"The field by which to sort the conversations. Possible values are `created_at`, `title`, and `updated_at`.","enum":["created_at","title","updated_at"],"example":"created_at","type":"string"},"Security_AI_Assistant_API_FindKnowledgeBaseEntriesSortField":{"description":"Fields available for sorting Knowledge Base Entries.","enum":["created_at","is_default","title","updated_at"],"example":"title","type":"string"},"Security_AI_Assistant_API_FindPromptsSortField":{"description":"Field by which to sort the prompts.","enum":["created_at","is_default","name","updated_at"],"example":"created_at","type":"string"},"Security_AI_Assistant_API_HrefContentReference":{"allOf":[{"$ref":"#/components/schemas/Security_AI_Assistant_API_BaseContentReference"},{"type":"object","properties":{"href":{"description":"URL to the external resource","type":"string"},"label":{"description":"Label of the query","type":"string"},"type":{"enum":["Href"],"type":"string"}},"required":["type","href"]}],"description":"References an external URL"},"Security_AI_Assistant_API_IndexEntry":{"allOf":[{"type":"object","properties":{"global":{"description":"Whether this Knowledge Base Entry is global, defaults to false.","example":false,"type":"boolean"},"name":{"description":"Name of the Knowledge Base Entry.","example":"Example Entry","type":"string"},"namespace":{"description":"Kibana Space, defaults to 'default' space.","example":"default","type":"string"},"users":{"description":"Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users.","items":{"$ref":"#/components/schemas/Security_AI_Assistant_API_User"},"type":"array"}},"required":["name","namespace","global","users"]},{"$ref":"#/components/schemas/Security_AI_Assistant_API_ResponseFields"},{"$ref":"#/components/schemas/Security_AI_Assistant_API_IndexEntryResponseFields"}]},"Security_AI_Assistant_API_IndexEntryCreateFields":{"allOf":[{"type":"object","properties":{"global":{"description":"Whether this Knowledge Base Entry is global, defaults to false.","example":false,"type":"boolean"},"name":{"description":"Name of the Knowledge Base Entry.","example":"Example Entry","type":"string"},"namespace":{"description":"Kibana Space, defaults to 'default' space.","example":"default","type":"string"},"users":{"description":"Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users.","items":{"$ref":"#/components/schemas/Security_AI_Assistant_API_User"},"type":"array"}},"required":["name"]},{"$ref":"#/components/schemas/Security_AI_Assistant_API_IndexEntryRequiredFields"},{"$ref":"#/components/schemas/Security_AI_Assistant_API_IndexEntryOptionalFields"}]},"Security_AI_Assistant_API_IndexEntryOptionalFields":{"type":"object","properties":{"inputSchema":{"$ref":"#/components/schemas/Security_AI_Assistant_API_InputSchema"},"outputFields":{"description":"Fields to extract from the query result, defaults to all fields if not provided or empty.","example":["title","author"],"items":{"type":"string"},"type":"array"}}},"Security_AI_Assistant_API_IndexEntryRequiredFields":{"type":"object","properties":{"description":{"description":"Description for when this index or data stream should be queried for Knowledge Base content. Passed to the LLM as a tool description.","example":"Query this index for general knowledge base content.","type":"string"},"field":{"description":"Field to query for Knowledge Base content.","example":"content","type":"string"},"index":{"description":"Index or Data Stream to query for Knowledge Base content.","example":"knowledge_base_index","type":"string"},"queryDescription":{"description":"Description of query field used to fetch Knowledge Base content. Passed to the LLM as part of the tool input schema.","example":"Search for documents containing the specified keywords.","type":"string"},"type":{"description":"Entry type.","enum":["index"],"example":"index","type":"string"}},"required":["type","index","field","description","queryDescription"]},"Security_AI_Assistant_API_IndexEntryResponseFields":{"allOf":[{"$ref":"#/components/schemas/Security_AI_Assistant_API_IndexEntryRequiredFields"},{"$ref":"#/components/schemas/Security_AI_Assistant_API_IndexEntryOptionalFields"}]},"Security_AI_Assistant_API_IndexEntryUpdateFields":{"allOf":[{"type":"object","properties":{"global":{"description":"Whether this Knowledge Base Entry is global, defaults to false.","example":false,"type":"boolean"},"id":{"$ref":"#/components/schemas/Security_AI_Assistant_API_NonEmptyString"},"name":{"description":"Name of the Knowledge Base Entry.","example":"Example Entry","type":"string"},"namespace":{"description":"Kibana Space, defaults to 'default' space.","example":"default","type":"string"},"users":{"description":"Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users.","items":{"$ref":"#/components/schemas/Security_AI_Assistant_API_User"},"type":"array"}},"required":["id"]},{"$ref":"#/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields"}]},"Security_AI_Assistant_API_InputSchema":{"description":"Array of objects defining the input schema, allowing the LLM to extract structured data to be used in retrieval.","items":{"type":"object","properties":{"description":{"description":"Description of the field.","example":"The title of the document.","type":"string"},"fieldName":{"description":"Name of the field.","example":"title","type":"string"},"fieldType":{"description":"Type of the field.","example":"string","type":"string"}},"required":["fieldName","fieldType","description"]},"type":"array"},"Security_AI_Assistant_API_InputTextInterruptResumeValue":{"allOf":[{"$ref":"#/components/schemas/Security_AI_Assistant_API_BaseInterruptResumeValue"},{"type":"object","properties":{"type":{"enum":["INPUT_TEXT"],"example":"INPUT_TEXT","type":"string"},"value":{"description":"Text value used to resume the graph execution with.","example":".logs*","type":"string"}},"required":["value","type"]}],"description":"A resume value for input text"},"Security_AI_Assistant_API_InputTextInterruptValue":{"allOf":[{"$ref":"#/components/schemas/Security_AI_Assistant_API_BaseInterruptValue"},{"type":"object","properties":{"description":{"description":"Description of action required","example":"What is the index you would like to use for the query.","type":"string"},"placeholder":{"description":"Placeholder text for the input field","example":"Enter index pattern here...","type":"string"},"type":{"enum":["INPUT_TEXT"],"example":"INPUT_TEXT","type":"string"}},"required":["type"]}],"description":"Interrupt that requests user to provide text input"},"Security_AI_Assistant_API_InterruptResumeValue":{"description":"Union of the interrupt resume values","oneOf":[{"$ref":"#/components/schemas/Security_AI_Assistant_API_SelectOptionInterruptResumeValue","additionalProperties":false},{"$ref":"#/components/schemas/Security_AI_Assistant_API_InputTextInterruptResumeValue","additionalProperties":false}]},"Security_AI_Assistant_API_InterruptType":{"description":"The type of interrupt","enum":["SELECT_OPTION","INPUT_TEXT"],"type":"string"},"Security_AI_Assistant_API_InterruptValue":{"description":"Union of the interrupt values","oneOf":[{"$ref":"#/components/schemas/Security_AI_Assistant_API_SelectOptionInterruptValue","additionalProperties":false},{"$ref":"#/components/schemas/Security_AI_Assistant_API_InputTextInterruptValue","additionalProperties":false}]},"Security_AI_Assistant_API_KnowledgeBaseEntryBulkActionSkipReason":{"description":"Reason why a Knowledge Base Entry was skipped during the bulk action.","enum":["KNOWLEDGE_BASE_ENTRY_NOT_MODIFIED"],"type":"string"},"Security_AI_Assistant_API_KnowledgeBaseEntryBulkActionSkipResult":{"type":"object","properties":{"id":{"description":"ID of the skipped Knowledge Base Entry.","example":"123","type":"string"},"name":{"description":"Name of the skipped Knowledge Base Entry.","example":"Skipped Entry","type":"string"},"skip_reason":{"$ref":"#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkActionSkipReason"}},"required":["id","skip_reason"]},"Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionResponse":{"type":"object","properties":{"attributes":{"type":"object","properties":{"errors":{"description":"List of errors encountered during the bulk action.","example":[{"err_code":"UPDATE_FAILED","knowledgeBaseEntries":[{"id":"456","name":"Error Entry"}],"message":"Failed to update entry.","statusCode":400}],"items":{"$ref":"#/components/schemas/Security_AI_Assistant_API_NormalizedKnowledgeBaseEntryError"},"type":"array"},"results":{"$ref":"#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionResults"},"summary":{"$ref":"#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionSummary"}},"required":["results","summary"]},"knowledgeBaseEntriesCount":{"description":"Total number of Knowledge Base Entries processed.","example":8,"type":"integer"},"message":{"description":"Message describing the result of the bulk action.","example":"Bulk action completed successfully.","type":"string"},"statusCode":{"description":"HTTP status code of the response.","example":200,"type":"integer"},"success":{"description":"Indicates whether the bulk action was successful.","example":true,"type":"boolean"}},"required":["attributes"]},"Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionResults":{"type":"object","properties":{"created":{"description":"List of Knowledge Base Entries that were successfully created.","example":[{"content":"This is the content of the new entry.","id":"456","title":"New Entry"}],"items":{"$ref":"#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse"},"type":"array"},"deleted":{"description":"List of IDs of Knowledge Base Entries that were successfully deleted.","example":["789"],"items":{"type":"string"},"type":"array"},"skipped":{"description":"List of Knowledge Base Entries that were skipped during the bulk action.","example":[{"id":"123","name":"Skipped Entry","skip_reason":"KNOWLEDGE_BASE_ENTRY_NOT_MODIFIED"}],"items":{"$ref":"#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkActionSkipResult"},"type":"array"},"updated":{"description":"List of Knowledge Base Entries that were successfully updated.","example":[{"content":"Updated content.","id":"123","title":"Updated Entry"}],"items":{"$ref":"#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse"},"type":"array"}},"required":["updated","created","deleted","skipped"]},"Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionSummary":{"type":"object","properties":{"failed":{"description":"Number of Knowledge Base Entries that failed during the bulk action.","example":2,"type":"integer"},"skipped":{"description":"Number of Knowledge Base Entries that were skipped during the bulk action.","example":1,"type":"integer"},"succeeded":{"description":"Number of Knowledge Base Entries that were successfully processed during the bulk action.","example":5,"type":"integer"},"total":{"description":"Total number of Knowledge Base Entries involved in the bulk action.","example":8,"type":"integer"}},"required":["failed","skipped","succeeded","total"]},"Security_AI_Assistant_API_KnowledgeBaseEntryContentReference":{"allOf":[{"$ref":"#/components/schemas/Security_AI_Assistant_API_BaseContentReference"},{"type":"object","properties":{"knowledgeBaseEntryId":{"description":"Id of the Knowledge Base Entry","example":"kbentry456","type":"string"},"knowledgeBaseEntryName":{"description":"Name of the knowledge base entry","example":"Network Security Best Practices","type":"string"},"type":{"enum":["KnowledgeBaseEntry"],"example":"KnowledgeBaseEntry","type":"string"}},"required":["type","knowledgeBaseEntryId","knowledgeBaseEntryName"]}],"description":"References a knowledge base entry"},"Security_AI_Assistant_API_KnowledgeBaseEntryCreateProps":{"anyOf":[{"$ref":"#/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields"},{"$ref":"#/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields"}],"discriminator":{"propertyName":"type"}},"Security_AI_Assistant_API_KnowledgeBaseEntryDetailsInError":{"type":"object","properties":{"id":{"description":"ID of the Knowledge Base Entry that encountered an error.","example":"456","type":"string"},"name":{"description":"Name of the Knowledge Base Entry that encountered an error.","example":"Error Entry","type":"string"}},"required":["id"]},"Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema":{"additionalProperties":false,"type":"object","properties":{"error":{"description":"Error type or category.","example":"Not Found","type":"string"},"message":{"description":"Detailed error message.","example":"The requested Knowledge Base Entry was not found.","type":"string"},"statusCode":{"description":"HTTP status code of the error.","example":404,"type":"number"}},"required":["statusCode","error","message"]},"Security_AI_Assistant_API_KnowledgeBaseEntryResponse":{"anyOf":[{"$ref":"#/components/schemas/Security_AI_Assistant_API_DocumentEntry"},{"$ref":"#/components/schemas/Security_AI_Assistant_API_IndexEntry"}],"discriminator":{"propertyName":"type"}},"Security_AI_Assistant_API_KnowledgeBaseEntryUpdateProps":{"anyOf":[{"$ref":"#/components/schemas/Security_AI_Assistant_API_DocumentEntryUpdateFields"},{"$ref":"#/components/schemas/Security_AI_Assistant_API_IndexEntryUpdateFields"}],"discriminator":{"propertyName":"type"}},"Security_AI_Assistant_API_KnowledgeBaseEntryUpdateRouteProps":{"anyOf":[{"$ref":"#/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields"},{"$ref":"#/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields"}],"discriminator":{"propertyName":"type"}},"Security_AI_Assistant_API_KnowledgeBaseReadResponse200":{"type":"object","properties":{"defend_insights_exists":{"description":"Indicates if Defend Insights documentation exists in the KnowledgeBase.","example":true,"type":"boolean"},"elser_exists":{"description":"Indicates if the ELSER model exists for the KnowledgeBase.","example":true,"type":"boolean"},"is_setup_available":{"description":"Indicates if the setup process is available for the KnowledgeBase.","example":true,"type":"boolean"},"is_setup_in_progress":{"description":"Indicates if the setup process is currently in progress.","example":false,"type":"boolean"},"product_documentation_status":{"description":"The status of the product documentation in the KnowledgeBase.","example":"complete","type":"string"},"security_labs_exists":{"description":"Indicates if Security Labs documentation exists in the KnowledgeBase.","example":true,"type":"boolean"},"user_data_exists":{"description":"Indicates if user data exists in the KnowledgeBase.","example":false,"type":"boolean"}}},"Security_AI_Assistant_API_KnowledgeBaseResource":{"description":"Knowledge Base resource name for grouping entries, e.g. 'security_labs', 'user', etc.","enum":["security_labs","defend_insights","user"],"example":"security_labs","type":"string"},"Security_AI_Assistant_API_KnowledgeBaseResponse":{"description":"AI assistant KnowledgeBase.","type":"object","properties":{"success":{"description":"Identify the success of the method execution.","example":true,"type":"boolean"}}},"Security_AI_Assistant_API_KnowledgeBaseResponse400":{"type":"object","properties":{"error":{"description":"A short description of the error.","example":"Bad Request","type":"string"},"message":{"description":"A detailed error message.","example":"Invalid resource ID provided.","type":"string"},"statusCode":{"description":"The HTTP status code of the error.","example":400,"type":"number"}}},"Security_AI_Assistant_API_Message":{"description":"AI assistant conversation message.","type":"object","properties":{"content":{"description":"Message content.","example":"Hello, how can I assist you today?","type":"string"},"id":{"$ref":"#/components/schemas/Security_AI_Assistant_API_NonEmptyString","description":"Message id"},"isError":{"description":"Is error message.","example":false,"type":"boolean"},"metadata":{"$ref":"#/components/schemas/Security_AI_Assistant_API_MessageMetadata","description":"Metadata"},"reader":{"$ref":"#/components/schemas/Security_AI_Assistant_API_Reader","description":"Message content."},"refusal":{"description":"Refusal reason returned by the model when content is filtered.","type":"string"},"role":{"$ref":"#/components/schemas/Security_AI_Assistant_API_MessageRole","description":"Message role.","example":"assistant"},"timestamp":{"$ref":"#/components/schemas/Security_AI_Assistant_API_NonEmptyTimestamp","description":"The timestamp message was sent or received.","example":"2025-04-30T15:30:00Z"},"traceData":{"$ref":"#/components/schemas/Security_AI_Assistant_API_TraceData","description":"Trace data"},"user":{"$ref":"#/components/schemas/Security_AI_Assistant_API_User","description":"The user who sent the message."}},"required":["timestamp","content","role"]},"Security_AI_Assistant_API_MessageData":{"additionalProperties":true,"description":"ECS-style metadata attached to the message.","example":{"alert_id":"alert-456","user_id":"abc123"},"type":"object"},"Security_AI_Assistant_API_MessageMetadata":{"description":"Message metadata","type":"object","properties":{"contentReferences":{"$ref":"#/components/schemas/Security_AI_Assistant_API_ContentReferences","description":"Data referred to by the message content."},"interruptResumeValue":{"$ref":"#/components/schemas/Security_AI_Assistant_API_InterruptResumeValue","description":"When the agent is resumed after an interrupt, this field is populated with the details of the resume value."},"interruptValue":{"$ref":"#/components/schemas/Security_AI_Assistant_API_InterruptValue","description":"When the agent is interrupted (for example, when user input is required), this field is populated with the details of the interrupt. Messages containing interruptValues in the metadata are excluded from the LLM context."}}},"Security_AI_Assistant_API_MessageRole":{"description":"Message role.","enum":["system","user","assistant"],"example":"assistant","type":"string"},"Security_AI_Assistant_API_NonEmptyString":{"description":"A string that does not contain only whitespace characters.","example":"I am a string","format":"nonempty","minLength":1,"type":"string"},"Security_AI_Assistant_API_NonEmptyTimestamp":{"description":"A string that represents a timestamp in ISO 8601 format and does not contain only whitespace characters.","example":"2023-10-31T12:00:00Z","format":"nonempty","minLength":1,"type":"string"},"Security_AI_Assistant_API_NormalizedAnonymizationFieldError":{"type":"object","properties":{"anonymization_fields":{"description":"Array of anonymization fields that caused the error.","items":{"$ref":"#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldDetailsInError"},"type":"array"},"err_code":{"description":"Error code indicating the type of failure.","example":"UPDATE_FAILED","type":"string"},"message":{"description":"Error message.","example":"Failed to update anonymization field.","type":"string"},"status_code":{"description":"Status code of the response.","example":400,"type":"integer"}},"required":["message","status_code","anonymization_fields"]},"Security_AI_Assistant_API_NormalizedKnowledgeBaseEntryError":{"type":"object","properties":{"err_code":{"description":"Specific error code for the issue.","example":"UPDATE_FAILED","type":"string"},"knowledgeBaseEntries":{"description":"List of Knowledge Base Entries that encountered the error.","items":{"$ref":"#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryDetailsInError"},"type":"array"},"message":{"description":"Error message describing the issue.","example":"Failed to update entry.","type":"string"},"statusCode":{"description":"HTTP status code associated with the error.","example":400,"type":"integer"}},"required":["message","statusCode","knowledgeBaseEntries"]},"Security_AI_Assistant_API_NormalizedPromptError":{"type":"object","properties":{"err_code":{"description":"A code representing the error type.","type":"string"},"message":{"description":"A message describing the error encountered.","type":"string"},"prompts":{"description":"List of prompts that encountered errors.","items":{"$ref":"#/components/schemas/Security_AI_Assistant_API_PromptDetailsInError"},"type":"array"},"status_code":{"description":"The HTTP status code associated with the error.","type":"integer"}},"required":["message","status_code","prompts"]},"Security_AI_Assistant_API_ProductDocumentationContentReference":{"allOf":[{"$ref":"#/components/schemas/Security_AI_Assistant_API_BaseContentReference"},{"type":"object","properties":{"title":{"description":"Title of the documentation","example":"Getting Started with Security AI Assistant","type":"string"},"type":{"enum":["ProductDocumentation"],"example":"ProductDocumentation","type":"string"},"url":{"description":"URL to the documentation","example":"https://docs.example.com/security-ai-assistant","type":"string"}},"required":["type","title","url"]}],"description":"References the product documentation"},"Security_AI_Assistant_API_PromptCreateProps":{"type":"object","properties":{"categories":{"description":"List of categories for the prompt.","example":["security","verification"],"items":{"type":"string"},"type":"array"},"color":{"description":"The color associated with the prompt.","example":"blue","type":"string"},"consumer":{"description":"The consumer associated with the prompt.","example":"admin","type":"string"},"content":{"description":"The content of the prompt.","example":"Please verify the security settings.","type":"string"},"isDefault":{"description":"Whether this prompt should be the default.","example":false,"type":"boolean"},"isNewConversationDefault":{"description":"Whether this prompt should be the default for new conversations.","example":true,"type":"boolean"},"name":{"description":"The name of the prompt.","example":"New Security Prompt","type":"string"},"promptType":{"$ref":"#/components/schemas/Security_AI_Assistant_API_PromptType","description":"The type of the prompt.","example":"system"}},"required":["name","content","promptType"]},"Security_AI_Assistant_API_PromptDetailsInError":{"type":"object","properties":{"id":{"description":"The ID of the prompt that encountered an error.","type":"string"},"name":{"description":"The name of the prompt that encountered an error.","type":"string"}},"required":["id"]},"Security_AI_Assistant_API_PromptResponse":{"type":"object","properties":{"categories":{"description":"Categories associated with the prompt.","items":{"type":"string"},"type":"array"},"color":{"description":"The color associated with the prompt.","type":"string"},"consumer":{"description":"The consumer that the prompt is associated with.","type":"string"},"content":{"description":"The content of the prompt.","type":"string"},"createdAt":{"description":"The timestamp of when the prompt was created.","type":"string"},"createdBy":{"description":"The user who created the prompt.","type":"string"},"id":{"$ref":"#/components/schemas/Security_AI_Assistant_API_NonEmptyString"},"isDefault":{"description":"Whether this prompt is the default.","type":"boolean"},"isNewConversationDefault":{"description":"Whether this prompt is the default for new conversations.","type":"boolean"},"name":{"description":"The name of the prompt.","type":"string"},"namespace":{"description":"Kibana space where the prompt is located.","type":"string"},"promptType":{"$ref":"#/components/schemas/Security_AI_Assistant_API_PromptType","description":"The type of the prompt."},"timestamp":{"$ref":"#/components/schemas/Security_AI_Assistant_API_NonEmptyTimestamp"},"updatedAt":{"description":"The timestamp of when the prompt was last updated.","type":"string"},"updatedBy":{"description":"The user who last updated the prompt.","type":"string"},"users":{"description":"List of users associated with the prompt.","items":{"$ref":"#/components/schemas/Security_AI_Assistant_API_User"},"type":"array"}},"required":["id","name","promptType","content"]},"Security_AI_Assistant_API_PromptsBulkActionSkipReason":{"description":"Reason why a prompt was skipped during the bulk action.","enum":["PROMPT_FIELD_NOT_MODIFIED"],"type":"string"},"Security_AI_Assistant_API_PromptsBulkActionSkipResult":{"type":"object","properties":{"id":{"description":"The ID of the prompt that was skipped.","type":"string"},"name":{"description":"The name of the prompt that was skipped.","type":"string"},"skip_reason":{"$ref":"#/components/schemas/Security_AI_Assistant_API_PromptsBulkActionSkipReason","description":"The reason for skipping the prompt."}},"required":["id","skip_reason"]},"Security_AI_Assistant_API_PromptsBulkCrudActionResponse":{"type":"object","properties":{"attributes":{"type":"object","properties":{"errors":{"items":{"$ref":"#/components/schemas/Security_AI_Assistant_API_NormalizedPromptError"},"type":"array"},"results":{"$ref":"#/components/schemas/Security_AI_Assistant_API_PromptsBulkCrudActionResults"},"summary":{"$ref":"#/components/schemas/Security_AI_Assistant_API_BulkCrudActionSummary"}},"required":["results","summary"]},"message":{"description":"A message describing the result of the bulk action.","example":"Bulk action completed successfully.","type":"string"},"prompts_count":{"description":"The number of prompts processed in the bulk action.","example":6,"type":"integer"},"status_code":{"description":"The HTTP status code of the response.","example":200,"type":"integer"},"success":{"description":"Indicates if the bulk action was successful.","example":true,"type":"boolean"}},"required":["attributes"]},"Security_AI_Assistant_API_PromptsBulkCrudActionResults":{"type":"object","properties":{"created":{"description":"List of prompts that were created.","items":{"$ref":"#/components/schemas/Security_AI_Assistant_API_PromptResponse"},"type":"array"},"deleted":{"description":"List of IDs of prompts that were deleted.","items":{"type":"string"},"type":"array"},"skipped":{"description":"List of prompts that were skipped.","items":{"$ref":"#/components/schemas/Security_AI_Assistant_API_PromptsBulkActionSkipResult"},"type":"array"},"updated":{"description":"List of prompts that were updated.","items":{"$ref":"#/components/schemas/Security_AI_Assistant_API_PromptResponse"},"type":"array"}},"required":["updated","created","deleted","skipped"]},"Security_AI_Assistant_API_PromptType":{"description":"Type of the prompt (either system or quick).","enum":["system","quick"],"type":"string"},"Security_AI_Assistant_API_PromptUpdateProps":{"type":"object","properties":{"categories":{"description":"The updated categories for the prompt.","example":["security","alert"],"items":{"type":"string"},"type":"array"},"color":{"description":"The updated color associated with the prompt.","example":"green","type":"string"},"consumer":{"description":"The updated consumer for the prompt.","example":"user123","type":"string"},"content":{"description":"The updated content for the prompt.","example":"Updated content for security prompt.","type":"string"},"id":{"description":"The ID of the prompt to update.","example":"prompt123","type":"string"},"isDefault":{"description":"Whether this prompt should be the default.","example":true,"type":"boolean"},"isNewConversationDefault":{"description":"Whether the prompt should be the default for new conversations.","example":false,"type":"boolean"}},"required":["id"]},"Security_AI_Assistant_API_Provider":{"description":"Provider","enum":["OpenAI","Azure OpenAI","Other"],"example":"OpenAI","type":"string"},"Security_AI_Assistant_API_Reader":{"additionalProperties":true,"type":"object"},"Security_AI_Assistant_API_Replacements":{"additionalProperties":{"type":"string"},"description":"Replacements object used to anonymize/deanonymize messages","type":"object"},"Security_AI_Assistant_API_ResponseFields":{"type":"object","properties":{"createdAt":{"description":"Time the Knowledge Base Entry was created.","example":"2023-01-01T12:00:00Z","type":"string"},"createdBy":{"description":"User who created the Knowledge Base Entry.","example":"admin","type":"string"},"id":{"$ref":"#/components/schemas/Security_AI_Assistant_API_NonEmptyString"},"updatedAt":{"description":"Time the Knowledge Base Entry was last updated.","example":"2023-01-02T12:00:00Z","type":"string"},"updatedBy":{"description":"User who last updated the Knowledge Base Entry.","example":"editor","type":"string"}},"required":["id","createdAt","createdBy","updatedAt","updatedBy"]},"Security_AI_Assistant_API_SecurityAlertContentReference":{"allOf":[{"$ref":"#/components/schemas/Security_AI_Assistant_API_BaseContentReference"},{"type":"object","properties":{"alertId":{"description":"ID of the Alert","example":"alert789","type":"string"},"type":{"enum":["SecurityAlert"],"example":"SecurityAlert","type":"string"}},"required":["type","alertId"]}],"description":"References a security alert"},"Security_AI_Assistant_API_SecurityAlertsPageContentReference":{"allOf":[{"$ref":"#/components/schemas/Security_AI_Assistant_API_BaseContentReference"},{"type":"object","properties":{"type":{"enum":["SecurityAlertsPage"],"example":"SecurityAlertsPage","type":"string"}},"required":["type"]}],"description":"References the security alerts page"},"Security_AI_Assistant_API_SelectOptionInterruptOption":{"description":"A request approval option","type":"object","properties":{"buttonColor":{"enum":["text","accent","accentSecondary","primary","success","warning","danger","neutral","risk"],"example":"danger","type":"string"},"label":{"example":"Option 1","type":"string"},"value":{"example":"option_1","type":"string"}},"required":["label","value"]},"Security_AI_Assistant_API_SelectOptionInterruptResumeValue":{"allOf":[{"$ref":"#/components/schemas/Security_AI_Assistant_API_BaseInterruptResumeValue"},{"type":"object","properties":{"type":{"enum":["SELECT_OPTION"],"example":"SELECT_OPTION","type":"string"},"value":{"description":"The value of the selected option to resume the graph execution with","example":"option_1","type":"string"}},"required":["value","type"]}],"description":"A request approval resume schema"},"Security_AI_Assistant_API_SelectOptionInterruptValue":{"allOf":[{"$ref":"#/components/schemas/Security_AI_Assistant_API_BaseInterruptValue"},{"type":"object","properties":{"description":{"description":"Description of action required","example":"Select one of the options","type":"string"},"options":{"description":"List of actions to choose from","example":[{"label":"Option 1"},{"label":"Option 2"}],"items":{"$ref":"#/components/schemas/Security_AI_Assistant_API_SelectOptionInterruptOption"},"type":"array"},"type":{"enum":["SELECT_OPTION"],"example":"SELECT_OPTION","type":"string"}},"required":["type","description","options"]}],"description":"Interrupt that requests user to select one of the provided options"},"Security_AI_Assistant_API_SortOrder":{"description":"The order in which results are sorted.","enum":["asc","desc"],"example":"asc","type":"string"},"Security_AI_Assistant_API_TraceData":{"description":"Trace Data","type":"object","properties":{"traceId":{"description":"Could be any string, not necessarily a UUID","example":"d9876543-f0a1-2345-6789-abcdef123456","type":"string"},"transactionId":{"description":"Could be any string, not necessarily a UUID","example":"a1234567-bc89-0def-1234-56789abcdef0","type":"string"}}},"Security_AI_Assistant_API_User":{"description":"Could be any string, not necessarily a UUID.","type":"object","properties":{"id":{"description":"User id.","example":"user123","type":"string"},"name":{"description":"User name.","example":"John Doe","type":"string"}}},"Security_AI_Assistant_API_Vector":{"description":"Object containing Knowledge Base Entry text embeddings and modelId used to create the embeddings.","type":"object","properties":{"modelId":{"description":"ID of the model used to create the embeddings.","example":"bert-base-uncased","type":"string"},"tokens":{"additionalProperties":{"type":"number"},"description":"Tokens with their corresponding values.","example":{"token1":0.123,"token2":0.456},"type":"object"}},"required":["modelId","tokens"]},"Security_Attack_discovery_API_AnonymizationFieldResponse":{"type":"object","properties":{"allowed":{"description":"Whether this field is allowed to be sent to the model.","example":true,"type":"boolean"},"anonymized":{"description":"Whether this field should be anonymized.","example":false,"type":"boolean"},"createdAt":{"description":"Timestamp of when the anonymization field was created.","example":"2023-10-31T12:00:00Z","type":"string"},"createdBy":{"description":"Username of the person who created the anonymization field.","example":"user1","type":"string"},"field":{"description":"Name of the anonymization field.","example":"url.domain","type":"string"},"id":{"$ref":"#/components/schemas/Security_Attack_discovery_API_NonEmptyString","description":"The ID of the anonymization field."},"namespace":{"description":"Kibana space in which this anonymization field exists.","example":"default","type":"string"},"timestamp":{"$ref":"#/components/schemas/Security_Attack_discovery_API_NonEmptyTimestamp","description":"Timestamp when the anonymization field was initially created."},"updatedAt":{"description":"Timestamp of the last update.","example":"2023-10-31T12:00:00Z","type":"string"},"updatedBy":{"description":"Username of the person who last updated the field.","example":"user1","type":"string"}},"required":["id","field"]},"Security_Attack_discovery_API_ApiConfig":{"type":"object","properties":{"actionTypeId":{"description":"Action type ID","example":"actionType456","type":"string"},"connectorId":{"description":"Connector ID","example":"connector123","type":"string"},"defaultSystemPromptId":{"description":"Default system prompt ID","example":"systemPrompt001","type":"string"},"model":{"description":"Model","example":"gpt-4","type":"string"},"provider":{"$ref":"#/components/schemas/Security_Attack_discovery_API_Provider","description":"Provider","example":"OpenAI"}},"required":["connectorId","actionTypeId"]},"Security_Attack_discovery_API_AttackDiscoveryApiAlert":{"description":"An attack discovery that's also an alert (Public API with snake_case)","type":"object","properties":{"alert_ids":{"description":"The alert IDs that the attack discovery is based on","items":{"type":"string"},"type":"array"},"alert_rule_uuid":{"description":"The optional kibana.alert.rule.uuid of the rule that generated this attack discovery (not applicable to ad hock runs)","type":"string"},"alert_start":{"description":"The optional time the attack discovery alert was created","type":"string"},"alert_updated_at":{"description":"The optional time the attack discovery alert was last updated","type":"string"},"alert_updated_by_user_id":{"description":"The optional id of the user who last updated the attack discovery alert","type":"string"},"alert_updated_by_user_name":{"description":"The optional username of the user who updated the attack discovery alert","type":"string"},"alert_workflow_status":{"description":"The optional kibana.alert.workflow_status of this attack discovery","type":"string"},"alert_workflow_status_updated_at":{"description":"The optional time the attack discovery alert workflow status was last updated","type":"string"},"connector_id":{"description":"The ID of the connector that generated the attack discovery","type":"string"},"connector_name":{"description":"The (human readable) name of the connector that generated the attack discovery","type":"string"},"details_markdown":{"description":"Details of the attack with bulleted markdown that always uses special syntax for field names and values from the source data.","type":"string"},"entity_summary_markdown":{"description":"An optional, short (no more than a sentence) summary of the attack discovery featuring only the host.name and user.name fields (when they are applicable), using the same syntax","type":"string"},"generation_uuid":{"description":"The generation ID of the run that created the attack discovery","type":"string"},"id":{"description":"The unique ID of the attack discovery","type":"string"},"mitre_attack_tactics":{"description":"An optional array of MITRE ATT\u0026CK tactic for the attack discovery","items":{"type":"string"},"type":"array"},"replacements":{"$ref":"#/components/schemas/Security_Attack_discovery_API_Replacements","description":"Key-value pairs that are used to replace placeholders in the markdown fields"},"risk_score":{"description":"The optional, (but typically populated after generation) risk score of the alert","type":"integer"},"summary_markdown":{"description":"A markdown summary of attack discovery, using the same syntax","type":"string"},"timestamp":{"$ref":"#/components/schemas/Security_Attack_discovery_API_NonEmptyTimestamp","description":"The time the attack discovery was generated"},"title":{"description":"A title for the attack discovery, in plain text","type":"string"},"user_id":{"description":"The optional id of the user who generated the attack discovery","type":"string"},"user_name":{"description":"The optional username of the user who generated the attack discovery, (not applicable to attack discoveries generated by rules)","type":"string"},"users":{"description":"The optional array of users who may view the attack discovery. When empty, (or not present), all users may view the attack discovery.","items":{"$ref":"#/components/schemas/Security_Attack_discovery_API_User"},"type":"array"}},"required":["alert_ids","connector_id","connector_name","details_markdown","generation_uuid","id","summary_markdown","timestamp","title"]},"Security_Attack_discovery_API_AttackDiscoveryApiSchedule":{"description":"An attack discovery schedule","type":"object","properties":{"actions":{"description":"The attack discovery schedule actions","items":{"$ref":"#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleAction"},"type":"array"},"created_at":{"description":"The date the schedule was created","format":"date-time","type":"string"},"created_by":{"description":"The name of the user that created the schedule","type":"string"},"enabled":{"description":"Indicates whether the schedule is enabled","type":"boolean"},"id":{"description":"UUID of attack discovery schedule","type":"string"},"last_execution":{"$ref":"#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleExecution","description":"The attack discovery schedule last execution summary"},"name":{"description":"The name of the schedule","type":"string"},"params":{"$ref":"#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleParams","description":"The attack discovery schedule configuration parameters"},"schedule":{"$ref":"#/components/schemas/Security_Attack_discovery_API_IntervalApiSchedule","description":"The attack discovery schedule interval"},"updated_at":{"description":"The date the schedule was updated","format":"date-time","type":"string"},"updated_by":{"description":"The name of the user that updated the schedule","type":"string"}},"required":["id","name","created_by","updated_by","created_at","updated_at","enabled","params","schedule","actions"]},"Security_Attack_discovery_API_AttackDiscoveryApiScheduleAction":{"oneOf":[{"$ref":"#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleGeneralAction"},{"$ref":"#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleSystemAction"}]},"Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionAlertsFilter":{"additionalProperties":true,"type":"object"},"Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionFrequency":{"description":"The action frequency defines when the action runs (for example, only on schedule execution or at specific time intervals).","type":"object","properties":{"notify_when":{"$ref":"#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionNotifyWhen"},"summary":{"description":"Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert","type":"boolean"},"throttle":{"$ref":"#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionThrottle","nullable":true}},"required":["summary","notify_when","throttle"]},"Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionGroup":{"description":"Groups actions by use cases. Use `default` for alert notifications.","type":"string"},"Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionId":{"description":"The connector ID.","type":"string"},"Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionNotifyWhen":{"description":"The condition for throttling the notification: `onActionGroupChange`, `onActiveAlert`,  or `onThrottleInterval`","enum":["onActiveAlert","onThrottleInterval","onActionGroupChange"],"type":"string"},"Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionParams":{"additionalProperties":true,"description":"Object containing the allowed connector fields, which varies according to the connector type.","type":"object"},"Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionThrottle":{"description":"Defines how often schedule actions are taken. Time interval in seconds, minutes, hours, or days.","example":"1h","pattern":"^[1-9]\\d*[smhd]$","type":"string"},"Security_Attack_discovery_API_AttackDiscoveryApiScheduleCreateProps":{"description":"An attack discovery schedule create properties","type":"object","properties":{"actions":{"description":"The attack discovery schedule actions","items":{"$ref":"#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleAction"},"type":"array"},"enabled":{"description":"Indicates whether the schedule is enabled","type":"boolean"},"name":{"description":"The name of the schedule","type":"string"},"params":{"$ref":"#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleParams","description":"The attack discovery schedule configuration parameters"},"schedule":{"$ref":"#/components/schemas/Security_Attack_discovery_API_IntervalApiSchedule","description":"The attack discovery schedule interval"}},"required":["name","params","schedule"]},"Security_Attack_discovery_API_AttackDiscoveryApiScheduleExecution":{"description":"An attack discovery schedule execution information","type":"object","properties":{"date":{"description":"Date of the execution","format":"date-time","type":"string"},"duration":{"description":"Duration of the execution","type":"number"},"message":{"type":"string"},"status":{"$ref":"#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleExecutionStatus","description":"Status of the execution"}},"required":["date","status","last_duration"]},"Security_Attack_discovery_API_AttackDiscoveryApiScheduleExecutionStatus":{"description":"An attack discovery schedule execution status","enum":["ok","active","error","unknown","warning"],"type":"string"},"Security_Attack_discovery_API_AttackDiscoveryApiScheduleGeneralAction":{"type":"object","properties":{"action_type_id":{"description":"The action type used for sending notifications.","type":"string"},"alerts_filter":{"$ref":"#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionAlertsFilter"},"frequency":{"$ref":"#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionFrequency"},"group":{"$ref":"#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionGroup"},"id":{"$ref":"#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionId"},"params":{"$ref":"#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionParams"},"uuid":{"$ref":"#/components/schemas/Security_Attack_discovery_API_NonEmptyString"}},"required":["action_type_id","group","id","params"]},"Security_Attack_discovery_API_AttackDiscoveryApiScheduleParams":{"description":"An attack discovery schedule params","type":"object","properties":{"alerts_index_pattern":{"description":"The index pattern to get alerts from","type":"string"},"api_config":{"allOf":[{"$ref":"#/components/schemas/Security_Attack_discovery_API_ApiConfig"},{"type":"object","properties":{"name":{"description":"The name of the connector","type":"string"}},"required":["name"]}],"description":"LLM API configuration."},"combined_filter":{"additionalProperties":true,"type":"object"},"end":{"type":"string"},"filters":{"$ref":"#/components/schemas/Security_Attack_discovery_API_Filters"},"query":{"$ref":"#/components/schemas/Security_Attack_discovery_API_Query"},"size":{"type":"number"},"start":{"type":"string"}},"required":["alerts_index_pattern","api_config","size"]},"Security_Attack_discovery_API_AttackDiscoveryApiScheduleSystemAction":{"type":"object","properties":{"action_type_id":{"description":"The action type used for sending notifications.","type":"string"},"id":{"$ref":"#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionId"},"params":{"$ref":"#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionParams"},"uuid":{"$ref":"#/components/schemas/Security_Attack_discovery_API_NonEmptyString"}},"required":["action_type_id","id","params"]},"Security_Attack_discovery_API_AttackDiscoveryApiScheduleUpdateProps":{"description":"An attack discovery schedule update properties","type":"object","properties":{"actions":{"description":"The attack discovery schedule actions","items":{"$ref":"#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleAction"},"type":"array"},"name":{"description":"The name of the schedule","type":"string"},"params":{"$ref":"#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleParams","description":"The attack discovery schedule configuration parameters"},"schedule":{"$ref":"#/components/schemas/Security_Attack_discovery_API_IntervalApiSchedule","description":"The attack discovery schedule interval"}},"required":["name","params","schedule","actions"]},"Security_Attack_discovery_API_AttackDiscoveryFindSortField":{"description":"Allowed field names to sort Attack discovery results by. Clients should only pass one of the listed values.","enum":["@timestamp"],"type":"string"},"Security_Attack_discovery_API_AttackDiscoveryGeneration":{"type":"object","properties":{"alerts_context_count":{"description":"The number of alerts sent as context (max kibana.alert.rule.execution.metrics.alert_counts.active) to the LLM for the generation","type":"number"},"connector_id":{"description":"The connector id (event.dataset) for this generation","type":"string"},"connector_stats":{"description":"Stats applicable to the connector for this generation","type":"object","properties":{"average_successful_duration_nanoseconds":{"description":"The average duration (avg event.duration) in nanoseconds of successful generations for the same connector id, for the current user","type":"number"},"successful_generations":{"description":"The number of successful generations for the same connector id, for the current user","type":"number"}}},"discoveries":{"description":"The number of new Attack discovery alerts (max kibana.alert.rule.execution.metrics.alert_counts.new) for this generation","type":"number"},"end":{"description":"When generation ended (max event.end)","type":"string"},"execution_uuid":{"description":"The unique identifier (kibana.alert.rule.execution.uuid) for the generation","type":"string"},"loading_message":{"description":"Generation loading message (kibana.alert.rule.execution.status)","type":"string"},"reason":{"description":"Reason for failed generations (event.reason)","type":"string"},"start":{"description":"When generation started (min event.start)","type":"string"},"status":{"description":"The status of the attack discovery generation","enum":["canceled","dismissed","failed","started","succeeded"],"type":"string"}},"required":["connector_id","discoveries","execution_uuid","loading_message","start","status"]},"Security_Attack_discovery_API_AttackDiscoveryGenerationConfig":{"type":"object","properties":{"alertsIndexPattern":{"description":"The (space specific) index pattern that contains the alerts to use as\ncontext for the attack discovery.\nExample: .alerts-security.alerts-default\n","type":"string"},"anonymizationFields":{"description":"The list of fields, and whether or not they are anonymized, allowed to be sent to LLMs. Consider using the output of the `/api/security_ai_assistant/anonymization_fields/_find` API (for a specific Kibana space) to provide this value.","items":{"$ref":"#/components/schemas/Security_Attack_discovery_API_AnonymizationFieldResponse"},"type":"array"},"apiConfig":{"$ref":"#/components/schemas/Security_Attack_discovery_API_ApiConfig","description":"LLM API configuration."},"connectorName":{"type":"string"},"end":{"type":"string"},"filter":{"additionalProperties":true,"description":"An Elasticsearch-style query DSL object used to filter alerts. For example:\n```json {\n  \"filter\": {\n    \"bool\": {\n      \"must\": [],\n      \"filter\": [\n        {\n          \"bool\": {\n            \"should\": [\n              {\n                \"term\": {\n                  \"user.name\": { \"value\": \"james\" }\n                }\n              }\n            ],\n            \"minimum_should_match\": 1\n          }\n        }\n      ],\n      \"should\": [],\n      \"must_not\": []\n    }\n  }\n} ```","type":"object"},"model":{"type":"string"},"replacements":{"$ref":"#/components/schemas/Security_Attack_discovery_API_Replacements"},"size":{"type":"number"},"start":{"type":"string"},"subAction":{"enum":["invokeAI","invokeStream"],"type":"string"}},"required":["apiConfig","alertsIndexPattern","anonymizationFields","size","subAction"]},"Security_Attack_discovery_API_AttackDiscoveryGenericError":{"description":"Generic error response for Attack discovery schedule operations","type":"object","properties":{"error":{"description":"Error type","example":"Bad Request","type":"string"},"message":{"description":"Human-readable error message describing what went wrong","example":"Invalid request parameters","type":"string"},"status_code":{"description":"HTTP status code","example":400,"type":"number"}}},"Security_Attack_discovery_API_Filters":{"description":"The filter array used to define the conditions for when alerts are selected as an attack discovery context. Defaults to an empty array.","items":{},"type":"array"},"Security_Attack_discovery_API_IntervalApiSchedule":{"type":"object","properties":{"interval":{"description":"The schedule interval","type":"string"}},"required":["interval"]},"Security_Attack_discovery_API_NonEmptyString":{"description":"A string that does not contain only whitespace characters.","example":"I am a string","format":"nonempty","minLength":1,"type":"string"},"Security_Attack_discovery_API_NonEmptyTimestamp":{"description":"A string that represents a timestamp in ISO 8601 format and does not contain only whitespace characters.","example":"2023-10-31T12:00:00Z","format":"nonempty","minLength":1,"type":"string"},"Security_Attack_discovery_API_Provider":{"description":"Provider","enum":["OpenAI","Azure OpenAI","Other"],"example":"OpenAI","type":"string"},"Security_Attack_discovery_API_Query":{"description":"An query condition to filter alerts","type":"object","properties":{"language":{"type":"string"},"query":{"oneOf":[{"type":"string"},{"additionalProperties":true,"type":"object"}]}},"required":["query","language"]},"Security_Attack_discovery_API_Replacements":{"additionalProperties":{"type":"string"},"description":"Replacements object used to anonymize/deanonymize messages","type":"object"},"Security_Attack_discovery_API_SortOrder":{"description":"The order in which results are sorted.","enum":["asc","desc"],"example":"asc","type":"string"},"Security_Attack_discovery_API_User":{"description":"Could be any string, not necessarily a UUID.","type":"object","properties":{"id":{"description":"User id.","example":"user123","type":"string"},"name":{"description":"User name.","example":"John Doe","type":"string"}}},"Security_Detections_API_AlertAssignees":{"type":"object","properties":{"add":{"items":{"description":"A list of user profile `uid`s to assign. Users need to activate their user profile by logging into Kibana at least once.","format":"nonempty","minLength":1,"type":"string"},"type":"array"},"remove":{"items":{"description":"A list of user profile `uid`s to unassign. Users need to activate their user profile by logging into Kibana at least once.","format":"nonempty","minLength":1,"type":"string"},"type":"array"}},"required":["add","remove"]},"Security_Detections_API_AlertIds":{"description":"A list of alerts `id`s.","items":{"format":"nonempty","minLength":1,"type":"string"},"minItems":1,"type":"array"},"Security_Detections_API_AlertsIndex":{"deprecated":true,"description":"(deprecated) Has no effect.","type":"string"},"Security_Detections_API_AlertsIndexMigrationError":{"type":"object","properties":{"error":{"type":"object","properties":{"message":{"type":"string"},"status_code":{"type":"string"}},"required":["message","status_code"]},"index":{"type":"string"}},"required":["index","error"]},"Security_Detections_API_AlertsIndexMigrationSuccess":{"type":"object","properties":{"index":{"type":"string"},"migration_id":{"type":"string"},"migration_index":{"type":"string"}},"required":["index","migration_id","migration_index"]},"Security_Detections_API_AlertsIndexNamespace":{"description":"Has no effect.","type":"string"},"Security_Detections_API_AlertsReindexOptions":{"type":"object","properties":{"requests_per_second":{"description":"The throttle for the migration task in sub-requests per second. Corresponds to requests_per_second on the Reindex API.","minimum":1,"type":"integer"},"size":{"description":"Number of alerts to migrate per batch. Corresponds to the source.size option on the Reindex API.","minimum":1,"type":"integer"},"slices":{"description":"The number of subtasks for the migration task. Corresponds to slices on the Reindex API.","minimum":1,"type":"integer"}}},"Security_Detections_API_AlertsSort":{"oneOf":[{"$ref":"#/components/schemas/Security_Detections_API_AlertsSortCombinations"},{"items":{"$ref":"#/components/schemas/Security_Detections_API_AlertsSortCombinations"},"type":"array"}]},"Security_Detections_API_AlertsSortCombinations":{"anyOf":[{"type":"string"},{"additionalProperties":true,"type":"object"}]},"Security_Detections_API_AlertStatusExceptClosed":{"description":"The status of an alert, which can be `open`, `acknowledged`, `in-progress`, or `closed`.","enum":["open","acknowledged","in-progress"],"type":"string"},"Security_Detections_API_AlertSuppression":{"description":"Defines alert suppression configuration.","type":"object","properties":{"duration":{"$ref":"#/components/schemas/Security_Detections_API_AlertSuppressionDuration"},"group_by":{"$ref":"#/components/schemas/Security_Detections_API_AlertSuppressionGroupBy"},"missing_fields_strategy":{"$ref":"#/components/schemas/Security_Detections_API_AlertSuppressionMissingFieldsStrategy"}},"required":["group_by"]},"Security_Detections_API_AlertSuppressionDuration":{"type":"object","properties":{"unit":{"$ref":"#/components/schemas/Security_Detections_API_AlertSuppressionDurationUnit"},"value":{"minimum":1,"type":"integer"}},"required":["value","unit"]},"Security_Detections_API_AlertSuppressionDurationUnit":{"description":"Time unit","enum":["s","m","h"],"type":"string"},"Security_Detections_API_AlertSuppressionGroupBy":{"items":{"type":"string"},"maxItems":3,"minItems":1,"type":"array"},"Security_Detections_API_AlertSuppressionMissingFieldsStrategy":{"description":"Describes how alerts will be generated for documents with missing suppress by fields:\ndoNotSuppress - per each document a separate alert will be created\nsuppress - only alert will be created per suppress by bucket","enum":["doNotSuppress","suppress"],"type":"string"},"Security_Detections_API_AlertTag":{"description":"Use alert tags to organize related alerts into categories that you can filter and group.","format":"nonempty","minLength":1,"type":"string"},"Security_Detections_API_AlertTags":{"description":"List of keywords to organize related alerts into categories that you can filter and group.","items":{"$ref":"#/components/schemas/Security_Detections_API_AlertTag"},"type":"array"},"Security_Detections_API_AlertVersion":{"type":"object","properties":{"count":{"type":"integer"},"version":{"type":"integer"}},"required":["version","count"]},"Security_Detections_API_AnomalyThreshold":{"description":"Anomaly score threshold above which the rule creates an alert. Valid values are from 0 to 100.","minimum":0,"type":"integer"},"Security_Detections_API_BuildingBlockType":{"description":"Determines if the rule acts as a building block. If yes, the value must be `default`.\nBy default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts.\nFor more information, refer to [About building block rules](https://www.elastic.co/guide/en/security/current/building-block-rule.html).\n","type":"string"},"Security_Detections_API_BulkActionEditPayload":{"anyOf":[{"$ref":"#/components/schemas/Security_Detections_API_BulkActionEditPayloadTags"},{"$ref":"#/components/schemas/Security_Detections_API_BulkActionEditPayloadIndexPatterns"},{"$ref":"#/components/schemas/Security_Detections_API_BulkActionEditPayloadInvestigationFields"},{"$ref":"#/components/schemas/Security_Detections_API_BulkActionEditPayloadTimeline"},{"$ref":"#/components/schemas/Security_Detections_API_BulkActionEditPayloadRuleActions"},{"$ref":"#/components/schemas/Security_Detections_API_BulkActionEditPayloadSchedule"},{"$ref":"#/components/schemas/Security_Detections_API_BulkActionEditPayloadAlertSuppression"}]},"Security_Detections_API_BulkActionEditPayloadAlertSuppression":{"anyOf":[{"$ref":"#/components/schemas/Security_Detections_API_BulkActionEditPayloadSetAlertSuppression"},{"$ref":"#/components/schemas/Security_Detections_API_BulkActionEditPayloadSetAlertSuppressionForThreshold"},{"$ref":"#/components/schemas/Security_Detections_API_BulkActionEditPayloadDeleteAlertSuppression"}]},"Security_Detections_API_BulkActionEditPayloadDeleteAlertSuppression":{"type":"object","properties":{"type":{"enum":["delete_alert_suppression"],"type":"string"}},"required":["type"]},"Security_Detections_API_BulkActionEditPayloadIndexPatterns":{"description":"Edits index patterns of rulesClient.\n\n- `add_index_patterns` adds index patterns to rules. If an index pattern already exists for a rule, no changes are made.\n- `delete_index_patterns` removes index patterns from rules. If an index pattern does not exist for a rule, no changes are made.\n- `set_index_patterns` sets index patterns for rules, overwriting any existing index patterns. If the set of index patterns is the same as the existing index patterns, no changes are made.\n","type":"object","properties":{"overwrite_data_views":{"description":"Resets the data view for the rule.","type":"boolean"},"type":{"enum":["add_index_patterns","delete_index_patterns","set_index_patterns"],"type":"string"},"value":{"$ref":"#/components/schemas/Security_Detections_API_IndexPatternArray"}},"required":["type","value"]},"Security_Detections_API_BulkActionEditPayloadInvestigationFields":{"description":"Edits investigation fields of rules.\n\n- `add_investigation_fields` adds investigation fields to rules. If an investigation field already exists for a rule, no changes are made.\n- `delete_investigation_fields` removes investigation fields from rules. If an investigation field does not exist for a rule, no changes are made.\n- `set_investigation_fields` sets investigation fields for rules. If the set of investigation fields is the same as the existing investigation fields, no changes are made.\n","type":"object","properties":{"type":{"enum":["add_investigation_fields","delete_investigation_fields","set_investigation_fields"],"type":"string"},"value":{"$ref":"#/components/schemas/Security_Detections_API_InvestigationFields"}},"required":["type","value"]},"Security_Detections_API_BulkActionEditPayloadRuleActions":{"description":"Edits rule actions of rules.\n\n- `add_rule_actions` adds rule actions to rules. This action is non-idempotent, meaning that even if the same rule action already exists for a rule, it will be added again with a new unique ID.\n- `set_rule_actions` sets rule actions for rules. This action is non-idempotent, meaning that even if the same set of rule actions already exists for a rule, it will be set again and the actions will receive new unique IDs.\n","type":"object","properties":{"type":{"enum":["add_rule_actions","set_rule_actions"],"type":"string"},"value":{"type":"object","properties":{"actions":{"items":{"$ref":"#/components/schemas/Security_Detections_API_NormalizedRuleAction"},"type":"array"},"throttle":{"$ref":"#/components/schemas/Security_Detections_API_ThrottleForBulkActions"}},"required":["actions"]}},"required":["type","value"]},"Security_Detections_API_BulkActionEditPayloadSchedule":{"description":"Overwrites schedule of rules. \n\n- `set_schedule` sets a schedule for rules. If the same schedule already exists for a rule, no changes are made.\n\nBoth `interval` and `lookback` have a format of \"{integer}{time_unit}\", where accepted time units are `s` for seconds, `m` for minutes, and `h` for hours. The integer must be positive and larger than 0. Examples: \"45s\", \"30m\", \"6h\"\n","type":"object","properties":{"type":{"enum":["set_schedule"],"type":"string"},"value":{"type":"object","properties":{"interval":{"description":"Interval in which the rule runs. For example, `\"1h\"` means the rule runs every hour.","example":"1h","pattern":"^[1-9]\\d*[smh]$","type":"string"},"lookback":{"description":"Lookback time for the rules.\n\nAdditional look-back time that the rule analyzes. For example, \"10m\" means the rule analyzes the last 10 minutes of data in addition to the frequency interval.\n","example":"1h","pattern":"^[1-9]\\d*[smh]$","type":"string"}},"required":["interval","lookback"]}},"required":["type","value"]},"Security_Detections_API_BulkActionEditPayloadSetAlertSuppression":{"type":"object","properties":{"type":{"enum":["set_alert_suppression"],"type":"string"},"value":{"$ref":"#/components/schemas/Security_Detections_API_AlertSuppression"}},"required":["type","value"]},"Security_Detections_API_BulkActionEditPayloadSetAlertSuppressionForThreshold":{"type":"object","properties":{"type":{"enum":["set_alert_suppression_for_threshold"],"type":"string"},"value":{"$ref":"#/components/schemas/Security_Detections_API_ThresholdAlertSuppression"}},"required":["type","value"]},"Security_Detections_API_BulkActionEditPayloadTags":{"description":"Edits tags of rules.\n\n- `add_tags` adds tags to rules. If a tag already exists for a rule, no changes are made.\n- `delete_tags` removes tags from rules. If a tag does not exist for a rule, no changes are made.\n- `set_tags` sets tags for rules, overwriting any existing tags. If the set of tags is the same as the existing tags, no changes are made.\n","type":"object","properties":{"type":{"enum":["add_tags","delete_tags","set_tags"],"type":"string"},"value":{"$ref":"#/components/schemas/Security_Detections_API_RuleTagArray"}},"required":["type","value"]},"Security_Detections_API_BulkActionEditPayloadTimeline":{"description":"Edits timeline of rules.\n\n- `set_timeline` sets a timeline for rules. If the same timeline already exists for a rule, no changes are made.\n","type":"object","properties":{"type":{"enum":["set_timeline"],"type":"string"},"value":{"type":"object","properties":{"timeline_id":{"$ref":"#/components/schemas/Security_Detections_API_TimelineTemplateId"},"timeline_title":{"$ref":"#/components/schemas/Security_Detections_API_TimelineTemplateTitle"}},"required":["timeline_id","timeline_title"]}},"required":["type","value"]},"Security_Detections_API_BulkActionsDryRunErrCode":{"enum":["IMMUTABLE","PREBUILT_CUSTOMIZATION_LICENSE","MACHINE_LEARNING_AUTH","MACHINE_LEARNING_INDEX_PATTERN","ESQL_INDEX_PATTERN","MANUAL_RULE_RUN_FEATURE","MANUAL_RULE_RUN_DISABLED_RULE","THRESHOLD_RULE_TYPE_IN_SUPPRESSION","UNSUPPORTED_RULE_IN_SUPPRESSION_FOR_THRESHOLD","RULE_FILL_GAPS_DISABLED_RULE"],"type":"string"},"Security_Detections_API_BulkActionSkipResult":{"type":"object","properties":{"id":{"type":"string"},"name":{"type":"string"},"skip_reason":{"oneOf":[{"$ref":"#/components/schemas/Security_Detections_API_BulkEditSkipReason"},{"$ref":"#/components/schemas/Security_Detections_API_BulkGapsFillingSkipReason"}]}},"required":["id","skip_reason"]},"Security_Detections_API_BulkDeleteRules":{"type":"object","properties":{"action":{"enum":["delete"],"type":"string"},"gap_fill_statuses":{"description":"Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*).","items":{"$ref":"#/components/schemas/Security_Detections_API_GapFillStatus"},"type":"array"},"gaps_range_end":{"description":"Gaps range end, valid only when query is provided","type":"string"},"gaps_range_start":{"description":"Gaps range start, valid only when query is provided","type":"string"},"ids":{"description":"Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here.\nOnly valid when query property is undefined.\n","items":{"type":"string"},"minItems":1,"type":"array"},"query":{"description":"Query to filter rules.","type":"string"}},"required":["action"]},"Security_Detections_API_BulkDisableRules":{"type":"object","properties":{"action":{"enum":["disable"],"type":"string"},"gap_fill_statuses":{"description":"Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*).","items":{"$ref":"#/components/schemas/Security_Detections_API_GapFillStatus"},"type":"array"},"gaps_range_end":{"description":"Gaps range end, valid only when query is provided","type":"string"},"gaps_range_start":{"description":"Gaps range start, valid only when query is provided","type":"string"},"ids":{"description":"Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here.\nOnly valid when query property is undefined.\n","items":{"type":"string"},"minItems":1,"type":"array"},"query":{"description":"Query to filter rules.","type":"string"}},"required":["action"]},"Security_Detections_API_BulkDuplicateRules":{"type":"object","properties":{"action":{"enum":["duplicate"],"type":"string"},"duplicate":{"description":"Duplicate object that describes applying an update action.","type":"object","properties":{"include_exceptions":{"description":"Whether to copy exceptions from the original rule","type":"boolean"},"include_expired_exceptions":{"description":"Whether to copy expired exceptions from the original rule","type":"boolean"}},"required":["include_exceptions","include_expired_exceptions"]},"gap_fill_statuses":{"description":"Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*).","items":{"$ref":"#/components/schemas/Security_Detections_API_GapFillStatus"},"type":"array"},"gaps_range_end":{"description":"Gaps range end, valid only when query is provided","type":"string"},"gaps_range_start":{"description":"Gaps range start, valid only when query is provided","type":"string"},"ids":{"description":"Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here.\nOnly valid when query property is undefined.\n","items":{"type":"string"},"minItems":1,"type":"array"},"query":{"description":"Query to filter rules.","type":"string"}},"required":["action"]},"Security_Detections_API_BulkEditActionResponse":{"type":"object","properties":{"attributes":{"type":"object","properties":{"errors":{"items":{"$ref":"#/components/schemas/Security_Detections_API_NormalizedRuleError"},"type":"array"},"results":{"$ref":"#/components/schemas/Security_Detections_API_BulkEditActionResults"},"summary":{"$ref":"#/components/schemas/Security_Detections_API_BulkEditActionSummary"}},"required":["results","summary"]},"message":{"type":"string"},"rules_count":{"type":"integer"},"status_code":{"type":"integer"},"success":{"type":"boolean"}},"required":["attributes"]},"Security_Detections_API_BulkEditActionResults":{"type":"object","properties":{"created":{"items":{"$ref":"#/components/schemas/Security_Detections_API_RuleResponse"},"type":"array"},"deleted":{"items":{"$ref":"#/components/schemas/Security_Detections_API_RuleResponse"},"type":"array"},"skipped":{"items":{"$ref":"#/components/schemas/Security_Detections_API_BulkActionSkipResult"},"type":"array"},"updated":{"items":{"$ref":"#/components/schemas/Security_Detections_API_RuleResponse"},"type":"array"}},"required":["updated","created","deleted","skipped"]},"Security_Detections_API_BulkEditActionSummary":{"description":"A rule can only be skipped when the bulk action to be performed on it results in nothing being done. For example, if the `edit` action is used to add a tag to a rule that already has that tag, or to delete an index pattern that is not specified in a rule. Objects returned in `attributes.results.skipped` will only include rules' `id`, `name`, and `skip_reason`.","type":"object","properties":{"failed":{"type":"integer"},"skipped":{"type":"integer"},"succeeded":{"type":"integer"},"total":{"type":"integer"}},"required":["failed","skipped","succeeded","total"]},"Security_Detections_API_BulkEditRules":{"type":"object","properties":{"action":{"enum":["edit"],"type":"string"},"edit":{"description":"Array of objects containing the edit operations","items":{"$ref":"#/components/schemas/Security_Detections_API_BulkActionEditPayload"},"minItems":1,"type":"array"},"gap_fill_statuses":{"description":"Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*).","items":{"$ref":"#/components/schemas/Security_Detections_API_GapFillStatus"},"type":"array"},"gaps_range_end":{"description":"Gaps range end, valid only when query is provided","type":"string"},"gaps_range_start":{"description":"Gaps range start, valid only when query is provided","type":"string"},"ids":{"description":"Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here.\nOnly valid when query property is undefined.\n","items":{"type":"string"},"minItems":1,"type":"array"},"query":{"description":"Query to filter rules.","type":"string"}},"required":["action","edit"]},"Security_Detections_API_BulkEditSkipReason":{"enum":["RULE_NOT_MODIFIED"],"type":"string"},"Security_Detections_API_BulkEnableRules":{"type":"object","properties":{"action":{"enum":["enable"],"type":"string"},"gap_fill_statuses":{"description":"Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*).","items":{"$ref":"#/components/schemas/Security_Detections_API_GapFillStatus"},"type":"array"},"gaps_range_end":{"description":"Gaps range end, valid only when query is provided","type":"string"},"gaps_range_start":{"description":"Gaps range start, valid only when query is provided","type":"string"},"ids":{"description":"Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here.\nOnly valid when query property is undefined.\n","items":{"type":"string"},"minItems":1,"type":"array"},"query":{"description":"Query to filter rules.","type":"string"}},"required":["action"]},"Security_Detections_API_BulkExportActionResponse":{"type":"string"},"Security_Detections_API_BulkExportRules":{"type":"object","properties":{"action":{"enum":["export"],"type":"string"},"gap_fill_statuses":{"description":"Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*).","items":{"$ref":"#/components/schemas/Security_Detections_API_GapFillStatus"},"type":"array"},"gaps_range_end":{"description":"Gaps range end, valid only when query is provided","type":"string"},"gaps_range_start":{"description":"Gaps range start, valid only when query is provided","type":"string"},"ids":{"description":"Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here.\nOnly valid when query property is undefined.\n","items":{"type":"string"},"minItems":1,"type":"array"},"query":{"description":"Query to filter rules.","type":"string"}},"required":["action"]},"Security_Detections_API_BulkGapsFillingSkipReason":{"enum":["NO_GAPS_TO_FILL"],"type":"string"},"Security_Detections_API_BulkManualRuleFillGaps":{"type":"object","properties":{"action":{"enum":["fill_gaps"],"type":"string"},"fill_gaps":{"description":"Object that describes applying a manual gap fill action for the specified time range.","type":"object","properties":{"end_date":{"description":"End date of the manual gap fill","type":"string"},"start_date":{"description":"Start date of the manual gap fill","type":"string"}},"required":["start_date","end_date"]},"gap_fill_statuses":{"description":"Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*).","items":{"$ref":"#/components/schemas/Security_Detections_API_GapFillStatus"},"type":"array"},"gaps_range_end":{"description":"Gaps range end, valid only when query is provided","type":"string"},"gaps_range_start":{"description":"Gaps range start, valid only when query is provided","type":"string"},"ids":{"description":"Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here.\nOnly valid when query property is undefined.\n","items":{"type":"string"},"minItems":1,"type":"array"},"query":{"description":"Query to filter rules.","type":"string"}},"required":["action","fill_gaps"]},"Security_Detections_API_BulkManualRuleRun":{"type":"object","properties":{"action":{"enum":["run"],"type":"string"},"gap_fill_statuses":{"description":"Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*).","items":{"$ref":"#/components/schemas/Security_Detections_API_GapFillStatus"},"type":"array"},"gaps_range_end":{"description":"Gaps range end, valid only when query is provided","type":"string"},"gaps_range_start":{"description":"Gaps range start, valid only when query is provided","type":"string"},"ids":{"description":"Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here.\nOnly valid when query property is undefined.\n","items":{"type":"string"},"minItems":1,"type":"array"},"query":{"description":"Query to filter rules.","type":"string"},"run":{"description":"Object that describes applying a manual rule run action.","type":"object","properties":{"end_date":{"description":"End date of the manual rule run","type":"string"},"start_date":{"description":"Start date of the manual rule run","type":"string"}},"required":["start_date","end_date"]}},"required":["action","run"]},"Security_Detections_API_CloseAlertsByIds":{"type":"object","properties":{"reason":{"$ref":"#/components/schemas/Security_Detections_API_ReasonEnum"},"signal_ids":{"description":"List of alert ids. Use field `_id` on alert document or `kibana.alert.uuid`. Note: signals are a deprecated term for alerts.","items":{"format":"nonempty","minLength":1,"type":"string"},"minItems":1,"type":"array"},"status":{"enum":["closed"],"type":"string"}},"required":["signal_ids","status"]},"Security_Detections_API_CloseAlertsByQuery":{"type":"object","properties":{"conflicts":{"default":"abort","enum":["abort","proceed"],"type":"string"},"query":{"additionalProperties":true,"type":"object"},"reason":{"$ref":"#/components/schemas/Security_Detections_API_ReasonEnum"},"status":{"enum":["closed"],"type":"string"}},"required":["query","status"]},"Security_Detections_API_ConcurrentSearches":{"minimum":1,"type":"integer"},"Security_Detections_API_DataViewId":{"type":"string"},"Security_Detections_API_DefaultParams":{"type":"object","properties":{"command":{"enum":["isolate"],"type":"string"},"comment":{"type":"string"}},"required":["command"]},"Security_Detections_API_EcsMapping":{"additionalProperties":{"type":"object","properties":{"field":{"type":"string"},"value":{"oneOf":[{"type":"string"},{"items":{"type":"string"},"type":"array"}]}}},"description":"Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: \"ecs_mapping\": {\"process.pid\": {\"field\": \"pid\"}}","type":"object"},"Security_Detections_API_EndpointResponseAction":{"type":"object","properties":{"action_type_id":{"enum":[".endpoint"],"type":"string"},"params":{"oneOf":[{"$ref":"#/components/schemas/Security_Detections_API_DefaultParams"},{"$ref":"#/components/schemas/Security_Detections_API_ProcessesParams"}]}},"required":["action_type_id","params"]},"Security_Detections_API_EqlOptionalFields":{"type":"object","properties":{"alert_suppression":{"$ref":"#/components/schemas/Security_Detections_API_AlertSuppression"},"data_view_id":{"$ref":"#/components/schemas/Security_Detections_API_DataViewId"},"event_category_override":{"$ref":"#/components/schemas/Security_Detections_API_EventCategoryOverride"},"filters":{"$ref":"#/components/schemas/Security_Detections_API_RuleFilterArray"},"index":{"$ref":"#/components/schemas/Security_Detections_API_IndexPatternArray"},"tiebreaker_field":{"$ref":"#/components/schemas/Security_Detections_API_TiebreakerField"},"timestamp_field":{"$ref":"#/components/schemas/Security_Detections_API_TimestampField"}}},"Security_Detections_API_EqlQueryLanguage":{"enum":["eql"],"type":"string"},"Security_Detections_API_EqlRequiredFields":{"type":"object","properties":{"language":{"$ref":"#/components/schemas/Security_Detections_API_EqlQueryLanguage","description":"Query language to use"},"query":{"$ref":"#/components/schemas/Security_Detections_API_RuleQuery"},"type":{"description":"Rule type","enum":["eql"],"type":"string"}},"required":["type","query","language"]},"Security_Detections_API_EqlRule":{"allOf":[{"type":"object","properties":{"actions":{"description":"Array defining the automated actions (notifications) taken when alerts are generated.","items":{"$ref":"#/components/schemas/Security_Detections_API_RuleAction"},"type":"array"},"alias_purpose":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose"},"alias_target_id":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId"},"author":{"$ref":"#/components/schemas/Security_Detections_API_RuleAuthorArray"},"building_block_type":{"$ref":"#/components/schemas/Security_Detections_API_BuildingBlockType"},"description":{"$ref":"#/components/schemas/Security_Detections_API_RuleDescription"},"enabled":{"$ref":"#/components/schemas/Security_Detections_API_IsRuleEnabled"},"exceptions_list":{"items":{"$ref":"#/components/schemas/Security_Detections_API_RuleExceptionList"},"type":"array"},"false_positives":{"$ref":"#/components/schemas/Security_Detections_API_RuleFalsePositiveArray"},"from":{"$ref":"#/components/schemas/Security_Detections_API_RuleIntervalFrom"},"interval":{"$ref":"#/components/schemas/Security_Detections_API_RuleInterval"},"investigation_fields":{"$ref":"#/components/schemas/Security_Detections_API_InvestigationFields"},"license":{"$ref":"#/components/schemas/Security_Detections_API_RuleLicense"},"max_signals":{"$ref":"#/components/schemas/Security_Detections_API_MaxSignals"},"meta":{"$ref":"#/components/schemas/Security_Detections_API_RuleMetadata"},"name":{"$ref":"#/components/schemas/Security_Detections_API_RuleName"},"namespace":{"$ref":"#/components/schemas/Security_Detections_API_AlertsIndexNamespace"},"note":{"$ref":"#/components/schemas/Security_Detections_API_InvestigationGuide"},"outcome":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome"},"output_index":{"$ref":"#/components/schemas/Security_Detections_API_AlertsIndex"},"references":{"$ref":"#/components/schemas/Security_Detections_API_RuleReferenceArray"},"related_integrations":{"$ref":"#/components/schemas/Security_Detections_API_RelatedIntegrationArray"},"required_fields":{"description":"Elasticsearch fields and their types that need to be present for the rule to function.\n\u003e info\n\u003e The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.\n","items":{"$ref":"#/components/schemas/Security_Detections_API_RequiredFieldInput"},"type":"array"},"response_actions":{"items":{"$ref":"#/components/schemas/Security_Detections_API_ResponseAction"},"type":"array"},"risk_score":{"$ref":"#/components/schemas/Security_Detections_API_RiskScore"},"risk_score_mapping":{"$ref":"#/components/schemas/Security_Detections_API_RiskScoreMapping"},"rule_name_override":{"$ref":"#/components/schemas/Security_Detections_API_RuleNameOverride"},"setup":{"$ref":"#/components/schemas/Security_Detections_API_SetupGuide"},"severity":{"$ref":"#/components/schemas/Security_Detections_API_Severity"},"severity_mapping":{"$ref":"#/components/schemas/Security_Detections_API_SeverityMapping"},"tags":{"$ref":"#/components/schemas/Security_Detections_API_RuleTagArray"},"threat":{"$ref":"#/components/schemas/Security_Detections_API_ThreatArray"},"throttle":{"$ref":"#/components/schemas/Security_Detections_API_RuleActionThrottle"},"timeline_id":{"$ref":"#/components/schemas/Security_Detections_API_TimelineTemplateId"},"timeline_title":{"$ref":"#/components/schemas/Security_Detections_API_TimelineTemplateTitle"},"timestamp_override":{"$ref":"#/components/schemas/Security_Detections_API_TimestampOverride"},"timestamp_override_fallback_disabled":{"$ref":"#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled"},"to":{"$ref":"#/components/schemas/Security_Detections_API_RuleIntervalTo"},"version":{"$ref":"#/components/schemas/Security_Detections_API_RuleVersion"}},"required":["name","description","risk_score","severity","version","tags","enabled","risk_score_mapping","severity_mapping","interval","from","to","actions","exceptions_list","author","false_positives","references","max_signals","threat","setup","related_integrations","required_fields"]},{"$ref":"#/components/schemas/Security_Detections_API_ResponseFields"},{"$ref":"#/components/schemas/Security_Detections_API_EqlRuleResponseFields"}]},"Security_Detections_API_EqlRuleCreateFields":{"allOf":[{"$ref":"#/components/schemas/Security_Detections_API_EqlRequiredFields"},{"$ref":"#/components/schemas/Security_Detections_API_EqlOptionalFields"}]},"Security_Detections_API_EqlRuleCreateProps":{"allOf":[{"type":"object","properties":{"actions":{"description":"Array defining the automated actions (notifications) taken when alerts are generated.","items":{"$ref":"#/components/schemas/Security_Detections_API_RuleAction"},"type":"array"},"alias_purpose":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose"},"alias_target_id":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId"},"author":{"$ref":"#/components/schemas/Security_Detections_API_RuleAuthorArray"},"building_block_type":{"$ref":"#/components/schemas/Security_Detections_API_BuildingBlockType"},"description":{"$ref":"#/components/schemas/Security_Detections_API_RuleDescription"},"enabled":{"$ref":"#/components/schemas/Security_Detections_API_IsRuleEnabled"},"exceptions_list":{"items":{"$ref":"#/components/schemas/Security_Detections_API_RuleExceptionList"},"type":"array"},"false_positives":{"$ref":"#/components/schemas/Security_Detections_API_RuleFalsePositiveArray"},"from":{"$ref":"#/components/schemas/Security_Detections_API_RuleIntervalFrom"},"interval":{"$ref":"#/components/schemas/Security_Detections_API_RuleInterval"},"investigation_fields":{"$ref":"#/components/schemas/Security_Detections_API_InvestigationFields"},"license":{"$ref":"#/components/schemas/Security_Detections_API_RuleLicense"},"max_signals":{"$ref":"#/components/schemas/Security_Detections_API_MaxSignals"},"meta":{"$ref":"#/components/schemas/Security_Detections_API_RuleMetadata"},"name":{"$ref":"#/components/schemas/Security_Detections_API_RuleName"},"namespace":{"$ref":"#/components/schemas/Security_Detections_API_AlertsIndexNamespace"},"note":{"$ref":"#/components/schemas/Security_Detections_API_InvestigationGuide"},"outcome":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome"},"output_index":{"$ref":"#/components/schemas/Security_Detections_API_AlertsIndex"},"references":{"$ref":"#/components/schemas/Security_Detections_API_RuleReferenceArray"},"related_integrations":{"$ref":"#/components/schemas/Security_Detections_API_RelatedIntegrationArray"},"required_fields":{"description":"Elasticsearch fields and their types that need to be present for the rule to function.\n\u003e info\n\u003e The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.\n","items":{"$ref":"#/components/schemas/Security_Detections_API_RequiredFieldInput"},"type":"array"},"response_actions":{"items":{"$ref":"#/components/schemas/Security_Detections_API_ResponseAction"},"type":"array"},"risk_score":{"$ref":"#/components/schemas/Security_Detections_API_RiskScore"},"risk_score_mapping":{"$ref":"#/components/schemas/Security_Detections_API_RiskScoreMapping"},"rule_id":{"$ref":"#/components/schemas/Security_Detections_API_RuleSignatureId"},"rule_name_override":{"$ref":"#/components/schemas/Security_Detections_API_RuleNameOverride"},"setup":{"$ref":"#/components/schemas/Security_Detections_API_SetupGuide"},"severity":{"$ref":"#/components/schemas/Security_Detections_API_Severity"},"severity_mapping":{"$ref":"#/components/schemas/Security_Detections_API_SeverityMapping"},"tags":{"$ref":"#/components/schemas/Security_Detections_API_RuleTagArray"},"threat":{"$ref":"#/components/schemas/Security_Detections_API_ThreatArray"},"throttle":{"$ref":"#/components/schemas/Security_Detections_API_RuleActionThrottle"},"timeline_id":{"$ref":"#/components/schemas/Security_Detections_API_TimelineTemplateId"},"timeline_title":{"$ref":"#/components/schemas/Security_Detections_API_TimelineTemplateTitle"},"timestamp_override":{"$ref":"#/components/schemas/Security_Detections_API_TimestampOverride"},"timestamp_override_fallback_disabled":{"$ref":"#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled"},"to":{"$ref":"#/components/schemas/Security_Detections_API_RuleIntervalTo"},"version":{"$ref":"#/components/schemas/Security_Detections_API_RuleVersion"}},"required":["name","description","risk_score","severity"]},{"$ref":"#/components/schemas/Security_Detections_API_EqlRuleCreateFields"}]},"Security_Detections_API_EqlRulePatchFields":{"allOf":[{"type":"object","properties":{"language":{"$ref":"#/components/schemas/Security_Detections_API_EqlQueryLanguage","description":"Query language to use"},"query":{"$ref":"#/components/schemas/Security_Detections_API_RuleQuery"},"type":{"description":"Rule type","enum":["eql"],"type":"string"}}},{"$ref":"#/components/schemas/Security_Detections_API_EqlOptionalFields"}]},"Security_Detections_API_EqlRulePatchProps":{"allOf":[{"type":"object","properties":{"actions":{"description":"Array defining the automated actions (notifications) taken when alerts are generated.","items":{"$ref":"#/components/schemas/Security_Detections_API_RuleAction"},"type":"array"},"alias_purpose":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose"},"alias_target_id":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId"},"author":{"$ref":"#/components/schemas/Security_Detections_API_RuleAuthorArray"},"building_block_type":{"$ref":"#/components/schemas/Security_Detections_API_BuildingBlockType"},"description":{"$ref":"#/components/schemas/Security_Detections_API_RuleDescription"},"enabled":{"$ref":"#/components/schemas/Security_Detections_API_IsRuleEnabled"},"exceptions_list":{"items":{"$ref":"#/components/schemas/Security_Detections_API_RuleExceptionList"},"type":"array"},"false_positives":{"$ref":"#/components/schemas/Security_Detections_API_RuleFalsePositiveArray"},"from":{"$ref":"#/components/schemas/Security_Detections_API_RuleIntervalFrom"},"id":{"$ref":"#/components/schemas/Security_Detections_API_UUID"},"interval":{"$ref":"#/components/schemas/Security_Detections_API_RuleInterval"},"investigation_fields":{"$ref":"#/components/schemas/Security_Detections_API_InvestigationFields"},"license":{"$ref":"#/components/schemas/Security_Detections_API_RuleLicense"},"max_signals":{"$ref":"#/components/schemas/Security_Detections_API_MaxSignals"},"meta":{"$ref":"#/components/schemas/Security_Detections_API_RuleMetadata"},"name":{"$ref":"#/components/schemas/Security_Detections_API_RuleName"},"namespace":{"$ref":"#/components/schemas/Security_Detections_API_AlertsIndexNamespace"},"note":{"$ref":"#/components/schemas/Security_Detections_API_InvestigationGuide"},"outcome":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome"},"output_index":{"$ref":"#/components/schemas/Security_Detections_API_AlertsIndex"},"references":{"$ref":"#/components/schemas/Security_Detections_API_RuleReferenceArray"},"related_integrations":{"$ref":"#/components/schemas/Security_Detections_API_RelatedIntegrationArray"},"required_fields":{"description":"Elasticsearch fields and their types that need to be present for the rule to function.\n\u003e info\n\u003e The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.\n","items":{"$ref":"#/components/schemas/Security_Detections_API_RequiredFieldInput"},"type":"array"},"response_actions":{"items":{"$ref":"#/components/schemas/Security_Detections_API_ResponseAction"},"type":"array"},"risk_score":{"$ref":"#/components/schemas/Security_Detections_API_RiskScore"},"risk_score_mapping":{"$ref":"#/components/schemas/Security_Detections_API_RiskScoreMapping"},"rule_id":{"$ref":"#/components/schemas/Security_Detections_API_RuleSignatureId"},"rule_name_override":{"$ref":"#/components/schemas/Security_Detections_API_RuleNameOverride"},"setup":{"$ref":"#/components/schemas/Security_Detections_API_SetupGuide"},"severity":{"$ref":"#/components/schemas/Security_Detections_API_Severity"},"severity_mapping":{"$ref":"#/components/schemas/Security_Detections_API_SeverityMapping"},"tags":{"$ref":"#/components/schemas/Security_Detections_API_RuleTagArray"},"threat":{"$ref":"#/components/schemas/Security_Detections_API_ThreatArray"},"throttle":{"$ref":"#/components/schemas/Security_Detections_API_RuleActionThrottle"},"timeline_id":{"$ref":"#/components/schemas/Security_Detections_API_TimelineTemplateId"},"timeline_title":{"$ref":"#/components/schemas/Security_Detections_API_TimelineTemplateTitle"},"timestamp_override":{"$ref":"#/components/schemas/Security_Detections_API_TimestampOverride"},"timestamp_override_fallback_disabled":{"$ref":"#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled"},"to":{"$ref":"#/components/schemas/Security_Detections_API_RuleIntervalTo"},"version":{"$ref":"#/components/schemas/Security_Detections_API_RuleVersion"}}},{"$ref":"#/components/schemas/Security_Detections_API_EqlRulePatchFields"}]},"Security_Detections_API_EqlRuleResponseFields":{"allOf":[{"$ref":"#/components/schemas/Security_Detections_API_EqlRequiredFields"},{"$ref":"#/components/schemas/Security_Detections_API_EqlOptionalFields"}]},"Security_Detections_API_EqlRuleUpdateProps":{"allOf":[{"type":"object","properties":{"actions":{"description":"Array defining the automated actions (notifications) taken when alerts are generated.","items":{"$ref":"#/components/schemas/Security_Detections_API_RuleAction"},"type":"array"},"alias_purpose":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose"},"alias_target_id":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId"},"author":{"$ref":"#/components/schemas/Security_Detections_API_RuleAuthorArray"},"building_block_type":{"$ref":"#/components/schemas/Security_Detections_API_BuildingBlockType"},"description":{"$ref":"#/components/schemas/Security_Detections_API_RuleDescription"},"enabled":{"$ref":"#/components/schemas/Security_Detections_API_IsRuleEnabled"},"exceptions_list":{"items":{"$ref":"#/components/schemas/Security_Detections_API_RuleExceptionList"},"type":"array"},"false_positives":{"$ref":"#/components/schemas/Security_Detections_API_RuleFalsePositiveArray"},"from":{"$ref":"#/components/schemas/Security_Detections_API_RuleIntervalFrom"},"id":{"$ref":"#/components/schemas/Security_Detections_API_UUID"},"interval":{"$ref":"#/components/schemas/Security_Detections_API_RuleInterval"},"investigation_fields":{"$ref":"#/components/schemas/Security_Detections_API_InvestigationFields"},"license":{"$ref":"#/components/schemas/Security_Detections_API_RuleLicense"},"max_signals":{"$ref":"#/components/schemas/Security_Detections_API_MaxSignals"},"meta":{"$ref":"#/components/schemas/Security_Detections_API_RuleMetadata"},"name":{"$ref":"#/components/schemas/Security_Detections_API_RuleName"},"namespace":{"$ref":"#/components/schemas/Security_Detections_API_AlertsIndexNamespace"},"note":{"$ref":"#/components/schemas/Security_Detections_API_InvestigationGuide"},"outcome":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome"},"output_index":{"$ref":"#/components/schemas/Security_Detections_API_AlertsIndex"},"references":{"$ref":"#/components/schemas/Security_Detections_API_RuleReferenceArray"},"related_integrations":{"$ref":"#/components/schemas/Security_Detections_API_RelatedIntegrationArray"},"required_fields":{"description":"Elasticsearch fields and their types that need to be present for the rule to function.\n\u003e info\n\u003e The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.\n","items":{"$ref":"#/components/schemas/Security_Detections_API_RequiredFieldInput"},"type":"array"},"response_actions":{"items":{"$ref":"#/components/schemas/Security_Detections_API_ResponseAction"},"type":"array"},"risk_score":{"$ref":"#/components/schemas/Security_Detections_API_RiskScore"},"risk_score_mapping":{"$ref":"#/components/schemas/Security_Detections_API_RiskScoreMapping"},"rule_id":{"$ref":"#/components/schemas/Security_Detections_API_RuleSignatureId"},"rule_name_override":{"$ref":"#/components/schemas/Security_Detections_API_RuleNameOverride"},"setup":{"$ref":"#/components/schemas/Security_Detections_API_SetupGuide"},"severity":{"$ref":"#/components/schemas/Security_Detections_API_Severity"},"severity_mapping":{"$ref":"#/components/schemas/Security_Detections_API_SeverityMapping"},"tags":{"$ref":"#/components/schemas/Security_Detections_API_RuleTagArray"},"threat":{"$ref":"#/components/schemas/Security_Detections_API_ThreatArray"},"throttle":{"$ref":"#/components/schemas/Security_Detections_API_RuleActionThrottle"},"timeline_id":{"$ref":"#/components/schemas/Security_Detections_API_TimelineTemplateId"},"timeline_title":{"$ref":"#/components/schemas/Security_Detections_API_TimelineTemplateTitle"},"timestamp_override":{"$ref":"#/components/schemas/Security_Detections_API_TimestampOverride"},"timestamp_override_fallback_disabled":{"$ref":"#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled"},"to":{"$ref":"#/components/schemas/Security_Detections_API_RuleIntervalTo"},"version":{"$ref":"#/components/schemas/Security_Detections_API_RuleVersion"}},"required":["name","description","risk_score","severity"]},{"$ref":"#/components/schemas/Security_Detections_API_EqlRuleCreateFields"}]},"Security_Detections_API_ErrorSchema":{"additionalProperties":false,"type":"object","properties":{"error":{"type":"object","properties":{"message":{"type":"string"},"status_code":{"minimum":400,"type":"integer"}},"required":["status_code","message"]},"id":{"type":"string"},"item_id":{"minLength":1,"type":"string"},"list_id":{"minLength":1,"type":"string"},"rule_id":{"$ref":"#/components/schemas/Security_Detections_API_RuleSignatureId"}},"required":["error"]},"Security_Detections_API_EsqlQueryLanguage":{"enum":["esql"],"type":"string"},"Security_Detections_API_EsqlRule":{"allOf":[{"type":"object","properties":{"actions":{"description":"Array defining the automated actions (notifications) taken when alerts are generated.","items":{"$ref":"#/components/schemas/Security_Detections_API_RuleAction"},"type":"array"},"alias_purpose":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose"},"alias_target_id":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId"},"author":{"$ref":"#/components/schemas/Security_Detections_API_RuleAuthorArray"},"building_block_type":{"$ref":"#/components/schemas/Security_Detections_API_BuildingBlockType"},"description":{"$ref":"#/components/schemas/Security_Detections_API_RuleDescription"},"enabled":{"$ref":"#/components/schemas/Security_Detections_API_IsRuleEnabled"},"exceptions_list":{"items":{"$ref":"#/components/schemas/Security_Detections_API_RuleExceptionList"},"type":"array"},"false_positives":{"$ref":"#/components/schemas/Security_Detections_API_RuleFalsePositiveArray"},"from":{"$ref":"#/components/schemas/Security_Detections_API_RuleIntervalFrom"},"interval":{"$ref":"#/components/schemas/Security_Detections_API_RuleInterval"},"investigation_fields":{"$ref":"#/components/schemas/Security_Detections_API_InvestigationFields"},"license":{"$ref":"#/components/schemas/Security_Detections_API_RuleLicense"},"max_signals":{"$ref":"#/components/schemas/Security_Detections_API_MaxSignals"},"meta":{"$ref":"#/components/schemas/Security_Detections_API_RuleMetadata"},"name":{"$ref":"#/components/schemas/Security_Detections_API_RuleName"},"namespace":{"$ref":"#/components/schemas/Security_Detections_API_AlertsIndexNamespace"},"note":{"$ref":"#/components/schemas/Security_Detections_API_InvestigationGuide"},"outcome":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome"},"output_index":{"$ref":"#/components/schemas/Security_Detections_API_AlertsIndex"},"references":{"$ref":"#/components/schemas/Security_Detections_API_RuleReferenceArray"},"related_integrations":{"$ref":"#/components/schemas/Security_Detections_API_RelatedIntegrationArray"},"required_fields":{"description":"Elasticsearch fields and their types that need to be present for the rule to function.\n\u003e info\n\u003e The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.\n","items":{"$ref":"#/components/schemas/Security_Detections_API_RequiredFieldInput"},"type":"array"},"response_actions":{"items":{"$ref":"#/components/schemas/Security_Detections_API_ResponseAction"},"type":"array"},"risk_score":{"$ref":"#/components/schemas/Security_Detections_API_RiskScore"},"risk_score_mapping":{"$ref":"#/components/schemas/Security_Detections_API_RiskScoreMapping"},"rule_name_override":{"$ref":"#/components/schemas/Security_Detections_API_RuleNameOverride"},"setup":{"$ref":"#/components/schemas/Security_Detections_API_SetupGuide"},"severity":{"$ref":"#/components/schemas/Security_Detections_API_Severity"},"severity_mapping":{"$ref":"#/components/schemas/Security_Detections_API_SeverityMapping"},"tags":{"$ref":"#/components/schemas/Security_Detections_API_RuleTagArray"},"threat":{"$ref":"#/components/schemas/Security_Detections_API_ThreatArray"},"throttle":{"$ref":"#/components/schemas/Security_Detections_API_RuleActionThrottle"},"timeline_id":{"$ref":"#/components/schemas/Security_Detections_API_TimelineTemplateId"},"timeline_title":{"$ref":"#/components/schemas/Security_Detections_API_TimelineTemplateTitle"},"timestamp_override":{"$ref":"#/components/schemas/Security_Detections_API_TimestampOverride"},"timestamp_override_fallback_disabled":{"$ref":"#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled"},"to":{"$ref":"#/components/schemas/Security_Detections_API_RuleIntervalTo"},"version":{"$ref":"#/components/schemas/Security_Detections_API_RuleVersion"}},"required":["name","description","risk_score","severity","version","tags","enabled","risk_score_mapping","severity_mapping","interval","from","to","actions","exceptions_list","author","false_positives","references","max_signals","threat","setup","related_integrations","required_fields"]},{"$ref":"#/components/schemas/Security_Detections_API_ResponseFields"},{"$ref":"#/components/schemas/Security_Detections_API_EsqlRuleResponseFields"}]},"Security_Detections_API_EsqlRuleCreateFields":{"allOf":[{"$ref":"#/components/schemas/Security_Detections_API_EsqlRuleOptionalFields"},{"$ref":"#/components/schemas/Security_Detections_API_EsqlRuleRequiredFields"}]},"Security_Detections_API_EsqlRuleCreateProps":{"allOf":[{"type":"object","properties":{"actions":{"description":"Array defining the automated actions (notifications) taken when alerts are generated.","items":{"$ref":"#/components/schemas/Security_Detections_API_RuleAction"},"type":"array"},"alias_purpose":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose"},"alias_target_id":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId"},"author":{"$ref":"#/components/schemas/Security_Detections_API_RuleAuthorArray"},"building_block_type":{"$ref":"#/components/schemas/Security_Detections_API_BuildingBlockType"},"description":{"$ref":"#/components/schemas/Security_Detections_API_RuleDescription"},"enabled":{"$ref":"#/components/schemas/Security_Detections_API_IsRuleEnabled"},"exceptions_list":{"items":{"$ref":"#/components/schemas/Security_Detections_API_RuleExceptionList"},"type":"array"},"false_positives":{"$ref":"#/components/schemas/Security_Detections_API_RuleFalsePositiveArray"},"from":{"$ref":"#/components/schemas/Security_Detections_API_RuleIntervalFrom"},"interval":{"$ref":"#/components/schemas/Security_Detections_API_RuleInterval"},"investigation_fields":{"$ref":"#/components/schemas/Security_Detections_API_InvestigationFields"},"license":{"$ref":"#/components/schemas/Security_Detections_API_RuleLicense"},"max_signals":{"$ref":"#/components/schemas/Security_Detections_API_MaxSignals"},"meta":{"$ref":"#/components/schemas/Security_Detections_API_RuleMetadata"},"name":{"$ref":"#/components/schemas/Security_Detections_API_RuleName"},"namespace":{"$ref":"#/components/schemas/Security_Detections_API_AlertsIndexNamespace"},"note":{"$ref":"#/components/schemas/Security_Detections_API_InvestigationGuide"},"outcome":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome"},"output_index":{"$ref":"#/components/schemas/Security_Detections_API_AlertsIndex"},"references":{"$ref":"#/components/schemas/Security_Detections_API_RuleReferenceArray"},"related_integrations":{"$ref":"#/components/schemas/Security_Detections_API_RelatedIntegrationArray"},"required_fields":{"description":"Elasticsearch fields and their types that need to be present for the rule to function.\n\u003e info\n\u003e The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.\n","items":{"$ref":"#/components/schemas/Security_Detections_API_RequiredFieldInput"},"type":"array"},"response_actions":{"items":{"$ref":"#/components/schemas/Security_Detections_API_ResponseAction"},"type":"array"},"risk_score":{"$ref":"#/components/schemas/Security_Detections_API_RiskScore"},"risk_score_mapping":{"$ref":"#/components/schemas/Security_Detections_API_RiskScoreMapping"},"rule_id":{"$ref":"#/components/schemas/Security_Detections_API_RuleSignatureId"},"rule_name_override":{"$ref":"#/components/schemas/Security_Detections_API_RuleNameOverride"},"setup":{"$ref":"#/components/schemas/Security_Detections_API_SetupGuide"},"severity":{"$ref":"#/components/schemas/Security_Detections_API_Severity"},"severity_mapping":{"$ref":"#/components/schemas/Security_Detections_API_SeverityMapping"},"tags":{"$ref":"#/components/schemas/Security_Detections_API_RuleTagArray"},"threat":{"$ref":"#/components/schemas/Security_Detections_API_ThreatArray"},"throttle":{"$ref":"#/components/schemas/Security_Detections_API_RuleActionThrottle"},"timeline_id":{"$ref":"#/components/schemas/Security_Detections_API_TimelineTemplateId"},"timeline_title":{"$ref":"#/components/schemas/Security_Detections_API_TimelineTemplateTitle"},"timestamp_override":{"$ref":"#/components/schemas/Security_Detections_API_TimestampOverride"},"timestamp_override_fallback_disabled":{"$ref":"#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled"},"to":{"$ref":"#/components/schemas/Security_Detections_API_RuleIntervalTo"},"version":{"$ref":"#/components/schemas/Security_Detections_API_RuleVersion"}},"required":["name","description","risk_score","severity"]},{"$ref":"#/components/schemas/Security_Detections_API_EsqlRuleCreateFields"}]},"Security_Detections_API_EsqlRuleOptionalFields":{"type":"object","properties":{"alert_suppression":{"$ref":"#/components/schemas/Security_Detections_API_AlertSuppression"}}},"Security_Detections_API_EsqlRulePatchProps":{"allOf":[{"type":"object","properties":{"actions":{"description":"Array defining the automated actions (notifications) taken when alerts are generated.","items":{"$ref":"#/components/schemas/Security_Detections_API_RuleAction"},"type":"array"},"alias_purpose":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose"},"alias_target_id":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId"},"author":{"$ref":"#/components/schemas/Security_Detections_API_RuleAuthorArray"},"building_block_type":{"$ref":"#/components/schemas/Security_Detections_API_BuildingBlockType"},"description":{"$ref":"#/components/schemas/Security_Detections_API_RuleDescription"},"enabled":{"$ref":"#/components/schemas/Security_Detections_API_IsRuleEnabled"},"exceptions_list":{"items":{"$ref":"#/components/schemas/Security_Detections_API_RuleExceptionList"},"type":"array"},"false_positives":{"$ref":"#/components/schemas/Security_Detections_API_RuleFalsePositiveArray"},"from":{"$ref":"#/components/schemas/Security_Detections_API_RuleIntervalFrom"},"id":{"$ref":"#/components/schemas/Security_Detections_API_UUID"},"interval":{"$ref":"#/components/schemas/Security_Detections_API_RuleInterval"},"investigation_fields":{"$ref":"#/components/schemas/Security_Detections_API_InvestigationFields"},"language":{"$ref":"#/components/schemas/Security_Detections_API_EsqlQueryLanguage"},"license":{"$ref":"#/components/schemas/Security_Detections_API_RuleLicense"},"max_signals":{"$ref":"#/components/schemas/Security_Detections_API_MaxSignals"},"meta":{"$ref":"#/components/schemas/Security_Detections_API_RuleMetadata"},"name":{"$ref":"#/components/schemas/Security_Detections_API_RuleName"},"namespace":{"$ref":"#/components/schemas/Security_Detections_API_AlertsIndexNamespace"},"note":{"$ref":"#/components/schemas/Security_Detections_API_InvestigationGuide"},"outcome":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome"},"output_index":{"$ref":"#/components/schemas/Security_Detections_API_AlertsIndex"},"query":{"$ref":"#/components/schemas/Security_Detections_API_RuleQuery"},"references":{"$ref":"#/components/schemas/Security_Detections_API_RuleReferenceArray"},"related_integrations":{"$ref":"#/components/schemas/Security_Detections_API_RelatedIntegrationArray"},"required_fields":{"description":"Elasticsearch fields and their types that need to be present for the rule to function.\n\u003e info\n\u003e The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.\n","items":{"$ref":"#/components/schemas/Security_Detections_API_RequiredFieldInput"},"type":"array"},"response_actions":{"items":{"$ref":"#/components/schemas/Security_Detections_API_ResponseAction"},"type":"array"},"risk_score":{"$ref":"#/components/schemas/Security_Detections_API_RiskScore"},"risk_score_mapping":{"$ref":"#/components/schemas/Security_Detections_API_RiskScoreMapping"},"rule_id":{"$ref":"#/components/schemas/Security_Detections_API_RuleSignatureId"},"rule_name_override":{"$ref":"#/components/schemas/Security_Detections_API_RuleNameOverride"},"setup":{"$ref":"#/components/schemas/Security_Detections_API_SetupGuide"},"severity":{"$ref":"#/components/schemas/Security_Detections_API_Severity"},"severity_mapping":{"$ref":"#/components/schemas/Security_Detections_API_SeverityMapping"},"tags":{"$ref":"#/components/schemas/Security_Detections_API_RuleTagArray"},"threat":{"$ref":"#/components/schemas/Security_Detections_API_ThreatArray"},"throttle":{"$ref":"#/components/schemas/Security_Detections_API_RuleActionThrottle"},"timeline_id":{"$ref":"#/components/schemas/Security_Detections_API_TimelineTemplateId"},"timeline_title":{"$ref":"#/components/schemas/Security_Detections_API_TimelineTemplateTitle"},"timestamp_override":{"$ref":"#/components/schemas/Security_Detections_API_TimestampOverride"},"timestamp_override_fallback_disabled":{"$ref":"#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled"},"to":{"$ref":"#/components/schemas/Security_Detections_API_RuleIntervalTo"},"type":{"description":"Rule type","enum":["esql"],"type":"string"},"version":{"$ref":"#/components/schemas/Security_Detections_API_RuleVersion"}}},{"$ref":"#/components/schemas/Security_Detections_API_EsqlRuleOptionalFields"}]},"Security_Detections_API_EsqlRuleRequiredFields":{"type":"object","properties":{"language":{"$ref":"#/components/schemas/Security_Detections_API_EsqlQueryLanguage"},"query":{"$ref":"#/components/schemas/Security_Detections_API_RuleQuery"},"type":{"description":"Rule type","enum":["esql"],"type":"string"}},"required":["type","language","query"]},"Security_Detections_API_EsqlRuleResponseFields":{"allOf":[{"$ref":"#/components/schemas/Security_Detections_API_EsqlRuleOptionalFields"},{"$ref":"#/components/schemas/Security_Detections_API_EsqlRuleRequiredFields"}]},"Security_Detections_API_EsqlRuleUpdateProps":{"allOf":[{"type":"object","properties":{"actions":{"description":"Array defining the automated actions (notifications) taken when alerts are generated.","items":{"$ref":"#/components/schemas/Security_Detections_API_RuleAction"},"type":"array"},"alias_purpose":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose"},"alias_target_id":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId"},"author":{"$ref":"#/components/schemas/Security_Detections_API_RuleAuthorArray"},"building_block_type":{"$ref":"#/components/schemas/Security_Detections_API_BuildingBlockType"},"description":{"$ref":"#/components/schemas/Security_Detections_API_RuleDescription"},"enabled":{"$ref":"#/components/schemas/Security_Detections_API_IsRuleEnabled"},"exceptions_list":{"items":{"$ref":"#/components/schemas/Security_Detections_API_RuleExceptionList"},"type":"array"},"false_positives":{"$ref":"#/components/schemas/Security_Detections_API_RuleFalsePositiveArray"},"from":{"$ref":"#/components/schemas/Security_Detections_API_RuleIntervalFrom"},"id":{"$ref":"#/components/schemas/Security_Detections_API_UUID"},"interval":{"$ref":"#/components/schemas/Security_Detections_API_RuleInterval"},"investigation_fields":{"$ref":"#/components/schemas/Security_Detections_API_InvestigationFields"},"license":{"$ref":"#/components/schemas/Security_Detections_API_RuleLicense"},"max_signals":{"$ref":"#/components/schemas/Security_Detections_API_MaxSignals"},"meta":{"$ref":"#/components/schemas/Security_Detections_API_RuleMetadata"},"name":{"$ref":"#/components/schemas/Security_Detections_API_RuleName"},"namespace":{"$ref":"#/components/schemas/Security_Detections_API_AlertsIndexNamespace"},"note":{"$ref":"#/components/schemas/Security_Detections_API_InvestigationGuide"},"outcome":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome"},"output_index":{"$ref":"#/components/schemas/Security_Detections_API_AlertsIndex"},"references":{"$ref":"#/components/schemas/Security_Detections_API_RuleReferenceArray"},"related_integrations":{"$ref":"#/components/schemas/Security_Detections_API_RelatedIntegrationArray"},"required_fields":{"description":"Elasticsearch fields and their types that need to be present for the rule to function.\n\u003e info\n\u003e The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.\n","items":{"$ref":"#/components/schemas/Security_Detections_API_RequiredFieldInput"},"type":"array"},"response_actions":{"items":{"$ref":"#/components/schemas/Security_Detections_API_ResponseAction"},"type":"array"},"risk_score":{"$ref":"#/components/schemas/Security_Detections_API_RiskScore"},"risk_score_mapping":{"$ref":"#/components/schemas/Security_Detections_API_RiskScoreMapping"},"rule_id":{"$ref":"#/components/schemas/Security_Detections_API_RuleSignatureId"},"rule_name_override":{"$ref":"#/components/schemas/Security_Detections_API_RuleNameOverride"},"setup":{"$ref":"#/components/schemas/Security_Detections_API_SetupGuide"},"severity":{"$ref":"#/components/schemas/Security_Detections_API_Severity"},"severity_mapping":{"$ref":"#/components/schemas/Security_Detections_API_SeverityMapping"},"tags":{"$ref":"#/components/schemas/Security_Detections_API_RuleTagArray"},"threat":{"$ref":"#/components/schemas/Security_Detections_API_ThreatArray"},"throttle":{"$ref":"#/components/schemas/Security_Detections_API_RuleActionThrottle"},"timeline_id":{"$ref":"#/components/schemas/Security_Detections_API_TimelineTemplateId"},"timeline_title":{"$ref":"#/components/schemas/Security_Detections_API_TimelineTemplateTitle"},"timestamp_override":{"$ref":"#/components/schemas/Security_Detections_API_TimestampOverride"},"timestamp_override_fallback_disabled":{"$ref":"#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled"},"to":{"$ref":"#/components/schemas/Security_Detections_API_RuleIntervalTo"},"version":{"$ref":"#/components/schemas/Security_Detections_API_RuleVersion"}},"required":["name","description","risk_score","severity"]},{"$ref":"#/components/schemas/Security_Detections_API_EsqlRuleCreateFields"}]},"Security_Detections_API_EventCategoryOverride":{"type":"string"},"Security_Detections_API_ExceptionListType":{"description":"The exception type","enum":["detection","rule_default","endpoint","endpoint_trusted_apps","endpoint_trusted_devices","endpoint_events","endpoint_host_isolation_exceptions","endpoint_blocklists"],"type":"string"},"Security_Detections_API_ExternalRuleCustomizedFields":{"description":"An array of customized field names — that is, fields that the user has modified from their base value. Defaults to an empty array.","items":{"type":"object","properties":{"field_name":{"description":"Name of a user-modified field in the rule object.","type":"string"}},"required":["field_name"]},"type":"array"},"Security_Detections_API_ExternalRuleHasBaseVersion":{"description":"Determines whether an external/prebuilt rule has its original, unmodified version present when the calculation of its customization status is performed (`rule_source.is_customized` and `rule_source.customized_fields`).","type":"boolean"},"Security_Detections_API_ExternalRuleSource":{"description":"Type of rule source for externally sourced rules, i.e. rules that have an external source, such as the Elastic Prebuilt rules repo.","type":"object","properties":{"customized_fields":{"$ref":"#/components/schemas/Security_Detections_API_ExternalRuleCustomizedFields"},"has_base_version":{"$ref":"#/components/schemas/Security_Detections_API_ExternalRuleHasBaseVersion"},"is_customized":{"$ref":"#/components/schemas/Security_Detections_API_IsExternalRuleCustomized"},"type":{"enum":["external"],"type":"string"}},"required":["type","is_customized","has_base_version","customized_fields"]},"Security_Detections_API_FindRulesSortField":{"enum":["created_at","createdAt","enabled","execution_summary.last_execution.date","execution_summary.last_execution.metrics.execution_gap_duration_s","execution_summary.last_execution.metrics.total_indexing_duration_ms","execution_summary.last_execution.metrics.total_search_duration_ms","execution_summary.last_execution.status","name","risk_score","riskScore","severity","updated_at","updatedAt"],"type":"string"},"Security_Detections_API_GapFillStatus":{"enum":["unfilled","in_progress","filled"],"type":"string"},"Security_Detections_API_HistoryWindowStart":{"description":"Start date to use when checking if a term has been seen before. Supports relative dates – for example, now-30d will search the last 30 days of data when checking if a term is new. We do not recommend using absolute dates, which can cause issues with rule performance due to querying increasing amounts of data over time.","format":"nonempty","minLength":1,"type":"string"},"Security_Detections_API_IndexMigrationStatus":{"type":"object","properties":{"index":{"$ref":"#/components/schemas/Security_Detections_API_NonEmptyString"},"is_outdated":{"type":"boolean"},"migrations":{"items":{"$ref":"#/components/schemas/Security_Detections_API_MigrationStatus"},"type":"array"},"signal_versions":{"items":{"$ref":"#/components/schemas/Security_Detections_API_AlertVersion"},"type":"array"},"version":{"type":"integer"}},"required":["index","version","signal_versions","migrations","is_outdated"]},"Security_Detections_API_IndexPatternArray":{"description":"Indices on which the rule functions. Defaults to the Security Solution indices defined on the Kibana Advanced Settings page (Kibana → Stack Management → Advanced Settings → `securitySolution:defaultIndex`).\n\u003e info\n\u003e This field is not supported for ES|QL rules.\n","items":{"type":"string"},"type":"array"},"Security_Detections_API_InternalRuleSource":{"description":"Type of rule source for internally sourced rules, i.e. created within the Kibana apps.","type":"object","properties":{"type":{"enum":["internal"],"type":"string"}},"required":["type"]},"Security_Detections_API_InvestigationFields":{"description":"Schema for fields relating to investigation fields. These are user defined fields we use to highlight\nin various features in the UI such as alert details flyout and exceptions auto-population from alert.\n","type":"object","properties":{"field_names":{"items":{"$ref":"#/components/schemas/Security_Detections_API_NonEmptyString"},"minItems":1,"type":"array"}},"required":["field_names"]},"Security_Detections_API_InvestigationGuide":{"description":"Notes to help investigate alerts produced by the rule.","type":"string"},"Security_Detections_API_IsExternalRuleCustomized":{"description":"Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).","type":"boolean"},"Security_Detections_API_IsRuleEnabled":{"description":"Determines whether the rule is enabled. Defaults to true.","type":"boolean"},"Security_Detections_API_IsRuleImmutable":{"deprecated":true,"description":"This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the `rule_source` field.","type":"boolean"},"Security_Detections_API_ItemsPerSearch":{"minimum":1,"type":"integer"},"Security_Detections_API_KqlQueryLanguage":{"enum":["kuery","lucene"],"type":"string"},"Security_Detections_API_MachineLearningJobId":{"description":"Machine learning job ID(s) the rule monitors for anomaly scores.","oneOf":[{"type":"string"},{"items":{"type":"string"},"minItems":1,"type":"array"}]},"Security_Detections_API_MachineLearningRule":{"allOf":[{"type":"object","properties":{"actions":{"description":"Array defining the automated actions (notifications) taken when alerts are generated.","items":{"$ref":"#/components/schemas/Security_Detections_API_RuleAction"},"type":"array"},"alias_purpose":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose"},"alias_target_id":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId"},"author":{"$ref":"#/components/schemas/Security_Detections_API_RuleAuthorArray"},"building_block_type":{"$ref":"#/components/schemas/Security_Detections_API_BuildingBlockType"},"description":{"$ref":"#/components/schemas/Security_Detections_API_RuleDescription"},"enabled":{"$ref":"#/components/schemas/Security_Detections_API_IsRuleEnabled"},"exceptions_list":{"items":{"$ref":"#/components/schemas/Security_Detections_API_RuleExceptionList"},"type":"array"},"false_positives":{"$ref":"#/components/schemas/Security_Detections_API_RuleFalsePositiveArray"},"from":{"$ref":"#/components/schemas/Security_Detections_API_RuleIntervalFrom"},"interval":{"$ref":"#/components/schemas/Security_Detections_API_RuleInterval"},"investigation_fields":{"$ref":"#/components/schemas/Security_Detections_API_InvestigationFields"},"license":{"$ref":"#/components/schemas/Security_Detections_API_RuleLicense"},"max_signals":{"$ref":"#/components/schemas/Security_Detections_API_MaxSignals"},"meta":{"$ref":"#/components/schemas/Security_Detections_API_RuleMetadata"},"name":{"$ref":"#/components/schemas/Security_Detections_API_RuleName"},"namespace":{"$ref":"#/components/schemas/Security_Detections_API_AlertsIndexNamespace"},"note":{"$ref":"#/components/schemas/Security_Detections_API_InvestigationGuide"},"outcome":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome"},"output_index":{"$ref":"#/components/schemas/Security_Detections_API_AlertsIndex"},"references":{"$ref":"#/components/schemas/Security_Detections_API_RuleReferenceArray"},"related_integrations":{"$ref":"#/components/schemas/Security_Detections_API_RelatedIntegrationArray"},"required_fields":{"description":"Elasticsearch fields and their types that need to be present for the rule to function.\n\u003e info\n\u003e The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.\n","items":{"$ref":"#/components/schemas/Security_Detections_API_RequiredFieldInput"},"type":"array"},"response_actions":{"items":{"$ref":"#/components/schemas/Security_Detections_API_ResponseAction"},"type":"array"},"risk_score":{"$ref":"#/components/schemas/Security_Detections_API_RiskScore"},"risk_score_mapping":{"$ref":"#/components/schemas/Security_Detections_API_RiskScoreMapping"},"rule_name_override":{"$ref":"#/components/schemas/Security_Detections_API_RuleNameOverride"},"setup":{"$ref":"#/components/schemas/Security_Detections_API_SetupGuide"},"severity":{"$ref":"#/components/schemas/Security_Detections_API_Severity"},"severity_mapping":{"$ref":"#/components/schemas/Security_Detections_API_SeverityMapping"},"tags":{"$ref":"#/components/schemas/Security_Detections_API_RuleTagArray"},"threat":{"$ref":"#/components/schemas/Security_Detections_API_ThreatArray"},"throttle":{"$ref":"#/components/schemas/Security_Detections_API_RuleActionThrottle"},"timeline_id":{"$ref":"#/components/schemas/Security_Detections_API_TimelineTemplateId"},"timeline_title":{"$ref":"#/components/schemas/Security_Detections_API_TimelineTemplateTitle"},"timestamp_override":{"$ref":"#/components/schemas/Security_Detections_API_TimestampOverride"},"timestamp_override_fallback_disabled":{"$ref":"#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled"},"to":{"$ref":"#/components/schemas/Security_Detections_API_RuleIntervalTo"},"version":{"$ref":"#/components/schemas/Security_Detections_API_RuleVersion"}},"required":["name","description","risk_score","severity","version","tags","enabled","risk_score_mapping","severity_mapping","interval","from","to","actions","exceptions_list","author","false_positives","references","max_signals","threat","setup","related_integrations","required_fields"]},{"$ref":"#/components/schemas/Security_Detections_API_ResponseFields"},{"$ref":"#/components/schemas/Security_Detections_API_MachineLearningRuleResponseFields"}]},"Security_Detections_API_MachineLearningRuleCreateFields":{"allOf":[{"$ref":"#/components/schemas/Security_Detections_API_MachineLearningRuleRequiredFields"},{"$ref":"#/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields"}]},"Security_Detections_API_MachineLearningRuleCreateProps":{"allOf":[{"type":"object","properties":{"actions":{"description":"Array defining the automated actions (notifications) taken when alerts are generated.","items":{"$ref":"#/components/schemas/Security_Detections_API_RuleAction"},"type":"array"},"alias_purpose":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose"},"alias_target_id":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId"},"author":{"$ref":"#/components/schemas/Security_Detections_API_RuleAuthorArray"},"building_block_type":{"$ref":"#/components/schemas/Security_Detections_API_BuildingBlockType"},"description":{"$ref":"#/components/schemas/Security_Detections_API_RuleDescription"},"enabled":{"$ref":"#/components/schemas/Security_Detections_API_IsRuleEnabled"},"exceptions_list":{"items":{"$ref":"#/components/schemas/Security_Detections_API_RuleExceptionList"},"type":"array"},"false_positives":{"$ref":"#/components/schemas/Security_Detections_API_RuleFalsePositiveArray"},"from":{"$ref":"#/components/schemas/Security_Detections_API_RuleIntervalFrom"},"interval":{"$ref":"#/components/schemas/Security_Detections_API_RuleInterval"},"investigation_fields":{"$ref":"#/components/schemas/Security_Detections_API_InvestigationFields"},"license":{"$ref":"#/components/schemas/Security_Detections_API_RuleLicense"},"max_signals":{"$ref":"#/components/schemas/Security_Detections_API_MaxSignals"},"meta":{"$ref":"#/components/schemas/Security_Detections_API_RuleMetadata"},"name":{"$ref":"#/components/schemas/Security_Detections_API_RuleName"},"namespace":{"$ref":"#/components/schemas/Security_Detections_API_AlertsIndexNamespace"},"note":{"$ref":"#/components/schemas/Security_Detections_API_InvestigationGuide"},"outcome":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome"},"output_index":{"$ref":"#/components/schemas/Security_Detections_API_AlertsIndex"},"references":{"$ref":"#/components/schemas/Security_Detections_API_RuleReferenceArray"},"related_integrations":{"$ref":"#/components/schemas/Security_Detections_API_RelatedIntegrationArray"},"required_fields":{"description":"Elasticsearch fields and their types that need to be present for the rule to function.\n\u003e info\n\u003e The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.\n","items":{"$ref":"#/components/schemas/Security_Detections_API_RequiredFieldInput"},"type":"array"},"response_actions":{"items":{"$ref":"#/components/schemas/Security_Detections_API_ResponseAction"},"type":"array"},"risk_score":{"$ref":"#/components/schemas/Security_Detections_API_RiskScore"},"risk_score_mapping":{"$ref":"#/components/schemas/Security_Detections_API_RiskScoreMapping"},"rule_id":{"$ref":"#/components/schemas/Security_Detections_API_RuleSignatureId"},"rule_name_override":{"$ref":"#/components/schemas/Security_Detections_API_RuleNameOverride"},"setup":{"$ref":"#/components/schemas/Security_Detections_API_SetupGuide"},"severity":{"$ref":"#/components/schemas/Security_Detections_API_Severity"},"severity_mapping":{"$ref":"#/components/schemas/Security_Detections_API_SeverityMapping"},"tags":{"$ref":"#/components/schemas/Security_Detections_API_RuleTagArray"},"threat":{"$ref":"#/components/schemas/Security_Detections_API_ThreatArray"},"throttle":{"$ref":"#/components/schemas/Security_Detections_API_RuleActionThrottle"},"timeline_id":{"$ref":"#/components/schemas/Security_Detections_API_TimelineTemplateId"},"timeline_title":{"$ref":"#/components/schemas/Security_Detections_API_TimelineTemplateTitle"},"timestamp_override":{"$ref":"#/components/schemas/Security_Detections_API_TimestampOverride"},"timestamp_override_fallback_disabled":{"$ref":"#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled"},"to":{"$ref":"#/components/schemas/Security_Detections_API_RuleIntervalTo"},"version":{"$ref":"#/components/schemas/Security_Detections_API_RuleVersion"}},"required":["name","description","risk_score","severity"]},{"$ref":"#/components/schemas/Security_Detections_API_MachineLearningRuleCreateFields"}]},"Security_Detections_API_MachineLearningRuleOptionalFields":{"type":"object","properties":{"alert_suppression":{"$ref":"#/components/schemas/Security_Detections_API_AlertSuppression"}}},"Security_Detections_API_MachineLearningRulePatchFields":{"allOf":[{"type":"object","properties":{"anomaly_threshold":{"$ref":"#/components/schemas/Security_Detections_API_AnomalyThreshold"},"machine_learning_job_id":{"$ref":"#/components/schemas/Security_Detections_API_MachineLearningJobId"},"type":{"description":"Rule type","enum":["machine_learning"],"type":"string"}}},{"$ref":"#/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields"}]},"Security_Detections_API_MachineLearningRulePatchProps":{"allOf":[{"type":"object","properties":{"actions":{"description":"Array defining the automated actions (notifications) taken when alerts are generated.","items":{"$ref":"#/components/schemas/Security_Detections_API_RuleAction"},"type":"array"},"alias_purpose":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose"},"alias_target_id":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId"},"author":{"$ref":"#/components/schemas/Security_Detections_API_RuleAuthorArray"},"building_block_type":{"$ref":"#/components/schemas/Security_Detections_API_BuildingBlockType"},"description":{"$ref":"#/components/schemas/Security_Detections_API_RuleDescription"},"enabled":{"$ref":"#/components/schemas/Security_Detections_API_IsRuleEnabled"},"exceptions_list":{"items":{"$ref":"#/components/schemas/Security_Detections_API_RuleExceptionList"},"type":"array"},"false_positives":{"$ref":"#/components/schemas/Security_Detections_API_RuleFalsePositiveArray"},"from":{"$ref":"#/components/schemas/Security_Detections_API_RuleIntervalFrom"},"id":{"$ref":"#/components/schemas/Security_Detections_API_UUID"},"interval":{"$ref":"#/components/schemas/Security_Detections_API_RuleInterval"},"investigation_fields":{"$ref":"#/components/schemas/Security_Detections_API_InvestigationFields"},"license":{"$ref":"#/components/schemas/Security_Detections_API_RuleLicense"},"max_signals":{"$ref":"#/components/schemas/Security_Detections_API_MaxSignals"},"meta":{"$ref":"#/components/schemas/Security_Detections_API_RuleMetadata"},"name":{"$ref":"#/components/schemas/Security_Detections_API_RuleName"},"namespace":{"$ref":"#/components/schemas/Security_Detections_API_AlertsIndexNamespace"},"note":{"$ref":"#/components/schemas/Security_Detections_API_InvestigationGuide"},"outcome":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome"},"output_index":{"$ref":"#/components/schemas/Security_Detections_API_AlertsIndex"},"references":{"$ref":"#/components/schemas/Security_Detections_API_RuleReferenceArray"},"related_integrations":{"$ref":"#/components/schemas/Security_Detections_API_RelatedIntegrationArray"},"required_fields":{"description":"Elasticsearch fields and their types that need to be present for the rule to function.\n\u003e info\n\u003e The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.\n","items":{"$ref":"#/components/schemas/Security_Detections_API_RequiredFieldInput"},"type":"array"},"response_actions":{"items":{"$ref":"#/components/schemas/Security_Detections_API_ResponseAction"},"type":"array"},"risk_score":{"$ref":"#/components/schemas/Security_Detections_API_RiskScore"},"risk_score_mapping":{"$ref":"#/components/schemas/Security_Detections_API_RiskScoreMapping"},"rule_id":{"$ref":"#/components/schemas/Security_Detections_API_RuleSignatureId"},"rule_name_override":{"$ref":"#/components/schemas/Security_Detections_API_RuleNameOverride"},"setup":{"$ref":"#/components/schemas/Security_Detections_API_SetupGuide"},"severity":{"$ref":"#/components/schemas/Security_Detections_API_Severity"},"severity_mapping":{"$ref":"#/components/schemas/Security_Detections_API_SeverityMapping"},"tags":{"$ref":"#/components/schemas/Security_Detections_API_RuleTagArray"},"threat":{"$ref":"#/components/schemas/Security_Detections_API_ThreatArray"},"throttle":{"$ref":"#/components/schemas/Security_Detections_API_RuleActionThrottle"},"timeline_id":{"$ref":"#/components/schemas/Security_Detections_API_TimelineTemplateId"},"timeline_title":{"$ref":"#/components/schemas/Security_Detections_API_TimelineTemplateTitle"},"timestamp_override":{"$ref":"#/components/schemas/Security_Detections_API_TimestampOverride"},"timestamp_override_fallback_disabled":{"$ref":"#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled"},"to":{"$ref":"#/components/schemas/Security_Detections_API_RuleIntervalTo"},"version":{"$ref":"#/components/schemas/Security_Detections_API_RuleVersion"}}},{"$ref":"#/components/schemas/Security_Detections_API_MachineLearningRulePatchFields"}]},"Security_Detections_API_MachineLearningRuleRequiredFields":{"type":"object","properties":{"anomaly_threshold":{"$ref":"#/components/schemas/Security_Detections_API_AnomalyThreshold"},"machine_learning_job_id":{"$ref":"#/components/schemas/Security_Detections_API_MachineLearningJobId"},"type":{"description":"Rule type","enum":["machine_learning"],"type":"string"}},"required":["type","machine_learning_job_id","anomaly_threshold"]},"Security_Detections_API_MachineLearningRuleResponseFields":{"allOf":[{"$ref":"#/components/schemas/Security_Detections_API_MachineLearningRuleRequiredFields"},{"$ref":"#/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields"}]},"Security_Detections_API_MachineLearningRuleUpdateProps":{"allOf":[{"type":"object","properties":{"actions":{"description":"Array defining the automated actions (notifications) taken when alerts are generated.","items":{"$ref":"#/components/schemas/Security_Detections_API_RuleAction"},"type":"array"},"alias_purpose":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose"},"alias_target_id":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId"},"author":{"$ref":"#/components/schemas/Security_Detections_API_RuleAuthorArray"},"building_block_type":{"$ref":"#/components/schemas/Security_Detections_API_BuildingBlockType"},"description":{"$ref":"#/components/schemas/Security_Detections_API_RuleDescription"},"enabled":{"$ref":"#/components/schemas/Security_Detections_API_IsRuleEnabled"},"exceptions_list":{"items":{"$ref":"#/components/schemas/Security_Detections_API_RuleExceptionList"},"type":"array"},"false_positives":{"$ref":"#/components/schemas/Security_Detections_API_RuleFalsePositiveArray"},"from":{"$ref":"#/components/schemas/Security_Detections_API_RuleIntervalFrom"},"id":{"$ref":"#/components/schemas/Security_Detections_API_UUID"},"interval":{"$ref":"#/components/schemas/Security_Detections_API_RuleInterval"},"investigation_fields":{"$ref":"#/components/schemas/Security_Detections_API_InvestigationFields"},"license":{"$ref":"#/components/schemas/Security_Detections_API_RuleLicense"},"max_signals":{"$ref":"#/components/schemas/Security_Detections_API_MaxSignals"},"meta":{"$ref":"#/components/schemas/Security_Detections_API_RuleMetadata"},"name":{"$ref":"#/components/schemas/Security_Detections_API_RuleName"},"namespace":{"$ref":"#/components/schemas/Security_Detections_API_AlertsIndexNamespace"},"note":{"$ref":"#/components/schemas/Security_Detections_API_InvestigationGuide"},"outcome":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome"},"output_index":{"$ref":"#/components/schemas/Security_Detections_API_AlertsIndex"},"references":{"$ref":"#/components/schemas/Security_Detections_API_RuleReferenceArray"},"related_integrations":{"$ref":"#/components/schemas/Security_Detections_API_RelatedIntegrationArray"},"required_fields":{"description":"Elasticsearch fields and their types that need to be present for the rule to function.\n\u003e info\n\u003e The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.\n","items":{"$ref":"#/components/schemas/Security_Detections_API_RequiredFieldInput"},"type":"array"},"response_actions":{"items":{"$ref":"#/components/schemas/Security_Detections_API_ResponseAction"},"type":"array"},"risk_score":{"$ref":"#/components/schemas/Security_Detections_API_RiskScore"},"risk_score_mapping":{"$ref":"#/components/schemas/Security_Detections_API_RiskScoreMapping"},"rule_id":{"$ref":"#/components/schemas/Security_Detections_API_RuleSignatureId"},"rule_name_override":{"$ref":"#/components/schemas/Security_Detections_API_RuleNameOverride"},"setup":{"$ref":"#/components/schemas/Security_Detections_API_SetupGuide"},"severity":{"$ref":"#/components/schemas/Security_Detections_API_Severity"},"severity_mapping":{"$ref":"#/components/schemas/Security_Detections_API_SeverityMapping"},"tags":{"$ref":"#/components/schemas/Security_Detections_API_RuleTagArray"},"threat":{"$ref":"#/components/schemas/Security_Detections_API_ThreatArray"},"throttle":{"$ref":"#/components/schemas/Security_Detections_API_RuleActionThrottle"},"timeline_id":{"$ref":"#/components/schemas/Security_Detections_API_TimelineTemplateId"},"timeline_title":{"$ref":"#/components/schemas/Security_Detections_API_TimelineTemplateTitle"},"timestamp_override":{"$ref":"#/components/schemas/Security_Detections_API_TimestampOverride"},"timestamp_override_fallback_disabled":{"$ref":"#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled"},"to":{"$ref":"#/components/schemas/Security_Detections_API_RuleIntervalTo"},"version":{"$ref":"#/components/schemas/Security_Detections_API_RuleVersion"}},"required":["name","description","risk_score","severity"]},{"$ref":"#/components/schemas/Security_Detections_API_MachineLearningRuleCreateFields"}]},"Security_Detections_API_MaxSignals":{"default":100,"description":"Maximum number of alerts the rule can create during a single run (the rule’s Max alerts per run [advanced setting](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#rule-ui-advanced-params) value).\n\u003e info\n\u003e This setting can be superseded by the [Kibana configuration setting](https://www.elastic.co/guide/en/kibana/current/alert-action-settings-kb.html#alert-settings) `xpack.alerting.rules.run.alerts.max`, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, the rule can generate no more than 1000 alerts even if `max_signals` is set higher.\n","minimum":1,"type":"integer"},"Security_Detections_API_MigrationCleanupResult":{"type":"object","properties":{"destinationIndex":{"type":"string"},"error":{"type":"object","properties":{"message":{"type":"string"},"status_code":{"type":"integer"}},"required":["message","status_code"]},"id":{"type":"string"},"sourceIndex":{"type":"string"},"status":{"enum":["success","failure","pending"],"type":"string"},"updated":{"format":"date-time","type":"string"},"version":{"type":"string"}},"required":["id","destinationIndex","status","sourceIndex","version","updated"]},"Security_Detections_API_MigrationFinalizationResult":{"type":"object","properties":{"completed":{"type":"boolean"},"destinationIndex":{"type":"string"},"error":{"type":"object","properties":{"message":{"type":"string"},"status_code":{"type":"integer"}},"required":["message","status_code"]},"id":{"type":"string"},"sourceIndex":{"type":"string"},"status":{"enum":["success","failure","pending"],"type":"string"},"updated":{"format":"date-time","type":"string"},"version":{"type":"string"}},"required":["id","completed","destinationIndex","status","sourceIndex","version","updated"]},"Security_Detections_API_MigrationStatus":{"type":"object","properties":{"id":{"$ref":"#/components/schemas/Security_Detections_API_NonEmptyString"},"status":{"enum":["success","failure","pending"],"type":"string"},"updated":{"format":"date-time","type":"string"},"version":{"type":"integer"}},"required":["id","status","version","updated"]},"Security_Detections_API_NewTermsFields":{"description":"Fields to monitor for new values.","items":{"type":"string"},"maxItems":3,"minItems":1,"type":"array"},"Security_Detections_API_NewTermsRule":{"allOf":[{"type":"object","properties":{"actions":{"description":"Array defining the automated actions (notifications) taken when alerts are generated.","items":{"$ref":"#/components/schemas/Security_Detections_API_RuleAction"},"type":"array"},"alias_purpose":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose"},"alias_target_id":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId"},"author":{"$ref":"#/components/schemas/Security_Detections_API_RuleAuthorArray"},"building_block_type":{"$ref":"#/components/schemas/Security_Detections_API_BuildingBlockType"},"description":{"$ref":"#/components/schemas/Security_Detections_API_RuleDescription"},"enabled":{"$ref":"#/components/schemas/Security_Detections_API_IsRuleEnabled"},"exceptions_list":{"items":{"$ref":"#/components/schemas/Security_Detections_API_RuleExceptionList"},"type":"array"},"false_positives":{"$ref":"#/components/schemas/Security_Detections_API_RuleFalsePositiveArray"},"from":{"$ref":"#/components/schemas/Security_Detections_API_RuleIntervalFrom"},"interval":{"$ref":"#/components/schemas/Security_Detections_API_RuleInterval"},"investigation_fields":{"$ref":"#/components/schemas/Security_Detections_API_InvestigationFields"},"license":{"$ref":"#/components/schemas/Security_Detections_API_RuleLicense"},"max_signals":{"$ref":"#/components/schemas/Security_Detections_API_MaxSignals"},"meta":{"$ref":"#/components/schemas/Security_Detections_API_RuleMetadata"},"name":{"$ref":"#/components/schemas/Security_Detections_API_RuleName"},"namespace":{"$ref":"#/components/schemas/Security_Detections_API_AlertsIndexNamespace"},"note":{"$ref":"#/components/schemas/Security_Detections_API_InvestigationGuide"},"outcome":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome"},"output_index":{"$ref":"#/components/schemas/Security_Detections_API_AlertsIndex"},"references":{"$ref":"#/components/schemas/Security_Detections_API_RuleReferenceArray"},"related_integrations":{"$ref":"#/components/schemas/Security_Detections_API_RelatedIntegrationArray"},"required_fields":{"description":"Elasticsearch fields and their types that need to be present for the rule to function.\n\u003e info\n\u003e The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.\n","items":{"$ref":"#/components/schemas/Security_Detections_API_RequiredFieldInput"},"type":"array"},"response_actions":{"items":{"$ref":"#/components/schemas/Security_Detections_API_ResponseAction"},"type":"array"},"risk_score":{"$ref":"#/components/schemas/Security_Detections_API_RiskScore"},"risk_score_mapping":{"$ref":"#/components/schemas/Security_Detections_API_RiskScoreMapping"},"rule_name_override":{"$ref":"#/components/schemas/Security_Detections_API_RuleNameOverride"},"setup":{"$ref":"#/components/schemas/Security_Detections_API_SetupGuide"},"severity":{"$ref":"#/components/schemas/Security_Detections_API_Severity"},"severity_mapping":{"$ref":"#/components/schemas/Security_Detections_API_SeverityMapping"},"tags":{"$ref":"#/components/schemas/Security_Detections_API_RuleTagArray"},"threat":{"$ref":"#/components/schemas/Security_Detections_API_ThreatArray"},"throttle":{"$ref":"#/components/schemas/Security_Detections_API_RuleActionThrottle"},"timeline_id":{"$ref":"#/components/schemas/Security_Detections_API_TimelineTemplateId"},"timeline_title":{"$ref":"#/components/schemas/Security_Detections_API_TimelineTemplateTitle"},"timestamp_override":{"$ref":"#/components/schemas/Security_Detections_API_TimestampOverride"},"timestamp_override_fallback_disabled":{"$ref":"#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled"},"to":{"$ref":"#/components/schemas/Security_Detections_API_RuleIntervalTo"},"version":{"$ref":"#/components/schemas/Security_Detections_API_RuleVersion"}},"required":["name","description","risk_score","severity","version","tags","enabled","risk_score_mapping","severity_mapping","interval","from","to","actions","exceptions_list","author","false_positives","references","max_signals","threat","setup","related_integrations","required_fields"]},{"$ref":"#/components/schemas/Security_Detections_API_ResponseFields"},{"$ref":"#/components/schemas/Security_Detections_API_NewTermsRuleResponseFields"}]},"Security_Detections_API_NewTermsRuleCreateFields":{"allOf":[{"$ref":"#/components/schemas/Security_Detections_API_NewTermsRuleRequiredFields"},{"$ref":"#/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields"},{"$ref":"#/components/schemas/Security_Detections_API_NewTermsRuleDefaultableFields"}]},"Security_Detections_API_NewTermsRuleCreateProps":{"allOf":[{"type":"object","properties":{"actions":{"description":"Array defining the automated actions (notifications) taken when alerts are generated.","items":{"$ref":"#/components/schemas/Security_Detections_API_RuleAction"},"type":"array"},"alias_purpose":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose"},"alias_target_id":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId"},"author":{"$ref":"#/components/schemas/Security_Detections_API_RuleAuthorArray"},"building_block_type":{"$ref":"#/components/schemas/Security_Detections_API_BuildingBlockType"},"description":{"$ref":"#/components/schemas/Security_Detections_API_RuleDescription"},"enabled":{"$ref":"#/components/schemas/Security_Detections_API_IsRuleEnabled"},"exceptions_list":{"items":{"$ref":"#/components/schemas/Security_Detections_API_RuleExceptionList"},"type":"array"},"false_positives":{"$ref":"#/components/schemas/Security_Detections_API_RuleFalsePositiveArray"},"from":{"$ref":"#/components/schemas/Security_Detections_API_RuleIntervalFrom"},"interval":{"$ref":"#/components/schemas/Security_Detections_API_RuleInterval"},"investigation_fields":{"$ref":"#/components/schemas/Security_Detections_API_InvestigationFields"},"license":{"$ref":"#/components/schemas/Security_Detections_API_RuleLicense"},"max_signals":{"$ref":"#/components/schemas/Security_Detections_API_MaxSignals"},"meta":{"$ref":"#/components/schemas/Security_Detections_API_RuleMetadata"},"name":{"$ref":"#/components/schemas/Security_Detections_API_RuleName"},"namespace":{"$ref":"#/components/schemas/Security_Detections_API_AlertsIndexNamespace"},"note":{"$ref":"#/components/schemas/Security_Detections_API_InvestigationGuide"},"outcome":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome"},"output_index":{"$ref":"#/components/schemas/Security_Detections_API_AlertsIndex"},"references":{"$ref":"#/components/schemas/Security_Detections_API_RuleReferenceArray"},"related_integrations":{"$ref":"#/components/schemas/Security_Detections_API_RelatedIntegrationArray"},"required_fields":{"description":"Elasticsearch fields and their types that need to be present for the rule to function.\n\u003e info\n\u003e The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.\n","items":{"$ref":"#/components/schemas/Security_Detections_API_RequiredFieldInput"},"type":"array"},"response_actions":{"items":{"$ref":"#/components/schemas/Security_Detections_API_ResponseAction"},"type":"array"},"risk_score":{"$ref":"#/components/schemas/Security_Detections_API_RiskScore"},"risk_score_mapping":{"$ref":"#/components/schemas/Security_Detections_API_RiskScoreMapping"},"rule_id":{"$ref":"#/components/schemas/Security_Detections_API_RuleSignatureId"},"rule_name_override":{"$ref":"#/components/schemas/Security_Detections_API_RuleNameOverride"},"setup":{"$ref":"#/components/schemas/Security_Detections_API_SetupGuide"},"severity":{"$ref":"#/components/schemas/Security_Detections_API_Severity"},"severity_mapping":{"$ref":"#/components/schemas/Security_Detections_API_SeverityMapping"},"tags":{"$ref":"#/components/schemas/Security_Detections_API_RuleTagArray"},"threat":{"$ref":"#/components/schemas/Security_Detections_API_ThreatArray"},"throttle":{"$ref":"#/components/schemas/Security_Detections_API_RuleActionThrottle"},"timeline_id":{"$ref":"#/components/schemas/Security_Detections_API_TimelineTemplateId"},"timeline_title":{"$ref":"#/components/schemas/Security_Detections_API_TimelineTemplateTitle"},"timestamp_override":{"$ref":"#/components/schemas/Security_Detections_API_TimestampOverride"},"timestamp_override_fallback_disabled":{"$ref":"#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled"},"to":{"$ref":"#/components/schemas/Security_Detections_API_RuleIntervalTo"},"version":{"$ref":"#/components/schemas/Security_Detections_API_RuleVersion"}},"required":["name","description","risk_score","severity"]},{"$ref":"#/components/schemas/Security_Detections_API_NewTermsRuleCreateFields"}]},"Security_Detections_API_NewTermsRuleDefaultableFields":{"type":"object","properties":{"language":{"$ref":"#/components/schemas/Security_Detections_API_KqlQueryLanguage"}}},"Security_Detections_API_NewTermsRuleOptionalFields":{"type":"object","properties":{"alert_suppression":{"$ref":"#/components/schemas/Security_Detections_API_AlertSuppression"},"data_view_id":{"$ref":"#/components/schemas/Security_Detections_API_DataViewId"},"filters":{"$ref":"#/components/schemas/Security_Detections_API_RuleFilterArray"},"index":{"$ref":"#/components/schemas/Security_Detections_API_IndexPatternArray"}}},"Security_Detections_API_NewTermsRulePatchFields":{"allOf":[{"type":"object","properties":{"history_window_start":{"$ref":"#/components/schemas/Security_Detections_API_HistoryWindowStart"},"new_terms_fields":{"$ref":"#/components/schemas/Security_Detections_API_NewTermsFields"},"query":{"$ref":"#/components/schemas/Security_Detections_API_RuleQuery"},"type":{"description":"Rule type","enum":["new_terms"],"type":"string"}}},{"$ref":"#/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields"},{"$ref":"#/components/schemas/Security_Detections_API_NewTermsRuleDefaultableFields"}]},"Security_Detections_API_NewTermsRulePatchProps":{"allOf":[{"type":"object","properties":{"actions":{"description":"Array defining the automated actions (notifications) taken when alerts are generated.","items":{"$ref":"#/components/schemas/Security_Detections_API_RuleAction"},"type":"array"},"alias_purpose":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose"},"alias_target_id":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId"},"author":{"$ref":"#/components/schemas/Security_Detections_API_RuleAuthorArray"},"building_block_type":{"$ref":"#/components/schemas/Security_Detections_API_BuildingBlockType"},"description":{"$ref":"#/components/schemas/Security_Detections_API_RuleDescription"},"enabled":{"$ref":"#/components/schemas/Security_Detections_API_IsRuleEnabled"},"exceptions_list":{"items":{"$ref":"#/components/schemas/Security_Detections_API_RuleExceptionList"},"type":"array"},"false_positives":{"$ref":"#/components/schemas/Security_Detections_API_RuleFalsePositiveArray"},"from":{"$ref":"#/components/schemas/Security_Detections_API_RuleIntervalFrom"},"id":{"$ref":"#/components/schemas/Security_Detections_API_UUID"},"interval":{"$ref":"#/components/schemas/Security_Detections_API_RuleInterval"},"investigation_fields":{"$ref":"#/components/schemas/Security_Detections_API_InvestigationFields"},"license":{"$ref":"#/components/schemas/Security_Detections_API_RuleLicense"},"max_signals":{"$ref":"#/components/schemas/Security_Detections_API_MaxSignals"},"meta":{"$ref":"#/components/schemas/Security_Detections_API_RuleMetadata"},"name":{"$ref":"#/components/schemas/Security_Detections_API_RuleName"},"namespace":{"$ref":"#/components/schemas/Security_Detections_API_AlertsIndexNamespace"},"note":{"$ref":"#/components/schemas/Security_Detections_API_InvestigationGuide"},"outcome":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome"},"output_index":{"$ref":"#/components/schemas/Security_Detections_API_AlertsIndex"},"references":{"$ref":"#/components/schemas/Security_Detections_API_RuleReferenceArray"},"related_integrations":{"$ref":"#/components/schemas/Security_Detections_API_RelatedIntegrationArray"},"required_fields":{"description":"Elasticsearch fields and their types that need to be present for the rule to function.\n\u003e info\n\u003e The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.\n","items":{"$ref":"#/components/schemas/Security_Detections_API_RequiredFieldInput"},"type":"array"},"response_actions":{"items":{"$ref":"#/components/schemas/Security_Detections_API_ResponseAction"},"type":"array"},"risk_score":{"$ref":"#/components/schemas/Security_Detections_API_RiskScore"},"risk_score_mapping":{"$ref":"#/components/schemas/Security_Detections_API_RiskScoreMapping"},"rule_id":{"$ref":"#/components/schemas/Security_Detections_API_RuleSignatureId"},"rule_name_override":{"$ref":"#/components/schemas/Security_Detections_API_RuleNameOverride"},"setup":{"$ref":"#/components/schemas/Security_Detections_API_SetupGuide"},"severity":{"$ref":"#/components/schemas/Security_Detections_API_Severity"},"severity_mapping":{"$ref":"#/components/schemas/Security_Detections_API_SeverityMapping"},"tags":{"$ref":"#/components/schemas/Security_Detections_API_RuleTagArray"},"threat":{"$ref":"#/components/schemas/Security_Detections_API_ThreatArray"},"throttle":{"$ref":"#/components/schemas/Security_Detections_API_RuleActionThrottle"},"timeline_id":{"$ref":"#/components/schemas/Security_Detections_API_TimelineTemplateId"},"timeline_title":{"$ref":"#/components/schemas/Security_Detections_API_TimelineTemplateTitle"},"timestamp_override":{"$ref":"#/components/schemas/Security_Detections_API_TimestampOverride"},"timestamp_override_fallback_disabled":{"$ref":"#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled"},"to":{"$ref":"#/components/schemas/Security_Detections_API_RuleIntervalTo"},"version":{"$ref":"#/components/schemas/Security_Detections_API_RuleVersion"}}},{"$ref":"#/components/schemas/Security_Detections_API_NewTermsRulePatchFields"}]},"Security_Detections_API_NewTermsRuleRequiredFields":{"type":"object","properties":{"history_window_start":{"$ref":"#/components/schemas/Security_Detections_API_HistoryWindowStart"},"new_terms_fields":{"$ref":"#/components/schemas/Security_Detections_API_NewTermsFields"},"query":{"$ref":"#/components/schemas/Security_Detections_API_RuleQuery"},"type":{"description":"Rule type","enum":["new_terms"],"type":"string"}},"required":["type","query","new_terms_fields","history_window_start"]},"Security_Detections_API_NewTermsRuleResponseFields":{"allOf":[{"$ref":"#/components/schemas/Security_Detections_API_NewTermsRuleRequiredFields"},{"$ref":"#/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields"},{"type":"object","properties":{"language":{"$ref":"#/components/schemas/Security_Detections_API_KqlQueryLanguage"}},"required":["language"]}]},"Security_Detections_API_NewTermsRuleUpdateProps":{"allOf":[{"type":"object","properties":{"actions":{"description":"Array defining the automated actions (notifications) taken when alerts are generated.","items":{"$ref":"#/components/schemas/Security_Detections_API_RuleAction"},"type":"array"},"alias_purpose":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose"},"alias_target_id":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId"},"author":{"$ref":"#/components/schemas/Security_Detections_API_RuleAuthorArray"},"building_block_type":{"$ref":"#/components/schemas/Security_Detections_API_BuildingBlockType"},"description":{"$ref":"#/components/schemas/Security_Detections_API_RuleDescription"},"enabled":{"$ref":"#/components/schemas/Security_Detections_API_IsRuleEnabled"},"exceptions_list":{"items":{"$ref":"#/components/schemas/Security_Detections_API_RuleExceptionList"},"type":"array"},"false_positives":{"$ref":"#/components/schemas/Security_Detections_API_RuleFalsePositiveArray"},"from":{"$ref":"#/components/schemas/Security_Detections_API_RuleIntervalFrom"},"id":{"$ref":"#/components/schemas/Security_Detections_API_UUID"},"interval":{"$ref":"#/components/schemas/Security_Detections_API_RuleInterval"},"investigation_fields":{"$ref":"#/components/schemas/Security_Detections_API_InvestigationFields"},"license":{"$ref":"#/components/schemas/Security_Detections_API_RuleLicense"},"max_signals":{"$ref":"#/components/schemas/Security_Detections_API_MaxSignals"},"meta":{"$ref":"#/components/schemas/Security_Detections_API_RuleMetadata"},"name":{"$ref":"#/components/schemas/Security_Detections_API_RuleName"},"namespace":{"$ref":"#/components/schemas/Security_Detections_API_AlertsIndexNamespace"},"note":{"$ref":"#/components/schemas/Security_Detections_API_InvestigationGuide"},"outcome":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome"},"output_index":{"$ref":"#/components/schemas/Security_Detections_API_AlertsIndex"},"references":{"$ref":"#/components/schemas/Security_Detections_API_RuleReferenceArray"},"related_integrations":{"$ref":"#/components/schemas/Security_Detections_API_RelatedIntegrationArray"},"required_fields":{"description":"Elasticsearch fields and their types that need to be present for the rule to function.\n\u003e info\n\u003e The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.\n","items":{"$ref":"#/components/schemas/Security_Detections_API_RequiredFieldInput"},"type":"array"},"response_actions":{"items":{"$ref":"#/components/schemas/Security_Detections_API_ResponseAction"},"type":"array"},"risk_score":{"$ref":"#/components/schemas/Security_Detections_API_RiskScore"},"risk_score_mapping":{"$ref":"#/components/schemas/Security_Detections_API_RiskScoreMapping"},"rule_id":{"$ref":"#/components/schemas/Security_Detections_API_RuleSignatureId"},"rule_name_override":{"$ref":"#/components/schemas/Security_Detections_API_RuleNameOverride"},"setup":{"$ref":"#/components/schemas/Security_Detections_API_SetupGuide"},"severity":{"$ref":"#/components/schemas/Security_Detections_API_Severity"},"severity_mapping":{"$ref":"#/components/schemas/Security_Detections_API_SeverityMapping"},"tags":{"$ref":"#/components/schemas/Security_Detections_API_RuleTagArray"},"threat":{"$ref":"#/components/schemas/Security_Detections_API_ThreatArray"},"throttle":{"$ref":"#/components/schemas/Security_Detections_API_RuleActionThrottle"},"timeline_id":{"$ref":"#/components/schemas/Security_Detections_API_TimelineTemplateId"},"timeline_title":{"$ref":"#/components/schemas/Security_Detections_API_TimelineTemplateTitle"},"timestamp_override":{"$ref":"#/components/schemas/Security_Detections_API_TimestampOverride"},"timestamp_override_fallback_disabled":{"$ref":"#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled"},"to":{"$ref":"#/components/schemas/Security_Detections_API_RuleIntervalTo"},"version":{"$ref":"#/components/schemas/Security_Detections_API_RuleVersion"}},"required":["name","description","risk_score","severity"]},{"$ref":"#/components/schemas/Security_Detections_API_NewTermsRuleCreateFields"}]},"Security_Detections_API_NonEmptyString":{"description":"A string that does not contain only whitespace characters","format":"nonempty","minLength":1,"type":"string"},"Security_Detections_API_NormalizedRuleAction":{"additionalProperties":false,"type":"object","properties":{"alerts_filter":{"$ref":"#/components/schemas/Security_Detections_API_RuleActionAlertsFilter"},"frequency":{"$ref":"#/components/schemas/Security_Detections_API_RuleActionFrequency"},"group":{"$ref":"#/components/schemas/Security_Detections_API_RuleActionGroup"},"id":{"$ref":"#/components/schemas/Security_Detections_API_RuleActionId"},"params":{"$ref":"#/components/schemas/Security_Detections_API_RuleActionParams"}},"required":["id","params"]},"Security_Detections_API_NormalizedRuleError":{"type":"object","properties":{"err_code":{"$ref":"#/components/schemas/Security_Detections_API_BulkActionsDryRunErrCode"},"message":{"type":"string"},"rules":{"items":{"$ref":"#/components/schemas/Security_Detections_API_RuleDetailsInError"},"type":"array"},"status_code":{"type":"integer"}},"required":["message","status_code","rules"]},"Security_Detections_API_OsqueryParams":{"type":"object","properties":{"ecs_mapping":{"$ref":"#/components/schemas/Security_Detections_API_EcsMapping"},"pack_id":{"description":"To specify a query pack, use the packId field. Example: \"packId\": \"processes_elastic\"","type":"string"},"queries":{"items":{"$ref":"#/components/schemas/Security_Detections_API_OsqueryQuery"},"type":"array"},"query":{"description":"To run a single query, use the query field and enter a SQL query. Example: \"query\": \"SELECT * FROM processes;\"","type":"string"},"saved_query_id":{"description":"To run a saved query, use the saved_query_id field and specify the saved query ID. Example: \"saved_query_id\": \"processes_elastic\"","type":"string"},"timeout":{"description":"A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: \"timeout\": 120.","type":"number"}}},"Security_Detections_API_OsqueryQuery":{"type":"object","properties":{"ecs_mapping":{"$ref":"#/components/schemas/Security_Detections_API_EcsMapping"},"id":{"description":"Query ID","type":"string"},"platform":{"type":"string"},"query":{"description":"Query to run","type":"string"},"removed":{"type":"boolean"},"snapshot":{"type":"boolean"},"version":{"description":"Query version","type":"string"}},"required":["id","query"]},"Security_Detections_API_OsqueryResponseAction":{"type":"object","properties":{"action_type_id":{"enum":[".osquery"],"type":"string"},"params":{"$ref":"#/components/schemas/Security_Detections_API_OsqueryParams"}},"required":["action_type_id","params"]},"Security_Detections_API_PlatformErrorResponse":{"type":"object","properties":{"error":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"integer"}},"required":["statusCode","error","message"]},"Security_Detections_API_ProcessesParams":{"type":"object","properties":{"command":{"description":"To run an endpoint response action, specify a value for the command field. Example: \"command\": \"isolate\"","enum":["kill-process","suspend-process"],"type":"string"},"comment":{"description":"Add a note that explains or describes the action. You can find your comment in the response actions history log. Example: \"comment\": \"Check processes\"","type":"string"},"config":{"type":"object","properties":{"field":{"description":"Field to use instead of process.pid","type":"string"},"overwrite":{"default":true,"description":"Whether to overwrite field with process.pid","type":"boolean"}},"required":["field"]}},"required":["command","config"]},"Security_Detections_API_QueryAlertsBodyParams":{"type":"object","properties":{"_source":{"oneOf":[{"type":"boolean"},{"type":"string"},{"items":{"type":"string"},"type":"array"}]},"aggs":{"additionalProperties":true,"type":"object"},"fields":{"items":{"type":"string"},"type":"array"},"query":{"additionalProperties":true,"type":"object"},"runtime_mappings":{"additionalProperties":true,"type":"object"},"size":{"minimum":0,"type":"integer"},"sort":{"$ref":"#/components/schemas/Security_Detections_API_AlertsSort"},"track_total_hits":{"type":"boolean"}}},"Security_Detections_API_QueryRule":{"allOf":[{"type":"object","properties":{"actions":{"description":"Array defining the automated actions (notifications) taken when alerts are generated.","items":{"$ref":"#/components/schemas/Security_Detections_API_RuleAction"},"type":"array"},"alias_purpose":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose"},"alias_target_id":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId"},"author":{"$ref":"#/components/schemas/Security_Detections_API_RuleAuthorArray"},"building_block_type":{"$ref":"#/components/schemas/Security_Detections_API_BuildingBlockType"},"description":{"$ref":"#/components/schemas/Security_Detections_API_RuleDescription"},"enabled":{"$ref":"#/components/schemas/Security_Detections_API_IsRuleEnabled"},"exceptions_list":{"items":{"$ref":"#/components/schemas/Security_Detections_API_RuleExceptionList"},"type":"array"},"false_positives":{"$ref":"#/components/schemas/Security_Detections_API_RuleFalsePositiveArray"},"from":{"$ref":"#/components/schemas/Security_Detections_API_RuleIntervalFrom"},"interval":{"$ref":"#/components/schemas/Security_Detections_API_RuleInterval"},"investigation_fields":{"$ref":"#/components/schemas/Security_Detections_API_InvestigationFields"},"license":{"$ref":"#/components/schemas/Security_Detections_API_RuleLicense"},"max_signals":{"$ref":"#/components/schemas/Security_Detections_API_MaxSignals"},"meta":{"$ref":"#/components/schemas/Security_Detections_API_RuleMetadata"},"name":{"$ref":"#/components/schemas/Security_Detections_API_RuleName"},"namespace":{"$ref":"#/components/schemas/Security_Detections_API_AlertsIndexNamespace"},"note":{"$ref":"#/components/schemas/Security_Detections_API_InvestigationGuide"},"outcome":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome"},"output_index":{"$ref":"#/components/schemas/Security_Detections_API_AlertsIndex"},"references":{"$ref":"#/components/schemas/Security_Detections_API_RuleReferenceArray"},"related_integrations":{"$ref":"#/components/schemas/Security_Detections_API_RelatedIntegrationArray"},"required_fields":{"description":"Elasticsearch fields and their types that need to be present for the rule to function.\n\u003e info\n\u003e The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.\n","items":{"$ref":"#/components/schemas/Security_Detections_API_RequiredFieldInput"},"type":"array"},"response_actions":{"items":{"$ref":"#/components/schemas/Security_Detections_API_ResponseAction"},"type":"array"},"risk_score":{"$ref":"#/components/schemas/Security_Detections_API_RiskScore"},"risk_score_mapping":{"$ref":"#/components/schemas/Security_Detections_API_RiskScoreMapping"},"rule_name_override":{"$ref":"#/components/schemas/Security_Detections_API_RuleNameOverride"},"setup":{"$ref":"#/components/schemas/Security_Detections_API_SetupGuide"},"severity":{"$ref":"#/components/schemas/Security_Detections_API_Severity"},"severity_mapping":{"$ref":"#/components/schemas/Security_Detections_API_SeverityMapping"},"tags":{"$ref":"#/components/schemas/Security_Detections_API_RuleTagArray"},"threat":{"$ref":"#/components/schemas/Security_Detections_API_ThreatArray"},"throttle":{"$ref":"#/components/schemas/Security_Detections_API_RuleActionThrottle"},"timeline_id":{"$ref":"#/components/schemas/Security_Detections_API_TimelineTemplateId"},"timeline_title":{"$ref":"#/components/schemas/Security_Detections_API_TimelineTemplateTitle"},"timestamp_override":{"$ref":"#/components/schemas/Security_Detections_API_TimestampOverride"},"timestamp_override_fallback_disabled":{"$ref":"#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled"},"to":{"$ref":"#/components/schemas/Security_Detections_API_RuleIntervalTo"},"version":{"$ref":"#/components/schemas/Security_Detections_API_RuleVersion"}},"required":["name","description","risk_score","severity","version","tags","enabled","risk_score_mapping","severity_mapping","interval","from","to","actions","exceptions_list","author","false_positives","references","max_signals","threat","setup","related_integrations","required_fields"]},{"$ref":"#/components/schemas/Security_Detections_API_ResponseFields"},{"$ref":"#/components/schemas/Security_Detections_API_QueryRuleResponseFields"}]},"Security_Detections_API_QueryRuleCreateFields":{"allOf":[{"$ref":"#/components/schemas/Security_Detections_API_QueryRuleRequiredFields"},{"$ref":"#/components/schemas/Security_Detections_API_QueryRuleOptionalFields"},{"$ref":"#/components/schemas/Security_Detections_API_QueryRuleDefaultableFields"}]},"Security_Detections_API_QueryRuleCreateProps":{"allOf":[{"type":"object","properties":{"actions":{"description":"Array defining the automated actions (notifications) taken when alerts are generated.","items":{"$ref":"#/components/schemas/Security_Detections_API_RuleAction"},"type":"array"},"alias_purpose":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose"},"alias_target_id":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId"},"author":{"$ref":"#/components/schemas/Security_Detections_API_RuleAuthorArray"},"building_block_type":{"$ref":"#/components/schemas/Security_Detections_API_BuildingBlockType"},"description":{"$ref":"#/components/schemas/Security_Detections_API_RuleDescription"},"enabled":{"$ref":"#/components/schemas/Security_Detections_API_IsRuleEnabled"},"exceptions_list":{"items":{"$ref":"#/components/schemas/Security_Detections_API_RuleExceptionList"},"type":"array"},"false_positives":{"$ref":"#/components/schemas/Security_Detections_API_RuleFalsePositiveArray"},"from":{"$ref":"#/components/schemas/Security_Detections_API_RuleIntervalFrom"},"interval":{"$ref":"#/components/schemas/Security_Detections_API_RuleInterval"},"investigation_fields":{"$ref":"#/components/schemas/Security_Detections_API_InvestigationFields"},"license":{"$ref":"#/components/schemas/Security_Detections_API_RuleLicense"},"max_signals":{"$ref":"#/components/schemas/Security_Detections_API_MaxSignals"},"meta":{"$ref":"#/components/schemas/Security_Detections_API_RuleMetadata"},"name":{"$ref":"#/components/schemas/Security_Detections_API_RuleName"},"namespace":{"$ref":"#/components/schemas/Security_Detections_API_AlertsIndexNamespace"},"note":{"$ref":"#/components/schemas/Security_Detections_API_InvestigationGuide"},"outcome":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome"},"output_index":{"$ref":"#/components/schemas/Security_Detections_API_AlertsIndex"},"references":{"$ref":"#/components/schemas/Security_Detections_API_RuleReferenceArray"},"related_integrations":{"$ref":"#/components/schemas/Security_Detections_API_RelatedIntegrationArray"},"required_fields":{"description":"Elasticsearch fields and their types that need to be present for the rule to function.\n\u003e info\n\u003e The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.\n","items":{"$ref":"#/components/schemas/Security_Detections_API_RequiredFieldInput"},"type":"array"},"response_actions":{"items":{"$ref":"#/components/schemas/Security_Detections_API_ResponseAction"},"type":"array"},"risk_score":{"$ref":"#/components/schemas/Security_Detections_API_RiskScore"},"risk_score_mapping":{"$ref":"#/components/schemas/Security_Detections_API_RiskScoreMapping"},"rule_id":{"$ref":"#/components/schemas/Security_Detections_API_RuleSignatureId"},"rule_name_override":{"$ref":"#/components/schemas/Security_Detections_API_RuleNameOverride"},"setup":{"$ref":"#/components/schemas/Security_Detections_API_SetupGuide"},"severity":{"$ref":"#/components/schemas/Security_Detections_API_Severity"},"severity_mapping":{"$ref":"#/components/schemas/Security_Detections_API_SeverityMapping"},"tags":{"$ref":"#/components/schemas/Security_Detections_API_RuleTagArray"},"threat":{"$ref":"#/components/schemas/Security_Detections_API_ThreatArray"},"throttle":{"$ref":"#/components/schemas/Security_Detections_API_RuleActionThrottle"},"timeline_id":{"$ref":"#/components/schemas/Security_Detections_API_TimelineTemplateId"},"timeline_title":{"$ref":"#/components/schemas/Security_Detections_API_TimelineTemplateTitle"},"timestamp_override":{"$ref":"#/components/schemas/Security_Detections_API_TimestampOverride"},"timestamp_override_fallback_disabled":{"$ref":"#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled"},"to":{"$ref":"#/components/schemas/Security_Detections_API_RuleIntervalTo"},"version":{"$ref":"#/components/schemas/Security_Detections_API_RuleVersion"}},"required":["name","description","risk_score","severity"]},{"$ref":"#/components/schemas/Security_Detections_API_QueryRuleCreateFields"}]},"Security_Detections_API_QueryRuleDefaultableFields":{"type":"object","properties":{"language":{"$ref":"#/components/schemas/Security_Detections_API_KqlQueryLanguage"},"query":{"$ref":"#/components/schemas/Security_Detections_API_RuleQuery"}}},"Security_Detections_API_QueryRuleOptionalFields":{"type":"object","properties":{"alert_suppression":{"$ref":"#/components/schemas/Security_Detections_API_AlertSuppression"},"data_view_id":{"$ref":"#/components/schemas/Security_Detections_API_DataViewId"},"filters":{"$ref":"#/components/schemas/Security_Detections_API_RuleFilterArray"},"index":{"$ref":"#/components/schemas/Security_Detections_API_IndexPatternArray"},"saved_id":{"$ref":"#/components/schemas/Security_Detections_API_SavedQueryId"}}},"Security_Detections_API_QueryRulePatchFields":{"allOf":[{"type":"object","properties":{"type":{"description":"Rule type","enum":["query"],"type":"string"}}},{"$ref":"#/components/schemas/Security_Detections_API_QueryRuleOptionalFields"},{"$ref":"#/components/schemas/Security_Detections_API_QueryRuleDefaultableFields"}]},"Security_Detections_API_QueryRulePatchProps":{"allOf":[{"type":"object","properties":{"actions":{"description":"Array defining the automated actions (notifications) taken when alerts are generated.","items":{"$ref":"#/components/schemas/Security_Detections_API_RuleAction"},"type":"array"},"alias_purpose":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose"},"alias_target_id":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId"},"author":{"$ref":"#/components/schemas/Security_Detections_API_RuleAuthorArray"},"building_block_type":{"$ref":"#/components/schemas/Security_Detections_API_BuildingBlockType"},"description":{"$ref":"#/components/schemas/Security_Detections_API_RuleDescription"},"enabled":{"$ref":"#/components/schemas/Security_Detections_API_IsRuleEnabled"},"exceptions_list":{"items":{"$ref":"#/components/schemas/Security_Detections_API_RuleExceptionList"},"type":"array"},"false_positives":{"$ref":"#/components/schemas/Security_Detections_API_RuleFalsePositiveArray"},"from":{"$ref":"#/components/schemas/Security_Detections_API_RuleIntervalFrom"},"id":{"$ref":"#/components/schemas/Security_Detections_API_UUID"},"interval":{"$ref":"#/components/schemas/Security_Detections_API_RuleInterval"},"investigation_fields":{"$ref":"#/components/schemas/Security_Detections_API_InvestigationFields"},"license":{"$ref":"#/components/schemas/Security_Detections_API_RuleLicense"},"max_signals":{"$ref":"#/components/schemas/Security_Detections_API_MaxSignals"},"meta":{"$ref":"#/components/schemas/Security_Detections_API_RuleMetadata"},"name":{"$ref":"#/components/schemas/Security_Detections_API_RuleName"},"namespace":{"$ref":"#/components/schemas/Security_Detections_API_AlertsIndexNamespace"},"note":{"$ref":"#/components/schemas/Security_Detections_API_InvestigationGuide"},"outcome":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome"},"output_index":{"$ref":"#/components/schemas/Security_Detections_API_AlertsIndex"},"references":{"$ref":"#/components/schemas/Security_Detections_API_RuleReferenceArray"},"related_integrations":{"$ref":"#/components/schemas/Security_Detections_API_RelatedIntegrationArray"},"required_fields":{"description":"Elasticsearch fields and their types that need to be present for the rule to function.\n\u003e info\n\u003e The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.\n","items":{"$ref":"#/components/schemas/Security_Detections_API_RequiredFieldInput"},"type":"array"},"response_actions":{"items":{"$ref":"#/components/schemas/Security_Detections_API_ResponseAction"},"type":"array"},"risk_score":{"$ref":"#/components/schemas/Security_Detections_API_RiskScore"},"risk_score_mapping":{"$ref":"#/components/schemas/Security_Detections_API_RiskScoreMapping"},"rule_id":{"$ref":"#/components/schemas/Security_Detections_API_RuleSignatureId"},"rule_name_override":{"$ref":"#/components/schemas/Security_Detections_API_RuleNameOverride"},"setup":{"$ref":"#/components/schemas/Security_Detections_API_SetupGuide"},"severity":{"$ref":"#/components/schemas/Security_Detections_API_Severity"},"severity_mapping":{"$ref":"#/components/schemas/Security_Detections_API_SeverityMapping"},"tags":{"$ref":"#/components/schemas/Security_Detections_API_RuleTagArray"},"threat":{"$ref":"#/components/schemas/Security_Detections_API_ThreatArray"},"throttle":{"$ref":"#/components/schemas/Security_Detections_API_RuleActionThrottle"},"timeline_id":{"$ref":"#/components/schemas/Security_Detections_API_TimelineTemplateId"},"timeline_title":{"$ref":"#/components/schemas/Security_Detections_API_TimelineTemplateTitle"},"timestamp_override":{"$ref":"#/components/schemas/Security_Detections_API_TimestampOverride"},"timestamp_override_fallback_disabled":{"$ref":"#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled"},"to":{"$ref":"#/components/schemas/Security_Detections_API_RuleIntervalTo"},"version":{"$ref":"#/components/schemas/Security_Detections_API_RuleVersion"}}},{"$ref":"#/components/schemas/Security_Detections_API_QueryRulePatchFields"}]},"Security_Detections_API_QueryRuleRequiredFields":{"type":"object","properties":{"type":{"description":"Rule type","enum":["query"],"type":"string"}},"required":["type"]},"Security_Detections_API_QueryRuleResponseFields":{"allOf":[{"$ref":"#/components/schemas/Security_Detections_API_QueryRuleRequiredFields"},{"$ref":"#/components/schemas/Security_Detections_API_QueryRuleOptionalFields"},{"type":"object","properties":{"language":{"$ref":"#/components/schemas/Security_Detections_API_KqlQueryLanguage"},"query":{"$ref":"#/components/schemas/Security_Detections_API_RuleQuery"}},"required":["query","language"]}]},"Security_Detections_API_QueryRuleUpdateProps":{"allOf":[{"type":"object","properties":{"actions":{"description":"Array defining the automated actions (notifications) taken when alerts are generated.","items":{"$ref":"#/components/schemas/Security_Detections_API_RuleAction"},"type":"array"},"alias_purpose":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose"},"alias_target_id":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId"},"author":{"$ref":"#/components/schemas/Security_Detections_API_RuleAuthorArray"},"building_block_type":{"$ref":"#/components/schemas/Security_Detections_API_BuildingBlockType"},"description":{"$ref":"#/components/schemas/Security_Detections_API_RuleDescription"},"enabled":{"$ref":"#/components/schemas/Security_Detections_API_IsRuleEnabled"},"exceptions_list":{"items":{"$ref":"#/components/schemas/Security_Detections_API_RuleExceptionList"},"type":"array"},"false_positives":{"$ref":"#/components/schemas/Security_Detections_API_RuleFalsePositiveArray"},"from":{"$ref":"#/components/schemas/Security_Detections_API_RuleIntervalFrom"},"id":{"$ref":"#/components/schemas/Security_Detections_API_UUID"},"interval":{"$ref":"#/components/schemas/Security_Detections_API_RuleInterval"},"investigation_fields":{"$ref":"#/components/schemas/Security_Detections_API_InvestigationFields"},"license":{"$ref":"#/components/schemas/Security_Detections_API_RuleLicense"},"max_signals":{"$ref":"#/components/schemas/Security_Detections_API_MaxSignals"},"meta":{"$ref":"#/components/schemas/Security_Detections_API_RuleMetadata"},"name":{"$ref":"#/components/schemas/Security_Detections_API_RuleName"},"namespace":{"$ref":"#/components/schemas/Security_Detections_API_AlertsIndexNamespace"},"note":{"$ref":"#/components/schemas/Security_Detections_API_InvestigationGuide"},"outcome":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome"},"output_index":{"$ref":"#/components/schemas/Security_Detections_API_AlertsIndex"},"references":{"$ref":"#/components/schemas/Security_Detections_API_RuleReferenceArray"},"related_integrations":{"$ref":"#/components/schemas/Security_Detections_API_RelatedIntegrationArray"},"required_fields":{"description":"Elasticsearch fields and their types that need to be present for the rule to function.\n\u003e info\n\u003e The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.\n","items":{"$ref":"#/components/schemas/Security_Detections_API_RequiredFieldInput"},"type":"array"},"response_actions":{"items":{"$ref":"#/components/schemas/Security_Detections_API_ResponseAction"},"type":"array"},"risk_score":{"$ref":"#/components/schemas/Security_Detections_API_RiskScore"},"risk_score_mapping":{"$ref":"#/components/schemas/Security_Detections_API_RiskScoreMapping"},"rule_id":{"$ref":"#/components/schemas/Security_Detections_API_RuleSignatureId"},"rule_name_override":{"$ref":"#/components/schemas/Security_Detections_API_RuleNameOverride"},"setup":{"$ref":"#/components/schemas/Security_Detections_API_SetupGuide"},"severity":{"$ref":"#/components/schemas/Security_Detections_API_Severity"},"severity_mapping":{"$ref":"#/components/schemas/Security_Detections_API_SeverityMapping"},"tags":{"$ref":"#/components/schemas/Security_Detections_API_RuleTagArray"},"threat":{"$ref":"#/components/schemas/Security_Detections_API_ThreatArray"},"throttle":{"$ref":"#/components/schemas/Security_Detections_API_RuleActionThrottle"},"timeline_id":{"$ref":"#/components/schemas/Security_Detections_API_TimelineTemplateId"},"timeline_title":{"$ref":"#/components/schemas/Security_Detections_API_TimelineTemplateTitle"},"timestamp_override":{"$ref":"#/components/schemas/Security_Detections_API_TimestampOverride"},"timestamp_override_fallback_disabled":{"$ref":"#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled"},"to":{"$ref":"#/components/schemas/Security_Detections_API_RuleIntervalTo"},"version":{"$ref":"#/components/schemas/Security_Detections_API_RuleVersion"}},"required":["name","description","risk_score","severity"]},{"$ref":"#/components/schemas/Security_Detections_API_QueryRuleCreateFields"}]},"Security_Detections_API_ReasonEnum":{"description":"The reason for closing the alerts","enum":["false_positive","duplicate","true_positive","benign_positive","automated_closure","other"],"type":"string"},"Security_Detections_API_RelatedIntegration":{"description":"Related integration is a potential dependency of a rule. It's assumed that if the user installs\none of the related integrations of a rule, the rule might start to work properly because it will\nhave source events (generated by this integration) potentially matching the rule's query.\n\nNOTE: Proper work is not guaranteed, because a related integration, if installed, can be\nconfigured differently or generate data that is not necessarily relevant for this rule.\n\nRelated integration is a combination of a Fleet package and (optionally) one of the\npackage's \"integrations\" that this package contains. It is represented by 3 properties:\n\n- `package`: name of the package (required, unique id)\n- `version`: version of the package (required, semver-compatible)\n- `integration`: name of the integration of this package (optional, id within the package)\n\nThere are Fleet packages like `windows` that contain only one integration; in this case,\n`integration` should be unspecified. There are also packages like `aws` and `azure` that contain\nseveral integrations; in this case, `integration` should be specified.\n","example":{"integration":"activitylogs","package":"azure","version":"~1.1.6"},"type":"object","properties":{"integration":{"$ref":"#/components/schemas/Security_Detections_API_NonEmptyString"},"package":{"$ref":"#/components/schemas/Security_Detections_API_NonEmptyString"},"version":{"$ref":"#/components/schemas/Security_Detections_API_NonEmptyString"}},"required":["package","version"]},"Security_Detections_API_RelatedIntegrationArray":{"items":{"$ref":"#/components/schemas/Security_Detections_API_RelatedIntegration"},"type":"array"},"Security_Detections_API_RequiredField":{"description":"Describes an Elasticsearch field that is needed for the rule to function.\n\nAlmost all types of Security rules check source event documents for a match to some kind of\nquery or filter. If a document has certain field with certain values, then it's a match and\nthe rule will generate an alert.\n\nRequired field is an event field that must be present in the source indices of a given rule.\n\n@example\nconst standardEcsField: RequiredField = {\n  name: 'event.action',\n  type: 'keyword',\n  ecs: true,\n};\n\n@example\nconst nonEcsField: RequiredField = {\n  name: 'winlog.event_data.AttributeLDAPDisplayName',\n  type: 'keyword',\n  ecs: false,\n};\n","type":"object","properties":{"ecs":{"description":"Indicates whether the field is ECS-compliant. This property is only present in responses. Its value is computed based on field’s name and type.","type":"boolean"},"name":{"description":"Name of an Elasticsearch field","format":"nonempty","minLength":1,"type":"string"},"type":{"description":"Type of the Elasticsearch field","format":"nonempty","minLength":1,"type":"string"}},"required":["name","type","ecs"]},"Security_Detections_API_RequiredFieldArray":{"items":{"$ref":"#/components/schemas/Security_Detections_API_RequiredField"},"type":"array"},"Security_Detections_API_RequiredFieldInput":{"description":"Input parameters to create a RequiredField. Does not include the `ecs` field, because `ecs` is calculated on the backend based on the field name and type.","type":"object","properties":{"name":{"description":"Name of an Elasticsearch field","format":"nonempty","minLength":1,"type":"string"},"type":{"description":"Type of the Elasticsearch field","format":"nonempty","minLength":1,"type":"string"}},"required":["name","type"]},"Security_Detections_API_ResponseAction":{"oneOf":[{"$ref":"#/components/schemas/Security_Detections_API_OsqueryResponseAction"},{"$ref":"#/components/schemas/Security_Detections_API_EndpointResponseAction"}]},"Security_Detections_API_ResponseFields":{"type":"object","properties":{"created_at":{"format":"date-time","type":"string"},"created_by":{"type":"string"},"execution_summary":{"$ref":"#/components/schemas/Security_Detections_API_RuleExecutionSummary"},"id":{"$ref":"#/components/schemas/Security_Detections_API_UUID"},"immutable":{"$ref":"#/components/schemas/Security_Detections_API_IsRuleImmutable"},"required_fields":{"$ref":"#/components/schemas/Security_Detections_API_RequiredFieldArray"},"revision":{"$ref":"#/components/schemas/Security_Detections_API_RuleRevision"},"rule_id":{"$ref":"#/components/schemas/Security_Detections_API_RuleSignatureId"},"rule_source":{"$ref":"#/components/schemas/Security_Detections_API_RuleSource"},"updated_at":{"format":"date-time","type":"string"},"updated_by":{"type":"string"}},"required":["id","rule_id","immutable","rule_source","updated_at","updated_by","created_at","created_by","revision","related_integrations","required_fields"]},"Security_Detections_API_RiskScore":{"description":"A numerical representation of the alert's severity from 0 to 100, where:\n* `0` - `21` represents low severity\n* `22` - `47` represents medium severity\n* `48` - `73` represents high severity\n* `74` - `100` represents critical severity\n","maximum":100,"minimum":0,"type":"integer"},"Security_Detections_API_RiskScoreMapping":{"description":"Overrides generated alerts' risk_score with a value from the source event","items":{"type":"object","properties":{"field":{"description":"Source event field used to override the default `risk_score`.","type":"string"},"operator":{"enum":["equals"],"type":"string"},"risk_score":{"$ref":"#/components/schemas/Security_Detections_API_RiskScore"},"value":{"type":"string"}},"required":["field","operator","value"]},"type":"array"},"Security_Detections_API_RuleAction":{"type":"object","properties":{"action_type_id":{"description":"The action type used for sending notifications, can be:\n\n  - `.slack`\n  - `.slack_api`\n  - `.email`\n  - `.index`\n  - `.pagerduty`\n  - `.swimlane`\n  - `.webhook`\n  - `.servicenow`\n  - `.servicenow-itom`\n  - `.servicenow-sir`\n  - `.jira`\n  - `.resilient`\n  - `.opsgenie`\n  - `.teams`\n  - `.torq`\n  - `.tines`\n  - `.d3security`\n","type":"string"},"alerts_filter":{"$ref":"#/components/schemas/Security_Detections_API_RuleActionAlertsFilter"},"frequency":{"$ref":"#/components/schemas/Security_Detections_API_RuleActionFrequency"},"group":{"$ref":"#/components/schemas/Security_Detections_API_RuleActionGroup"},"id":{"$ref":"#/components/schemas/Security_Detections_API_RuleActionId"},"params":{"$ref":"#/components/schemas/Security_Detections_API_RuleActionParams"},"uuid":{"$ref":"#/components/schemas/Security_Detections_API_NonEmptyString"}},"required":["action_type_id","id","params"]},"Security_Detections_API_RuleActionAlertsFilter":{"additionalProperties":true,"description":"Object containing an action’s conditional filters.\n\n- `timeframe` (object, optional): Object containing the time frame for when this action can be run.\n    - `days` (array of integers, required): List of days of the week on which this action will be run. Days of the week are expressed as numbers between `1-7`, where `1` is Monday and `7` is Sunday. To select all days of the week, enter an empty array.\n    - `hours` (object, required): The hours of the day during which this action will run. Hours of the day are expressed as two strings in the format `hh:mm` in `24` hour time. A start of `00:00` and an end of `24:00` means the action can run all day.\n        - start (string, required): Start time in `hh:mm` format.\n        - end (string, required): End time in `hh:mm` format.\n    - `timezone` (string, required): An ISO timezone name, such as `Europe/Madrid` or `America/New_York`. Specific offsets such as `UTC` or `UTC+1` will also work, but lack built-in DST.\n- `query` (object, optional): Object containing a query filter which gets applied to an action and determines whether the action should run.\n    - `kql` (string, required): A KQL string.\n    - `filters` (array of objects, required): Array of filter objects, as defined in the `kbn-es-query` package.\n","type":"object"},"Security_Detections_API_RuleActionFrequency":{"description":"The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).","type":"object","properties":{"notifyWhen":{"$ref":"#/components/schemas/Security_Detections_API_RuleActionNotifyWhen"},"summary":{"description":"Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert","type":"boolean"},"throttle":{"$ref":"#/components/schemas/Security_Detections_API_RuleActionThrottle","nullable":true}},"required":["summary","notifyWhen","throttle"]},"Security_Detections_API_RuleActionGroup":{"description":"Optionally groups actions by use cases. Use `default` for alert notifications.","type":"string"},"Security_Detections_API_RuleActionId":{"description":"The connector ID.","type":"string"},"Security_Detections_API_RuleActionNotifyWhen":{"description":"Defines how often rules run actions.","enum":["onActiveAlert","onThrottleInterval","onActionGroupChange"],"type":"string"},"Security_Detections_API_RuleActionParams":{"additionalProperties":true,"description":"Object containing the allowed connector fields, which varies according to the connector type.\n\nFor Slack:\n\n  - `message` (string, required): The notification message.\n\nFor email:\n\n  - `to`, `cc`, `bcc` (string): Email addresses to which the notifications are sent. At least one field must have a value.\n  - `subject` (string, optional): Email subject line.\n  - `message` (string, required): Email body text.\n\nFor Webhook:\n\n  - `body` (string, required): JSON payload.\n\nFor PagerDuty:\n\n  - `severity` (string, required): Severity of on the alert notification, can be: `Critical`, `Error`, `Warning` or `Info`.\n  - `eventAction` (string, required): Event [action type](https://v2.developer.pagerduty.com/docs/events-api-v2#event-action), which can be `trigger`, `resolve`, or `acknowledge`.\n  - `dedupKey` (string, optional): Groups alert notifications with the same PagerDuty alert.\n  - `timestamp` (DateTime, optional): ISO-8601 format [timestamp](https://v2.developer.pagerduty.com/docs/types#datetime).\n  - `component` (string, optional): Source machine component responsible for the event, for example `security-solution`.\n  - `group` (string, optional): Enables logical grouping of service components.\n  - `source` (string, optional): The affected system. Defaults to the Kibana saved object ID of the action.\n  - `summary` (string, options): Summary of the event. Defaults to `No summary provided`. Maximum length is 1024 characters.\n  - `class` (string, optional): Value indicating the class/type of the event.\n","type":"object"},"Security_Detections_API_RuleActionThrottle":{"description":"Defines how often rule actions are taken.","oneOf":[{"enum":["no_actions","rule"],"type":"string"},{"description":"Time interval in seconds, minutes, hours, or days.","example":"1h","pattern":"^[1-9]\\d*[smhd]$","type":"string"}]},"Security_Detections_API_RuleAuthorArray":{"description":"The rule’s author.","items":{"type":"string"},"type":"array"},"Security_Detections_API_RuleCreateProps":{"anyOf":[{"$ref":"#/components/schemas/Security_Detections_API_EqlRuleCreateProps"},{"$ref":"#/components/schemas/Security_Detections_API_QueryRuleCreateProps"},{"$ref":"#/components/schemas/Security_Detections_API_SavedQueryRuleCreateProps"},{"$ref":"#/components/schemas/Security_Detections_API_ThresholdRuleCreateProps"},{"$ref":"#/components/schemas/Security_Detections_API_ThreatMatchRuleCreateProps"},{"$ref":"#/components/schemas/Security_Detections_API_MachineLearningRuleCreateProps"},{"$ref":"#/components/schemas/Security_Detections_API_NewTermsRuleCreateProps"},{"$ref":"#/components/schemas/Security_Detections_API_EsqlRuleCreateProps"}],"discriminator":{"propertyName":"type"}},"Security_Detections_API_RuleDescription":{"description":"The rule’s description.","example":"Detects anomalous Windows process creation events.","minLength":1,"type":"string"},"Security_Detections_API_RuleDetailsInError":{"type":"object","properties":{"id":{"type":"string"},"name":{"type":"string"}},"required":["id"]},"Security_Detections_API_RuleExceptionList":{"description":"Array of [exception containers](https://www.elastic.co/guide/en/security/current/exceptions-api-overview.html), which define exceptions that prevent the rule from generating alerts even when its other criteria are met.\n","type":"object","properties":{"id":{"description":"ID of the exception container","format":"nonempty","minLength":1,"type":"string"},"list_id":{"description":"List ID of the exception container","format":"nonempty","minLength":1,"type":"string"},"namespace_type":{"description":"Determines the exceptions validity in rule's Kibana space","enum":["agnostic","single"],"type":"string"},"type":{"$ref":"#/components/schemas/Security_Detections_API_ExceptionListType"}},"required":["id","list_id","type","namespace_type"]},"Security_Detections_API_RuleExecutionMetrics":{"type":"object","properties":{"execution_gap_duration_s":{"description":"Duration in seconds of execution gap","minimum":0,"type":"integer"},"frozen_indices_queried_count":{"description":"Count of frozen indices queried during the rule execution. These indices could not be entirely excluded after applying the time range filter.","minimum":0,"type":"integer"},"gap_range":{"description":"Range of the execution gap","type":"object","properties":{"gte":{"description":"Start date of the execution gap","type":"string"},"lte":{"description":"End date of the execution gap","type":"string"}},"required":["gte","lte"]},"total_enrichment_duration_ms":{"description":"Total time spent enriching documents during current rule execution cycle","minimum":0,"type":"integer"},"total_indexing_duration_ms":{"description":"Total time spent indexing documents during current rule execution cycle","minimum":0,"type":"integer"},"total_search_duration_ms":{"description":"Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response","minimum":0,"type":"integer"}}},"Security_Detections_API_RuleExecutionStatus":{"description":"Custom execution status of Security rules that is different from the status used in the Alerting Framework. We merge our custom status with the Framework's status to determine the resulting status of a rule.\n- going to run - @deprecated Replaced by the 'running' status but left for backwards compatibility with rule execution events already written to Event Log in the prior versions of Kibana. Don't use when writing rule status changes.\n- running - Rule execution started but not reached any intermediate or final status.\n- partial failure - Rule can partially fail for various reasons either in the middle of an execution (in this case we update its status right away) or in the end of it. So currently this status can be both intermediate and final at the same time. A typical reason for a partial failure: not all the indices that the rule searches over actually exist.\n- failed - Rule failed to execute due to unhandled exception or a reason defined in the business logic of its executor function.\n- succeeded - Rule executed successfully without any issues. Note: this status is just an indication of a rule's \"health\". The rule might or might not generate any alerts despite of it.","enum":["going to run","running","partial failure","failed","succeeded"],"type":"string"},"Security_Detections_API_RuleExecutionStatusOrder":{"type":"integer"},"Security_Detections_API_RuleExecutionSummary":{"description":"Summary of the last execution of a rule.\n\u003e info\n\u003e This field is under development and its usage or schema may change\n","type":"object","properties":{"last_execution":{"type":"object","properties":{"date":{"description":"Date of the last execution","format":"date-time","type":"string"},"message":{"type":"string"},"metrics":{"$ref":"#/components/schemas/Security_Detections_API_RuleExecutionMetrics"},"status":{"$ref":"#/components/schemas/Security_Detections_API_RuleExecutionStatus","description":"Status of the last execution"},"status_order":{"$ref":"#/components/schemas/Security_Detections_API_RuleExecutionStatusOrder"}},"required":["date","status","status_order","message","metrics"]}},"required":["last_execution"]},"Security_Detections_API_RuleFalsePositiveArray":{"description":"String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array.","items":{"type":"string"},"type":"array"},"Security_Detections_API_RuleFilterArray":{"description":"The query and filter context array used to define the conditions for when alerts are created from events. Defaults to an empty array.\n\u003e info\n\u003e This field is not supported for ES|QL rules.\n","items":{},"type":"array"},"Security_Detections_API_RuleInterval":{"description":"Frequency of rule execution, using a date math range. For example, \"1h\" means the rule runs every hour. Defaults to 5m (5 minutes).","type":"string"},"Security_Detections_API_RuleIntervalFrom":{"description":"Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).","format":"date-math","type":"string"},"Security_Detections_API_RuleIntervalTo":{"type":"string"},"Security_Detections_API_RuleLicense":{"description":"The rule's license.","type":"string"},"Security_Detections_API_RuleMetadata":{"additionalProperties":true,"description":"Placeholder for metadata about the rule.\n\u003e info\n\u003e This field is overwritten when you save changes to the rule’s settings.\n","type":"object"},"Security_Detections_API_RuleName":{"description":"A human-readable name for the rule.","example":"Anomalous Windows Process Creation","minLength":1,"type":"string"},"Security_Detections_API_RuleNameOverride":{"description":"Sets which field in the source event is used to populate the alert's `signal.rule.name` value (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’s `name` value is used. The source field must be a string data type.","type":"string"},"Security_Detections_API_RuleObjectId":{"$ref":"#/components/schemas/Security_Detections_API_UUID","description":"A dynamic unique identifier for the rule object. It is randomly generated when a rule is created and cannot be changed after that. It is always a UUID. It is unique within a given Kibana space. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have different object `id`s."},"Security_Detections_API_RulePatchProps":{"anyOf":[{"$ref":"#/components/schemas/Security_Detections_API_EqlRulePatchProps"},{"$ref":"#/components/schemas/Security_Detections_API_QueryRulePatchProps"},{"$ref":"#/components/schemas/Security_Detections_API_SavedQueryRulePatchProps"},{"$ref":"#/components/schemas/Security_Detections_API_ThresholdRulePatchProps"},{"$ref":"#/components/schemas/Security_Detections_API_ThreatMatchRulePatchProps"},{"$ref":"#/components/schemas/Security_Detections_API_MachineLearningRulePatchProps"},{"$ref":"#/components/schemas/Security_Detections_API_NewTermsRulePatchProps"},{"$ref":"#/components/schemas/Security_Detections_API_EsqlRulePatchProps"}]},"Security_Detections_API_RulePreviewLoggedRequest":{"type":"object","properties":{"description":{"$ref":"#/components/schemas/Security_Detections_API_NonEmptyString"},"duration":{"type":"integer"},"request":{"$ref":"#/components/schemas/Security_Detections_API_NonEmptyString"},"request_type":{"$ref":"#/components/schemas/Security_Detections_API_NonEmptyString"}}},"Security_Detections_API_RulePreviewLogs":{"type":"object","properties":{"duration":{"description":"Execution duration in milliseconds","type":"integer"},"errors":{"items":{"$ref":"#/components/schemas/Security_Detections_API_NonEmptyString"},"type":"array"},"requests":{"items":{"$ref":"#/components/schemas/Security_Detections_API_RulePreviewLoggedRequest"},"type":"array"},"startedAt":{"$ref":"#/components/schemas/Security_Detections_API_NonEmptyString"},"warnings":{"items":{"$ref":"#/components/schemas/Security_Detections_API_NonEmptyString"},"type":"array"}},"required":["errors","warnings","duration"]},"Security_Detections_API_RulePreviewParams":{"type":"object","properties":{"invocationCount":{"type":"integer"},"timeframeEnd":{"format":"date-time","type":"string"}},"required":["invocationCount","timeframeEnd"]},"Security_Detections_API_RuleQuery":{"description":"[Query](https://www.elastic.co/guide/en/kibana/8.17/search.html) used by the rule to create alerts.\n\n- For indicator match rules, only the query’s results are used to determine whether an alert is generated.\n- ES|QL rules have additional query requirements. Refer to [Create ES|QL](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-esql-rule) rules for more information.\n","type":"string"},"Security_Detections_API_RuleReferenceArray":{"description":"Array containing notes about or references to relevant information about the rule. Defaults to an empty array.","items":{"type":"string"},"type":"array"},"Security_Detections_API_RuleResponse":{"anyOf":[{"$ref":"#/components/schemas/Security_Detections_API_EqlRule"},{"$ref":"#/components/schemas/Security_Detections_API_QueryRule"},{"$ref":"#/components/schemas/Security_Detections_API_SavedQueryRule"},{"$ref":"#/components/schemas/Security_Detections_API_ThresholdRule"},{"$ref":"#/components/schemas/Security_Detections_API_ThreatMatchRule"},{"$ref":"#/components/schemas/Security_Detections_API_MachineLearningRule"},{"$ref":"#/components/schemas/Security_Detections_API_NewTermsRule"},{"$ref":"#/components/schemas/Security_Detections_API_EsqlRule"}],"discriminator":{"propertyName":"type"}},"Security_Detections_API_RuleRevision":{"description":"The rule's revision number.\n\nIt represents the version of rule's object in Kibana. It is set to `0` when the rule is installed or created and then gets incremented on each update.\n\u003e info\n\u003e Not all updates to any rule fields will increment the revision. Only those fields that are considered static `rule parameters` can trigger revision increments. For example, an update to a rule's query or index fields will increment the rule's revision by `1`. However, changes to dynamic or technical fields like enabled or execution_summary will not cause revision increments.\n","minimum":0,"type":"integer"},"Security_Detections_API_RuleSignatureId":{"description":"A stable unique identifier for the rule object. It can be assigned during rule creation. It can be any string, but often is a UUID. It should be unique not only within a given Kibana space, but also across spaces and Elastic environments. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have the same `rule_id`s.","type":"string"},"Security_Detections_API_RuleSource":{"description":"Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.","discriminator":{"propertyName":"type"},"oneOf":[{"$ref":"#/components/schemas/Security_Detections_API_ExternalRuleSource"},{"$ref":"#/components/schemas/Security_Detections_API_InternalRuleSource"}]},"Security_Detections_API_RuleTagArray":{"description":"String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.","items":{"type":"string"},"type":"array"},"Security_Detections_API_RuleUpdateProps":{"anyOf":[{"$ref":"#/components/schemas/Security_Detections_API_EqlRuleUpdateProps"},{"$ref":"#/components/schemas/Security_Detections_API_QueryRuleUpdateProps"},{"$ref":"#/components/schemas/Security_Detections_API_SavedQueryRuleUpdateProps"},{"$ref":"#/components/schemas/Security_Detections_API_ThresholdRuleUpdateProps"},{"$ref":"#/components/schemas/Security_Detections_API_ThreatMatchRuleUpdateProps"},{"$ref":"#/components/schemas/Security_Detections_API_MachineLearningRuleUpdateProps"},{"$ref":"#/components/schemas/Security_Detections_API_NewTermsRuleUpdateProps"},{"$ref":"#/components/schemas/Security_Detections_API_EsqlRuleUpdateProps"}],"discriminator":{"propertyName":"type"}},"Security_Detections_API_RuleVersion":{"description":"The rule's version number.\n\n- For prebuilt rules it represents the version of the rule's content in the source [detection-rules](https://github.com/elastic/detection-rules) repository (and the corresponding `security_detection_engine` Fleet package that is used for distributing prebuilt rules). \n- For custom rules it is set to `1` when the rule is created. \n\u003e info\n\u003e It is not incremented on each update. Compare this to the `revision` field.\n","minimum":1,"type":"integer"},"Security_Detections_API_SavedObjectResolveAliasPurpose":{"enum":["savedObjectConversion","savedObjectImport"],"type":"string"},"Security_Detections_API_SavedObjectResolveAliasTargetId":{"type":"string"},"Security_Detections_API_SavedObjectResolveOutcome":{"enum":["exactMatch","aliasMatch","conflict"],"type":"string"},"Security_Detections_API_SavedQueryId":{"description":"Kibana [saved search](https://www.elastic.co/guide/en/kibana/current/save-open-search.html) used by the rule to create alerts.","type":"string"},"Security_Detections_API_SavedQueryRule":{"allOf":[{"type":"object","properties":{"actions":{"description":"Array defining the automated actions (notifications) taken when alerts are generated.","items":{"$ref":"#/components/schemas/Security_Detections_API_RuleAction"},"type":"array"},"alias_purpose":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose"},"alias_target_id":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId"},"author":{"$ref":"#/components/schemas/Security_Detections_API_RuleAuthorArray"},"building_block_type":{"$ref":"#/components/schemas/Security_Detections_API_BuildingBlockType"},"description":{"$ref":"#/components/schemas/Security_Detections_API_RuleDescription"},"enabled":{"$ref":"#/components/schemas/Security_Detections_API_IsRuleEnabled"},"exceptions_list":{"items":{"$ref":"#/components/schemas/Security_Detections_API_RuleExceptionList"},"type":"array"},"false_positives":{"$ref":"#/components/schemas/Security_Detections_API_RuleFalsePositiveArray"},"from":{"$ref":"#/components/schemas/Security_Detections_API_RuleIntervalFrom"},"interval":{"$ref":"#/components/schemas/Security_Detections_API_RuleInterval"},"investigation_fields":{"$ref":"#/components/schemas/Security_Detections_API_InvestigationFields"},"license":{"$ref":"#/components/schemas/Security_Detections_API_RuleLicense"},"max_signals":{"$ref":"#/components/schemas/Security_Detections_API_MaxSignals"},"meta":{"$ref":"#/components/schemas/Security_Detections_API_RuleMetadata"},"name":{"$ref":"#/components/schemas/Security_Detections_API_RuleName"},"namespace":{"$ref":"#/components/schemas/Security_Detections_API_AlertsIndexNamespace"},"note":{"$ref":"#/components/schemas/Security_Detections_API_InvestigationGuide"},"outcome":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome"},"output_index":{"$ref":"#/components/schemas/Security_Detections_API_AlertsIndex"},"references":{"$ref":"#/components/schemas/Security_Detections_API_RuleReferenceArray"},"related_integrations":{"$ref":"#/components/schemas/Security_Detections_API_RelatedIntegrationArray"},"required_fields":{"description":"Elasticsearch fields and their types that need to be present for the rule to function.\n\u003e info\n\u003e The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.\n","items":{"$ref":"#/components/schemas/Security_Detections_API_RequiredFieldInput"},"type":"array"},"response_actions":{"items":{"$ref":"#/components/schemas/Security_Detections_API_ResponseAction"},"type":"array"},"risk_score":{"$ref":"#/components/schemas/Security_Detections_API_RiskScore"},"risk_score_mapping":{"$ref":"#/components/schemas/Security_Detections_API_RiskScoreMapping"},"rule_name_override":{"$ref":"#/components/schemas/Security_Detections_API_RuleNameOverride"},"setup":{"$ref":"#/components/schemas/Security_Detections_API_SetupGuide"},"severity":{"$ref":"#/components/schemas/Security_Detections_API_Severity"},"severity_mapping":{"$ref":"#/components/schemas/Security_Detections_API_SeverityMapping"},"tags":{"$ref":"#/components/schemas/Security_Detections_API_RuleTagArray"},"threat":{"$ref":"#/components/schemas/Security_Detections_API_ThreatArray"},"throttle":{"$ref":"#/components/schemas/Security_Detections_API_RuleActionThrottle"},"timeline_id":{"$ref":"#/components/schemas/Security_Detections_API_TimelineTemplateId"},"timeline_title":{"$ref":"#/components/schemas/Security_Detections_API_TimelineTemplateTitle"},"timestamp_override":{"$ref":"#/components/schemas/Security_Detections_API_TimestampOverride"},"timestamp_override_fallback_disabled":{"$ref":"#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled"},"to":{"$ref":"#/components/schemas/Security_Detections_API_RuleIntervalTo"},"version":{"$ref":"#/components/schemas/Security_Detections_API_RuleVersion"}},"required":["name","description","risk_score","severity","version","tags","enabled","risk_score_mapping","severity_mapping","interval","from","to","actions","exceptions_list","author","false_positives","references","max_signals","threat","setup","related_integrations","required_fields"]},{"$ref":"#/components/schemas/Security_Detections_API_ResponseFields"},{"$ref":"#/components/schemas/Security_Detections_API_SavedQueryRuleResponseFields"}]},"Security_Detections_API_SavedQueryRuleCreateFields":{"allOf":[{"$ref":"#/components/schemas/Security_Detections_API_SavedQueryRuleRequiredFields"},{"$ref":"#/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields"},{"$ref":"#/components/schemas/Security_Detections_API_SavedQueryRuleDefaultableFields"}]},"Security_Detections_API_SavedQueryRuleCreateProps":{"allOf":[{"type":"object","properties":{"actions":{"description":"Array defining the automated actions (notifications) taken when alerts are generated.","items":{"$ref":"#/components/schemas/Security_Detections_API_RuleAction"},"type":"array"},"alias_purpose":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose"},"alias_target_id":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId"},"author":{"$ref":"#/components/schemas/Security_Detections_API_RuleAuthorArray"},"building_block_type":{"$ref":"#/components/schemas/Security_Detections_API_BuildingBlockType"},"description":{"$ref":"#/components/schemas/Security_Detections_API_RuleDescription"},"enabled":{"$ref":"#/components/schemas/Security_Detections_API_IsRuleEnabled"},"exceptions_list":{"items":{"$ref":"#/components/schemas/Security_Detections_API_RuleExceptionList"},"type":"array"},"false_positives":{"$ref":"#/components/schemas/Security_Detections_API_RuleFalsePositiveArray"},"from":{"$ref":"#/components/schemas/Security_Detections_API_RuleIntervalFrom"},"interval":{"$ref":"#/components/schemas/Security_Detections_API_RuleInterval"},"investigation_fields":{"$ref":"#/components/schemas/Security_Detections_API_InvestigationFields"},"license":{"$ref":"#/components/schemas/Security_Detections_API_RuleLicense"},"max_signals":{"$ref":"#/components/schemas/Security_Detections_API_MaxSignals"},"meta":{"$ref":"#/components/schemas/Security_Detections_API_RuleMetadata"},"name":{"$ref":"#/components/schemas/Security_Detections_API_RuleName"},"namespace":{"$ref":"#/components/schemas/Security_Detections_API_AlertsIndexNamespace"},"note":{"$ref":"#/components/schemas/Security_Detections_API_InvestigationGuide"},"outcome":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome"},"output_index":{"$ref":"#/components/schemas/Security_Detections_API_AlertsIndex"},"references":{"$ref":"#/components/schemas/Security_Detections_API_RuleReferenceArray"},"related_integrations":{"$ref":"#/components/schemas/Security_Detections_API_RelatedIntegrationArray"},"required_fields":{"description":"Elasticsearch fields and their types that need to be present for the rule to function.\n\u003e info\n\u003e The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.\n","items":{"$ref":"#/components/schemas/Security_Detections_API_RequiredFieldInput"},"type":"array"},"response_actions":{"items":{"$ref":"#/components/schemas/Security_Detections_API_ResponseAction"},"type":"array"},"risk_score":{"$ref":"#/components/schemas/Security_Detections_API_RiskScore"},"risk_score_mapping":{"$ref":"#/components/schemas/Security_Detections_API_RiskScoreMapping"},"rule_id":{"$ref":"#/components/schemas/Security_Detections_API_RuleSignatureId"},"rule_name_override":{"$ref":"#/components/schemas/Security_Detections_API_RuleNameOverride"},"setup":{"$ref":"#/components/schemas/Security_Detections_API_SetupGuide"},"severity":{"$ref":"#/components/schemas/Security_Detections_API_Severity"},"severity_mapping":{"$ref":"#/components/schemas/Security_Detections_API_SeverityMapping"},"tags":{"$ref":"#/components/schemas/Security_Detections_API_RuleTagArray"},"threat":{"$ref":"#/components/schemas/Security_Detections_API_ThreatArray"},"throttle":{"$ref":"#/components/schemas/Security_Detections_API_RuleActionThrottle"},"timeline_id":{"$ref":"#/components/schemas/Security_Detections_API_TimelineTemplateId"},"timeline_title":{"$ref":"#/components/schemas/Security_Detections_API_TimelineTemplateTitle"},"timestamp_override":{"$ref":"#/components/schemas/Security_Detections_API_TimestampOverride"},"timestamp_override_fallback_disabled":{"$ref":"#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled"},"to":{"$ref":"#/components/schemas/Security_Detections_API_RuleIntervalTo"},"version":{"$ref":"#/components/schemas/Security_Detections_API_RuleVersion"}},"required":["name","description","risk_score","severity"]},{"$ref":"#/components/schemas/Security_Detections_API_SavedQueryRuleCreateFields"}]},"Security_Detections_API_SavedQueryRuleDefaultableFields":{"type":"object","properties":{"language":{"$ref":"#/components/schemas/Security_Detections_API_KqlQueryLanguage"}}},"Security_Detections_API_SavedQueryRuleOptionalFields":{"type":"object","properties":{"alert_suppression":{"$ref":"#/components/schemas/Security_Detections_API_AlertSuppression"},"data_view_id":{"$ref":"#/components/schemas/Security_Detections_API_DataViewId"},"filters":{"$ref":"#/components/schemas/Security_Detections_API_RuleFilterArray"},"index":{"$ref":"#/components/schemas/Security_Detections_API_IndexPatternArray"},"query":{"$ref":"#/components/schemas/Security_Detections_API_RuleQuery"}}},"Security_Detections_API_SavedQueryRulePatchFields":{"allOf":[{"type":"object","properties":{"saved_id":{"$ref":"#/components/schemas/Security_Detections_API_SavedQueryId"},"type":{"description":"Rule type","enum":["saved_query"],"type":"string"}}},{"$ref":"#/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields"},{"$ref":"#/components/schemas/Security_Detections_API_SavedQueryRuleDefaultableFields"}]},"Security_Detections_API_SavedQueryRulePatchProps":{"allOf":[{"type":"object","properties":{"actions":{"description":"Array defining the automated actions (notifications) taken when alerts are generated.","items":{"$ref":"#/components/schemas/Security_Detections_API_RuleAction"},"type":"array"},"alias_purpose":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose"},"alias_target_id":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId"},"author":{"$ref":"#/components/schemas/Security_Detections_API_RuleAuthorArray"},"building_block_type":{"$ref":"#/components/schemas/Security_Detections_API_BuildingBlockType"},"description":{"$ref":"#/components/schemas/Security_Detections_API_RuleDescription"},"enabled":{"$ref":"#/components/schemas/Security_Detections_API_IsRuleEnabled"},"exceptions_list":{"items":{"$ref":"#/components/schemas/Security_Detections_API_RuleExceptionList"},"type":"array"},"false_positives":{"$ref":"#/components/schemas/Security_Detections_API_RuleFalsePositiveArray"},"from":{"$ref":"#/components/schemas/Security_Detections_API_RuleIntervalFrom"},"id":{"$ref":"#/components/schemas/Security_Detections_API_UUID"},"interval":{"$ref":"#/components/schemas/Security_Detections_API_RuleInterval"},"investigation_fields":{"$ref":"#/components/schemas/Security_Detections_API_InvestigationFields"},"license":{"$ref":"#/components/schemas/Security_Detections_API_RuleLicense"},"max_signals":{"$ref":"#/components/schemas/Security_Detections_API_MaxSignals"},"meta":{"$ref":"#/components/schemas/Security_Detections_API_RuleMetadata"},"name":{"$ref":"#/components/schemas/Security_Detections_API_RuleName"},"namespace":{"$ref":"#/components/schemas/Security_Detections_API_AlertsIndexNamespace"},"note":{"$ref":"#/components/schemas/Security_Detections_API_InvestigationGuide"},"outcome":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome"},"output_index":{"$ref":"#/components/schemas/Security_Detections_API_AlertsIndex"},"references":{"$ref":"#/components/schemas/Security_Detections_API_RuleReferenceArray"},"related_integrations":{"$ref":"#/components/schemas/Security_Detections_API_RelatedIntegrationArray"},"required_fields":{"description":"Elasticsearch fields and their types that need to be present for the rule to function.\n\u003e info\n\u003e The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.\n","items":{"$ref":"#/components/schemas/Security_Detections_API_RequiredFieldInput"},"type":"array"},"response_actions":{"items":{"$ref":"#/components/schemas/Security_Detections_API_ResponseAction"},"type":"array"},"risk_score":{"$ref":"#/components/schemas/Security_Detections_API_RiskScore"},"risk_score_mapping":{"$ref":"#/components/schemas/Security_Detections_API_RiskScoreMapping"},"rule_id":{"$ref":"#/components/schemas/Security_Detections_API_RuleSignatureId"},"rule_name_override":{"$ref":"#/components/schemas/Security_Detections_API_RuleNameOverride"},"setup":{"$ref":"#/components/schemas/Security_Detections_API_SetupGuide"},"severity":{"$ref":"#/components/schemas/Security_Detections_API_Severity"},"severity_mapping":{"$ref":"#/components/schemas/Security_Detections_API_SeverityMapping"},"tags":{"$ref":"#/components/schemas/Security_Detections_API_RuleTagArray"},"threat":{"$ref":"#/components/schemas/Security_Detections_API_ThreatArray"},"throttle":{"$ref":"#/components/schemas/Security_Detections_API_RuleActionThrottle"},"timeline_id":{"$ref":"#/components/schemas/Security_Detections_API_TimelineTemplateId"},"timeline_title":{"$ref":"#/components/schemas/Security_Detections_API_TimelineTemplateTitle"},"timestamp_override":{"$ref":"#/components/schemas/Security_Detections_API_TimestampOverride"},"timestamp_override_fallback_disabled":{"$ref":"#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled"},"to":{"$ref":"#/components/schemas/Security_Detections_API_RuleIntervalTo"},"version":{"$ref":"#/components/schemas/Security_Detections_API_RuleVersion"}}},{"$ref":"#/components/schemas/Security_Detections_API_SavedQueryRulePatchFields"}]},"Security_Detections_API_SavedQueryRuleRequiredFields":{"type":"object","properties":{"saved_id":{"$ref":"#/components/schemas/Security_Detections_API_SavedQueryId"},"type":{"description":"Rule type","enum":["saved_query"],"type":"string"}},"required":["type","saved_id"]},"Security_Detections_API_SavedQueryRuleResponseFields":{"allOf":[{"$ref":"#/components/schemas/Security_Detections_API_SavedQueryRuleRequiredFields"},{"$ref":"#/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields"},{"type":"object","properties":{"language":{"$ref":"#/components/schemas/Security_Detections_API_KqlQueryLanguage"}},"required":["language"]}]},"Security_Detections_API_SavedQueryRuleUpdateProps":{"allOf":[{"type":"object","properties":{"actions":{"description":"Array defining the automated actions (notifications) taken when alerts are generated.","items":{"$ref":"#/components/schemas/Security_Detections_API_RuleAction"},"type":"array"},"alias_purpose":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose"},"alias_target_id":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId"},"author":{"$ref":"#/components/schemas/Security_Detections_API_RuleAuthorArray"},"building_block_type":{"$ref":"#/components/schemas/Security_Detections_API_BuildingBlockType"},"description":{"$ref":"#/components/schemas/Security_Detections_API_RuleDescription"},"enabled":{"$ref":"#/components/schemas/Security_Detections_API_IsRuleEnabled"},"exceptions_list":{"items":{"$ref":"#/components/schemas/Security_Detections_API_RuleExceptionList"},"type":"array"},"false_positives":{"$ref":"#/components/schemas/Security_Detections_API_RuleFalsePositiveArray"},"from":{"$ref":"#/components/schemas/Security_Detections_API_RuleIntervalFrom"},"id":{"$ref":"#/components/schemas/Security_Detections_API_UUID"},"interval":{"$ref":"#/components/schemas/Security_Detections_API_RuleInterval"},"investigation_fields":{"$ref":"#/components/schemas/Security_Detections_API_InvestigationFields"},"license":{"$ref":"#/components/schemas/Security_Detections_API_RuleLicense"},"max_signals":{"$ref":"#/components/schemas/Security_Detections_API_MaxSignals"},"meta":{"$ref":"#/components/schemas/Security_Detections_API_RuleMetadata"},"name":{"$ref":"#/components/schemas/Security_Detections_API_RuleName"},"namespace":{"$ref":"#/components/schemas/Security_Detections_API_AlertsIndexNamespace"},"note":{"$ref":"#/components/schemas/Security_Detections_API_InvestigationGuide"},"outcome":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome"},"output_index":{"$ref":"#/components/schemas/Security_Detections_API_AlertsIndex"},"references":{"$ref":"#/components/schemas/Security_Detections_API_RuleReferenceArray"},"related_integrations":{"$ref":"#/components/schemas/Security_Detections_API_RelatedIntegrationArray"},"required_fields":{"description":"Elasticsearch fields and their types that need to be present for the rule to function.\n\u003e info\n\u003e The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.\n","items":{"$ref":"#/components/schemas/Security_Detections_API_RequiredFieldInput"},"type":"array"},"response_actions":{"items":{"$ref":"#/components/schemas/Security_Detections_API_ResponseAction"},"type":"array"},"risk_score":{"$ref":"#/components/schemas/Security_Detections_API_RiskScore"},"risk_score_mapping":{"$ref":"#/components/schemas/Security_Detections_API_RiskScoreMapping"},"rule_id":{"$ref":"#/components/schemas/Security_Detections_API_RuleSignatureId"},"rule_name_override":{"$ref":"#/components/schemas/Security_Detections_API_RuleNameOverride"},"setup":{"$ref":"#/components/schemas/Security_Detections_API_SetupGuide"},"severity":{"$ref":"#/components/schemas/Security_Detections_API_Severity"},"severity_mapping":{"$ref":"#/components/schemas/Security_Detections_API_SeverityMapping"},"tags":{"$ref":"#/components/schemas/Security_Detections_API_RuleTagArray"},"threat":{"$ref":"#/components/schemas/Security_Detections_API_ThreatArray"},"throttle":{"$ref":"#/components/schemas/Security_Detections_API_RuleActionThrottle"},"timeline_id":{"$ref":"#/components/schemas/Security_Detections_API_TimelineTemplateId"},"timeline_title":{"$ref":"#/components/schemas/Security_Detections_API_TimelineTemplateTitle"},"timestamp_override":{"$ref":"#/components/schemas/Security_Detections_API_TimestampOverride"},"timestamp_override_fallback_disabled":{"$ref":"#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled"},"to":{"$ref":"#/components/schemas/Security_Detections_API_RuleIntervalTo"},"version":{"$ref":"#/components/schemas/Security_Detections_API_RuleVersion"}},"required":["name","description","risk_score","severity"]},{"$ref":"#/components/schemas/Security_Detections_API_SavedQueryRuleCreateFields"}]},"Security_Detections_API_SetAlertsStatusByIds":{"discriminator":{"mapping":{"closed":"#/components/schemas/Security_Detections_API_CloseAlertsByIds"},"propertyName":"status"},"oneOf":[{"$ref":"#/components/schemas/Security_Detections_API_CloseAlertsByIds"},{"$ref":"#/components/schemas/Security_Detections_API_SetAlertsStatusByIdsBase"}]},"Security_Detections_API_SetAlertsStatusByIdsBase":{"type":"object","properties":{"signal_ids":{"description":"List of alert ids. Use field `_id` on alert document or `kibana.alert.uuid`. Note: signals are a deprecated term for alerts.","items":{"format":"nonempty","minLength":1,"type":"string"},"minItems":1,"type":"array"},"status":{"$ref":"#/components/schemas/Security_Detections_API_AlertStatusExceptClosed"}},"required":["signal_ids","status"]},"Security_Detections_API_SetAlertsStatusByQuery":{"discriminator":{"mapping":{"closed":"#/components/schemas/Security_Detections_API_CloseAlertsByQuery"},"propertyName":"status"},"oneOf":[{"$ref":"#/components/schemas/Security_Detections_API_CloseAlertsByQuery"},{"$ref":"#/components/schemas/Security_Detections_API_SetAlertsStatusByQueryBase"}]},"Security_Detections_API_SetAlertsStatusByQueryBase":{"type":"object","properties":{"conflicts":{"default":"abort","enum":["abort","proceed"],"type":"string"},"query":{"additionalProperties":true,"type":"object"},"status":{"$ref":"#/components/schemas/Security_Detections_API_AlertStatusExceptClosed"}},"required":["query","status"]},"Security_Detections_API_SetAlertTags":{"description":"Object with list of tags to add and remove.","type":"object","properties":{"tags_to_add":{"$ref":"#/components/schemas/Security_Detections_API_AlertTags"},"tags_to_remove":{"$ref":"#/components/schemas/Security_Detections_API_AlertTags"}},"required":["tags_to_add","tags_to_remove"]},"Security_Detections_API_SetupGuide":{"description":"Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.","type":"string"},"Security_Detections_API_Severity":{"description":"Severity level of alerts produced by the rule, which must be one of the following:\n* `low`: Alerts that are of interest but generally not considered to be security incidents\n* `medium`: Alerts that require investigation\n* `high`: Alerts that require immediate investigation\n* `critical`: Alerts that indicate it is highly likely a security incident has occurred\n","enum":["low","medium","high","critical"],"type":"string"},"Security_Detections_API_SeverityMapping":{"description":"Overrides generated alerts' severity with values from the source event","items":{"type":"object","properties":{"field":{"description":"Source event field used to override the default `severity`.","type":"string"},"operator":{"enum":["equals"],"type":"string"},"severity":{"$ref":"#/components/schemas/Security_Detections_API_Severity"},"value":{"type":"string"}},"required":["field","operator","severity","value"]},"type":"array"},"Security_Detections_API_SiemErrorResponse":{"type":"object","properties":{"message":{"type":"string"},"status_code":{"type":"integer"}},"required":["status_code","message"]},"Security_Detections_API_SkippedAlertsIndexMigration":{"type":"object","properties":{"index":{"type":"string"}},"required":["index"]},"Security_Detections_API_SortOrder":{"enum":["asc","desc"],"type":"string"},"Security_Detections_API_Threat":{"description":"\u003e info\n\u003e Currently, only threats described using the MITRE ATT\u0026CK\u0026trade; framework are supported.\n","type":"object","properties":{"framework":{"description":"Relevant attack framework","type":"string"},"tactic":{"$ref":"#/components/schemas/Security_Detections_API_ThreatTactic"},"technique":{"description":"Array containing information on the attack techniques (optional)","items":{"$ref":"#/components/schemas/Security_Detections_API_ThreatTechnique"},"type":"array"}},"required":["framework","tactic"]},"Security_Detections_API_ThreatArray":{"items":{"$ref":"#/components/schemas/Security_Detections_API_Threat"},"type":"array"},"Security_Detections_API_ThreatFilters":{"items":{"description":"Query and filter context array used to filter documents from the Elasticsearch index containing the threat values"},"type":"array"},"Security_Detections_API_ThreatIndex":{"description":"Elasticsearch indices used to check which field values generate alerts.","items":{"type":"string"},"type":"array"},"Security_Detections_API_ThreatIndicatorPath":{"description":"Defines the path to the threat indicator in the indicator documents (optional)","type":"string"},"Security_Detections_API_ThreatMapping":{"description":"Array of entries objects that define mappings between the source event fields and the values in the Elasticsearch threat index. Each entries object must contain these fields:\n\n- field: field from the event indices on which the rule runs\n- type: must be mapping\n- value: field from the Elasticsearch threat index\n  \nYou can use Boolean and and or logic to define the conditions for when matching fields and values generate alerts. Sibling entries objects are evaluated using or logic, whereas multiple entries in a single entries object use and logic. See Example of Threat Match rule which uses both `and` and `or` logic.\n","items":{"type":"object","properties":{"entries":{"items":{"$ref":"#/components/schemas/Security_Detections_API_ThreatMappingEntry"},"type":"array"}},"required":["entries"]},"minItems":1,"type":"array"},"Security_Detections_API_ThreatMappingEntry":{"type":"object","properties":{"field":{"$ref":"#/components/schemas/Security_Detections_API_NonEmptyString"},"negate":{"type":"boolean"},"type":{"enum":["mapping"],"type":"string"},"value":{"$ref":"#/components/schemas/Security_Detections_API_NonEmptyString"}},"required":["field","type","value"]},"Security_Detections_API_ThreatMatchRule":{"allOf":[{"type":"object","properties":{"actions":{"description":"Array defining the automated actions (notifications) taken when alerts are generated.","items":{"$ref":"#/components/schemas/Security_Detections_API_RuleAction"},"type":"array"},"alias_purpose":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose"},"alias_target_id":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId"},"author":{"$ref":"#/components/schemas/Security_Detections_API_RuleAuthorArray"},"building_block_type":{"$ref":"#/components/schemas/Security_Detections_API_BuildingBlockType"},"description":{"$ref":"#/components/schemas/Security_Detections_API_RuleDescription"},"enabled":{"$ref":"#/components/schemas/Security_Detections_API_IsRuleEnabled"},"exceptions_list":{"items":{"$ref":"#/components/schemas/Security_Detections_API_RuleExceptionList"},"type":"array"},"false_positives":{"$ref":"#/components/schemas/Security_Detections_API_RuleFalsePositiveArray"},"from":{"$ref":"#/components/schemas/Security_Detections_API_RuleIntervalFrom"},"interval":{"$ref":"#/components/schemas/Security_Detections_API_RuleInterval"},"investigation_fields":{"$ref":"#/components/schemas/Security_Detections_API_InvestigationFields"},"license":{"$ref":"#/components/schemas/Security_Detections_API_RuleLicense"},"max_signals":{"$ref":"#/components/schemas/Security_Detections_API_MaxSignals"},"meta":{"$ref":"#/components/schemas/Security_Detections_API_RuleMetadata"},"name":{"$ref":"#/components/schemas/Security_Detections_API_RuleName"},"namespace":{"$ref":"#/components/schemas/Security_Detections_API_AlertsIndexNamespace"},"note":{"$ref":"#/components/schemas/Security_Detections_API_InvestigationGuide"},"outcome":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome"},"output_index":{"$ref":"#/components/schemas/Security_Detections_API_AlertsIndex"},"references":{"$ref":"#/components/schemas/Security_Detections_API_RuleReferenceArray"},"related_integrations":{"$ref":"#/components/schemas/Security_Detections_API_RelatedIntegrationArray"},"required_fields":{"description":"Elasticsearch fields and their types that need to be present for the rule to function.\n\u003e info\n\u003e The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.\n","items":{"$ref":"#/components/schemas/Security_Detections_API_RequiredFieldInput"},"type":"array"},"response_actions":{"items":{"$ref":"#/components/schemas/Security_Detections_API_ResponseAction"},"type":"array"},"risk_score":{"$ref":"#/components/schemas/Security_Detections_API_RiskScore"},"risk_score_mapping":{"$ref":"#/components/schemas/Security_Detections_API_RiskScoreMapping"},"rule_name_override":{"$ref":"#/components/schemas/Security_Detections_API_RuleNameOverride"},"setup":{"$ref":"#/components/schemas/Security_Detections_API_SetupGuide"},"severity":{"$ref":"#/components/schemas/Security_Detections_API_Severity"},"severity_mapping":{"$ref":"#/components/schemas/Security_Detections_API_SeverityMapping"},"tags":{"$ref":"#/components/schemas/Security_Detections_API_RuleTagArray"},"threat":{"$ref":"#/components/schemas/Security_Detections_API_ThreatArray"},"throttle":{"$ref":"#/components/schemas/Security_Detections_API_RuleActionThrottle"},"timeline_id":{"$ref":"#/components/schemas/Security_Detections_API_TimelineTemplateId"},"timeline_title":{"$ref":"#/components/schemas/Security_Detections_API_TimelineTemplateTitle"},"timestamp_override":{"$ref":"#/components/schemas/Security_Detections_API_TimestampOverride"},"timestamp_override_fallback_disabled":{"$ref":"#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled"},"to":{"$ref":"#/components/schemas/Security_Detections_API_RuleIntervalTo"},"version":{"$ref":"#/components/schemas/Security_Detections_API_RuleVersion"}},"required":["name","description","risk_score","severity","version","tags","enabled","risk_score_mapping","severity_mapping","interval","from","to","actions","exceptions_list","author","false_positives","references","max_signals","threat","setup","related_integrations","required_fields"]},{"$ref":"#/components/schemas/Security_Detections_API_ResponseFields"},{"$ref":"#/components/schemas/Security_Detections_API_ThreatMatchRuleResponseFields"}]},"Security_Detections_API_ThreatMatchRuleCreateFields":{"allOf":[{"$ref":"#/components/schemas/Security_Detections_API_ThreatMatchRuleRequiredFields"},{"$ref":"#/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields"},{"$ref":"#/components/schemas/Security_Detections_API_ThreatMatchRuleDefaultableFields"}]},"Security_Detections_API_ThreatMatchRuleCreateProps":{"allOf":[{"type":"object","properties":{"actions":{"description":"Array defining the automated actions (notifications) taken when alerts are generated.","items":{"$ref":"#/components/schemas/Security_Detections_API_RuleAction"},"type":"array"},"alias_purpose":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose"},"alias_target_id":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId"},"author":{"$ref":"#/components/schemas/Security_Detections_API_RuleAuthorArray"},"building_block_type":{"$ref":"#/components/schemas/Security_Detections_API_BuildingBlockType"},"description":{"$ref":"#/components/schemas/Security_Detections_API_RuleDescription"},"enabled":{"$ref":"#/components/schemas/Security_Detections_API_IsRuleEnabled"},"exceptions_list":{"items":{"$ref":"#/components/schemas/Security_Detections_API_RuleExceptionList"},"type":"array"},"false_positives":{"$ref":"#/components/schemas/Security_Detections_API_RuleFalsePositiveArray"},"from":{"$ref":"#/components/schemas/Security_Detections_API_RuleIntervalFrom"},"interval":{"$ref":"#/components/schemas/Security_Detections_API_RuleInterval"},"investigation_fields":{"$ref":"#/components/schemas/Security_Detections_API_InvestigationFields"},"license":{"$ref":"#/components/schemas/Security_Detections_API_RuleLicense"},"max_signals":{"$ref":"#/components/schemas/Security_Detections_API_MaxSignals"},"meta":{"$ref":"#/components/schemas/Security_Detections_API_RuleMetadata"},"name":{"$ref":"#/components/schemas/Security_Detections_API_RuleName"},"namespace":{"$ref":"#/components/schemas/Security_Detections_API_AlertsIndexNamespace"},"note":{"$ref":"#/components/schemas/Security_Detections_API_InvestigationGuide"},"outcome":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome"},"output_index":{"$ref":"#/components/schemas/Security_Detections_API_AlertsIndex"},"references":{"$ref":"#/components/schemas/Security_Detections_API_RuleReferenceArray"},"related_integrations":{"$ref":"#/components/schemas/Security_Detections_API_RelatedIntegrationArray"},"required_fields":{"description":"Elasticsearch fields and their types that need to be present for the rule to function.\n\u003e info\n\u003e The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.\n","items":{"$ref":"#/components/schemas/Security_Detections_API_RequiredFieldInput"},"type":"array"},"response_actions":{"items":{"$ref":"#/components/schemas/Security_Detections_API_ResponseAction"},"type":"array"},"risk_score":{"$ref":"#/components/schemas/Security_Detections_API_RiskScore"},"risk_score_mapping":{"$ref":"#/components/schemas/Security_Detections_API_RiskScoreMapping"},"rule_id":{"$ref":"#/components/schemas/Security_Detections_API_RuleSignatureId"},"rule_name_override":{"$ref":"#/components/schemas/Security_Detections_API_RuleNameOverride"},"setup":{"$ref":"#/components/schemas/Security_Detections_API_SetupGuide"},"severity":{"$ref":"#/components/schemas/Security_Detections_API_Severity"},"severity_mapping":{"$ref":"#/components/schemas/Security_Detections_API_SeverityMapping"},"tags":{"$ref":"#/components/schemas/Security_Detections_API_RuleTagArray"},"threat":{"$ref":"#/components/schemas/Security_Detections_API_ThreatArray"},"throttle":{"$ref":"#/components/schemas/Security_Detections_API_RuleActionThrottle"},"timeline_id":{"$ref":"#/components/schemas/Security_Detections_API_TimelineTemplateId"},"timeline_title":{"$ref":"#/components/schemas/Security_Detections_API_TimelineTemplateTitle"},"timestamp_override":{"$ref":"#/components/schemas/Security_Detections_API_TimestampOverride"},"timestamp_override_fallback_disabled":{"$ref":"#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled"},"to":{"$ref":"#/components/schemas/Security_Detections_API_RuleIntervalTo"},"version":{"$ref":"#/components/schemas/Security_Detections_API_RuleVersion"}},"required":["name","description","risk_score","severity"]},{"$ref":"#/components/schemas/Security_Detections_API_ThreatMatchRuleCreateFields"}]},"Security_Detections_API_ThreatMatchRuleDefaultableFields":{"type":"object","properties":{"language":{"$ref":"#/components/schemas/Security_Detections_API_KqlQueryLanguage"}}},"Security_Detections_API_ThreatMatchRuleOptionalFields":{"type":"object","properties":{"alert_suppression":{"$ref":"#/components/schemas/Security_Detections_API_AlertSuppression"},"concurrent_searches":{"$ref":"#/components/schemas/Security_Detections_API_ConcurrentSearches"},"data_view_id":{"$ref":"#/components/schemas/Security_Detections_API_DataViewId"},"filters":{"$ref":"#/components/schemas/Security_Detections_API_RuleFilterArray"},"index":{"$ref":"#/components/schemas/Security_Detections_API_IndexPatternArray"},"items_per_search":{"$ref":"#/components/schemas/Security_Detections_API_ItemsPerSearch"},"saved_id":{"$ref":"#/components/schemas/Security_Detections_API_SavedQueryId"},"threat_filters":{"$ref":"#/components/schemas/Security_Detections_API_ThreatFilters"},"threat_indicator_path":{"$ref":"#/components/schemas/Security_Detections_API_ThreatIndicatorPath"},"threat_language":{"$ref":"#/components/schemas/Security_Detections_API_KqlQueryLanguage"}}},"Security_Detections_API_ThreatMatchRulePatchFields":{"allOf":[{"type":"object","properties":{"query":{"$ref":"#/components/schemas/Security_Detections_API_RuleQuery"},"threat_index":{"$ref":"#/components/schemas/Security_Detections_API_ThreatIndex"},"threat_mapping":{"$ref":"#/components/schemas/Security_Detections_API_ThreatMapping"},"threat_query":{"$ref":"#/components/schemas/Security_Detections_API_ThreatQuery"},"type":{"description":"Rule type","enum":["threat_match"],"type":"string"}}},{"$ref":"#/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields"},{"$ref":"#/components/schemas/Security_Detections_API_ThreatMatchRuleDefaultableFields"}]},"Security_Detections_API_ThreatMatchRulePatchProps":{"allOf":[{"type":"object","properties":{"actions":{"description":"Array defining the automated actions (notifications) taken when alerts are generated.","items":{"$ref":"#/components/schemas/Security_Detections_API_RuleAction"},"type":"array"},"alias_purpose":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose"},"alias_target_id":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId"},"author":{"$ref":"#/components/schemas/Security_Detections_API_RuleAuthorArray"},"building_block_type":{"$ref":"#/components/schemas/Security_Detections_API_BuildingBlockType"},"description":{"$ref":"#/components/schemas/Security_Detections_API_RuleDescription"},"enabled":{"$ref":"#/components/schemas/Security_Detections_API_IsRuleEnabled"},"exceptions_list":{"items":{"$ref":"#/components/schemas/Security_Detections_API_RuleExceptionList"},"type":"array"},"false_positives":{"$ref":"#/components/schemas/Security_Detections_API_RuleFalsePositiveArray"},"from":{"$ref":"#/components/schemas/Security_Detections_API_RuleIntervalFrom"},"id":{"$ref":"#/components/schemas/Security_Detections_API_UUID"},"interval":{"$ref":"#/components/schemas/Security_Detections_API_RuleInterval"},"investigation_fields":{"$ref":"#/components/schemas/Security_Detections_API_InvestigationFields"},"license":{"$ref":"#/components/schemas/Security_Detections_API_RuleLicense"},"max_signals":{"$ref":"#/components/schemas/Security_Detections_API_MaxSignals"},"meta":{"$ref":"#/components/schemas/Security_Detections_API_RuleMetadata"},"name":{"$ref":"#/components/schemas/Security_Detections_API_RuleName"},"namespace":{"$ref":"#/components/schemas/Security_Detections_API_AlertsIndexNamespace"},"note":{"$ref":"#/components/schemas/Security_Detections_API_InvestigationGuide"},"outcome":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome"},"output_index":{"$ref":"#/components/schemas/Security_Detections_API_AlertsIndex"},"references":{"$ref":"#/components/schemas/Security_Detections_API_RuleReferenceArray"},"related_integrations":{"$ref":"#/components/schemas/Security_Detections_API_RelatedIntegrationArray"},"required_fields":{"description":"Elasticsearch fields and their types that need to be present for the rule to function.\n\u003e info\n\u003e The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.\n","items":{"$ref":"#/components/schemas/Security_Detections_API_RequiredFieldInput"},"type":"array"},"response_actions":{"items":{"$ref":"#/components/schemas/Security_Detections_API_ResponseAction"},"type":"array"},"risk_score":{"$ref":"#/components/schemas/Security_Detections_API_RiskScore"},"risk_score_mapping":{"$ref":"#/components/schemas/Security_Detections_API_RiskScoreMapping"},"rule_id":{"$ref":"#/components/schemas/Security_Detections_API_RuleSignatureId"},"rule_name_override":{"$ref":"#/components/schemas/Security_Detections_API_RuleNameOverride"},"setup":{"$ref":"#/components/schemas/Security_Detections_API_SetupGuide"},"severity":{"$ref":"#/components/schemas/Security_Detections_API_Severity"},"severity_mapping":{"$ref":"#/components/schemas/Security_Detections_API_SeverityMapping"},"tags":{"$ref":"#/components/schemas/Security_Detections_API_RuleTagArray"},"threat":{"$ref":"#/components/schemas/Security_Detections_API_ThreatArray"},"throttle":{"$ref":"#/components/schemas/Security_Detections_API_RuleActionThrottle"},"timeline_id":{"$ref":"#/components/schemas/Security_Detections_API_TimelineTemplateId"},"timeline_title":{"$ref":"#/components/schemas/Security_Detections_API_TimelineTemplateTitle"},"timestamp_override":{"$ref":"#/components/schemas/Security_Detections_API_TimestampOverride"},"timestamp_override_fallback_disabled":{"$ref":"#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled"},"to":{"$ref":"#/components/schemas/Security_Detections_API_RuleIntervalTo"},"version":{"$ref":"#/components/schemas/Security_Detections_API_RuleVersion"}}},{"$ref":"#/components/schemas/Security_Detections_API_ThreatMatchRulePatchFields"}]},"Security_Detections_API_ThreatMatchRuleRequiredFields":{"type":"object","properties":{"query":{"$ref":"#/components/schemas/Security_Detections_API_RuleQuery"},"threat_index":{"$ref":"#/components/schemas/Security_Detections_API_ThreatIndex"},"threat_mapping":{"$ref":"#/components/schemas/Security_Detections_API_ThreatMapping"},"threat_query":{"$ref":"#/components/schemas/Security_Detections_API_ThreatQuery"},"type":{"description":"Rule type","enum":["threat_match"],"type":"string"}},"required":["type","query","threat_query","threat_mapping","threat_index"]},"Security_Detections_API_ThreatMatchRuleResponseFields":{"allOf":[{"$ref":"#/components/schemas/Security_Detections_API_ThreatMatchRuleRequiredFields"},{"$ref":"#/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields"},{"type":"object","properties":{"language":{"$ref":"#/components/schemas/Security_Detections_API_KqlQueryLanguage"}},"required":["language"]}]},"Security_Detections_API_ThreatMatchRuleUpdateProps":{"allOf":[{"type":"object","properties":{"actions":{"description":"Array defining the automated actions (notifications) taken when alerts are generated.","items":{"$ref":"#/components/schemas/Security_Detections_API_RuleAction"},"type":"array"},"alias_purpose":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose"},"alias_target_id":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId"},"author":{"$ref":"#/components/schemas/Security_Detections_API_RuleAuthorArray"},"building_block_type":{"$ref":"#/components/schemas/Security_Detections_API_BuildingBlockType"},"description":{"$ref":"#/components/schemas/Security_Detections_API_RuleDescription"},"enabled":{"$ref":"#/components/schemas/Security_Detections_API_IsRuleEnabled"},"exceptions_list":{"items":{"$ref":"#/components/schemas/Security_Detections_API_RuleExceptionList"},"type":"array"},"false_positives":{"$ref":"#/components/schemas/Security_Detections_API_RuleFalsePositiveArray"},"from":{"$ref":"#/components/schemas/Security_Detections_API_RuleIntervalFrom"},"id":{"$ref":"#/components/schemas/Security_Detections_API_UUID"},"interval":{"$ref":"#/components/schemas/Security_Detections_API_RuleInterval"},"investigation_fields":{"$ref":"#/components/schemas/Security_Detections_API_InvestigationFields"},"license":{"$ref":"#/components/schemas/Security_Detections_API_RuleLicense"},"max_signals":{"$ref":"#/components/schemas/Security_Detections_API_MaxSignals"},"meta":{"$ref":"#/components/schemas/Security_Detections_API_RuleMetadata"},"name":{"$ref":"#/components/schemas/Security_Detections_API_RuleName"},"namespace":{"$ref":"#/components/schemas/Security_Detections_API_AlertsIndexNamespace"},"note":{"$ref":"#/components/schemas/Security_Detections_API_InvestigationGuide"},"outcome":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome"},"output_index":{"$ref":"#/components/schemas/Security_Detections_API_AlertsIndex"},"references":{"$ref":"#/components/schemas/Security_Detections_API_RuleReferenceArray"},"related_integrations":{"$ref":"#/components/schemas/Security_Detections_API_RelatedIntegrationArray"},"required_fields":{"description":"Elasticsearch fields and their types that need to be present for the rule to function.\n\u003e info\n\u003e The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.\n","items":{"$ref":"#/components/schemas/Security_Detections_API_RequiredFieldInput"},"type":"array"},"response_actions":{"items":{"$ref":"#/components/schemas/Security_Detections_API_ResponseAction"},"type":"array"},"risk_score":{"$ref":"#/components/schemas/Security_Detections_API_RiskScore"},"risk_score_mapping":{"$ref":"#/components/schemas/Security_Detections_API_RiskScoreMapping"},"rule_id":{"$ref":"#/components/schemas/Security_Detections_API_RuleSignatureId"},"rule_name_override":{"$ref":"#/components/schemas/Security_Detections_API_RuleNameOverride"},"setup":{"$ref":"#/components/schemas/Security_Detections_API_SetupGuide"},"severity":{"$ref":"#/components/schemas/Security_Detections_API_Severity"},"severity_mapping":{"$ref":"#/components/schemas/Security_Detections_API_SeverityMapping"},"tags":{"$ref":"#/components/schemas/Security_Detections_API_RuleTagArray"},"threat":{"$ref":"#/components/schemas/Security_Detections_API_ThreatArray"},"throttle":{"$ref":"#/components/schemas/Security_Detections_API_RuleActionThrottle"},"timeline_id":{"$ref":"#/components/schemas/Security_Detections_API_TimelineTemplateId"},"timeline_title":{"$ref":"#/components/schemas/Security_Detections_API_TimelineTemplateTitle"},"timestamp_override":{"$ref":"#/components/schemas/Security_Detections_API_TimestampOverride"},"timestamp_override_fallback_disabled":{"$ref":"#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled"},"to":{"$ref":"#/components/schemas/Security_Detections_API_RuleIntervalTo"},"version":{"$ref":"#/components/schemas/Security_Detections_API_RuleVersion"}},"required":["name","description","risk_score","severity"]},{"$ref":"#/components/schemas/Security_Detections_API_ThreatMatchRuleCreateFields"}]},"Security_Detections_API_ThreatQuery":{"description":"Query used to determine which fields in the Elasticsearch index are used for generating alerts.","type":"string"},"Security_Detections_API_ThreatSubtechnique":{"type":"object","properties":{"id":{"description":"Subtechnique ID","type":"string"},"name":{"description":"Subtechnique name","type":"string"},"reference":{"description":"Subtechnique reference","type":"string"}},"required":["id","name","reference"]},"Security_Detections_API_ThreatTactic":{"description":"Object containing information on the attack type\n","type":"object","properties":{"id":{"description":"Tactic ID","type":"string"},"name":{"description":"Tactic name","type":"string"},"reference":{"description":"Tactic reference","type":"string"}},"required":["id","name","reference"]},"Security_Detections_API_ThreatTechnique":{"type":"object","properties":{"id":{"description":"Technique ID","type":"string"},"name":{"description":"Technique name","type":"string"},"reference":{"description":"Technique reference","type":"string"},"subtechnique":{"description":"Array containing more specific information on the attack technique.\n","items":{"$ref":"#/components/schemas/Security_Detections_API_ThreatSubtechnique"},"type":"array"}},"required":["id","name","reference"]},"Security_Detections_API_Threshold":{"type":"object","properties":{"cardinality":{"$ref":"#/components/schemas/Security_Detections_API_ThresholdCardinality"},"field":{"$ref":"#/components/schemas/Security_Detections_API_ThresholdField"},"value":{"$ref":"#/components/schemas/Security_Detections_API_ThresholdValue"}},"required":["field","value"]},"Security_Detections_API_ThresholdAlertSuppression":{"description":"Defines alert suppression configuration.","type":"object","properties":{"duration":{"$ref":"#/components/schemas/Security_Detections_API_AlertSuppressionDuration"}},"required":["duration"]},"Security_Detections_API_ThresholdCardinality":{"description":"The field on which the cardinality is applied.","items":{"type":"object","properties":{"field":{"description":"The field on which to calculate and compare the cardinality.","type":"string"},"value":{"description":"The threshold value from which an alert is generated based on unique number of values of cardinality.field.","minimum":0,"type":"integer"}},"required":["field","value"]},"type":"array"},"Security_Detections_API_ThresholdField":{"description":"The field on which the threshold is applied. If you specify an empty array ([]), alerts are generated when the query returns at least the number of results specified in the value field.","oneOf":[{"type":"string"},{"items":{"type":"string"},"maxItems":5,"minItems":0,"type":"array"}]},"Security_Detections_API_ThresholdRule":{"allOf":[{"type":"object","properties":{"actions":{"description":"Array defining the automated actions (notifications) taken when alerts are generated.","items":{"$ref":"#/components/schemas/Security_Detections_API_RuleAction"},"type":"array"},"alias_purpose":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose"},"alias_target_id":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId"},"author":{"$ref":"#/components/schemas/Security_Detections_API_RuleAuthorArray"},"building_block_type":{"$ref":"#/components/schemas/Security_Detections_API_BuildingBlockType"},"description":{"$ref":"#/components/schemas/Security_Detections_API_RuleDescription"},"enabled":{"$ref":"#/components/schemas/Security_Detections_API_IsRuleEnabled"},"exceptions_list":{"items":{"$ref":"#/components/schemas/Security_Detections_API_RuleExceptionList"},"type":"array"},"false_positives":{"$ref":"#/components/schemas/Security_Detections_API_RuleFalsePositiveArray"},"from":{"$ref":"#/components/schemas/Security_Detections_API_RuleIntervalFrom"},"interval":{"$ref":"#/components/schemas/Security_Detections_API_RuleInterval"},"investigation_fields":{"$ref":"#/components/schemas/Security_Detections_API_InvestigationFields"},"license":{"$ref":"#/components/schemas/Security_Detections_API_RuleLicense"},"max_signals":{"$ref":"#/components/schemas/Security_Detections_API_MaxSignals"},"meta":{"$ref":"#/components/schemas/Security_Detections_API_RuleMetadata"},"name":{"$ref":"#/components/schemas/Security_Detections_API_RuleName"},"namespace":{"$ref":"#/components/schemas/Security_Detections_API_AlertsIndexNamespace"},"note":{"$ref":"#/components/schemas/Security_Detections_API_InvestigationGuide"},"outcome":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome"},"output_index":{"$ref":"#/components/schemas/Security_Detections_API_AlertsIndex"},"references":{"$ref":"#/components/schemas/Security_Detections_API_RuleReferenceArray"},"related_integrations":{"$ref":"#/components/schemas/Security_Detections_API_RelatedIntegrationArray"},"required_fields":{"description":"Elasticsearch fields and their types that need to be present for the rule to function.\n\u003e info\n\u003e The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.\n","items":{"$ref":"#/components/schemas/Security_Detections_API_RequiredFieldInput"},"type":"array"},"response_actions":{"items":{"$ref":"#/components/schemas/Security_Detections_API_ResponseAction"},"type":"array"},"risk_score":{"$ref":"#/components/schemas/Security_Detections_API_RiskScore"},"risk_score_mapping":{"$ref":"#/components/schemas/Security_Detections_API_RiskScoreMapping"},"rule_name_override":{"$ref":"#/components/schemas/Security_Detections_API_RuleNameOverride"},"setup":{"$ref":"#/components/schemas/Security_Detections_API_SetupGuide"},"severity":{"$ref":"#/components/schemas/Security_Detections_API_Severity"},"severity_mapping":{"$ref":"#/components/schemas/Security_Detections_API_SeverityMapping"},"tags":{"$ref":"#/components/schemas/Security_Detections_API_RuleTagArray"},"threat":{"$ref":"#/components/schemas/Security_Detections_API_ThreatArray"},"throttle":{"$ref":"#/components/schemas/Security_Detections_API_RuleActionThrottle"},"timeline_id":{"$ref":"#/components/schemas/Security_Detections_API_TimelineTemplateId"},"timeline_title":{"$ref":"#/components/schemas/Security_Detections_API_TimelineTemplateTitle"},"timestamp_override":{"$ref":"#/components/schemas/Security_Detections_API_TimestampOverride"},"timestamp_override_fallback_disabled":{"$ref":"#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled"},"to":{"$ref":"#/components/schemas/Security_Detections_API_RuleIntervalTo"},"version":{"$ref":"#/components/schemas/Security_Detections_API_RuleVersion"}},"required":["name","description","risk_score","severity","version","tags","enabled","risk_score_mapping","severity_mapping","interval","from","to","actions","exceptions_list","author","false_positives","references","max_signals","threat","setup","related_integrations","required_fields"]},{"$ref":"#/components/schemas/Security_Detections_API_ResponseFields"},{"$ref":"#/components/schemas/Security_Detections_API_ThresholdRuleResponseFields"}]},"Security_Detections_API_ThresholdRuleCreateFields":{"allOf":[{"$ref":"#/components/schemas/Security_Detections_API_ThresholdRuleRequiredFields"},{"$ref":"#/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields"},{"$ref":"#/components/schemas/Security_Detections_API_ThresholdRuleDefaultableFields"}]},"Security_Detections_API_ThresholdRuleCreateProps":{"allOf":[{"type":"object","properties":{"actions":{"description":"Array defining the automated actions (notifications) taken when alerts are generated.","items":{"$ref":"#/components/schemas/Security_Detections_API_RuleAction"},"type":"array"},"alias_purpose":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose"},"alias_target_id":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId"},"author":{"$ref":"#/components/schemas/Security_Detections_API_RuleAuthorArray"},"building_block_type":{"$ref":"#/components/schemas/Security_Detections_API_BuildingBlockType"},"description":{"$ref":"#/components/schemas/Security_Detections_API_RuleDescription"},"enabled":{"$ref":"#/components/schemas/Security_Detections_API_IsRuleEnabled"},"exceptions_list":{"items":{"$ref":"#/components/schemas/Security_Detections_API_RuleExceptionList"},"type":"array"},"false_positives":{"$ref":"#/components/schemas/Security_Detections_API_RuleFalsePositiveArray"},"from":{"$ref":"#/components/schemas/Security_Detections_API_RuleIntervalFrom"},"interval":{"$ref":"#/components/schemas/Security_Detections_API_RuleInterval"},"investigation_fields":{"$ref":"#/components/schemas/Security_Detections_API_InvestigationFields"},"license":{"$ref":"#/components/schemas/Security_Detections_API_RuleLicense"},"max_signals":{"$ref":"#/components/schemas/Security_Detections_API_MaxSignals"},"meta":{"$ref":"#/components/schemas/Security_Detections_API_RuleMetadata"},"name":{"$ref":"#/components/schemas/Security_Detections_API_RuleName"},"namespace":{"$ref":"#/components/schemas/Security_Detections_API_AlertsIndexNamespace"},"note":{"$ref":"#/components/schemas/Security_Detections_API_InvestigationGuide"},"outcome":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome"},"output_index":{"$ref":"#/components/schemas/Security_Detections_API_AlertsIndex"},"references":{"$ref":"#/components/schemas/Security_Detections_API_RuleReferenceArray"},"related_integrations":{"$ref":"#/components/schemas/Security_Detections_API_RelatedIntegrationArray"},"required_fields":{"description":"Elasticsearch fields and their types that need to be present for the rule to function.\n\u003e info\n\u003e The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.\n","items":{"$ref":"#/components/schemas/Security_Detections_API_RequiredFieldInput"},"type":"array"},"response_actions":{"items":{"$ref":"#/components/schemas/Security_Detections_API_ResponseAction"},"type":"array"},"risk_score":{"$ref":"#/components/schemas/Security_Detections_API_RiskScore"},"risk_score_mapping":{"$ref":"#/components/schemas/Security_Detections_API_RiskScoreMapping"},"rule_id":{"$ref":"#/components/schemas/Security_Detections_API_RuleSignatureId"},"rule_name_override":{"$ref":"#/components/schemas/Security_Detections_API_RuleNameOverride"},"setup":{"$ref":"#/components/schemas/Security_Detections_API_SetupGuide"},"severity":{"$ref":"#/components/schemas/Security_Detections_API_Severity"},"severity_mapping":{"$ref":"#/components/schemas/Security_Detections_API_SeverityMapping"},"tags":{"$ref":"#/components/schemas/Security_Detections_API_RuleTagArray"},"threat":{"$ref":"#/components/schemas/Security_Detections_API_ThreatArray"},"throttle":{"$ref":"#/components/schemas/Security_Detections_API_RuleActionThrottle"},"timeline_id":{"$ref":"#/components/schemas/Security_Detections_API_TimelineTemplateId"},"timeline_title":{"$ref":"#/components/schemas/Security_Detections_API_TimelineTemplateTitle"},"timestamp_override":{"$ref":"#/components/schemas/Security_Detections_API_TimestampOverride"},"timestamp_override_fallback_disabled":{"$ref":"#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled"},"to":{"$ref":"#/components/schemas/Security_Detections_API_RuleIntervalTo"},"version":{"$ref":"#/components/schemas/Security_Detections_API_RuleVersion"}},"required":["name","description","risk_score","severity"]},{"$ref":"#/components/schemas/Security_Detections_API_ThresholdRuleCreateFields"}]},"Security_Detections_API_ThresholdRuleDefaultableFields":{"type":"object","properties":{"language":{"$ref":"#/components/schemas/Security_Detections_API_KqlQueryLanguage"}}},"Security_Detections_API_ThresholdRuleOptionalFields":{"type":"object","properties":{"alert_suppression":{"$ref":"#/components/schemas/Security_Detections_API_ThresholdAlertSuppression"},"data_view_id":{"$ref":"#/components/schemas/Security_Detections_API_DataViewId"},"filters":{"$ref":"#/components/schemas/Security_Detections_API_RuleFilterArray"},"index":{"$ref":"#/components/schemas/Security_Detections_API_IndexPatternArray"},"saved_id":{"$ref":"#/components/schemas/Security_Detections_API_SavedQueryId"}}},"Security_Detections_API_ThresholdRulePatchFields":{"allOf":[{"type":"object","properties":{"query":{"$ref":"#/components/schemas/Security_Detections_API_RuleQuery"},"threshold":{"$ref":"#/components/schemas/Security_Detections_API_Threshold"},"type":{"description":"Rule type","enum":["threshold"],"type":"string"}}},{"$ref":"#/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields"},{"$ref":"#/components/schemas/Security_Detections_API_ThresholdRuleDefaultableFields"}]},"Security_Detections_API_ThresholdRulePatchProps":{"allOf":[{"type":"object","properties":{"actions":{"description":"Array defining the automated actions (notifications) taken when alerts are generated.","items":{"$ref":"#/components/schemas/Security_Detections_API_RuleAction"},"type":"array"},"alias_purpose":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose"},"alias_target_id":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId"},"author":{"$ref":"#/components/schemas/Security_Detections_API_RuleAuthorArray"},"building_block_type":{"$ref":"#/components/schemas/Security_Detections_API_BuildingBlockType"},"description":{"$ref":"#/components/schemas/Security_Detections_API_RuleDescription"},"enabled":{"$ref":"#/components/schemas/Security_Detections_API_IsRuleEnabled"},"exceptions_list":{"items":{"$ref":"#/components/schemas/Security_Detections_API_RuleExceptionList"},"type":"array"},"false_positives":{"$ref":"#/components/schemas/Security_Detections_API_RuleFalsePositiveArray"},"from":{"$ref":"#/components/schemas/Security_Detections_API_RuleIntervalFrom"},"id":{"$ref":"#/components/schemas/Security_Detections_API_UUID"},"interval":{"$ref":"#/components/schemas/Security_Detections_API_RuleInterval"},"investigation_fields":{"$ref":"#/components/schemas/Security_Detections_API_InvestigationFields"},"license":{"$ref":"#/components/schemas/Security_Detections_API_RuleLicense"},"max_signals":{"$ref":"#/components/schemas/Security_Detections_API_MaxSignals"},"meta":{"$ref":"#/components/schemas/Security_Detections_API_RuleMetadata"},"name":{"$ref":"#/components/schemas/Security_Detections_API_RuleName"},"namespace":{"$ref":"#/components/schemas/Security_Detections_API_AlertsIndexNamespace"},"note":{"$ref":"#/components/schemas/Security_Detections_API_InvestigationGuide"},"outcome":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome"},"output_index":{"$ref":"#/components/schemas/Security_Detections_API_AlertsIndex"},"references":{"$ref":"#/components/schemas/Security_Detections_API_RuleReferenceArray"},"related_integrations":{"$ref":"#/components/schemas/Security_Detections_API_RelatedIntegrationArray"},"required_fields":{"description":"Elasticsearch fields and their types that need to be present for the rule to function.\n\u003e info\n\u003e The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.\n","items":{"$ref":"#/components/schemas/Security_Detections_API_RequiredFieldInput"},"type":"array"},"response_actions":{"items":{"$ref":"#/components/schemas/Security_Detections_API_ResponseAction"},"type":"array"},"risk_score":{"$ref":"#/components/schemas/Security_Detections_API_RiskScore"},"risk_score_mapping":{"$ref":"#/components/schemas/Security_Detections_API_RiskScoreMapping"},"rule_id":{"$ref":"#/components/schemas/Security_Detections_API_RuleSignatureId"},"rule_name_override":{"$ref":"#/components/schemas/Security_Detections_API_RuleNameOverride"},"setup":{"$ref":"#/components/schemas/Security_Detections_API_SetupGuide"},"severity":{"$ref":"#/components/schemas/Security_Detections_API_Severity"},"severity_mapping":{"$ref":"#/components/schemas/Security_Detections_API_SeverityMapping"},"tags":{"$ref":"#/components/schemas/Security_Detections_API_RuleTagArray"},"threat":{"$ref":"#/components/schemas/Security_Detections_API_ThreatArray"},"throttle":{"$ref":"#/components/schemas/Security_Detections_API_RuleActionThrottle"},"timeline_id":{"$ref":"#/components/schemas/Security_Detections_API_TimelineTemplateId"},"timeline_title":{"$ref":"#/components/schemas/Security_Detections_API_TimelineTemplateTitle"},"timestamp_override":{"$ref":"#/components/schemas/Security_Detections_API_TimestampOverride"},"timestamp_override_fallback_disabled":{"$ref":"#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled"},"to":{"$ref":"#/components/schemas/Security_Detections_API_RuleIntervalTo"},"version":{"$ref":"#/components/schemas/Security_Detections_API_RuleVersion"}}},{"$ref":"#/components/schemas/Security_Detections_API_ThresholdRulePatchFields"}]},"Security_Detections_API_ThresholdRuleRequiredFields":{"type":"object","properties":{"query":{"$ref":"#/components/schemas/Security_Detections_API_RuleQuery"},"threshold":{"$ref":"#/components/schemas/Security_Detections_API_Threshold"},"type":{"description":"Rule type","enum":["threshold"],"type":"string"}},"required":["type","query","threshold"]},"Security_Detections_API_ThresholdRuleResponseFields":{"allOf":[{"$ref":"#/components/schemas/Security_Detections_API_ThresholdRuleRequiredFields"},{"$ref":"#/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields"},{"type":"object","properties":{"language":{"$ref":"#/components/schemas/Security_Detections_API_KqlQueryLanguage"}},"required":["language"]}]},"Security_Detections_API_ThresholdRuleUpdateProps":{"allOf":[{"type":"object","properties":{"actions":{"description":"Array defining the automated actions (notifications) taken when alerts are generated.","items":{"$ref":"#/components/schemas/Security_Detections_API_RuleAction"},"type":"array"},"alias_purpose":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose"},"alias_target_id":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId"},"author":{"$ref":"#/components/schemas/Security_Detections_API_RuleAuthorArray"},"building_block_type":{"$ref":"#/components/schemas/Security_Detections_API_BuildingBlockType"},"description":{"$ref":"#/components/schemas/Security_Detections_API_RuleDescription"},"enabled":{"$ref":"#/components/schemas/Security_Detections_API_IsRuleEnabled"},"exceptions_list":{"items":{"$ref":"#/components/schemas/Security_Detections_API_RuleExceptionList"},"type":"array"},"false_positives":{"$ref":"#/components/schemas/Security_Detections_API_RuleFalsePositiveArray"},"from":{"$ref":"#/components/schemas/Security_Detections_API_RuleIntervalFrom"},"id":{"$ref":"#/components/schemas/Security_Detections_API_UUID"},"interval":{"$ref":"#/components/schemas/Security_Detections_API_RuleInterval"},"investigation_fields":{"$ref":"#/components/schemas/Security_Detections_API_InvestigationFields"},"license":{"$ref":"#/components/schemas/Security_Detections_API_RuleLicense"},"max_signals":{"$ref":"#/components/schemas/Security_Detections_API_MaxSignals"},"meta":{"$ref":"#/components/schemas/Security_Detections_API_RuleMetadata"},"name":{"$ref":"#/components/schemas/Security_Detections_API_RuleName"},"namespace":{"$ref":"#/components/schemas/Security_Detections_API_AlertsIndexNamespace"},"note":{"$ref":"#/components/schemas/Security_Detections_API_InvestigationGuide"},"outcome":{"$ref":"#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome"},"output_index":{"$ref":"#/components/schemas/Security_Detections_API_AlertsIndex"},"references":{"$ref":"#/components/schemas/Security_Detections_API_RuleReferenceArray"},"related_integrations":{"$ref":"#/components/schemas/Security_Detections_API_RelatedIntegrationArray"},"required_fields":{"description":"Elasticsearch fields and their types that need to be present for the rule to function.\n\u003e info\n\u003e The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.\n","items":{"$ref":"#/components/schemas/Security_Detections_API_RequiredFieldInput"},"type":"array"},"response_actions":{"items":{"$ref":"#/components/schemas/Security_Detections_API_ResponseAction"},"type":"array"},"risk_score":{"$ref":"#/components/schemas/Security_Detections_API_RiskScore"},"risk_score_mapping":{"$ref":"#/components/schemas/Security_Detections_API_RiskScoreMapping"},"rule_id":{"$ref":"#/components/schemas/Security_Detections_API_RuleSignatureId"},"rule_name_override":{"$ref":"#/components/schemas/Security_Detections_API_RuleNameOverride"},"setup":{"$ref":"#/components/schemas/Security_Detections_API_SetupGuide"},"severity":{"$ref":"#/components/schemas/Security_Detections_API_Severity"},"severity_mapping":{"$ref":"#/components/schemas/Security_Detections_API_SeverityMapping"},"tags":{"$ref":"#/components/schemas/Security_Detections_API_RuleTagArray"},"threat":{"$ref":"#/components/schemas/Security_Detections_API_ThreatArray"},"throttle":{"$ref":"#/components/schemas/Security_Detections_API_RuleActionThrottle"},"timeline_id":{"$ref":"#/components/schemas/Security_Detections_API_TimelineTemplateId"},"timeline_title":{"$ref":"#/components/schemas/Security_Detections_API_TimelineTemplateTitle"},"timestamp_override":{"$ref":"#/components/schemas/Security_Detections_API_TimestampOverride"},"timestamp_override_fallback_disabled":{"$ref":"#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled"},"to":{"$ref":"#/components/schemas/Security_Detections_API_RuleIntervalTo"},"version":{"$ref":"#/components/schemas/Security_Detections_API_RuleVersion"}},"required":["name","description","risk_score","severity"]},{"$ref":"#/components/schemas/Security_Detections_API_ThresholdRuleCreateFields"}]},"Security_Detections_API_ThresholdValue":{"description":"The threshold value from which an alert is generated.","minimum":1,"type":"integer"},"Security_Detections_API_ThrottleForBulkActions":{"description":"Defines the maximum interval in which a rule’s actions are executed.\n\u003e info\n\u003e The rule level `throttle` field is deprecated in Elastic Security 8.8 and will remain active for at least the next 12 months.\n\u003e In Elastic Security 8.8 and later, you can use the `frequency` field to define frequencies for individual actions. Actions without frequencies will acquire a converted version of the rule’s `throttle` field. In the response, the converted `throttle` setting appears in the individual actions' `frequency` field.\n","enum":["rule","1h","1d","7d"],"type":"string"},"Security_Detections_API_TiebreakerField":{"description":"Sets a secondary field for sorting events","type":"string"},"Security_Detections_API_TimelineTemplateId":{"description":"Timeline template ID","type":"string"},"Security_Detections_API_TimelineTemplateTitle":{"description":"Timeline template title","type":"string"},"Security_Detections_API_TimestampField":{"description":"Specifies the name of the event timestamp field used for sorting a sequence of events. Not to be confused with `timestamp_override`, which specifies the more general field used for querying events within a range. Defaults to the @timestamp ECS field.","type":"string"},"Security_Detections_API_TimestampOverride":{"description":"Sets the time field used to query indices. When unspecified, rules query the `@timestamp` field. The source field must be an Elasticsearch date data type.","type":"string"},"Security_Detections_API_TimestampOverrideFallbackDisabled":{"description":"Disables the fallback to the event's @timestamp field","type":"boolean"},"Security_Detections_API_UUID":{"description":"A universally unique identifier","format":"uuid","type":"string"},"Security_Detections_API_WarningSchema":{"type":"object","properties":{"actionPath":{"type":"string"},"buttonLabel":{"type":"string"},"message":{"type":"string"},"type":{"type":"string"}},"required":["type","message","actionPath"]},"Security_Endpoint_Exceptions_API_EndpointList":{"oneOf":[{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionList"},{"additionalProperties":false,"type":"object"}]},"Security_Endpoint_Exceptions_API_EndpointListItem":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItem"},"Security_Endpoint_Exceptions_API_ExceptionList":{"type":"object","properties":{"_version":{"description":"The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version.","type":"string"},"created_at":{"description":"Autogenerated date of object creation.","format":"date-time","type":"string"},"created_by":{"description":"Autogenerated value - user that created object.","type":"string"},"description":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListDescription"},"id":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListId"},"immutable":{"type":"boolean"},"list_id":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListHumanId"},"meta":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListMeta"},"name":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListName"},"namespace_type":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionNamespaceType"},"os_types":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsTypeArray"},"tags":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListTags"},"tie_breaker_id":{"description":"Field used in search to ensure all containers are sorted and returned correctly.","type":"string"},"type":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListType"},"updated_at":{"description":"Autogenerated date of last object update.","format":"date-time","type":"string"},"updated_by":{"description":"Autogenerated value - user that last updated object.","type":"string"},"version":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListVersion"}},"required":["id","list_id","type","name","description","immutable","namespace_type","version","tie_breaker_id","created_at","created_by","updated_at","updated_by"]},"Security_Endpoint_Exceptions_API_ExceptionListDescription":{"description":"Describes the exception list.","example":"This list tracks allowlisted values.","type":"string"},"Security_Endpoint_Exceptions_API_ExceptionListHumanId":{"description":"The exception list's human readable string identifier, `endpoint_list`.","example":"simple_list","format":"nonempty","minLength":1,"type":"string"},"Security_Endpoint_Exceptions_API_ExceptionListId":{"description":"Exception list's identifier.","example":"9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85","format":"nonempty","minLength":1,"type":"string"},"Security_Endpoint_Exceptions_API_ExceptionListItem":{"type":"object","properties":{"_version":{"description":"The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version.","type":"string"},"comments":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray"},"created_at":{"description":"Autogenerated date of object creation.","format":"date-time","type":"string"},"created_by":{"description":"Autogenerated value - user that created object.","type":"string"},"description":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription"},"entries":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray"},"expire_time":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemExpireTime"},"id":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId"},"item_id":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId"},"list_id":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListHumanId"},"meta":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta"},"name":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName"},"namespace_type":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionNamespaceType"},"os_types":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray"},"tags":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags"},"tie_breaker_id":{"description":"Field used in search to ensure all containers are sorted and returned correctly.","type":"string"},"type":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType"},"updated_at":{"description":"Autogenerated date of last object update.","format":"date-time","type":"string"},"updated_by":{"description":"Autogenerated value - user that last updated object.","type":"string"}},"required":["id","item_id","list_id","type","name","description","entries","namespace_type","comments","tie_breaker_id","created_at","created_by","updated_at","updated_by"]},"Security_Endpoint_Exceptions_API_ExceptionListItemComment":{"type":"object","properties":{"comment":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString"},"created_at":{"description":"Autogenerated date of object creation.","format":"date-time","type":"string"},"created_by":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString"},"id":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString"},"updated_at":{"description":"Autogenerated date of last object update.","format":"date-time","type":"string"},"updated_by":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString"}},"required":["id","comment","created_at","created_by"]},"Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray":{"description":"Array of comment fields:\n\n- comment (string): Comments about the exception item.\n","items":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemComment"},"type":"array"},"Security_Endpoint_Exceptions_API_ExceptionListItemDescription":{"description":"Describes the exception list.","type":"string"},"Security_Endpoint_Exceptions_API_ExceptionListItemEntry":{"anyOf":[{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch"},{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny"},{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryList"},{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists"},{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryNested"},{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchWildcard"}],"discriminator":{"propertyName":"type"}},"Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray":{"items":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntry"},"type":"array"},"Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists":{"type":"object","properties":{"field":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString"},"operator":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator"},"type":{"enum":["exists"],"type":"string"}},"required":["type","field","operator"]},"Security_Endpoint_Exceptions_API_ExceptionListItemEntryList":{"type":"object","properties":{"field":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString"},"list":{"type":"object","properties":{"id":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_ListId"},"type":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_ListType"}},"required":["id","type"]},"operator":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator"},"type":{"enum":["list"],"type":"string"}},"required":["type","field","list","operator"]},"Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch":{"type":"object","properties":{"field":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString"},"operator":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator"},"type":{"enum":["match"],"type":"string"},"value":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString"}},"required":["type","field","value","operator"]},"Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny":{"type":"object","properties":{"field":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString"},"operator":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator"},"type":{"enum":["match_any"],"type":"string"},"value":{"items":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString"},"minItems":1,"type":"array"}},"required":["type","field","value","operator"]},"Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchWildcard":{"type":"object","properties":{"field":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString"},"operator":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator"},"type":{"enum":["wildcard"],"type":"string"},"value":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString"}},"required":["type","field","value","operator"]},"Security_Endpoint_Exceptions_API_ExceptionListItemEntryNested":{"type":"object","properties":{"entries":{"items":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryNestedEntryItem"},"minItems":1,"type":"array"},"field":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString"},"type":{"enum":["nested"],"type":"string"}},"required":["type","field","entries"]},"Security_Endpoint_Exceptions_API_ExceptionListItemEntryNestedEntryItem":{"oneOf":[{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch"},{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny"},{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists"}]},"Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator":{"enum":["excluded","included"],"type":"string"},"Security_Endpoint_Exceptions_API_ExceptionListItemExpireTime":{"description":"The exception item’s expiration date, in ISO format. This field is only available for regular exception items, not endpoint exceptions.","format":"date-time","type":"string"},"Security_Endpoint_Exceptions_API_ExceptionListItemHumanId":{"description":"Human readable string identifier, e.g. `trusted-linux-processes`","example":"simple_list_item","format":"nonempty","minLength":1,"type":"string"},"Security_Endpoint_Exceptions_API_ExceptionListItemId":{"description":"Exception's identifier.","example":"71a9f4b2-c85c-49b4-866f-c71eb9e67da2","format":"nonempty","minLength":1,"type":"string"},"Security_Endpoint_Exceptions_API_ExceptionListItemMeta":{"additionalProperties":true,"type":"object"},"Security_Endpoint_Exceptions_API_ExceptionListItemName":{"description":"Exception list name.","format":"nonempty","minLength":1,"type":"string"},"Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray":{"items":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsType"},"type":"array"},"Security_Endpoint_Exceptions_API_ExceptionListItemTags":{"items":{"description":"String array containing words and phrases to help categorize exception items.","format":"nonempty","minLength":1,"type":"string"},"type":"array"},"Security_Endpoint_Exceptions_API_ExceptionListItemType":{"enum":["simple"],"type":"string"},"Security_Endpoint_Exceptions_API_ExceptionListMeta":{"additionalProperties":true,"description":"Placeholder for metadata about the list container.","type":"object"},"Security_Endpoint_Exceptions_API_ExceptionListName":{"description":"The name of the exception list.","example":"My exception list","type":"string"},"Security_Endpoint_Exceptions_API_ExceptionListOsType":{"description":"Use this field to specify the operating system.","enum":["linux","macos","windows"],"type":"string"},"Security_Endpoint_Exceptions_API_ExceptionListOsTypeArray":{"description":"Use this field to specify the operating system. Only enter one value.","items":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsType"},"type":"array"},"Security_Endpoint_Exceptions_API_ExceptionListTags":{"description":"String array containing words and phrases to help categorize exception containers.","items":{"type":"string"},"type":"array"},"Security_Endpoint_Exceptions_API_ExceptionListType":{"description":"The type of exception list to be created. Different list types may denote where they can be utilized.","enum":["detection","rule_default","endpoint","endpoint_trusted_apps","endpoint_trusted_devices","endpoint_events","endpoint_host_isolation_exceptions","endpoint_blocklists"],"type":"string"},"Security_Endpoint_Exceptions_API_ExceptionListVersion":{"description":"The document version, automatically increasd on updates.","minimum":1,"type":"integer"},"Security_Endpoint_Exceptions_API_ExceptionNamespaceType":{"description":"Determines whether the exception container is available in all Kibana spaces or just the space\nin which it is created, where:\n\n- `single`: Only available in the Kibana space in which it is created.\n- `agnostic`: Available in all Kibana spaces.\n","enum":["agnostic","single"],"type":"string"},"Security_Endpoint_Exceptions_API_FindEndpointListItemsFilter":{"$ref":"#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString"},"Security_Endpoint_Exceptions_API_ListId":{"description":"Value list's identifier.","example":"21b01cfb-058d-44b9-838c-282be16c91cd","format":"nonempty","minLength":1,"type":"string"},"Security_Endpoint_Exceptions_API_ListType":{"description":"Specifies the Elasticsearch data type of excludes the list container holds. Some common examples:\n\n- `keyword`: Many ECS fields are Elasticsearch keywords\n- `ip`: IP addresses\n- `ip_range`: Range of IP addresses (supports IPv4, IPv6, and CIDR notation)\n","enum":["binary","boolean","byte","date","date_nanos","date_range","double","double_range","float","float_range","geo_point","geo_shape","half_float","integer","integer_range","ip","ip_range","keyword","long","long_range","shape","short","text"],"type":"string"},"Security_Endpoint_Exceptions_API_NonEmptyString":{"description":"A string that does not contain only whitespace characters","format":"nonempty","minLength":1,"type":"string"},"Security_Endpoint_Exceptions_API_PlatformErrorResponse":{"type":"object","properties":{"error":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"integer"}},"required":["statusCode","error","message"]},"Security_Endpoint_Exceptions_API_SiemErrorResponse":{"type":"object","properties":{"message":{"type":"string"},"status_code":{"type":"integer"}},"required":["status_code","message"]},"Security_Endpoint_Management_API_ActionDetailsResponse":{"discriminator":{"mapping":{"cancel":"#/components/schemas/Security_Endpoint_Management_API_Cancel","execute":"#/components/schemas/Security_Endpoint_Management_API_Execute","get-file":"#/components/schemas/Security_Endpoint_Management_API_GetFile","isolate":"#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails","kill-process":"#/components/schemas/Security_Endpoint_Management_API_KillProcess","memory-dump":"#/components/schemas/Security_Endpoint_Management_API_MemoryDump","running-processes":"#/components/schemas/Security_Endpoint_Management_API_RunningProcesses","runscript":"#/components/schemas/Security_Endpoint_Management_API_Runscript","scan":"#/components/schemas/Security_Endpoint_Management_API_Scan","suspend-process":"#/components/schemas/Security_Endpoint_Management_API_SuspendProcess","unisolate":"#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails","upload":"#/components/schemas/Security_Endpoint_Management_API_Upload"},"propertyName":"command"},"oneOf":[{"$ref":"#/components/schemas/Security_Endpoint_Management_API_KillProcess"},{"$ref":"#/components/schemas/Security_Endpoint_Management_API_GetFile"},{"$ref":"#/components/schemas/Security_Endpoint_Management_API_Execute"},{"$ref":"#/components/schemas/Security_Endpoint_Management_API_Runscript"},{"$ref":"#/components/schemas/Security_Endpoint_Management_API_Upload"},{"$ref":"#/components/schemas/Security_Endpoint_Management_API_Scan"},{"$ref":"#/components/schemas/Security_Endpoint_Management_API_Cancel"},{"$ref":"#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails"},{"$ref":"#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails"},{"$ref":"#/components/schemas/Security_Endpoint_Management_API_SuspendProcess"},{"$ref":"#/components/schemas/Security_Endpoint_Management_API_RunningProcesses"},{"$ref":"#/components/schemas/Security_Endpoint_Management_API_MemoryDump"}]},"Security_Endpoint_Management_API_ActionStateSuccessResponse":{"type":"object","properties":{"body":{"type":"object","properties":{"data":{"type":"object","properties":{"canEncrypt":{"type":"boolean"}}}},"required":["data"]}},"required":["body"]},"Security_Endpoint_Management_API_ActionStatusSuccessResponse":{"type":"object","properties":{"body":{"type":"object","properties":{"data":{"type":"object","properties":{"agent_id":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_AgentId"},"pending_actions":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_PendingActionsSchema"}},"required":["agent_id","pending_actions"]}},"required":["data"]}},"required":["body"]},"Security_Endpoint_Management_API_AgentId":{"description":"Agent ID","type":"string"},"Security_Endpoint_Management_API_AgentIds":{"description":"A list of agent IDs. Max of 50.","example":["agent-id-1","agent-id-2"],"minLength":1,"oneOf":[{"items":{"minLength":1,"type":"string"},"maxItems":50,"minItems":1,"type":"array"},{"minLength":1,"type":"string"}]},"Security_Endpoint_Management_API_AgentTypes":{"description":"List of agent types to retrieve. Defaults to `endpoint`.","enum":["endpoint","sentinel_one","crowdstrike","microsoft_defender_endpoint"],"example":"endpoint","type":"string"},"Security_Endpoint_Management_API_ApiPageSize":{"allOf":[{"$ref":"#/components/schemas/Security_Endpoint_Management_API_PageSize"},{"maximum":1000}]},"Security_Endpoint_Management_API_ApiSortField":{"description":"Determines which field is used to sort the results.","enum":["name","createdAt","createdBy","updatedAt","updatedBy"],"example":"updatedAt","type":"string"},"Security_Endpoint_Management_API_Cancel":{"allOf":[{"$ref":"#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails"},{"type":"object","properties":{"outputs":{"additionalProperties":{"type":"object","properties":{"content":{"type":"object","properties":{"code":{"type":"string"}}}}},"type":"object"},"parameters":{"type":"object","properties":{"id":{"format":"uuid","type":"string"}}}}}]},"Security_Endpoint_Management_API_CancelRouteRequestBody":{"allOf":[{"type":"object","properties":{"agent_type":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_AgentTypes"},"alert_ids":{"description":"If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts.","example":["alert-id-1","alert-id-2"],"items":{"minLength":1,"type":"string"},"minItems":1,"type":"array"},"case_ids":{"description":"The IDs of cases where the action taken will be logged.","example":["case-id-1","case-id-2"],"items":{"minLength":1,"type":"string"},"minItems":1,"type":"array"},"comment":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_Comment"},"endpoint_ids":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_EndpointIds"},"parameters":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_Parameters"}},"required":["endpoint_ids"]},{"type":"object","properties":{"parameters":{"type":"object","properties":{"id":{"description":"ID of the response action to cancel","example":"7f8c9b2a-4d3e-4f5a-8b1c-2e3f4a5b6c7d","minLength":1,"type":"string"}},"required":["id"]}},"required":["parameters"]}]},"Security_Endpoint_Management_API_CloudFileScriptParameters":{"type":"object","properties":{"cloudFile":{"description":"Script name in cloud storage.","minLength":1,"type":"string"},"commandLine":{"description":"Command line arguments.","minLength":1,"type":"string"},"timeout":{"description":"Timeout in seconds.","minimum":1,"type":"integer"}},"required":["cloudFile"]},"Security_Endpoint_Management_API_Command":{"description":"The command for the response action","enum":["isolate","unisolate","kill-process","suspend-process","running-processes","get-file","execute","upload","scan","runscript","cancel"],"minLength":1,"type":"string"},"Security_Endpoint_Management_API_Commands":{"description":"A list of response action command names.","example":["isolate","unisolate"],"items":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_Command"},"type":"array"},"Security_Endpoint_Management_API_Comment":{"description":"Optional comment","example":"This is a comment","type":"string"},"Security_Endpoint_Management_API_DownloadUri":{"type":"object","properties":{"downloadUri":{"description":"The server relative URI to download the file associated with the output of the response action.\nURI does **not** include the space prefix\n","example":"/api/endpoint/action/497f6eca-6276/file/35645-6276-4993/download","format":"uri-reference","type":"string"}}},"Security_Endpoint_Management_API_EndDate":{"description":"An end date in ISO format or Date Math format.","example":"2023-10-31T23:59:59.999Z","type":"string"},"Security_Endpoint_Management_API_EndpointIds":{"description":"List of endpoint IDs (cannot contain empty strings)","example":["endpoint-id-1","endpoint-id-2"],"items":{"minLength":1,"type":"string"},"minItems":1,"type":"array"},"Security_Endpoint_Management_API_EndpointMetadataResponse":{"example":{"host_status":"healthy","last_checkin":"2023-07-04T15:48:57.360Z","metadata":{"@timestamp":"2023-07-04T15:48:57.3609346Z","agent":{"build":{"original":"version: 7.16.0, compiled: Tue Nov 16 17:00:00 2021, branch: 7.16, commit: 73a51033db85e0fb3be1c934697ef6a2b08979ab"},"id":"abb8a826-6812-448c-a571-6d8269b51449","type":"endpoint","version":"7.16.0"},"data_stream":{"dataset":"endpoint.metadata","namespace":"default","type":"metrics"},"ecs":{"version":"1.11.0"},"elastic":{"agent":{"id":"abb8a826-6812-448c-a571-6d8269b51449"}},"Endpoint":{"capabilities":["isolation"],"configuration":{"isolation":false},"policy":{"applied":{"endpoint_policy_version":"2","id":"d5371dcd-93b7-4627-af88-4084f7d6aa3e","name":"test","status":"success","version":"3"}},"state":{"isolation":false},"status":"enrolled"},"event":{"action":"endpoint_metadata","agent_id_status":"verified","category":["host"],"created":"2023-07-04T15:48:57.3609346Z","dataset":"endpoint.metadata","id":"MNtRc++KoKHXXwlj+++++OhZ","ingested":"2023-07-04T15:48:58Z","kind":"metric","module":"endpoint","sequence":43757,"type":["info"]},"host":{"architecture":"x86_64","hostname":"WinDev2104Eval","id":"17d9cabc-7edd-43bc-bacb-8da5f5e6c0e5","ip":["10.0.2.15","fe80::21a6:63d3:d70e:e3ad","127.0.0.1","::1"],"mac":["08:00:27:b1:1d:5a"],"name":"WinDev2104Eval","os":{"Ext":{"variant":"Windows 10 Enterprise Evaluation"},"family":"windows","full":"Windows 10 Enterprise Evaluation 20H2 (10.0.19042.906)","kernel":"20H2 (10.0.19042.906)","name":"Windows","platform":"windows","type":"windows","version":"20H2 (10.0.19042.906)"}},"message":"Endpoint metadata","policy_info":{"agent":{"applied":{"id":"ed7e3720-4bad-11ec-a2a8-fb22e62a5753","revision":3},"configured":{"id":"ed7e3720-4bad-11ec-a2a8-fb22e62a5753","revision":3}},"endpoint":{"id":"d5371dcd-93b7-4627-af88-4084f7d6aa3e","revision":2}}}},"type":"object","properties":{}},"Security_Endpoint_Management_API_EndpointScript":{"type":"object","properties":{"createdAt":{"format":"date-time","type":"string"},"createdBy":{"example":"elastic","type":"string"},"description":{"description":"Description of the script and its purpose/functionality","example":"Collects host data for investigation","type":"string"},"downloadUri":{"description":"URI to download the script file. Note that this is the relative path and does not include the space (if applicable)","example":"/api/endpoint/scripts_library/123e4567-e89b-12d3-a456-426655440000/download","type":"string"},"example":{"type":"string"},"fileHash":{"description":"SHA256 hash of the script file that was uploaded","example":"abf573681eb54aac5e05e35bf186d4d31abe45ecf242461490523f11d2a8fbb8","type":"string"},"fileName":{"description":"Name of the script file that was uploaded","example":"collect_host_data.sh","type":"string"},"fileSize":{"description":"Size of the script file that was uploaded in bytes","example":12345,"type":"integer"},"id":{"example":"123e4567-e89b-12d3-a456-426655440000","format":"uuid","type":"string"},"instructions":{"description":"Instructions for using the script, including details around its supported input arguments","type":"string"},"name":{"example":"Collect host data","type":"string"},"pathToExecutable":{"description":"The relative path to the file included in the archive that should be executed once its contents are extracted. Applicable only for scripts uploaded as an archive (.zip file for example).\n","type":"string"},"platform":{"items":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_EndpointScriptPlatform"},"type":"array"},"requiresInput":{"type":"boolean"},"updatedAt":{"format":"date-time","type":"string"},"updatedBy":{"example":"admin","type":"string"},"version":{"type":"string"}}},"Security_Endpoint_Management_API_EndpointScriptPlatform":{"enum":["linux","macos","windows"],"type":"string"},"Security_Endpoint_Management_API_Execute":{"allOf":[{"$ref":"#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails"},{"type":"object","properties":{"outputs":{"additionalProperties":{"type":"object","properties":{"content":{"allOf":[{"$ref":"#/components/schemas/Security_Endpoint_Management_API_DownloadUri"},{"type":"object","properties":{"code":{"type":"string"},"cwd":{"type":"string"},"output_file_id":{"type":"string"},"output_file_stderr_truncated":{"type":"boolean"},"output_file_stdout_truncated":{"type":"boolean"},"shell_code":{"type":"number"},"stderr":{"type":"string"},"stderr_truncated":{"type":"boolean"},"stdout":{"type":"string"},"stdout_truncated":{"type":"boolean"}}}]}}},"type":"object"},"parameters":{"type":"object","properties":{"command":{"type":"string"},"timeout":{"type":"number"}}}}}]},"Security_Endpoint_Management_API_ExecuteRouteRequestBody":{"allOf":[{"type":"object","properties":{"agent_type":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_AgentTypes"},"alert_ids":{"description":"If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts.","example":["alert-id-1","alert-id-2"],"items":{"minLength":1,"type":"string"},"minItems":1,"type":"array"},"case_ids":{"description":"The IDs of cases where the action taken will be logged.","example":["case-id-1","case-id-2"],"items":{"minLength":1,"type":"string"},"minItems":1,"type":"array"},"comment":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_Comment"},"endpoint_ids":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_EndpointIds"},"parameters":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_Parameters"}},"required":["endpoint_ids"]},{"type":"object","properties":{"parameters":{"type":"object","properties":{"command":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_Command"},"timeout":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_Timeout"}},"required":["command"]}},"required":["parameters"]}],"example":{"comment":"Get list of all files","endpoint_ids":["b3d6de74-36b0-4fa8-be46-c375bf1771bf"],"parameters":{"command":"ls -al","timeout":600}}},"Security_Endpoint_Management_API_ExecuteRouteResponse":{"example":{"data":{"agents":["ed518850-681a-4d60-bb98-e22640cae2a8"],"agentState":{"ed518850-681a-4d60-bb98-e22640cae2a8":{"isCompleted":false,"wasSuccessful":false}},"agentType":"endpoint","command":"execute","comment":"Get list of all files","createdBy":"myuser","hosts":{"ed518850-681a-4d60-bb98-e22640cae2a8":{"name":"gke-endpoint-gke-clu-endpoint-node-po-e1a3ab89-4c4r"}},"id":"9f934028-2300-4927-b531-b26376793dc4","isCompleted":false,"isExpired":false,"outputs":{},"parameters":{"command":"ls -al","timeout":600},"startedAt":"2023-07-28T18:43:27.362Z","status":"pending","wasSuccessful":false}},"type":"object","properties":{}},"Security_Endpoint_Management_API_GetEndpointActionListResponse":{"example":{"data":[{"agents":["afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0"],"agentType":"endpoint","command":"running-processes","completedAt":"2022-08-08T09:50:47.672Z","createdBy":"elastic","id":"b3d6de74-36b0-4fa8-be46-c375bf1771bf","isCompleted":true,"isExpired":false,"startedAt":"2022-08-08T15:24:57.402Z","wasSuccessful":true},{"agents":["afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0"],"agentType":"endpoint","command":"isolate","completedAt":"2022-08-08T10:41:57.352Z","createdBy":"elastic","id":"43b4098b-8752-4fbb-a7a7-6df7c74d0ee3","isCompleted":true,"isExpired":false,"startedAt":"2022-08-08T15:23:37.359Z","wasSuccessful":true},{"agents":["afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0"],"agentType":"endpoint","command":"kill-process","comment":"bad process - taking up too much cpu","completedAt":"2022-08-08T09:44:50.952Z","createdBy":"elastic","id":"5bc92c86-b8e6-42dd-837f-12ad29e09caa","isCompleted":true,"isExpired":false,"startedAt":"2022-08-08T14:38:44.125Z","wasSuccessful":true},{"agents":["afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0"],"agentType":"endpoint","command":"unisolate","comment":"Not a threat to the network","completedAt":"2022-08-08T09:40:47.398Z","createdBy":"elastic","id":"790d54e0-3aa3-4e5b-8255-3ce9d851246a","isCompleted":true,"isExpired":false,"startedAt":"2022-08-08T14:38:15.391Z","wasSuccessful":true}],"elasticAgentIds":["afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0"],"endDate":"now","page":1,"pageSize":10,"startDate":"now-24h/h","total":4},"type":"object","properties":{}},"Security_Endpoint_Management_API_GetFile":{"allOf":[{"$ref":"#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails"},{"type":"object","properties":{"outputs":{"additionalProperties":{"type":"object","properties":{"content":{"allOf":[{"$ref":"#/components/schemas/Security_Endpoint_Management_API_DownloadUri"},{"type":"object","properties":{"code":{"type":"string"},"contents":{"items":{"type":"object","properties":{"file_name":{"type":"string"},"path":{"type":"string"},"sha256":{"type":"string"},"size":{"type":"number"},"type":{"type":"string"}}},"type":"array"},"zip_size":{"type":"number"}}}]}}},"type":"object"},"parameters":{"type":"object","properties":{"path":{"type":"string"}}}}}]},"Security_Endpoint_Management_API_GetFileRouteRequestBody":{"allOf":[{"type":"object","properties":{"agent_type":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_AgentTypes"},"alert_ids":{"description":"If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts.","example":["alert-id-1","alert-id-2"],"items":{"minLength":1,"type":"string"},"minItems":1,"type":"array"},"case_ids":{"description":"The IDs of cases where the action taken will be logged.","example":["case-id-1","case-id-2"],"items":{"minLength":1,"type":"string"},"minItems":1,"type":"array"},"comment":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_Comment"},"endpoint_ids":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_EndpointIds"},"parameters":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_Parameters"}},"required":["endpoint_ids"]},{"type":"object","properties":{"parameters":{"type":"object","properties":{"path":{"type":"string"}},"required":["path"]}},"required":["parameters"]}],"example":{"comment":"Get my file","endpoint_ids":["ed518850-681a-4d60-bb98-e22640cae2a8"],"parameters":{"path":"/usr/my-file.txt"}}},"Security_Endpoint_Management_API_GetFileRouteResponse":{"example":{"data":{"agents":["ed518850-681a-4d60-bb98-e22640cae2a8"],"agentState":{"ed518850-681a-4d60-bb98-e22640cae2a8":{"isCompleted":false,"wasSuccessful":false}},"agentType":"endpoint","command":"get-file","createdBy":"myuser","hosts":{"ed518850-681a-4d60-bb98-e22640cae2a8":{"name":"gke-endpoint-gke-clu-endpoint-node-po-e1a3ab89-4c4r"}},"id":"27ba1b42-7cc6-4e53-86ce-675c876092b2","isCompleted":false,"isExpired":false,"outputs":{},"parameters":{"path":"/usr/my-file.txt"},"startedAt":"2023-07-28T19:00:03.911Z","status":"pending","wasSuccessful":false}},"type":"object","properties":{}},"Security_Endpoint_Management_API_GetProcessesRouteRequestBody":{"example":{"endpoint_ids":["ed518850-681a-4d60-bb98-e22640cae2a8"]},"type":"object","properties":{"agent_type":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_AgentTypes"},"alert_ids":{"description":"If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts.","example":["alert-id-1","alert-id-2"],"items":{"minLength":1,"type":"string"},"minItems":1,"type":"array"},"case_ids":{"description":"The IDs of cases where the action taken will be logged.","example":["case-id-1","case-id-2"],"items":{"minLength":1,"type":"string"},"minItems":1,"type":"array"},"comment":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_Comment"},"endpoint_ids":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_EndpointIds"},"parameters":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_Parameters"}},"required":["endpoint_ids"]},"Security_Endpoint_Management_API_GetProcessesRouteResponse":{"example":{"data":{"agents":["ed518850-681a-4d60-bb98-e22640cae2a8"],"agentType":"endpoint","command":"running-processes","comment":"","completedAt":"2022-07-29T19:09:44.961Z","createdBy":"myuser","errors":[],"id":"233db9ea-6733-4849-9226-5a7039c7161d","isCompleted":true,"isExpired":false,"outputs":{"ed518850-681a-4d60-bb98-e22640cae2a8":{"content":{"key":"value"},"type":"json"}},"parameters":{},"startedAt":"2022-07-29T19:08:49.126Z","wasSuccessful":true}},"type":"object","properties":{}},"Security_Endpoint_Management_API_HostPathScriptParameters":{"type":"object","properties":{"commandLine":{"description":"Command line arguments.","minLength":1,"type":"string"},"hostPath":{"description":"Absolute or relative path of script on host machine.","minLength":1,"type":"string"},"timeout":{"description":"Timeout in seconds.","minimum":1,"type":"integer"}},"required":["hostPath"]},"Security_Endpoint_Management_API_HostStatuses":{"description":"A set of agent health statuses to filter by.","example":["healthy","updating"],"items":{"enum":["healthy","offline","updating","inactive","unenrolled"],"type":"string"},"type":"array"},"Security_Endpoint_Management_API_Isolate":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails"},"Security_Endpoint_Management_API_IsolateRouteResponse":{"example":{"action":"233db9ea-6733-4849-9226-5a7039c7161d","data":{"agents":["ed518850-681a-4d60-bb98-e22640cae2a8"],"agentType":"endpoint","command":"suspend-process","comment":"suspend the process","completedAt":"2022-07-29T19:09:44.961Z","createdBy":"myuser","errors":[],"id":"233db9ea-6733-4849-9226-5a7039c7161d","isCompleted":true,"isExpired":false,"outputs":{"ed518850-681a-4d60-bb98-e22640cae2a8":{"content":{"key":"value"},"type":"json"}},"parameters":{"entity_id":"abc123"},"startedAt":"2022-07-29T19:08:49.126Z","wasSuccessful":true}},"type":"object","properties":{}},"Security_Endpoint_Management_API_KillProcess":{"allOf":[{"$ref":"#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails"},{"type":"object","properties":{"outputs":{"additionalProperties":{"type":"object","properties":{"content":{"oneOf":[{"type":"object","properties":{"code":{"type":"string"},"command":{"type":"string"},"pid":{"type":"number"}}},{"type":"object","properties":{"code":{"type":"string"},"command":{"type":"string"},"entity_id":{"type":"string"}}},{"type":"object","properties":{"code":{"type":"string"},"command":{"type":"string"},"process_name":{"type":"string"}}}]}}},"type":"object"},"parameters":{"oneOf":[{"type":"object","properties":{"pid":{"description":"The process ID (PID) of the process to terminate.","minimum":1,"type":"number"}}},{"type":"object","properties":{"entity_id":{"description":"The entity ID of the process to terminate.","minLength":1,"type":"string"}}},{"type":"object","properties":{"process_name":{"description":"The name of the process to terminate. Valid for SentinelOne agent type only.","type":"string"}}}]}}}]},"Security_Endpoint_Management_API_KillProcessRouteRequestBody":{"allOf":[{"type":"object","properties":{"agent_type":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_AgentTypes"},"alert_ids":{"description":"If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts.","example":["alert-id-1","alert-id-2"],"items":{"minLength":1,"type":"string"},"minItems":1,"type":"array"},"case_ids":{"description":"The IDs of cases where the action taken will be logged.","example":["case-id-1","case-id-2"],"items":{"minLength":1,"type":"string"},"minItems":1,"type":"array"},"comment":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_Comment"},"endpoint_ids":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_EndpointIds"},"parameters":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_Parameters"}},"required":["endpoint_ids"]},{"type":"object","properties":{"parameters":{"oneOf":[{"type":"object","properties":{"pid":{"description":"The process ID (PID) of the process to terminate.","example":123,"minimum":1,"type":"integer"}}},{"type":"object","properties":{"entity_id":{"description":"The entity ID of the process to terminate.","example":"abc123","minLength":1,"type":"string"}}},{"type":"object","properties":{"process_name":{"description":"The name of the process to terminate. Valid for SentinelOne agent type only.","example":"Elastic","minLength":1,"type":"string"}}}]}},"required":["parameters"]}],"example":{"comment":"terminate the process","endpoint_ids":["ed518850-681a-4d60-bb98-e22640cae2a8"],"parameters":{"entity_id":"abc123"}}},"Security_Endpoint_Management_API_KillProcessRouteResponse":{"example":{"data":{"agents":["ed518850-681a-4d60-bb98-e22640cae2a8"],"agentType":"endpoint","command":"kill-process","comment":"terminate the process","completedAt":"2022-07-29T19:09:44.961Z","createdBy":"myuser","errors":[],"id":"233db9ea-6733-4849-9226-5a7039c7161d","isCompleted":true,"isExpired":false,"outputs":{"ed518850-681a-4d60-bb98-e22640cae2a8":{"content":{"key":"value"},"type":"json"}},"parameters":{"entity_id":"abc123"},"startedAt":"2022-07-29T19:08:49.126Z","wasSuccessful":true}},"type":"object","properties":{}},"Security_Endpoint_Management_API_Kuery":{"description":"A KQL string.","example":"united.endpoint.host.os.name : 'Windows'","type":"string"},"Security_Endpoint_Management_API_MDERunScriptParameters":{"description":"Parameters for Run Script response action against Microsoft Defender Endpoint agent type.","example":{"agent_type":"microsoft_defender_endpoint","endpoint_ids":["endpoint-id-1"],"parameters":{"args":"-param1 value1 -param2 value2","scriptName":"my-script.ps1"}},"properties":{"args":{"description":"Optional command line arguments for the script.","minLength":1,"type":"string"},"scriptName":{"description":"The name of the script to execute from the cloud storage.","minLength":1,"type":"string"}},"required":["scriptName"],"title":"Microsoft Defender Endpoint Run Script Parameters","type":"object"},"Security_Endpoint_Management_API_MemoryDump":{"allOf":[{"$ref":"#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails"},{"type":"object","properties":{"outputs":{"additionalProperties":{"type":"object","properties":{"content":{"properties":{"code":{"type":"string"},"disk_free_space":{"description":"The free space on the host machine in bytes after the memory dump is written to disk","type":"number"},"file_size":{"description":"The size of the memory dump compressed file in bytes","type":"string"},"path":{"description":"The path to the memory dump compressed file on the host machine","type":"string"}},"title":"Memory dump output","type":"object"}}},"type":"object"},"parameters":{"oneOf":[{"properties":{"type":{"description":"Kernel level memory dump","enum":["kernel"],"type":"string"}},"required":["type"],"title":"Kernel memory dump","type":"object"},{"properties":{"pid":{"description":"The process ID (PID)","type":"number"},"type":{"description":"Process level memory dump using a process ID","enum":["process"],"type":"string"}},"required":["type","pid"],"title":"Process memory dump with PID","type":"object"},{"properties":{"entity_id":{"description":"The process entity ID","type":"string"},"type":{"description":"Process level memory dump using an entity ID","enum":["process"],"type":"string"}},"required":["type","entity_id"],"title":"Process memory dump with entity ID","type":"object"}]}},"required":["parameters"]}]},"Security_Endpoint_Management_API_MemoryDumpRouteRequestBody":{"allOf":[{"type":"object","properties":{"agent_type":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_AgentTypes"},"alert_ids":{"description":"If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts.","example":["alert-id-1","alert-id-2"],"items":{"minLength":1,"type":"string"},"minItems":1,"type":"array"},"case_ids":{"description":"The IDs of cases where the action taken will be logged.","example":["case-id-1","case-id-2"],"items":{"minLength":1,"type":"string"},"minItems":1,"type":"array"},"comment":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_Comment"},"endpoint_ids":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_EndpointIds"},"parameters":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_Parameters"}},"required":["endpoint_ids"]},{"type":"object","properties":{"parameters":{"oneOf":[{"description":"Dump the entire kernel memory.","type":"object","properties":{"type":{"enum":["kernel"],"type":"string"}},"required":["type"]},{"description":"Dump the entire memory of a process using the PID.","type":"object","properties":{"pid":{"type":"number"},"type":{"enum":["process"],"type":"string"}},"required":["type","pid"]},{"description":"Dump the entire memory of a process using the entity ID.","type":"object","properties":{"entity_id":{"type":"string"},"type":{"enum":["process"],"type":"string"}},"required":["type","entity_id"]}]}},"required":["parameters"]}]},"Security_Endpoint_Management_API_MetadataListResponse":{"example":{"data":[{"host_status":"healthy","last_checkin":"2023-07-04T15:47:57.432Z","metadata":{"@timestamp":"2023-07-04T15:47:57.432173535Z","agent":{"build":{"original":"version: 7.16.0, compiled: Tue Nov 16 16:00:00 2021, branch: 7.16, commit: 73a51033db85e0fb3be1c934697ef6a2b08979ab"},"id":"285297c6-3bff-4b83-9a07-f3e749801123","type":"endpoint","version":"7.16.0"},"data_stream":{"dataset":"endpoint.metadata","namespace":"default","type":"metrics"},"ecs":{"version":"1.11.0"},"elastic":{"agent":{"id":"285297c6-3bff-4b83-9a07-f3e749801123"}},"Endpoint":{"capabilities":["isolation"],"configuration":{"isolation":false},"policy":{"applied":{"endpoint_policy_version":"2","id":"d5371dcd-93b7-4627-af88-4084f7d6aa3e","name":"test","status":"success","version":"3"}},"state":{"isolation":false},"status":"enrolled"},"event":{"action":"endpoint_metadata","agent_id_status":"verified","category":["host"],"created":"2023-07-04T15:47:57.432173535Z","dataset":"endpoint.metadata","id":"MNtSXK/SkhEBnmgt++++++7S","ingested":"2023-07-04T15:47:58Z","kind":"metric","module":"endpoint","sequence":400,"type":["info"]},"host":{"architecture":"x86_64","hostname":"david-Xubuntu","id":"0cfead88e2024bd8a27476352b5ab264","ip":["127.0.0.1","::1","10.0.2.15","fe80::2ac7:8e15:b957:2fa1"],"mac":["08:00:27:e6:78:8b"],"name":"david-Xubuntu","os":{"Ext":{"variant":"Ubuntu"},"family":"ubuntu","full":"Ubuntu 20.04.2","kernel":"5.8.0-59-generic #66~20.04.1-Ubuntu SMP Thu Jun 17 11:14:10 UTC 2021","name":"Linux","platform":"ubuntu","type":"linux","version":"20.04.2"}},"message":"Endpoint metadata"},"policy_info":{"agent":{"applied":{"id":"ed7e3720-4bad-11ec-a2a8-fb22e62a5753","revision":0},"configured":{"id":"ed7e3720-4bad-11ec-a2a8-fb22e62a5753","revision":3}},"endpoint":{"id":"d5371dcd-93b7-4627-af88-4084f7d6aa3e","revision":2}}},{"host_status":"healthy","last_checkin":"2023-07-04T15:44:31.491Z","metadata":{"@timestamp":"2023-07-04T15:44:31.4917849Z","agent":{"build":{"original":"version: 7.16.0, compiled: Tue Nov 16 17:00:00 2021, branch: 7.16, commit: 73a51033db85e0fb3be1c934697ef6a2b08979ab"},"id":"abb8a826-6812-448c-a571-6d8269b51449","type":"endpoint","version":"7.16.0"},"data_stream":{"dataset":"endpoint.metadata","namespace":"default","type":"metrics"},"ecs":{"version":"1.11.0"},"elastic":{"agent":{"id":"abb8a826-6812-448c-a571-6d8269b51449"}},"Endpoint":{"capabilities":["isolation"],"configuration":{"isolation":false},"policy":{"applied":{"endpoint_policy_version":"2","id":"d5371dcd-93b7-4627-af88-4084f7d6aa3e","name":"test","status":"success","version":"3"}},"state":{"isolation":false},"status":"enrolled"},"event":{"action":"endpoint_metadata","agent_id_status":"verified","category":["host"],"created":"2023-07-04T15:44:31.4917849Z","dataset":"endpoint.metadata","id":"MNtRc++KoKHXXwlj+++++/N9","ingested":"2023-07-04T15:44:33Z","kind":"metric","module":"endpoint","sequence":5159,"type":["info"]},"host":{"architecture":"x86_64","hostname":"WinDev2104Eval","id":"17d9cabc-7edd-43bc-bacb-8da5f5e6c0e5","ip":["10.0.2.15","fe80::21a6:63d3:d70e:e3ad","127.0.0.1","::1"],"mac":["08:00:27:b1:1d:5a"],"name":"WinDev2104Eval","os":{"Ext":{"variant":"Windows 10 Enterprise Evaluation"},"family":"windows","full":"Windows 10 Enterprise Evaluation 20H2 (10.0.19042.906)","kernel":"20H2 (10.0.19042.906)","name":"Windows","platform":"windows","type":"windows","version":"20H2 (10.0.19042.906)"}},"message":"Endpoint metadata"},"policy_info":{"agent":{"applied":{"id":"ed7e3720-4bad-11ec-a2a8-fb22e62a5753","revision":0},"configured":{"id":"ed7e3720-4bad-11ec-a2a8-fb22e62a5753","revision":3}},"endpoint":{"id":"d5371dcd-93b7-4627-af88-4084f7d6aa3e","revision":2}}}],"page":0,"pageSize":10,"sortDirection":"desc","sortField":"enrolled_at","total":2},"type":"object","properties":{}},"Security_Endpoint_Management_API_Page":{"default":1,"description":"Page number","example":1,"minimum":1,"type":"integer"},"Security_Endpoint_Management_API_PageSize":{"default":10,"description":"Number of items per page","example":10,"maximum":100,"minimum":1,"type":"integer"},"Security_Endpoint_Management_API_Parameters":{"description":"Optional parameters object","type":"object"},"Security_Endpoint_Management_API_PendingActionDataType":{"type":"integer"},"Security_Endpoint_Management_API_PendingActionsSchema":{"oneOf":[{"type":"object","properties":{"execute":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType"},"get-file":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType"},"isolate":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType"},"kill-process":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType"},"running-processes":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType"},"scan":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType"},"suspend-process":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType"},"unisolate":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType"},"upload":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType"}}},{"additionalProperties":true,"type":"object"}]},"Security_Endpoint_Management_API_ProtectionUpdatesNoteResponse":{"type":"object","properties":{"note":{"type":"string"}}},"Security_Endpoint_Management_API_RawScriptParameters":{"type":"object","properties":{"commandLine":{"description":"Command line arguments.","minLength":1,"type":"string"},"raw":{"description":"Raw script content.","minLength":1,"type":"string"},"timeout":{"description":"Timeout in seconds.","minimum":1,"type":"integer"}},"required":["raw"]},"Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse":{"example":{"data":{"agents":["ed518850-681a-4d60-bb98-e22640cae2a8"],"agentState":{"ed518850-681a-4d60-bb98-e22640cae2a8":{"isCompleted":false,"wasSuccessful":false}},"agentType":"__agent__type__here_","command":"__command__name__here__","createdBy":"elastic","hosts":{"ed518850-681a-4d60-bb98-e22640cae2a8":{"name":"gke-node-1235412"}},"id":"233db9ea-6733-4849-9226-5a7039c7161d","isCompleted":false,"isExpired":false,"outputs":{},"parameters":{},"startedAt":"2022-07-29T19:08:49.126Z","status":"pending","wasSuccessful":false}},"type":"object","properties":{"data":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails"}}},"Security_Endpoint_Management_API_ResponseActionDetails":{"type":"object","properties":{"agents":{"description":"The agent IDs for the hosts that the response action was sent to","items":{"format":"uuid","type":"string"},"type":"array"},"agentState":{"additionalProperties":{"format":"uuid","type":"object","properties":{"completedAt":{"description":"The date and time the response action was completed for the agent ID","type":"string"},"isCompleted":{"description":"Whether the response action is completed for the agent ID","type":"boolean"},"wasSuccessful":{"description":"Whether the response action was successful for the agent ID","type":"boolean"}}},"description":"The state of the response action for each agent ID that it was sent to","type":"object"},"agentType":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_AgentTypes"},"command":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_Command"},"completedAt":{"description":"The response action completion time","format":"date-time","type":"string"},"createdBy":{"description":"The user who created the response action","type":"string"},"hosts":{"additionalProperties":{"format":"uuid","type":"object","properties":{"name":{"description":"The host name","type":"string"}}},"description":"An object containing the host names associated with the agent IDs the response action was sent to","type":"object"},"id":{"description":"The response action ID","format":"uuid","type":"string"},"isComplete":{"description":"Whether the response action is complete","type":"boolean"},"isExpired":{"description":"Whether the response action is expired","type":"boolean"},"outputs":{"additionalProperties":{"description":"The agent id","format":"uuid","properties":{"content":{"description":"The response action output content for the agent ID. Exact format depends on the response action command.","oneOf":[{"type":"object"},{"type":"string"}]},"type":{"enum":["json","text"],"type":"string"}},"required":["type","content"],"title":"Agent ID","type":"object"},"description":"The outputs of the response action for each agent ID that it was sent to. Content different depending on the\nresponse action command and will only be present for agents that have responded to the response action\n","type":"object"},"parameters":{"description":"The parameters of the response action. Content different depending on the response action command","type":"object"},"startedAt":{"description":"The response action start time","format":"date-time","type":"string"},"status":{"description":"The response action status","type":"string"},"wasSuccessful":{"description":"Whether the response action was successful","type":"boolean"}},"required":["command"]},"Security_Endpoint_Management_API_RunningProcesses":{"allOf":[{"$ref":"#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails"},{"type":"object","properties":{"outputs":{"additionalProperties":{"type":"object","properties":{"content":{"oneOf":[{"$ref":"#/components/schemas/Security_Endpoint_Management_API_RunningProcessesOutputEndpoint"},{"$ref":"#/components/schemas/Security_Endpoint_Management_API_RunningProcessesOutputSentinelOne"}]}}},"type":"object"}}}]},"Security_Endpoint_Management_API_RunningProcessesOutputEndpoint":{"description":"Processes output for `agentType` of `endpoint`","type":"object","properties":{"code":{"type":"string"},"entries":{"items":{"type":"object","properties":{"command":{"type":"string"},"entity_id":{"type":"string"},"pid":{"type":"number"},"user":{"type":"string"}}},"type":"array"}}},"Security_Endpoint_Management_API_RunningProcessesOutputSentinelOne":{"allOf":[{"$ref":"#/components/schemas/Security_Endpoint_Management_API_DownloadUri"},{"description":"Processes output for `agentType` of `sentinel_one`","type":"object","properties":{"code":{"type":"string"}}}]},"Security_Endpoint_Management_API_Runscript":{"allOf":[{"$ref":"#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails"},{"type":"object","properties":{"outputs":{"additionalProperties":{"type":"object","properties":{"content":{"allOf":[{"$ref":"#/components/schemas/Security_Endpoint_Management_API_DownloadUri"},{"type":"object","properties":{"code":{"type":"string"},"stderr":{"type":"string"},"stdout":{"type":"string"}}}]}}},"type":"object"},"parameters":{"oneOf":[{"$ref":"#/components/schemas/Security_Endpoint_Management_API_RunscriptParamsCrowdStrike"},{"$ref":"#/components/schemas/Security_Endpoint_Management_API_RunscriptParamsMicrosoft"},{"$ref":"#/components/schemas/Security_Endpoint_Management_API_RunscriptParamsSentinelOne"}]}}}]},"Security_Endpoint_Management_API_RunscriptParamsCrowdStrike":{"type":"object","properties":{"cloudFile":{"type":"string"},"commandLine":{"type":"string"},"hostPath":{"type":"string"},"raw":{"type":"string"},"timeout":{"type":"number"}}},"Security_Endpoint_Management_API_RunscriptParamsMicrosoft":{"type":"object","properties":{"args":{"type":"string"},"scriptName":{"type":"string"}}},"Security_Endpoint_Management_API_RunscriptParamsSentinelOne":{"type":"object","properties":{"scriptId":{"type":"string"},"scriptInput":{"type":"string"}}},"Security_Endpoint_Management_API_RunScriptRouteRequestBody":{"allOf":[{"type":"object","properties":{"agent_type":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_AgentTypes"},"alert_ids":{"description":"If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts.","example":["alert-id-1","alert-id-2"],"items":{"minLength":1,"type":"string"},"minItems":1,"type":"array"},"case_ids":{"description":"The IDs of cases where the action taken will be logged.","example":["case-id-1","case-id-2"],"items":{"minLength":1,"type":"string"},"minItems":1,"type":"array"},"comment":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_Comment"},"endpoint_ids":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_EndpointIds"},"parameters":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_Parameters"}},"required":["endpoint_ids"]},{"type":"object","properties":{"parameters":{"description":"One of the following set of parameters must be provided\n","oneOf":[{"$ref":"#/components/schemas/Security_Endpoint_Management_API_RawScriptParameters"},{"$ref":"#/components/schemas/Security_Endpoint_Management_API_HostPathScriptParameters"},{"$ref":"#/components/schemas/Security_Endpoint_Management_API_CloudFileScriptParameters"},{"$ref":"#/components/schemas/Security_Endpoint_Management_API_SentinelOneRunScriptParameters"},{"$ref":"#/components/schemas/Security_Endpoint_Management_API_MDERunScriptParameters"}]}},"required":["parameters"]}]},"Security_Endpoint_Management_API_Scan":{"allOf":[{"$ref":"#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails"},{"type":"object","properties":{"outputs":{"additionalProperties":{"type":"object","properties":{"content":{"type":"object","properties":{"code":{"type":"string"}}}}},"type":"object"},"parameters":{"type":"object","properties":{"path":{"type":"string"}}}}}]},"Security_Endpoint_Management_API_ScanRouteRequestBody":{"allOf":[{"type":"object","properties":{"agent_type":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_AgentTypes"},"alert_ids":{"description":"If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts.","example":["alert-id-1","alert-id-2"],"items":{"minLength":1,"type":"string"},"minItems":1,"type":"array"},"case_ids":{"description":"The IDs of cases where the action taken will be logged.","example":["case-id-1","case-id-2"],"items":{"minLength":1,"type":"string"},"minItems":1,"type":"array"},"comment":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_Comment"},"endpoint_ids":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_EndpointIds"},"parameters":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_Parameters"}},"required":["endpoint_ids"]},{"type":"object","properties":{"parameters":{"type":"object","properties":{"path":{"description":"The folder or file’s full path (including the file name).","example":"/usr/my-file.txt","type":"string"}},"required":["path"]}},"required":["parameters"]}],"example":{"comment":"Scan the file for malware","endpoint_ids":["ed518850-681a-4d60-bb98-e22640cae2a8"],"parameters":{"path":"/usr/my-file.txt"}}},"Security_Endpoint_Management_API_ScanRouteResponse":{"example":{"data":{"agents":["ed518850-681a-4d60-bb98-e22640cae2a8"],"agentState":{"ed518850-681a-4d60-bb98-e22640cae2a8":{"isCompleted":false,"wasSuccessful":false}},"agentType":"endpoint","command":"scan","createdBy":"myuser","hosts":{"ed518850-681a-4d60-bb98-e22640cae2a8":{"name":"gke-endpoint-gke-clu-endpoint-node-po-e1a3ab89-4c4r"}},"id":"27ba1b42-7cc6-4e53-86ce-675c876092b2","isCompleted":false,"isExpired":false,"outputs":{},"parameters":{"path":"/usr/my-file.txt"},"startedAt":"2023-07-28T19:00:03.911Z","status":"pending","wasSuccessful":false}},"type":"object","properties":{}},"Security_Endpoint_Management_API_SentinelOneRunScriptParameters":{"description":"Parameters for Run Script response action against SentinelOne agent type.","example":{"agent_type":"sentinel_one","endpoint_ids":["endpoint-id-1"],"parameters":{"inputParams":"--delete --paths-to-delete /tmp/temp_file.txt,/tmp/random_file.txt","script":"1111-2222-3333-4444-5555-6666-7777-8888"}},"properties":{"inputParams":{"description":"The input parameter arguments for the script that was selected.","minLength":1,"type":"string"},"script":{"description":"The script ID from SentinelOne scripts library that will be executed.","minLength":1,"type":"string"}},"required":["script"],"title":"SentinelOne Run Script Parameters","type":"object"},"Security_Endpoint_Management_API_SortDirection":{"description":"Determines the sort order.","enum":["asc","desc"],"example":"desc","type":"string"},"Security_Endpoint_Management_API_SortField":{"description":"Determines which field is used to sort the results.","enum":["enrolled_at","metadata.host.hostname","host_status","metadata.Endpoint.policy.applied.name","metadata.Endpoint.policy.applied.status","metadata.host.os.name","metadata.host.ip","metadata.agent.version","last_checkin"],"example":"enrolled_at","type":"string"},"Security_Endpoint_Management_API_StartDate":{"description":"A start date in ISO 8601 format or Date Math format.","example":"2023-10-31T00:00:00.000Z","type":"string"},"Security_Endpoint_Management_API_SuccessResponse":{"type":"object","properties":{}},"Security_Endpoint_Management_API_SuspendProcess":{"allOf":[{"$ref":"#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails"},{"type":"object","properties":{"outputs":{"additionalProperties":{"type":"object","properties":{"content":{"oneOf":[{"type":"object","properties":{"code":{"type":"string"},"command":{"type":"string"},"pid":{"type":"number"}}},{"type":"object","properties":{"code":{"type":"string"},"command":{"type":"string"},"entity_id":{"type":"string"}}}]}}},"type":"object"},"parameters":{"oneOf":[{"type":"object","properties":{"pid":{"description":"The process ID (PID) of the process to terminate.","minimum":1,"type":"number"}}},{"type":"object","properties":{"entity_id":{"description":"The entity ID of the process to terminate.","minLength":1,"type":"string"}}}]}}}]},"Security_Endpoint_Management_API_SuspendProcessRouteRequestBody":{"allOf":[{"type":"object","properties":{"agent_type":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_AgentTypes"},"alert_ids":{"description":"If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts.","example":["alert-id-1","alert-id-2"],"items":{"minLength":1,"type":"string"},"minItems":1,"type":"array"},"case_ids":{"description":"The IDs of cases where the action taken will be logged.","example":["case-id-1","case-id-2"],"items":{"minLength":1,"type":"string"},"minItems":1,"type":"array"},"comment":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_Comment"},"endpoint_ids":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_EndpointIds"},"parameters":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_Parameters"}},"required":["endpoint_ids"]},{"type":"object","properties":{"parameters":{"oneOf":[{"type":"object","properties":{"pid":{"description":"The process ID (PID) of the process to suspend.","example":123,"minimum":1,"type":"integer"}}},{"type":"object","properties":{"entity_id":{"description":"The entity ID of the process to suspend.","example":"abc123","minLength":1,"type":"string"}}}]}},"required":["parameters"]}],"example":{"comment":"suspend the process","endpoint_ids":["ed518850-681a-4d60-bb98-e22640cae2a8"],"parameters":{"entity_id":"abc123"}}},"Security_Endpoint_Management_API_SuspendProcessRouteResponse":{"example":{"data":{"agents":["ed518850-681a-4d60-bb98-e22640cae2a8"],"agentType":"endpoint","command":"suspend-process","comment":"suspend the process","completedAt":"2022-07-29T19:09:44.961Z","createdBy":"myuser","errors":[],"id":"233db9ea-6733-4849-9226-5a7039c7161d","isCompleted":true,"isExpired":false,"outputs":{"ed518850-681a-4d60-bb98-e22640cae2a8":{"content":{"key":"value"},"type":"json"}},"parameters":{"entity_id":"abc123"},"startedAt":"2022-07-29T19:08:49.126Z","wasSuccessful":true}},"type":"object","properties":{}},"Security_Endpoint_Management_API_Timeout":{"description":"The maximum timeout value in milliseconds (optional)","minimum":1,"type":"integer"},"Security_Endpoint_Management_API_Type":{"description":"Type of response action","enum":["automated","manual"],"type":"string"},"Security_Endpoint_Management_API_Types":{"description":"List of types of response actions","example":["automated","manual"],"items":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_Type"},"maxLength":2,"minLength":1,"type":"array"},"Security_Endpoint_Management_API_Unisolate":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails"},"Security_Endpoint_Management_API_UnisolateRouteResponse":{"example":{"action":"233db9ea-6733-4849-9226-5a7039c7161d","data":{"agents":["ed518850-681a-4d60-bb98-e22640cae2a8"],"agentType":"endpoint","command":"suspend-process","comment":"suspend the process","completedAt":"2022-07-29T19:09:44.961Z","createdBy":"myuser","errors":[],"id":"233db9ea-6733-4849-9226-5a7039c7161d","isCompleted":true,"isExpired":false,"outputs":{"ed518850-681a-4d60-bb98-e22640cae2a8":{"content":{"key":"value"},"type":"json"}},"parameters":{"entity_id":"abc123"},"startedAt":"2022-07-29T19:08:49.126Z","wasSuccessful":true}},"type":"object","properties":{}},"Security_Endpoint_Management_API_Upload":{"allOf":[{"$ref":"#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails"},{"type":"object","properties":{"outputs":{"additionalProperties":{"type":"object","properties":{"content":{"type":"object","properties":{"code":{"type":"string"},"disk_free_space":{"type":"number"},"path":{"type":"string"}}}}},"type":"object"},"parameters":{"description":"The parameters for upload returned on the details are derived via the API from the file that\nwas uploaded at the time that the response action was submitted\n","type":"object","properties":{"file_id":{"type":"string"},"file_name":{"type":"string"},"file_sha256":{"type":"string"},"file_size":{"type":"number"}}}}}]},"Security_Endpoint_Management_API_UploadRouteRequestBody":{"allOf":[{"type":"object","properties":{"agent_type":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_AgentTypes"},"alert_ids":{"description":"If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts.","example":["alert-id-1","alert-id-2"],"items":{"minLength":1,"type":"string"},"minItems":1,"type":"array"},"case_ids":{"description":"The IDs of cases where the action taken will be logged.","example":["case-id-1","case-id-2"],"items":{"minLength":1,"type":"string"},"minItems":1,"type":"array"},"comment":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_Comment"},"endpoint_ids":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_EndpointIds"},"parameters":{"$ref":"#/components/schemas/Security_Endpoint_Management_API_Parameters"}},"required":["endpoint_ids"]},{"type":"object","properties":{"file":{"description":"The binary content of the file.","example":"RWxhc3RpYw==","format":"binary","type":"string"},"parameters":{"type":"object","properties":{"overwrite":{"default":false,"description":"Overwrite the file on the host if it already exists.","example":false,"type":"boolean"}}}},"required":["parameters","file"]}],"example":{"endpoint_ids":["ed518850-681a-4d60-bb98-e22640cae2a8"],"file":"RWxhc3RpYw==","parameters":{}}},"Security_Endpoint_Management_API_UploadRouteResponse":{"example":{"data":{"agents":["ed518850-681a-4d60-bb98-e22640cae2a8"],"agentState":{"ed518850-681a-4d60-bb98-e22640cae2a8":{"isCompleted":false,"wasSuccessful":false}},"agentType":"endpoint","command":"upload","createdBy":"elastic","hosts":{"ed518850-681a-4d60-bb98-e22640cae2a8":{"name":"Host-5i6cuc8kdv"}},"id":"9ff6aebc-2cb6-481e-8869-9b30036c9731","isCompleted":false,"isExpired":false,"outputs":{},"parameters":{"file_id":"10e4ce3d-4abb-4f93-a0cd-eaf63a489280","file_name":"fix-malware.sh","file_sha256":"a0bed94220193ba4895c0aa5b4e7e293381d15765cb164ddf7be5cdd010ae42a","file_size":69},"startedAt":"2023-07-03T15:07:22.837Z","status":"pending","wasSuccessful":false}},"type":"object","properties":{}},"Security_Endpoint_Management_API_UserIds":{"description":"A list of user IDs.","example":["user-id-1","user-id-2"],"oneOf":[{"items":{"minLength":1,"type":"string"},"minItems":1,"type":"array"},{"minLength":1,"type":"string"}]},"Security_Endpoint_Management_API_WithOutputs":{"description":"A list of action IDs that should include the complete output of the action.","example":["action-id-1","action-id-2"],"oneOf":[{"items":{"minLength":1,"type":"string"},"minItems":1,"type":"array"},{"minLength":1,"type":"string"}]},"Security_Entity_Analytics_API_Asset":{"additionalProperties":false,"type":"object","properties":{"business_unit":{"type":"string"},"criticality":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel"},"environment":{"type":"string"},"id":{"type":"string"},"model":{"type":"string"},"name":{"type":"string"},"owner":{"type":"string"},"serial_number":{"type":"string"},"vendor":{"type":"string"}}},"Security_Entity_Analytics_API_AssetCriticalityBulkUploadErrorItem":{"type":"object","properties":{"index":{"type":"integer"},"message":{"type":"string"}},"required":["message","index"]},"Security_Entity_Analytics_API_AssetCriticalityBulkUploadStats":{"type":"object","properties":{"failed":{"type":"integer"},"successful":{"type":"integer"},"total":{"type":"integer"}},"required":["successful","failed","total"]},"Security_Entity_Analytics_API_AssetCriticalityLevel":{"description":"The criticality level of the asset.","enum":["low_impact","medium_impact","high_impact","extreme_impact"],"type":"string"},"Security_Entity_Analytics_API_AssetCriticalityLevelsForBulkUpload":{"description":"The criticality level of the asset for bulk upload. The value `unassigned` is used to indicate that the criticality level is not assigned and is only used for bulk upload.","enum":["low_impact","medium_impact","high_impact","extreme_impact","unassigned"],"type":"string"},"Security_Entity_Analytics_API_AssetCriticalityRecord":{"allOf":[{"$ref":"#/components/schemas/Security_Entity_Analytics_API_CreateAssetCriticalityRecord"},{"$ref":"#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecordEcsParts"},{"type":"object","properties":{"@timestamp":{"description":"The time the record was created or updated.","example":"2017-07-21T17:32:28Z","format":"date-time","type":"string"}},"required":["@timestamp"]}],"example":{"@timestamp":"2024-08-02T11:15:34.290Z","asset":{"criticality":"high_impact"},"criticality_level":"high_impact","host":{"asset":{"criticality":"high_impact"},"name":"my_host"},"id_field":"host.name","id_value":"my_host"}},"Security_Entity_Analytics_API_AssetCriticalityRecordEcsParts":{"type":"object","properties":{"asset":{"type":"object","properties":{"criticality":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel"}},"required":["asset"]},"entity":{"type":"object","properties":{"asset":{"type":"object","properties":{"criticality":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel"}},"required":["criticality"]},"id":{"type":"string"}},"required":["id"]},"host":{"type":"object","properties":{"asset":{"type":"object","properties":{"criticality":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel"}},"required":["criticality"]},"name":{"type":"string"}},"required":["name"]},"service":{"type":"object","properties":{"asset":{"type":"object","properties":{"criticality":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel"}},"required":["criticality"]},"name":{"type":"string"}},"required":["name"]},"user":{"type":"object","properties":{"asset":{"type":"object","properties":{"criticality":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel"}},"required":["criticality"]},"name":{"type":"string"}},"required":["name"]}},"required":["asset"]},"Security_Entity_Analytics_API_AssetCriticalityRecordIdParts":{"type":"object","properties":{"id_field":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_IdField","description":"The field representing the ID.","example":"host.name"},"id_value":{"description":"The ID value of the asset.","type":"string"}},"required":["id_value","id_field"]},"Security_Entity_Analytics_API_CleanUpRiskEngineErrorResponse":{"type":"object","properties":{"cleanup_successful":{"example":false,"type":"boolean"},"errors":{"items":{"type":"object","properties":{"error":{"type":"string"},"seq":{"type":"integer"}},"required":["seq","error"]},"type":"array"}},"required":["cleanup_successful","errors"]},"Security_Entity_Analytics_API_ConfigureRiskEngineSavedObjectErrorResponse":{"type":"object","properties":{"errors":{"items":{"type":"object","properties":{"error":{"type":"string"},"seq":{"type":"integer"}},"required":["seq","error"]},"type":"array"},"risk_engine_saved_object_configured":{"example":false,"type":"boolean"}},"required":["risk_engine_saved_object_configured","errors"]},"Security_Entity_Analytics_API_CreateAssetCriticalityRecord":{"allOf":[{"$ref":"#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecordIdParts"},{"type":"object","properties":{"criticality_level":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel"}},"required":["criticality_level"]}]},"Security_Entity_Analytics_API_EngineComponentResource":{"enum":["entity_engine","entity_definition","index","data_stream","component_template","index_template","ingest_pipeline","enrich_policy","task","transform","ilm_policy"],"type":"string"},"Security_Entity_Analytics_API_EngineComponentStatus":{"type":"object","properties":{"errors":{"items":{"type":"object","properties":{"message":{"type":"string"},"title":{"type":"string"}}},"type":"array"},"health":{"enum":["green","yellow","red","unavailable","unknown"],"type":"string"},"id":{"type":"string"},"installed":{"type":"boolean"},"metadata":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_TransformStatsMetadata"},"resource":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_EngineComponentResource"}},"required":["id","installed","resource"]},"Security_Entity_Analytics_API_EngineDataviewUpdateResult":{"type":"object","properties":{"changes":{"type":"object","properties":{"indexPatterns":{"items":{"type":"string"},"type":"array"}}},"type":{"type":"string"}},"required":["type"]},"Security_Entity_Analytics_API_EngineDescriptor":{"type":"object","properties":{"delay":{"default":"1m","pattern":"[smdh]$","type":"string"},"docsPerSecond":{"type":"integer"},"error":{"type":"object","properties":{"action":{"enum":["init"],"type":"string"},"message":{"type":"string"}},"required":["message","action"]},"fieldHistoryLength":{"type":"integer"},"filter":{"type":"string"},"frequency":{"default":"1m","pattern":"[smdh]$","type":"string"},"indexPattern":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_IndexPattern"},"lookbackPeriod":{"default":"24h","pattern":"[smdh]$","type":"string"},"status":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_EngineStatus"},"timeout":{"default":"180s","pattern":"[smdh]$","type":"string"},"timestampField":{"type":"string"},"type":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_EntityType"}},"required":["type","indexPattern","status","fieldHistoryLength"]},"Security_Entity_Analytics_API_EngineMetadata":{"additionalProperties":false,"type":"object","properties":{"Type":{"type":"string"}},"required":["Type"]},"Security_Entity_Analytics_API_EngineStatus":{"enum":["installing","started","stopped","updating","error"],"type":"string"},"Security_Entity_Analytics_API_EntitiesContainer":{"type":"object","properties":{"entities":{"items":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_EntityContainer"},"type":"array"}},"required":["entities"]},"Security_Entity_Analytics_API_Entity":{"oneOf":[{"$ref":"#/components/schemas/Security_Entity_Analytics_API_UserEntity"},{"$ref":"#/components/schemas/Security_Entity_Analytics_API_HostEntity"},{"$ref":"#/components/schemas/Security_Entity_Analytics_API_ServiceEntity"},{"$ref":"#/components/schemas/Security_Entity_Analytics_API_GenericEntity"}]},"Security_Entity_Analytics_API_EntityAnalyticsPrivileges":{"type":"object","properties":{"has_all_required":{"type":"boolean"},"has_read_permissions":{"type":"boolean"},"has_write_permissions":{"type":"boolean"},"privileges":{"type":"object","properties":{"elasticsearch":{"type":"object","properties":{"cluster":{"additionalProperties":{"type":"boolean"},"type":"object"},"index":{"additionalProperties":{"additionalProperties":{"type":"boolean"},"type":"object"},"type":"object"}}},"kibana":{"additionalProperties":{"type":"boolean"},"type":"object"}},"required":["elasticsearch"]}},"required":["has_all_required","privileges"]},"Security_Entity_Analytics_API_EntityContainer":{"type":"object","properties":{"record":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_Entity"},"type":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_EntityType"}},"required":["type","record"]},"Security_Entity_Analytics_API_EntityField":{"additionalProperties":false,"type":"object","properties":{"attributes":{"additionalProperties":false,"type":"object","properties":{"asset":{"type":"boolean"},"managed":{"type":"boolean"},"mfa_enabled":{"type":"boolean"},"privileged":{"type":"boolean"}}},"behaviors":{"additionalProperties":false,"type":"object","properties":{"brute_force_victim":{"type":"boolean"},"new_country_login":{"type":"boolean"},"used_usb_device":{"type":"boolean"}}},"EngineMetadata":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_EngineMetadata"},"id":{"type":"string"},"lifecycle":{"additionalProperties":false,"type":"object","properties":{"first_seen":{"format":"date-time","type":"string"},"last_activity":{"format":"date-time","type":"string"}}},"name":{"type":"string"},"relationships":{"additionalProperties":false,"type":"object","properties":{"accessed_frequently_by":{"items":{"type":"string"},"type":"array"},"accesses_frequently":{"items":{"type":"string"},"type":"array"},"communicates_with":{"items":{"type":"string"},"type":"array"},"dependent_of":{"items":{"type":"string"},"type":"array"},"depends_on":{"items":{"type":"string"},"type":"array"},"owned_by":{"items":{"type":"string"},"type":"array"},"owns":{"items":{"type":"string"},"type":"array"},"supervised_by":{"items":{"type":"string"},"type":"array"},"supervises":{"items":{"type":"string"},"type":"array"}}},"risk":{"additionalProperties":false,"type":"object","properties":{"calculated_level":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_EntityRiskLevels","description":"Lexical description of the entity's risk.","example":"Critical"},"calculated_score":{"description":"The raw numeric value of the given entity's risk score.","format":"double","type":"number"},"calculated_score_norm":{"description":"The normalized numeric value of the given entity's risk score. Useful for comparing with other entities.","format":"double","maximum":100,"minimum":0,"type":"number"}}},"source":{"type":"string"},"sub_type":{"type":"string"},"type":{"type":"string"}},"required":["id"]},"Security_Entity_Analytics_API_EntityRiskLevels":{"enum":["Unknown","Low","Moderate","High","Critical"],"type":"string"},"Security_Entity_Analytics_API_EntityRiskScoreRecord":{"type":"object","properties":{"@timestamp":{"description":"The time at which the risk score was calculated.","example":"2017-07-21T17:32:28Z","format":"date-time","type":"string"},"calculated_level":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_EntityRiskLevels","description":"Lexical description of the entity's risk.","example":"Critical"},"calculated_score":{"description":"The raw numeric value of the given entity's risk score.","format":"double","type":"number"},"calculated_score_norm":{"description":"The normalized numeric value of the given entity's risk score. Useful for comparing with other entities.","format":"double","maximum":100,"minimum":0,"type":"number"},"category_1_count":{"description":"The number of risk input documents that contributed to the Category 1 score (`category_1_score`).","type":"integer"},"category_1_score":{"description":"The contribution of Category 1 to the overall risk score (`calculated_score`). Category 1 contains Detection Engine Alerts.","format":"double","type":"number"},"category_2_count":{"type":"integer"},"category_2_score":{"format":"double","type":"number"},"criticality_level":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel"},"criticality_modifier":{"format":"double","type":"number"},"id_field":{"description":"The identifier field defining this risk score. Coupled with `id_value`, uniquely identifies the entity being scored.","example":"host.name","type":"string"},"id_value":{"description":"The identifier value defining this risk score. Coupled with `id_field`, uniquely identifies the entity being scored.","example":"example.host","type":"string"},"inputs":{"description":"A list of the highest-risk documents contributing to this risk score. Useful for investigative purposes.","items":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_RiskScoreInput"},"type":"array"},"modifiers":{"description":"A list of modifiers that were applied to the risk score calculation.","items":{"type":"object","properties":{"contribution":{"format":"double","type":"number"},"metadata":{"additionalProperties":true,"type":"object"},"modifier_value":{"format":"double","type":"number"},"subtype":{"type":"string"},"type":{"type":"string"}},"required":["type","contribution"]},"type":"array"},"notes":{"items":{"type":"string"},"type":"array"}},"required":["@timestamp","id_field","id_value","calculated_level","calculated_score","calculated_score_norm","category_1_score","category_1_count","inputs","notes"]},"Security_Entity_Analytics_API_EntityType":{"enum":["user","host","service","generic"],"type":"string"},"Security_Entity_Analytics_API_GenericEntity":{"additionalProperties":false,"type":"object","properties":{"@timestamp":{"format":"date-time","type":"string"},"asset":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_Asset","additionalProperties":false},"entity":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_EntityField"}},"required":["entity"]},"Security_Entity_Analytics_API_HostEntity":{"additionalProperties":false,"type":"object","properties":{"@timestamp":{"format":"date-time","type":"string"},"asset":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_Asset","additionalProperties":false},"entity":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_EntityField"},"event":{"additionalProperties":false,"type":"object","properties":{"ingested":{"format":"date-time","type":"string"}}},"host":{"additionalProperties":false,"type":"object","properties":{"architecture":{"items":{"type":"string"},"type":"array"},"domain":{"items":{"type":"string"},"type":"array"},"entity":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_EntityField"},"hostname":{"items":{"type":"string"},"type":"array"},"id":{"items":{"type":"string"},"type":"array"},"ip":{"items":{"type":"string"},"type":"array"},"mac":{"items":{"type":"string"},"type":"array"},"name":{"type":"string"},"risk":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_EntityRiskScoreRecord"},"type":{"items":{"type":"string"},"type":"array"}},"required":["name"]}},"required":["entity"]},"Security_Entity_Analytics_API_IdField":{"enum":["host.name","user.name","service.name","entity.id"],"type":"string"},"Security_Entity_Analytics_API_IndexPattern":{"type":"string"},"Security_Entity_Analytics_API_InspectQuery":{"type":"object","properties":{"dsl":{"items":{"type":"string"},"type":"array"},"response":{"items":{"type":"string"},"type":"array"}},"required":["dsl","response"]},"Security_Entity_Analytics_API_Interval":{"description":"Interval in which enrich policy runs. For example, `\"1h\"` means the rule runs every hour. Must be less than or equal to half the duration of the lookback period,","example":"1h","pattern":"^[1-9]\\d*[smh]$","type":"string"},"Security_Entity_Analytics_API_Metadata":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_TransformStatsMetadata"},"Security_Entity_Analytics_API_MonitoredUserDoc":{"allOf":[{"$ref":"#/components/schemas/Security_Entity_Analytics_API_MonitoredUserUpdateDoc"},{"type":"object","properties":{"@timestamp":{"format":"date-time","type":"string"},"event":{"type":"object","properties":{"@timestamp":{"format":"date-time","type":"string"},"ingested":{"format":"date-time","type":"string"}}},"user":{"type":"object","properties":{"entity":{"type":"object","properties":{"attributes":{"type":"object","properties":{"Privileged":{"description":"Indicates if the user is privileged.","type":"boolean"}}}}},"is_privileged":{"description":"Indicates if the user is privileged.","type":"boolean"},"name":{"type":"string"}}}}}]},"Security_Entity_Analytics_API_MonitoredUserUpdateDoc":{"type":"object","properties":{"entity_analytics_monitoring":{"type":"object","properties":{"labels":{"items":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_MonitoringLabel"},"type":"array"}}},"id":{"type":"string"},"labels":{"type":"object","properties":{"source_ids":{"items":{"type":"string"},"type":"array"},"source_integrations":{"items":{"type":"string"},"type":"array"},"sources":{"items":{"enum":["csv","index_sync","api"]},"type":"array"}}},"user":{"type":"object","properties":{"is_privileged":{"description":"Indicates if the user is privileged.","type":"boolean"},"name":{"type":"string"}}}}},"Security_Entity_Analytics_API_MonitoringEngineDescriptor":{"type":"object","properties":{"error":{"type":"object","properties":{"message":{"description":"Error message typically only present if the engine is in error state","type":"string"}}},"status":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_PrivilegeMonitoringEngineStatus"}},"required":["status"]},"Security_Entity_Analytics_API_MonitoringLabel":{"type":"object","properties":{"field":{"type":"string"},"source":{"type":"string"},"value":{"type":"string"}},"required":["field","value","source"]},"Security_Entity_Analytics_API_PrivilegeMonitoringEngineStatus":{"description":"The status of the Privilege Monitoring Engine","enum":["started","error","disabled","not_installed"],"type":"string"},"Security_Entity_Analytics_API_PrivmonUserCsvUploadErrorItem":{"type":"object","properties":{"index":{"nullable":true,"type":"integer"},"message":{"type":"string"},"username":{"nullable":true,"type":"string"}},"required":["message","index","username"]},"Security_Entity_Analytics_API_PrivmonUserCsvUploadStats":{"type":"object","properties":{"failedOperations":{"type":"integer"},"successfulOperations":{"type":"integer"},"totalOperations":{"type":"integer"},"uploaded":{"type":"integer"}},"required":["successfulOperations","uploaded","failedOperations","totalOperations"]},"Security_Entity_Analytics_API_RiskEngineScheduleNowErrorResponse":{"type":"object","properties":{"full_error":{"type":"string"},"message":{"type":"string"}},"required":["message","full_error"]},"Security_Entity_Analytics_API_RiskEngineScheduleNowResponse":{"type":"object","properties":{"success":{"type":"boolean"}}},"Security_Entity_Analytics_API_RiskScoreInput":{"description":"A generic representation of a document contributing to a Risk Score.","type":"object","properties":{"category":{"description":"The risk category of the risk input document.","example":"category_1","type":"string"},"contribution_score":{"format":"double","type":"number"},"description":{"description":"A human-readable description of the risk input document.","example":"Generated from Detection Engine Rule: Malware Prevention Alert","type":"string"},"id":{"description":"The unique identifier (`_id`) of the original source document","example":"91a93376a507e86cfbf282166275b89f9dbdb1f0be6c8103c6ff2909ca8e1a1c","type":"string"},"index":{"description":"The unique index (`_index`) of the original source document","example":".internal.alerts-security.alerts-default-000001","type":"string"},"risk_score":{"description":"The weighted risk score of the risk input document.","format":"double","maximum":100,"minimum":0,"type":"number"},"timestamp":{"description":"The @timestamp of the risk input document.","example":"2017-07-21T17:32:28Z","type":"string"}},"required":["id","index","description","category"]},"Security_Entity_Analytics_API_ServiceEntity":{"additionalProperties":false,"type":"object","properties":{"@timestamp":{"format":"date-time","type":"string"},"asset":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_Asset","additionalProperties":false},"entity":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_EntityField"},"event":{"additionalProperties":false,"type":"object","properties":{"ingested":{"format":"date-time","type":"string"}}},"service":{"additionalProperties":false,"type":"object","properties":{"entity":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_EntityField"},"name":{"type":"string"},"risk":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_EntityRiskScoreRecord"}},"required":["name"]}},"required":["entity"]},"Security_Entity_Analytics_API_StoreStatus":{"enum":["not_installed","installing","running","stopped","error"],"type":"string"},"Security_Entity_Analytics_API_TaskManagerUnavailableResponse":{"description":"Task manager is unavailable","type":"object","properties":{"message":{"type":"string"},"status_code":{"minimum":400,"type":"integer"}},"required":["status_code","message"]},"Security_Entity_Analytics_API_TransformStatsMetadata":{"type":"object","properties":{"delete_time_in_ms":{"type":"integer"},"documents_deleted":{"type":"integer"},"documents_indexed":{"type":"integer"},"documents_processed":{"type":"integer"},"exponential_avg_checkpoint_duration_ms":{"type":"integer"},"exponential_avg_documents_indexed":{"type":"integer"},"exponential_avg_documents_processed":{"type":"integer"},"index_failures":{"type":"integer"},"index_time_in_ms":{"type":"integer"},"index_total":{"type":"integer"},"pages_processed":{"type":"integer"},"processing_time_in_ms":{"type":"integer"},"processing_total":{"type":"integer"},"search_failures":{"type":"integer"},"search_time_in_ms":{"type":"integer"},"search_total":{"type":"integer"},"trigger_count":{"type":"integer"}},"required":["pages_processed","documents_processed","documents_indexed","trigger_count","index_time_in_ms","index_total","index_failures","search_time_in_ms","search_total","search_failures","processing_time_in_ms","processing_total","exponential_avg_checkpoint_duration_ms","exponential_avg_documents_indexed","exponential_avg_documents_processed"]},"Security_Entity_Analytics_API_UserEntity":{"additionalProperties":false,"type":"object","properties":{"@timestamp":{"format":"date-time","type":"string"},"asset":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_Asset","additionalProperties":false},"entity":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_EntityField"},"event":{"additionalProperties":false,"type":"object","properties":{"ingested":{"format":"date-time","type":"string"}}},"user":{"additionalProperties":false,"type":"object","properties":{"domain":{"items":{"type":"string"},"type":"array"},"email":{"items":{"type":"string"},"type":"array"},"full_name":{"items":{"type":"string"},"type":"array"},"hash":{"items":{"type":"string"},"type":"array"},"id":{"items":{"type":"string"},"type":"array"},"name":{"type":"string"},"risk":{"$ref":"#/components/schemas/Security_Entity_Analytics_API_EntityRiskScoreRecord","additionalProperties":false},"roles":{"items":{"type":"string"},"type":"array"}},"required":["name"]}},"required":["entity"]},"Security_Entity_Analytics_API_UserName":{"type":"object","properties":{"entity_analytics_monitoring":{"description":"Entity analytics monitoring configuration for the user","type":"object","properties":{"labels":{"description":"Array of labels associated with the user","items":{"type":"object","properties":{"field":{"description":"The field name for the label","type":"string"},"source":{"description":"The source where this label was created (api, csv, or index_sync)","enum":["api","csv","index_sync"],"type":"string"},"value":{"description":"The value of the label","type":"string"}}},"type":"array"}}},"user":{"type":"object","properties":{"name":{"description":"The name of the user.","type":"string"}}}}},"Security_Exceptions_API_CreateExceptionListItemComment":{"type":"object","properties":{"comment":{"$ref":"#/components/schemas/Security_Exceptions_API_NonEmptyString"}},"required":["comment"]},"Security_Exceptions_API_CreateExceptionListItemCommentArray":{"items":{"$ref":"#/components/schemas/Security_Exceptions_API_CreateExceptionListItemComment"},"type":"array"},"Security_Exceptions_API_CreateRuleExceptionListItemComment":{"type":"object","properties":{"comment":{"$ref":"#/components/schemas/Security_Exceptions_API_NonEmptyString"}},"required":["comment"]},"Security_Exceptions_API_CreateRuleExceptionListItemCommentArray":{"items":{"$ref":"#/components/schemas/Security_Exceptions_API_CreateRuleExceptionListItemComment"},"type":"array"},"Security_Exceptions_API_CreateRuleExceptionListItemProps":{"type":"object","properties":{"comments":{"$ref":"#/components/schemas/Security_Exceptions_API_CreateRuleExceptionListItemCommentArray","default":[]},"description":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListItemDescription"},"entries":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray"},"expire_time":{"format":"date-time","type":"string"},"item_id":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId"},"meta":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListItemMeta"},"name":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListItemName"},"namespace_type":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType","default":"single"},"os_types":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray","default":[]},"tags":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListItemTags","default":[]},"type":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListItemType"}},"required":["type","name","description","entries"]},"Security_Exceptions_API_ExceptionList":{"type":"object","properties":{"_version":{"description":"The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version.","type":"string"},"created_at":{"description":"Autogenerated date of object creation.","format":"date-time","type":"string"},"created_by":{"description":"Autogenerated value - user that created object.","type":"string"},"description":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListDescription"},"id":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListId"},"immutable":{"type":"boolean"},"list_id":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListHumanId"},"meta":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListMeta"},"name":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListName"},"namespace_type":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType"},"os_types":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray"},"tags":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListTags"},"tie_breaker_id":{"description":"Field used in search to ensure all containers are sorted and returned correctly.","type":"string"},"type":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListType"},"updated_at":{"description":"Autogenerated date of last object update.","format":"date-time","type":"string"},"updated_by":{"description":"Autogenerated value - user that last updated object.","type":"string"},"version":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListVersion"}},"required":["id","list_id","type","name","description","immutable","namespace_type","version","tie_breaker_id","created_at","created_by","updated_at","updated_by"]},"Security_Exceptions_API_ExceptionListDescription":{"description":"Describes the exception list.","example":"This list tracks allowlisted values.","type":"string"},"Security_Exceptions_API_ExceptionListHumanId":{"description":"The exception list's human readable string identifier, `endpoint_list`.","example":"simple_list","format":"nonempty","minLength":1,"type":"string"},"Security_Exceptions_API_ExceptionListId":{"description":"Exception list's identifier.","example":"9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85","format":"nonempty","minLength":1,"type":"string"},"Security_Exceptions_API_ExceptionListItem":{"type":"object","properties":{"_version":{"description":"The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version.","type":"string"},"comments":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListItemCommentArray"},"created_at":{"description":"Autogenerated date of object creation.","format":"date-time","type":"string"},"created_by":{"description":"Autogenerated value - user that created object.","type":"string"},"description":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListItemDescription"},"entries":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray"},"expire_time":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListItemExpireTime"},"id":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListItemId"},"item_id":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId"},"list_id":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListHumanId"},"meta":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListItemMeta"},"name":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListItemName"},"namespace_type":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType"},"os_types":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray"},"tags":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListItemTags"},"tie_breaker_id":{"description":"Field used in search to ensure all containers are sorted and returned correctly.","type":"string"},"type":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListItemType"},"updated_at":{"description":"Autogenerated date of last object update.","format":"date-time","type":"string"},"updated_by":{"description":"Autogenerated value - user that last updated object.","type":"string"}},"required":["id","item_id","list_id","type","name","description","entries","namespace_type","comments","tie_breaker_id","created_at","created_by","updated_at","updated_by"]},"Security_Exceptions_API_ExceptionListItemComment":{"type":"object","properties":{"comment":{"$ref":"#/components/schemas/Security_Exceptions_API_NonEmptyString"},"created_at":{"description":"Autogenerated date of object creation.","format":"date-time","type":"string"},"created_by":{"$ref":"#/components/schemas/Security_Exceptions_API_NonEmptyString"},"id":{"$ref":"#/components/schemas/Security_Exceptions_API_NonEmptyString"},"updated_at":{"description":"Autogenerated date of last object update.","format":"date-time","type":"string"},"updated_by":{"$ref":"#/components/schemas/Security_Exceptions_API_NonEmptyString"}},"required":["id","comment","created_at","created_by"]},"Security_Exceptions_API_ExceptionListItemCommentArray":{"description":"Array of comment fields:\n\n- comment (string): Comments about the exception item.\n","items":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListItemComment"},"type":"array"},"Security_Exceptions_API_ExceptionListItemDescription":{"description":"Describes the exception list.","type":"string"},"Security_Exceptions_API_ExceptionListItemEntry":{"anyOf":[{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatch"},{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchAny"},{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryList"},{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryExists"},{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryNested"},{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchWildcard"}],"discriminator":{"propertyName":"type"}},"Security_Exceptions_API_ExceptionListItemEntryArray":{"items":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListItemEntry"},"type":"array"},"Security_Exceptions_API_ExceptionListItemEntryExists":{"type":"object","properties":{"field":{"$ref":"#/components/schemas/Security_Exceptions_API_NonEmptyString"},"operator":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator"},"type":{"enum":["exists"],"type":"string"}},"required":["type","field","operator"]},"Security_Exceptions_API_ExceptionListItemEntryList":{"type":"object","properties":{"field":{"$ref":"#/components/schemas/Security_Exceptions_API_NonEmptyString"},"list":{"type":"object","properties":{"id":{"$ref":"#/components/schemas/Security_Exceptions_API_ListId"},"type":{"$ref":"#/components/schemas/Security_Exceptions_API_ListType"}},"required":["id","type"]},"operator":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator"},"type":{"enum":["list"],"type":"string"}},"required":["type","field","list","operator"]},"Security_Exceptions_API_ExceptionListItemEntryMatch":{"type":"object","properties":{"field":{"$ref":"#/components/schemas/Security_Exceptions_API_NonEmptyString"},"operator":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator"},"type":{"enum":["match"],"type":"string"},"value":{"$ref":"#/components/schemas/Security_Exceptions_API_NonEmptyString"}},"required":["type","field","value","operator"]},"Security_Exceptions_API_ExceptionListItemEntryMatchAny":{"type":"object","properties":{"field":{"$ref":"#/components/schemas/Security_Exceptions_API_NonEmptyString"},"operator":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator"},"type":{"enum":["match_any"],"type":"string"},"value":{"items":{"$ref":"#/components/schemas/Security_Exceptions_API_NonEmptyString"},"minItems":1,"type":"array"}},"required":["type","field","value","operator"]},"Security_Exceptions_API_ExceptionListItemEntryMatchWildcard":{"type":"object","properties":{"field":{"$ref":"#/components/schemas/Security_Exceptions_API_NonEmptyString"},"operator":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator"},"type":{"enum":["wildcard"],"type":"string"},"value":{"$ref":"#/components/schemas/Security_Exceptions_API_NonEmptyString"}},"required":["type","field","value","operator"]},"Security_Exceptions_API_ExceptionListItemEntryNested":{"type":"object","properties":{"entries":{"items":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryNestedEntryItem"},"minItems":1,"type":"array"},"field":{"$ref":"#/components/schemas/Security_Exceptions_API_NonEmptyString"},"type":{"enum":["nested"],"type":"string"}},"required":["type","field","entries"]},"Security_Exceptions_API_ExceptionListItemEntryNestedEntryItem":{"oneOf":[{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatch"},{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchAny"},{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryExists"}]},"Security_Exceptions_API_ExceptionListItemEntryOperator":{"enum":["excluded","included"],"type":"string"},"Security_Exceptions_API_ExceptionListItemExpireTime":{"description":"The exception item’s expiration date, in ISO format. This field is only available for regular exception items, not endpoint exceptions.","format":"date-time","type":"string"},"Security_Exceptions_API_ExceptionListItemHumanId":{"description":"Human readable string identifier, e.g. `trusted-linux-processes`","example":"simple_list_item","format":"nonempty","minLength":1,"type":"string"},"Security_Exceptions_API_ExceptionListItemId":{"description":"Exception's identifier.","example":"71a9f4b2-c85c-49b4-866f-c71eb9e67da2","format":"nonempty","minLength":1,"type":"string"},"Security_Exceptions_API_ExceptionListItemMeta":{"additionalProperties":true,"type":"object"},"Security_Exceptions_API_ExceptionListItemName":{"description":"Exception list name.","format":"nonempty","minLength":1,"type":"string"},"Security_Exceptions_API_ExceptionListItemOsTypeArray":{"items":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListOsType"},"type":"array"},"Security_Exceptions_API_ExceptionListItemTags":{"items":{"description":"String array containing words and phrases to help categorize exception items.","format":"nonempty","minLength":1,"type":"string"},"type":"array"},"Security_Exceptions_API_ExceptionListItemType":{"enum":["simple"],"type":"string"},"Security_Exceptions_API_ExceptionListMeta":{"additionalProperties":true,"description":"Placeholder for metadata about the list container.","type":"object"},"Security_Exceptions_API_ExceptionListName":{"description":"The name of the exception list.","example":"My exception list","type":"string"},"Security_Exceptions_API_ExceptionListOsType":{"description":"Use this field to specify the operating system.","enum":["linux","macos","windows"],"type":"string"},"Security_Exceptions_API_ExceptionListOsTypeArray":{"description":"Use this field to specify the operating system. Only enter one value.","items":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListOsType"},"type":"array"},"Security_Exceptions_API_ExceptionListsImportBulkError":{"type":"object","properties":{"error":{"type":"object","properties":{"message":{"type":"string"},"status_code":{"type":"integer"}},"required":["status_code","message"]},"id":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListId"},"item_id":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId"},"list_id":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListHumanId"}},"required":["error"]},"Security_Exceptions_API_ExceptionListsImportBulkErrorArray":{"items":{"$ref":"#/components/schemas/Security_Exceptions_API_ExceptionListsImportBulkError"},"type":"array"},"Security_Exceptions_API_ExceptionListTags":{"description":"String array containing words and phrases to help categorize exception containers.","items":{"type":"string"},"type":"array"},"Security_Exceptions_API_ExceptionListType":{"description":"The type of exception list to be created. Different list types may denote where they can be utilized.","enum":["detection","rule_default","endpoint","endpoint_trusted_apps","endpoint_trusted_devices","endpoint_events","endpoint_host_isolation_exceptions","endpoint_blocklists"],"type":"string"},"Security_Exceptions_API_ExceptionListVersion":{"description":"The document version, automatically increasd on updates.","minimum":1,"type":"integer"},"Security_Exceptions_API_ExceptionNamespaceType":{"description":"Determines whether the exception container is available in all Kibana spaces or just the space\nin which it is created, where:\n\n- `single`: Only available in the Kibana space in which it is created.\n- `agnostic`: Available in all Kibana spaces.\n","enum":["agnostic","single"],"type":"string"},"Security_Exceptions_API_FindExceptionListItemsFilter":{"$ref":"#/components/schemas/Security_Exceptions_API_NonEmptyString"},"Security_Exceptions_API_FindExceptionListsFilter":{"example":"exception-list.attributes.name:%Detection%20List","type":"string"},"Security_Exceptions_API_ListId":{"description":"Value list's identifier.","example":"21b01cfb-058d-44b9-838c-282be16c91cd","format":"nonempty","minLength":1,"type":"string"},"Security_Exceptions_API_ListType":{"description":"Specifies the Elasticsearch data type of excludes the list container holds. Some common examples:\n\n- `keyword`: Many ECS fields are Elasticsearch keywords\n- `ip`: IP addresses\n- `ip_range`: Range of IP addresses (supports IPv4, IPv6, and CIDR notation)\n","enum":["binary","boolean","byte","date","date_nanos","date_range","double","double_range","float","float_range","geo_point","geo_shape","half_float","integer","integer_range","ip","ip_range","keyword","long","long_range","shape","short","text"],"type":"string"},"Security_Exceptions_API_NonEmptyString":{"description":"A string that does not contain only whitespace characters","format":"nonempty","minLength":1,"type":"string"},"Security_Exceptions_API_PlatformErrorResponse":{"type":"object","properties":{"error":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"integer"}},"required":["statusCode","error","message"]},"Security_Exceptions_API_RuleId":{"$ref":"#/components/schemas/Security_Exceptions_API_UUID"},"Security_Exceptions_API_SiemErrorResponse":{"type":"object","properties":{"message":{"type":"string"},"status_code":{"type":"integer"}},"required":["status_code","message"]},"Security_Exceptions_API_UpdateExceptionListItemComment":{"type":"object","properties":{"comment":{"$ref":"#/components/schemas/Security_Exceptions_API_NonEmptyString"},"id":{"$ref":"#/components/schemas/Security_Exceptions_API_NonEmptyString"}},"required":["comment"]},"Security_Exceptions_API_UpdateExceptionListItemCommentArray":{"items":{"$ref":"#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemComment"},"type":"array"},"Security_Exceptions_API_UUID":{"description":"A universally unique identifier","format":"uuid","type":"string"},"Security_Lists_API_FindListItemsCursor":{"description":"Returns the items that come after the last item returned in the previous call (use the `cursor` value returned in the previous call). This parameter uses the `tie_breaker_id` field to ensure all items are sorted and returned correctly.","example":"WzIwLFsiYjU3Yzc2MmMtMzAzNi00NjVjLTliZmItN2JmYjVlNmU1MTVhIl1d","format":"nonempty","minLength":1,"type":"string"},"Security_Lists_API_FindListItemsFilter":{"example":"value:127.0.0.1","type":"string"},"Security_Lists_API_FindListsCursor":{"example":"WzIwLFsiYjU3Yzc2MmMtMzAzNi00NjVjLTliZmItN2JmYjVlNmU1MTVhIl1d","format":"nonempty","minLength":1,"type":"string"},"Security_Lists_API_FindListsFilter":{"example":"value:127.0.0.1","type":"string"},"Security_Lists_API_List":{"type":"object","properties":{"_version":{"$ref":"#/components/schemas/Security_Lists_API_ListVersionId"},"@timestamp":{"example":"2025-01-08T04:47:34.273Z","format":"date-time","type":"string"},"created_at":{"description":"Autogenerated date of object creation.","example":"2025-01-08T04:47:34.273Z","format":"date-time","type":"string"},"created_by":{"description":"Autogenerated value - user that created object.","example":"elastic","type":"string"},"description":{"$ref":"#/components/schemas/Security_Lists_API_ListDescription"},"deserializer":{"$ref":"#/components/schemas/Security_Lists_API_ListDeserializer"},"id":{"$ref":"#/components/schemas/Security_Lists_API_ListId"},"immutable":{"type":"boolean"},"meta":{"$ref":"#/components/schemas/Security_Lists_API_ListMetadata"},"name":{"$ref":"#/components/schemas/Security_Lists_API_ListName"},"serializer":{"$ref":"#/components/schemas/Security_Lists_API_ListSerializer"},"tie_breaker_id":{"description":"Field used in search to ensure all containers are sorted and returned correctly.","example":"f5508188-b1e9-4e6e-9662-d039a7d89899","type":"string"},"type":{"$ref":"#/components/schemas/Security_Lists_API_ListType"},"updated_at":{"description":"Autogenerated date of last object update.","example":"2025-01-08T04:47:34.273Z","format":"date-time","type":"string"},"updated_by":{"description":"Autogenerated value - user that last updated object.","example":"elastic","type":"string"},"version":{"$ref":"#/components/schemas/Security_Lists_API_ListVersion"}},"required":["id","type","name","description","immutable","version","tie_breaker_id","created_at","created_by","updated_at","updated_by"]},"Security_Lists_API_ListDescription":{"description":"Describes the value list.","format":"nonempty","minLength":1,"type":"string"},"Security_Lists_API_ListDeserializer":{"description":"Determines how retrieved list item values are presented. By default list items are presented using these Handelbar expressions:\n\n- `{{{value}}}` - Single value item types, such as `ip`, `long`, `date`, `keyword`, and `text`.\n- `{{{gte}}}-{{{lte}}}` - Range value item types, such as `ip_range`, `double_range`, `float_range`, `integer_range`, and `long_range`.\n- `{{{gte}}},{{{lte}}}` - Date range values.\n","example":"{{value}}","type":"string"},"Security_Lists_API_ListId":{"description":"Value list's identifier.","example":"21b01cfb-058d-44b9-838c-282be16c91cd","format":"nonempty","minLength":1,"type":"string"},"Security_Lists_API_ListItem":{"type":"object","properties":{"_version":{"$ref":"#/components/schemas/Security_Lists_API_ListVersionId"},"@timestamp":{"example":"2025-01-08T04:47:34.273Z","format":"date-time","type":"string"},"created_at":{"description":"Autogenerated date of object creation.","example":"2025-01-08T04:47:34.273Z","format":"date-time","type":"string"},"created_by":{"description":"Autogenerated value - user that created object.","example":"elastic","type":"string"},"deserializer":{"$ref":"#/components/schemas/Security_Lists_API_ListDeserializer"},"id":{"$ref":"#/components/schemas/Security_Lists_API_ListItemId"},"list_id":{"$ref":"#/components/schemas/Security_Lists_API_ListId"},"meta":{"$ref":"#/components/schemas/Security_Lists_API_ListItemMetadata"},"serializer":{"$ref":"#/components/schemas/Security_Lists_API_ListSerializer"},"tie_breaker_id":{"description":"Field used in search to ensure all containers are sorted and returned correctly.","example":"f5508188-b1e9-4e6e-9662-d039a7d89899","type":"string"},"type":{"$ref":"#/components/schemas/Security_Lists_API_ListType"},"updated_at":{"description":"Autogenerated date of last object update.","example":"2025-01-08T04:47:34.273Z","format":"date-time","type":"string"},"updated_by":{"description":"Autogenerated value - user that last updated object.","example":"elastic","type":"string"},"value":{"$ref":"#/components/schemas/Security_Lists_API_ListItemValue"}},"required":["id","type","list_id","value","tie_breaker_id","created_at","created_by","updated_at","updated_by"]},"Security_Lists_API_ListItemId":{"description":"Value list item's identifier.","example":"54b01cfb-058d-44b9-838c-282be16c91cd","format":"nonempty","minLength":1,"type":"string"},"Security_Lists_API_ListItemMetadata":{"additionalProperties":true,"description":"Placeholder for metadata about the value list item.","type":"object"},"Security_Lists_API_ListItemPrivileges":{"type":"object","properties":{"application":{"additionalProperties":{"type":"boolean"},"type":"object"},"cluster":{"additionalProperties":{"type":"boolean"},"type":"object"},"has_all_requested":{"type":"boolean"},"index":{"additionalProperties":{"additionalProperties":{"type":"boolean"},"type":"object"},"type":"object"},"username":{"type":"string"}},"required":["username","has_all_requested","cluster","index","application"]},"Security_Lists_API_ListItemValue":{"description":"The value used to evaluate exceptions.","format":"nonempty","minLength":1,"type":"string"},"Security_Lists_API_ListMetadata":{"additionalProperties":true,"description":"Placeholder for metadata about the value list.","type":"object"},"Security_Lists_API_ListName":{"description":"Value list's name.","example":"List of bad IPs","format":"nonempty","minLength":1,"type":"string"},"Security_Lists_API_ListPrivileges":{"type":"object","properties":{"application":{"additionalProperties":{"type":"boolean"},"type":"object"},"cluster":{"additionalProperties":{"type":"boolean"},"type":"object"},"has_all_requested":{"type":"boolean"},"index":{"additionalProperties":{"additionalProperties":{"type":"boolean"},"type":"object"},"type":"object"},"username":{"type":"string"}},"required":["username","has_all_requested","cluster","index","application"]},"Security_Lists_API_ListSerializer":{"description":"Determines how uploaded list item values are parsed. By default, list items are parsed using these named regex groups:\n\n- `(?\u003cvalue\u003e.+)` - Single value item types, such as ip, long, date, keyword, and text.\n- `(?\u003cgte\u003e.+)-(?\u003clte\u003e.+)|(?\u003cvalue\u003e.+)` - Range value item types, such as `date_range`, `ip_range`, `double_range`, `float_range`, `integer_range`, and `long_range`.\n","example":"(?\u003cvalue\u003e((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?).){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))","type":"string"},"Security_Lists_API_ListType":{"description":"Specifies the Elasticsearch data type of excludes the list container holds. Some common examples:\n\n- `keyword`: Many ECS fields are Elasticsearch keywords\n- `ip`: IP addresses\n- `ip_range`: Range of IP addresses (supports IPv4, IPv6, and CIDR notation)\n","enum":["binary","boolean","byte","date","date_nanos","date_range","double","double_range","float","float_range","geo_point","geo_shape","half_float","integer","integer_range","ip","ip_range","keyword","long","long_range","shape","short","text"],"type":"string"},"Security_Lists_API_ListVersion":{"description":"The document version number.","example":1,"minimum":1,"type":"integer"},"Security_Lists_API_ListVersionId":{"description":"The version id, normally returned by the API when the document is retrieved. Use it ensure updates are done against the latest version.\n","example":"WzIsMV0=","type":"string"},"Security_Lists_API_PlatformErrorResponse":{"type":"object","properties":{"error":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"integer"}},"required":["statusCode","error","message"]},"Security_Lists_API_SiemErrorResponse":{"type":"object","properties":{"message":{"type":"string"},"status_code":{"type":"integer"}},"required":["status_code","message"]},"Security_Osquery_API_ArrayQueries":{"description":"An array of queries to run.","items":{"$ref":"#/components/schemas/Security_Osquery_API_ArrayQueriesItem"},"type":"array"},"Security_Osquery_API_ArrayQueriesItem":{"type":"object","properties":{"ecs_mapping":{"$ref":"#/components/schemas/Security_Osquery_API_ECSMapping"},"id":{"$ref":"#/components/schemas/Security_Osquery_API_QueryId"},"platform":{"$ref":"#/components/schemas/Security_Osquery_API_Platform"},"query":{"$ref":"#/components/schemas/Security_Osquery_API_Query"},"removed":{"$ref":"#/components/schemas/Security_Osquery_API_Removed"},"snapshot":{"$ref":"#/components/schemas/Security_Osquery_API_Snapshot"},"version":{"$ref":"#/components/schemas/Security_Osquery_API_Version"}}},"Security_Osquery_API_CreateLiveQueryRequestBody":{"example":{"agent_all":true,"ecs_mapping":{"host.uptime":{"field":"total_seconds"}},"query":"select * from uptime;"},"type":"object","properties":{"agent_all":{"description":"When `true`, the query runs on all agents.","type":"boolean"},"agent_ids":{"description":"A list of agent IDs to run the query on.","items":{"type":"string"},"type":"array"},"agent_platforms":{"description":"A list of agent platforms to run the query on.","items":{"type":"string"},"type":"array"},"agent_policy_ids":{"description":"A list of agent policy IDs to run the query on.","items":{"type":"string"},"type":"array"},"alert_ids":{"description":"A list of alert IDs associated with the live query.","items":{"type":"string"},"type":"array"},"case_ids":{"description":"A list of case IDs associated with the live query.","items":{"type":"string"},"type":"array"},"ecs_mapping":{"$ref":"#/components/schemas/Security_Osquery_API_ECSMapping"},"event_ids":{"description":"A list of event IDs associated with the live query.","items":{"type":"string"},"type":"array"},"metadata":{"description":"Custom metadata object associated with the live query.","nullable":true,"type":"object"},"pack_id":{"$ref":"#/components/schemas/Security_Osquery_API_PackId"},"queries":{"$ref":"#/components/schemas/Security_Osquery_API_ArrayQueries"},"query":{"$ref":"#/components/schemas/Security_Osquery_API_Query"},"saved_query_id":{"$ref":"#/components/schemas/Security_Osquery_API_SavedQueryId"}}},"Security_Osquery_API_CreateLiveQueryResponse":{"example":{"data":{"@timestamp":"2022-07-26T09:59:32.220Z","action_id":"3c42c847-eb30-4452-80e0-728584042334","agent_all":true,"agent_ids":[],"agent_platforms":[],"agent_policy_ids":[],"agents":["16d7caf5-efd2-4212-9b62-73dafc91fa13"],"expiration":"2022-07-26T10:04:32.220Z","input_type":"osquery","metadata":{"execution_context":{"name":"osquery","url":"/app/osquery/live_queries/new"}},"queries":[{"action_id":"609c4c66-ba3d-43fa-afdd-53e244577aa0","agents":["16d7caf5-efd2-4212-9b62-73dafc91fa13"],"ecs_mapping":{"host.uptime":{"field":"total_seconds"}},"id":"6724a474-cbba-41ef-a1aa-66aebf0879e2","query":"select * from uptime;","timeout":120}],"type":"INPUT_ACTION","user_id":"elastic"}},"type":"object","properties":{}},"Security_Osquery_API_CreatePacksRequestBody":{"example":{"description":"My pack","enabled":true,"name":"my_pack","policy_ids":["my_policy_id","fleet-server-policy"],"queries":{"my_query":{"ecs_mapping":{"client.port":{"field":"port"},"tags":{"value":["tag1","tag2"]}},"interval":60,"query":"SELECT * FROM listening_ports;","timeout":120}},"shards":{"fleet-server-policy":58,"my_policy_id":35}},"type":"object","properties":{"description":{"$ref":"#/components/schemas/Security_Osquery_API_PackDescription"},"enabled":{"$ref":"#/components/schemas/Security_Osquery_API_Enabled"},"name":{"$ref":"#/components/schemas/Security_Osquery_API_PackName"},"policy_ids":{"$ref":"#/components/schemas/Security_Osquery_API_PolicyIds"},"queries":{"$ref":"#/components/schemas/Security_Osquery_API_ObjectQueries"},"shards":{"$ref":"#/components/schemas/Security_Osquery_API_Shards"}}},"Security_Osquery_API_CreatePacksResponse":{"example":{"data":{"created_at":"2025-02-26T13:37:30.452Z","created_by":"elastic","description":"My pack","enabled":true,"name":"my_pack","queries":{"ports":{"ecs_mapping":{"client.port":{"field":"port"}},"interval":60,"query":"SELECT * FROM listening_ports;","removed":false,"snapshot":true,"timeout":120}},"saved_object_id":"1c266590-381f-428c-878f-c80c1334f856","shards":[{"key":"47638692-7c4c-4053-aa3e-7186f28df349","value":35},{"key":"5e267651-fe50-443e-8d3f-3bbc9171b618","value":58}],"updated_at":"2025-02-26T13:37:30.452Z","updated_by":"elastic"}},"type":"object","properties":{}},"Security_Osquery_API_CreateSavedQueryRequestBody":{"example":{"description":"Saved query description","ecs_mapping":{"host.uptime":{"field":"total_seconds"}},"id":"saved_query_id","interval":"60","platform":"linux,darwin","query":"select * from uptime;","timeout":120,"version":"2.8.0"},"type":"object","properties":{"description":{"$ref":"#/components/schemas/Security_Osquery_API_SavedQueryDescription"},"ecs_mapping":{"$ref":"#/components/schemas/Security_Osquery_API_ECSMapping"},"id":{"$ref":"#/components/schemas/Security_Osquery_API_SavedQueryId"},"interval":{"$ref":"#/components/schemas/Security_Osquery_API_Interval"},"platform":{"$ref":"#/components/schemas/Security_Osquery_API_Platform"},"query":{"$ref":"#/components/schemas/Security_Osquery_API_Query"},"removed":{"$ref":"#/components/schemas/Security_Osquery_API_Removed"},"snapshot":{"$ref":"#/components/schemas/Security_Osquery_API_Snapshot"},"version":{"$ref":"#/components/schemas/Security_Osquery_API_Version"}}},"Security_Osquery_API_CreateSavedQueryResponse":{"example":{"data":{}},"type":"object","properties":{}},"Security_Osquery_API_DefaultSuccessResponse":{"type":"object","properties":{}},"Security_Osquery_API_ECSMapping":{"additionalProperties":{"$ref":"#/components/schemas/Security_Osquery_API_ECSMappingItem"},"description":"Map osquery results columns or static values to Elastic Common Schema (ECS) fields","example":{"host.uptime":{"field":"total_seconds"}},"type":"object"},"Security_Osquery_API_ECSMappingItem":{"type":"object","properties":{"field":{"description":"The ECS field to map to.","example":"host.uptime","type":"string"},"value":{"description":"The value to map to the ECS field.","example":"total_seconds","oneOf":[{"type":"string"},{"items":{"type":"string"},"type":"array"}]}}},"Security_Osquery_API_ECSMappingOrUndefined":{"$ref":"#/components/schemas/Security_Osquery_API_ECSMapping","nullable":true},"Security_Osquery_API_Enabled":{"description":"Enables the pack.","example":true,"type":"boolean"},"Security_Osquery_API_EnabledOrUndefined":{"$ref":"#/components/schemas/Security_Osquery_API_Enabled","nullable":true},"Security_Osquery_API_FindLiveQueryDetailsResponse":{"example":{"data":{"@timestamp":"2022-07-26T09:59:32.220Z","action_id":"3c42c847-eb30-4452-80e0-728584042334","agents":["16d7caf5-efd2-4212-9b62-73dafc91fa13"],"expiration":"2022-07-26T10:04:32.220Z","queries":[{"action_id":"609c4c66-ba3d-43fa-afdd-53e244577aa0","agents":["16d7caf5-efd2-4212-9b62-73dafc91fa13"],"docs":0,"ecs_mapping":{"host.uptime":{"field":"total_seconds"}},"failed":1,"id":"6724a474-cbba-41ef-a1aa-66aebf0879e2","pending":0,"query":"select * from uptime;","responded":1,"saved_query_id":"42ba9c50-0cc5-11ed-aa1d-2b27890bc90d","status":"completed","successful":0}],"status":"completed","user_id":"elastic"}},"type":"object","properties":{}},"Security_Osquery_API_FindLiveQueryResponse":{"example":{"data":{"items":[{"fields":{"@timestamp":"2023-10-31T00:00:00Z","action_id":"3c42c847-eb30-4452-80e0-728584042334","agents":["16d7caf5-efd2-4212-9b62-73dafc91fa13"],"expiration":"2023-10-31T00:00:00Z","queries":[{"action_id":"609c4c66-ba3d-43fa-afdd-53e244577aa0","agents":["16d7caf5-efd2-4212-9b62-73dafc91fa13"],"ecs_mapping":{"host.uptime":{"field":"total_seconds"}},"id":"6724a474-cbba-41ef-a1aa-66aebf0879e2","query":"select * from uptime;","saved_query_id":"42ba9c50-0cc5-11ed-aa1d-2b27890bc90d"}],"user_id":"elastic"}}]}},"type":"object","properties":{}},"Security_Osquery_API_FindPackResponse":{"example":{"data":{"created_at":"2022-07-25T19:41:10.263Z","created_by":"elastic","description":"","enabled":true,"id":"3c42c847-eb30-4452-80e0-728584042334","name":"test_pack","namespaces":["default"],"policy_ids":[],"queries":{"uptime":{"ecs_mapping":{"message":{"field":"days"}},"interval":3600,"query":"select * from uptime"}},"read_only":false,"type":"osquery-pack","updated_at":"2022-07-25T20:12:01.455Z","updated_by":"elastic"}},"type":"object","properties":{}},"Security_Osquery_API_FindPacksResponse":{"example":{"data":[{"attributes":{"created_at":"2023-10-31T00:00:00Z","created_by":"elastic","description":"My pack description","enabled":true,"name":"My Pack","queries":[{"ecs_mapping":[{"host.uptime":{"field":"total_seconds"}}],"id":"uptime","interval":"3600","query":"select * from uptime;"}],"updated_at":"2023-10-31T00:00:00Z","updated_by":"elastic"},"id":"42ba9c50-0cc5-11ed-aa1d-2b27890bc90d","namespaces":["default"],"type":"osquery-pack"}],"page":1,"pageSize":10,"policy_ids":[],"total":1},"type":"object","properties":{}},"Security_Osquery_API_FindSavedQueryDetailResponse":{"example":{"data":{"attributes":{"created_at":"2022-07-26T09:28:08.597Z","created_by":"elastic","description":"Saved query description","ecs_mapping":{"host.uptime":{"field":"total_seconds"}},"id":"saved_query_id","interval":"60","platform":"linux,darwin","prebuilt":false,"query":"select * from uptime;","updated_at":"2022-07-26T09:28:08.597Z","updated_by":"elastic","version":"2.8.0"},"coreMigrationVersion":"8.4.0","id":"3c42c847-eb30-4452-80e0-728584042334","namespaces":["default"],"references":[],"type":"osquery-saved-query","updated_at":"2022-07-26T09:28:08.600Z","version":"WzQzMTcsMV0="}},"type":"object","properties":{}},"Security_Osquery_API_FindSavedQueryResponse":{"example":{"data":[{"attributes":{"created_at":"2022-07-26T09:28:08.597Z","created_by":"elastic","description":"Saved query description","ecs_mapping":{"host.uptime":{"field":"total_seconds"}},"id":"saved_query_id","interval":"60","platform":"linux,darwin","prebuilt":false,"query":"select * from uptime;","updated_at":"2022-07-26T09:28:08.597Z","updated_by":"elastic","version":"2.8.0"},"id":"42ba9c50-0cc5-11ed-aa1d-2b27890bc90d","namespaces":["default"],"type":"osquery-saved-query"}],"page":1,"per_page":100,"total":11},"type":"object","properties":{}},"Security_Osquery_API_GetLiveQueryResultsResponse":{"description":"The response for getting live query results.","example":{"data":{"edges":[{},{}],"total":2}},"type":"object","properties":{}},"Security_Osquery_API_Interval":{"description":"An interval, in seconds, on which to run the query.","example":"60","type":"string"},"Security_Osquery_API_IntervalOrUndefined":{"$ref":"#/components/schemas/Security_Osquery_API_Interval","nullable":true},"Security_Osquery_API_KueryOrUndefined":{"description":"The kuery to filter the results by.","example":"agent.id: 16d7caf5-efd2-4212-9b62-73dafc91fa13","nullable":true,"type":"string"},"Security_Osquery_API_ObjectQueries":{"additionalProperties":{"$ref":"#/components/schemas/Security_Osquery_API_ObjectQueriesItem"},"description":"An object of queries.","type":"object"},"Security_Osquery_API_ObjectQueriesItem":{"type":"object","properties":{"ecs_mapping":{"$ref":"#/components/schemas/Security_Osquery_API_ECSMapping"},"id":{"$ref":"#/components/schemas/Security_Osquery_API_QueryId"},"platform":{"$ref":"#/components/schemas/Security_Osquery_API_Platform"},"query":{"$ref":"#/components/schemas/Security_Osquery_API_Query"},"removed":{"$ref":"#/components/schemas/Security_Osquery_API_Removed"},"saved_query_id":{"$ref":"#/components/schemas/Security_Osquery_API_SavedQueryId"},"snapshot":{"$ref":"#/components/schemas/Security_Osquery_API_Snapshot"},"version":{"$ref":"#/components/schemas/Security_Osquery_API_Version"}}},"Security_Osquery_API_PackDescription":{"description":"The pack description.","example":"Pack description","type":"string"},"Security_Osquery_API_PackDescriptionOrUndefined":{"$ref":"#/components/schemas/Security_Osquery_API_PackDescription","nullable":true},"Security_Osquery_API_PackId":{"description":"The ID of the pack you want to run, retrieve, update, or delete.","example":"3c42c847-eb30-4452-80e0-728584042334","type":"string"},"Security_Osquery_API_PackIdOrUndefined":{"$ref":"#/components/schemas/Security_Osquery_API_PackId","nullable":true},"Security_Osquery_API_PackName":{"description":"The pack name.","type":"string"},"Security_Osquery_API_PageOrUndefined":{"description":"The page number to return. The default is 1.","example":1,"nullable":true,"type":"integer"},"Security_Osquery_API_PageSizeOrUndefined":{"description":"The number of results to return per page. The default is 20.","example":20,"nullable":true,"type":"integer"},"Security_Osquery_API_Platform":{"description":"Restricts the query to a specified platform. The default is all platforms. To specify multiple platforms, use commas. For example, `linux,darwin`.","example":"linux,darwin","type":"string"},"Security_Osquery_API_PlatformOrUndefined":{"$ref":"#/components/schemas/Security_Osquery_API_Platform","nullable":true},"Security_Osquery_API_PolicyIds":{"description":"A list of agents policy IDs.","example":["policyId1","policyId2"],"items":{"type":"string"},"type":"array"},"Security_Osquery_API_PolicyIdsOrUndefined":{"$ref":"#/components/schemas/Security_Osquery_API_PolicyIds","nullable":true},"Security_Osquery_API_Query":{"description":"The SQL query you want to run.","example":"select * from uptime;","type":"string"},"Security_Osquery_API_QueryId":{"description":"The ID of the query.","example":"3c42c847-eb30-4452-80e0-728584042334","type":"string"},"Security_Osquery_API_QueryOrUndefined":{"$ref":"#/components/schemas/Security_Osquery_API_Query","nullable":true},"Security_Osquery_API_Removed":{"description":"Indicates whether the query is removed.","example":false,"type":"boolean"},"Security_Osquery_API_RemovedOrUndefined":{"$ref":"#/components/schemas/Security_Osquery_API_Removed","nullable":true},"Security_Osquery_API_SavedQueryDescription":{"description":"The saved query description.","example":"Saved query description","type":"string"},"Security_Osquery_API_SavedQueryDescriptionOrUndefined":{"$ref":"#/components/schemas/Security_Osquery_API_SavedQueryDescription","nullable":true},"Security_Osquery_API_SavedQueryId":{"description":"The ID of a saved query.","example":"3c42c847-eb30-4452-80e0-728584042334","type":"string"},"Security_Osquery_API_SavedQueryIdOrUndefined":{"$ref":"#/components/schemas/Security_Osquery_API_SavedQueryId","nullable":true},"Security_Osquery_API_Shards":{"additionalProperties":{"type":"number"},"description":"An object with shard configuration for policies included in the pack. For each policy, set the shard configuration to a percentage (1–100) of target hosts.","example":{"policy_id":50},"type":"object"},"Security_Osquery_API_Snapshot":{"description":"Indicates whether the query is a snapshot.","example":true,"type":"boolean"},"Security_Osquery_API_SnapshotOrUndefined":{"$ref":"#/components/schemas/Security_Osquery_API_Snapshot","nullable":true},"Security_Osquery_API_SortOrderOrUndefined":{"description":"Specifies the sort order.","enum":["asc","desc"],"example":"desc","type":"string"},"Security_Osquery_API_SortOrUndefined":{"default":"createdAt","description":"The field that is used to sort the results.","example":"createdAt","nullable":true,"type":"string"},"Security_Osquery_API_UpdatePacksRequestBody":{"example":{"name":"updated_my_pack_name"},"type":"object","properties":{"description":{"$ref":"#/components/schemas/Security_Osquery_API_PackDescription"},"enabled":{"$ref":"#/components/schemas/Security_Osquery_API_Enabled"},"name":{"$ref":"#/components/schemas/Security_Osquery_API_PackName"},"policy_ids":{"$ref":"#/components/schemas/Security_Osquery_API_PolicyIds"},"queries":{"$ref":"#/components/schemas/Security_Osquery_API_ObjectQueries"},"shards":{"$ref":"#/components/schemas/Security_Osquery_API_Shards"}}},"Security_Osquery_API_UpdatePacksResponse":{"example":{"data":{"created_at":"2025-02-26T13:37:30.452Z","created_by":"elastic","description":"My pack","enabled":true,"name":"updated_my_pack_name","queries":{"ports":{"ecs_mapping":{"client.port":{"field":"port"}},"interval":60,"query":"SELECT * FROM listening_ports;","removed":false,"snapshot":true,"timeout":120}},"saved_object_id":"1c266590-381f-428c-878f-c80c1334f856","shards":[{"key":"47638692-7c4c-4053-aa3e-7186f28df349","value":35},{"key":"5e267651-fe50-443e-8d3f-3bbc9171b618","value":58}],"updated_at":"2025-02-26T13:40:16.297Z","updated_by":"elastic"}},"type":"object","properties":{}},"Security_Osquery_API_UpdateSavedQueryRequestBody":{"example":{"id":"updated_my_saved_query_name"},"type":"object","properties":{"description":{"$ref":"#/components/schemas/Security_Osquery_API_SavedQueryDescription"},"ecs_mapping":{"$ref":"#/components/schemas/Security_Osquery_API_ECSMapping"},"id":{"$ref":"#/components/schemas/Security_Osquery_API_SavedQueryId"},"interval":{"$ref":"#/components/schemas/Security_Osquery_API_Interval"},"platform":{"$ref":"#/components/schemas/Security_Osquery_API_Platform"},"query":{"$ref":"#/components/schemas/Security_Osquery_API_Query"},"removed":{"$ref":"#/components/schemas/Security_Osquery_API_Removed"},"snapshot":{"$ref":"#/components/schemas/Security_Osquery_API_Snapshot"},"version":{"$ref":"#/components/schemas/Security_Osquery_API_Version"}}},"Security_Osquery_API_UpdateSavedQueryResponse":{"example":{"data":{}},"type":"object","properties":{}},"Security_Osquery_API_Version":{"description":"Uses the Osquery versions greater than or equal to the specified version string.","example":"1.0.0","type":"string"},"Security_Osquery_API_VersionOrUndefined":{"$ref":"#/components/schemas/Security_Osquery_API_Version","nullable":true},"Security_Timeline_API_AssociatedFilterType":{"description":"Filter notes based on their association with a document or saved object.","enum":["all","document_only","saved_object_only","document_and_saved_object","orphan"],"type":"string"},"Security_Timeline_API_BareNote":{"allOf":[{"$ref":"#/components/schemas/Security_Timeline_API_NoteCreatedAndUpdatedMetadata"},{"type":"object","properties":{"eventId":{"description":"The `_id` of the associated event for this note.","example":"d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc","nullable":true,"type":"string"},"note":{"description":"The text of the note","example":"This is an example text","nullable":true,"type":"string"},"timelineId":{"description":"The `savedObjectId` of the Timeline that this note is associated with","example":"15c1929b-0af7-42bd-85a8-56e234cc7c4e","type":"string"}},"required":["timelineId"]}]},"Security_Timeline_API_BarePinnedEvent":{"allOf":[{"$ref":"#/components/schemas/Security_Timeline_API_PinnedEventCreatedAndUpdatedMetadata"},{"type":"object","properties":{"eventId":{"description":"The `_id` of the associated event for this pinned event.","example":"d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc","type":"string"},"timelineId":{"description":"The `savedObjectId` of the timeline that this pinned event is associated with","example":"15c1929b-0af7-42bd-85a8-56e234cc7c4e","type":"string"}},"required":["eventId","timelineId"]}]},"Security_Timeline_API_ColumnHeaderResult":{"type":"object","properties":{"aggregatable":{"nullable":true,"type":"boolean"},"category":{"nullable":true,"type":"string"},"columnHeaderType":{"nullable":true,"type":"string"},"description":{"nullable":true,"type":"string"},"example":{"nullable":true,"type":"string"},"id":{"nullable":true,"type":"string"},"indexes":{"items":{"type":"string"},"nullable":true,"type":"array"},"name":{"nullable":true,"type":"string"},"placeholder":{"nullable":true,"type":"string"},"searchable":{"nullable":true,"type":"boolean"},"type":{"nullable":true,"type":"string"}}},"Security_Timeline_API_DataProviderQueryMatch":{"type":"object","properties":{"enabled":{"nullable":true,"type":"boolean"},"excluded":{"nullable":true,"type":"boolean"},"id":{"nullable":true,"type":"string"},"kqlQuery":{"nullable":true,"type":"string"},"name":{"nullable":true,"type":"string"},"queryMatch":{"$ref":"#/components/schemas/Security_Timeline_API_QueryMatchResult","nullable":true},"type":{"$ref":"#/components/schemas/Security_Timeline_API_DataProviderType","nullable":true}}},"Security_Timeline_API_DataProviderResult":{"type":"object","properties":{"and":{"items":{"$ref":"#/components/schemas/Security_Timeline_API_DataProviderQueryMatch"},"nullable":true,"type":"array"},"enabled":{"nullable":true,"type":"boolean"},"excluded":{"nullable":true,"type":"boolean"},"id":{"nullable":true,"type":"string"},"kqlQuery":{"nullable":true,"type":"string"},"name":{"nullable":true,"type":"string"},"queryMatch":{"$ref":"#/components/schemas/Security_Timeline_API_QueryMatchResult","nullable":true},"type":{"$ref":"#/components/schemas/Security_Timeline_API_DataProviderType","nullable":true}}},"Security_Timeline_API_DataProviderType":{"description":"The type of data provider.","enum":["default","template"],"type":"string"},"Security_Timeline_API_DocumentIds":{"oneOf":[{"items":{"type":"string"},"type":"array"},{"type":"string"}]},"Security_Timeline_API_FavoriteTimelineResponse":{"type":"object","properties":{"favorite":{"items":{"$ref":"#/components/schemas/Security_Timeline_API_FavoriteTimelineResult"},"type":"array"},"savedObjectId":{"type":"string"},"templateTimelineId":{"nullable":true,"type":"string"},"templateTimelineVersion":{"nullable":true,"type":"number"},"timelineType":{"$ref":"#/components/schemas/Security_Timeline_API_TimelineType"},"version":{"type":"string"}},"required":["savedObjectId","version"]},"Security_Timeline_API_FavoriteTimelineResult":{"description":"Indicates when and who marked a Timeline as a favorite.","example":{"favoriteDate":1741337636741,"userName":"elastic"},"type":"object","properties":{"favoriteDate":{"nullable":true,"type":"number"},"fullName":{"nullable":true,"type":"string"},"userName":{"nullable":true,"type":"string"}}},"Security_Timeline_API_FilterTimelineResult":{"example":{"meta":{"alias":"Custom filter name","disabled":false,"index":".alerts-security.alerts-default,logs-*","key":"@timestamp","negate":"false,","type":"exists","value":"exists"},"query":"{\"exists\":{\"field\":\"@timestamp\"}}"},"type":"object","properties":{"exists":{"nullable":true,"type":"string"},"match_all":{"nullable":true,"type":"string"},"meta":{"nullable":true,"type":"object","properties":{"alias":{"nullable":true,"type":"string"},"controlledBy":{"nullable":true,"type":"string"},"disabled":{"nullable":true,"type":"boolean"},"field":{"nullable":true,"type":"string"},"formattedValue":{"nullable":true,"type":"string"},"index":{"nullable":true,"type":"string"},"key":{"nullable":true,"type":"string"},"negate":{"nullable":true,"type":"boolean"},"params":{"nullable":true,"type":"string"},"type":{"nullable":true,"type":"string"},"value":{"nullable":true,"type":"string"}}},"missing":{"nullable":true,"type":"string"},"query":{"nullable":true,"type":"string"},"range":{"nullable":true,"type":"string"},"script":{"nullable":true,"type":"string"}}},"Security_Timeline_API_GetNotesResult":{"type":"object","properties":{"notes":{"items":{"$ref":"#/components/schemas/Security_Timeline_API_Note"},"type":"array"},"totalCount":{"type":"number"}},"required":["totalCount","notes"]},"Security_Timeline_API_ImportTimelineResult":{"type":"object","properties":{"errors":{"description":"The list of failed Timeline imports","items":{"type":"object","properties":{"error":{"description":"The error containing the reason why the timeline could not be imported","type":"object","properties":{"message":{"description":"The reason why the timeline could not be imported","example":"Malformed JSON","type":"string"},"status_code":{"description":"The HTTP status code of the error","example":400,"type":"number"}}},"id":{"description":"The ID of the timeline that failed to import","example":"6ce1b592-84e3-4b4a-9552-f189d4b82075","type":"string"}}},"type":"array"},"success":{"description":"Indicates whether any of the Timelines were successfully imports","type":"boolean"},"success_count":{"description":"The amount of successfully imported/updated Timelines","example":99,"type":"number"},"timelines_installed":{"description":"The amount of successfully installed Timelines","example":80,"type":"number"},"timelines_updated":{"description":"The amount of successfully updated Timelines","example":19,"type":"number"}}},"Security_Timeline_API_ImportTimelines":{"allOf":[{"$ref":"#/components/schemas/Security_Timeline_API_SavedTimeline"},{"type":"object","properties":{"eventNotes":{"items":{"$ref":"#/components/schemas/Security_Timeline_API_BareNote"},"nullable":true,"type":"array"},"globalNotes":{"items":{"$ref":"#/components/schemas/Security_Timeline_API_BareNote"},"nullable":true,"type":"array"},"pinnedEventIds":{"items":{"type":"string"},"nullable":true,"type":"array"},"savedObjectId":{"nullable":true,"type":"string"},"version":{"nullable":true,"type":"string"}},"required":["savedObjectId","version","pinnedEventIds","eventNotes","globalNotes"]}]},"Security_Timeline_API_Note":{"allOf":[{"$ref":"#/components/schemas/Security_Timeline_API_BareNote"},{"type":"object","properties":{"noteId":{"description":"The `savedObjectId` of the note","example":"709f99c6-89b6-4953-9160-35945c8e174e","type":"string"},"version":{"description":"The version of the note","example":"WzQ2LDFd","type":"string"}},"required":["noteId","version"]}]},"Security_Timeline_API_NoteCreatedAndUpdatedMetadata":{"type":"object","properties":{"created":{"description":"The time the note was created, using a 13-digit Epoch timestamp.","example":1587468588922,"nullable":true,"type":"number"},"createdBy":{"description":"The user who created the note.","example":"casetester","nullable":true,"type":"string"},"updated":{"description":"The last time the note was updated, using a 13-digit Epoch timestamp","example":1741344876825,"nullable":true,"type":"number"},"updatedBy":{"description":"The user who last updated the note","example":"casetester","nullable":true,"type":"string"}}},"Security_Timeline_API_PersistPinnedEventResponse":{"oneOf":[{"$ref":"#/components/schemas/Security_Timeline_API_PinnedEvent"},{"type":"object","properties":{"unpinned":{"description":"Indicates whether the event was successfully unpinned","type":"boolean"}},"required":["unpinned"]}]},"Security_Timeline_API_PersistTimelineResponse":{"$ref":"#/components/schemas/Security_Timeline_API_TimelineResponse"},"Security_Timeline_API_PinnedEvent":{"allOf":[{"$ref":"#/components/schemas/Security_Timeline_API_BarePinnedEvent"},{"type":"object","properties":{"pinnedEventId":{"description":"The `savedObjectId` of this pinned event","example":"10r1929b-0af7-42bd-85a8-56e234f98h2f3","type":"string"},"version":{"description":"The version of this pinned event","example":"WzQ2LDFe","type":"string"}},"required":["pinnedEventId","version"]}]},"Security_Timeline_API_PinnedEventCreatedAndUpdatedMetadata":{"type":"object","properties":{"created":{"description":"The time the pinned event was created, using a 13-digit Epoch timestamp.","example":1587468588922,"nullable":true,"type":"number"},"createdBy":{"description":"The user who created the pinned event.","example":"casetester","nullable":true,"type":"string"},"updated":{"description":"The last time the pinned event was updated, using a 13-digit Epoch timestamp","example":1741344876825,"nullable":true,"type":"number"},"updatedBy":{"description":"The user who last updated the pinned event","example":"casetester","nullable":true,"type":"string"}}},"Security_Timeline_API_QueryMatchResult":{"type":"object","properties":{"displayField":{"nullable":true,"type":"string"},"displayValue":{"nullable":true,"type":"string"},"field":{"nullable":true,"type":"string"},"operator":{"nullable":true,"type":"string"},"value":{"oneOf":[{"nullable":true,"type":"string"},{"items":{"type":"string"},"nullable":true,"type":"array"}]}}},"Security_Timeline_API_ResolvedTimeline":{"type":"object","properties":{"alias_purpose":{"$ref":"#/components/schemas/Security_Timeline_API_SavedObjectResolveAliasPurpose"},"alias_target_id":{"type":"string"},"outcome":{"$ref":"#/components/schemas/Security_Timeline_API_SavedObjectResolveOutcome"},"timeline":{"$ref":"#/components/schemas/Security_Timeline_API_TimelineSavedToReturnObject"}},"required":["timeline","outcome"]},"Security_Timeline_API_ResponseNote":{"type":"object","properties":{"note":{"$ref":"#/components/schemas/Security_Timeline_API_Note"}},"required":["note"]},"Security_Timeline_API_RowRendererId":{"description":"Identifies the available row renderers","enum":["alert","alerts","auditd","auditd_file","library","netflow","plain","registry","suricata","system","system_dns","system_endgame_process","system_file","system_fim","system_security_event","system_socket","threat_match","zeek"],"type":"string"},"Security_Timeline_API_SavedObjectIds":{"oneOf":[{"items":{"type":"string"},"type":"array"},{"type":"string"}]},"Security_Timeline_API_SavedObjectResolveAliasPurpose":{"enum":["savedObjectConversion","savedObjectImport"],"type":"string"},"Security_Timeline_API_SavedObjectResolveOutcome":{"enum":["exactMatch","aliasMatch","conflict"],"type":"string"},"Security_Timeline_API_SavedTimeline":{"type":"object","properties":{"columns":{"description":"The Timeline's columns","example":[{"columnHeaderType":"not-filtered","id":"@timestamp"},{"columnHeaderType":"not-filtered","id":"event.category"}],"items":{"$ref":"#/components/schemas/Security_Timeline_API_ColumnHeaderResult"},"nullable":true,"type":"array"},"created":{"description":"The time the Timeline was created, using a 13-digit Epoch timestamp.","example":1587468588922,"nullable":true,"type":"number"},"createdBy":{"description":"The user who created the Timeline.","example":"casetester","nullable":true,"type":"string"},"dataProviders":{"description":"Object containing query clauses","example":[{"enabled":true,"excluded":false,"id":"id-d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b","name":"d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b","queryMatch":{"field":"_id,","operator":":","value":"d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b,"}}],"items":{"$ref":"#/components/schemas/Security_Timeline_API_DataProviderResult"},"nullable":true,"type":"array"},"dataViewId":{"description":"ID of the Timeline's Data View","example":"security-solution-default","nullable":true,"type":"string"},"dateRange":{"description":"The Timeline's search period.","example":{"end":1587456479201,"start":1587370079200},"nullable":true,"type":"object","properties":{"end":{"oneOf":[{"nullable":true,"type":"string"},{"nullable":true,"type":"number"}]},"start":{"oneOf":[{"nullable":true,"type":"string"},{"nullable":true,"type":"number"}]}}},"description":{"description":"The Timeline's description","example":"Investigating exposure of CVE XYZ","nullable":true,"type":"string"},"eqlOptions":{"description":"EQL query that is used in the correlation tab","example":{"eventCategoryField":"event.category","query":"sequence\\n[process where process.name == \"sudo\"]\\n[any where true]","size":100,"timestampField":"@timestamp"},"nullable":true,"type":"object","properties":{"eventCategoryField":{"nullable":true,"type":"string"},"query":{"nullable":true,"type":"string"},"size":{"oneOf":[{"nullable":true,"type":"string"},{"nullable":true,"type":"number"}]},"tiebreakerField":{"nullable":true,"type":"string"},"timestampField":{"nullable":true,"type":"string"}}},"eventType":{"deprecated":true,"description":"Event types displayed in the Timeline","example":"all","nullable":true,"type":"string"},"excludedRowRendererIds":{"description":"A list of row renderers that should not be used when in `Event renderers` mode","items":{"$ref":"#/components/schemas/Security_Timeline_API_RowRendererId"},"nullable":true,"type":"array"},"favorite":{"items":{"$ref":"#/components/schemas/Security_Timeline_API_FavoriteTimelineResult"},"nullable":true,"type":"array"},"filters":{"description":"A list of filters that should be applied to the query","items":{"$ref":"#/components/schemas/Security_Timeline_API_FilterTimelineResult"},"nullable":true,"type":"array"},"indexNames":{"description":"A list of index names to use in the query (e.g. when the default data view has been modified)","example":[".logs*"],"items":{"type":"string"},"nullable":true,"type":"array"},"kqlMode":{"description":"Indicates whether the KQL bar filters the query results or searches for additional results, where:\n  * `filter`: filters query results\n  * `search`: displays additional search results","example":"search","nullable":true,"type":"string"},"kqlQuery":{"$ref":"#/components/schemas/Security_Timeline_API_SerializedFilterQueryResult","nullable":true},"savedQueryId":{"description":"The ID of the saved query that might be used in the Query tab","example":"c7b16904-02d7-4f32-b8f2-cc20f9625d6e","nullable":true,"type":"string"},"savedSearchId":{"description":"The ID of the saved search that is used in the ES|QL tab","example":"6ce1b592-84e3-4b4a-9552-f189d4b82075","nullable":true,"type":"string"},"sort":{"$ref":"#/components/schemas/Security_Timeline_API_Sort","nullable":true},"status":{"$ref":"#/components/schemas/Security_Timeline_API_TimelineStatus","nullable":true},"templateTimelineId":{"description":"A unique ID (UUID) for Timeline templates. For Timelines, the value is `null`.","example":"6ce1b592-84e3-4b4a-9552-f189d4b82075","nullable":true,"type":"string"},"templateTimelineVersion":{"description":"Timeline template version number. For Timelines, the value is `null`.","example":12,"nullable":true,"type":"number"},"timelineType":{"$ref":"#/components/schemas/Security_Timeline_API_TimelineType","nullable":true},"title":{"description":"The Timeline's title.","example":"CVE XYZ investigation","nullable":true,"type":"string"},"updated":{"description":"The last time the Timeline was updated, using a 13-digit Epoch timestamp","example":1741344876825,"nullable":true,"type":"number"},"updatedBy":{"description":"The user who last updated the Timeline","example":"casetester","nullable":true,"type":"string"}}},"Security_Timeline_API_SavedTimelineWithSavedObjectId":{"allOf":[{"$ref":"#/components/schemas/Security_Timeline_API_SavedTimeline"},{"type":"object","properties":{"savedObjectId":{"description":"The `savedObjectId` of the Timeline or Timeline template","example":"15c1929b-0af7-42bd-85a8-56e234cc7c4e","type":"string"},"version":{"description":"The version of the Timeline or Timeline template","example":"WzE0LDFd","type":"string"}},"required":["savedObjectId","version"]}]},"Security_Timeline_API_SerializedFilterQueryResult":{"description":"KQL bar query.","example":{"filterQuery":null,"kuery":{"expression":"_id : *","kind":"kuery"},"serializedQuery":"{\"bool\":{\"should\":[{\"exists\":{\"field\":\"_id\"}}],\"minimum_should_match\":1}}"},"type":"object","properties":{"filterQuery":{"nullable":true,"type":"object","properties":{"kuery":{"nullable":true,"type":"object","properties":{"expression":{"nullable":true,"type":"string"},"kind":{"nullable":true,"type":"string"}}},"serializedQuery":{"nullable":true,"type":"string"}}}}},"Security_Timeline_API_Sort":{"oneOf":[{"$ref":"#/components/schemas/Security_Timeline_API_SortObject"},{"items":{"$ref":"#/components/schemas/Security_Timeline_API_SortObject"},"type":"array"}]},"Security_Timeline_API_SortFieldTimeline":{"description":"The field to sort the timelines by.","enum":["title","description","updated","created"],"type":"string"},"Security_Timeline_API_SortObject":{"description":"Object indicating how rows are sorted in the Timeline's grid","example":{"columnId":"@timestamp","sortDirection":"desc"},"type":"object","properties":{"columnId":{"nullable":true,"type":"string"},"columnType":{"nullable":true,"type":"string"},"sortDirection":{"nullable":true,"type":"string"}}},"Security_Timeline_API_TimelineResponse":{"allOf":[{"$ref":"#/components/schemas/Security_Timeline_API_SavedTimeline"},{"$ref":"#/components/schemas/Security_Timeline_API_SavedTimelineWithSavedObjectId"},{"type":"object","properties":{"eventIdToNoteIds":{"description":"A list of all the notes that are associated to this Timeline.","items":{"$ref":"#/components/schemas/Security_Timeline_API_Note"},"nullable":true,"type":"array"},"noteIds":{"description":"A list of all the ids of notes that are associated to this Timeline.","example":["709f99c6-89b6-4953-9160-35945c8e174e"],"items":{"type":"string"},"nullable":true,"type":"array"},"notes":{"description":"A list of all the notes that are associated to this Timeline.","items":{"$ref":"#/components/schemas/Security_Timeline_API_Note"},"nullable":true,"type":"array"},"pinnedEventIds":{"description":"A list of all the ids of pinned events that are associated to this Timeline.","example":["983f99c6-89b6-4953-9160-35945c8a194f"],"items":{"type":"string"},"nullable":true,"type":"array"},"pinnedEventsSaveObject":{"description":"A list of all the pinned events that are associated to this Timeline.","items":{"$ref":"#/components/schemas/Security_Timeline_API_PinnedEvent"},"nullable":true,"type":"array"}}}]},"Security_Timeline_API_TimelineSavedToReturnObject":{"allOf":[{"$ref":"#/components/schemas/Security_Timeline_API_SavedTimeline"},{"type":"object","properties":{"eventIdToNoteIds":{"items":{"$ref":"#/components/schemas/Security_Timeline_API_Note"},"nullable":true,"type":"array"},"noteIds":{"items":{"type":"string"},"nullable":true,"type":"array"},"notes":{"items":{"$ref":"#/components/schemas/Security_Timeline_API_Note"},"nullable":true,"type":"array"},"pinnedEventIds":{"items":{"type":"string"},"nullable":true,"type":"array"},"pinnedEventsSaveObject":{"items":{"$ref":"#/components/schemas/Security_Timeline_API_PinnedEvent"},"nullable":true,"type":"array"},"savedObjectId":{"type":"string"},"version":{"type":"string"}},"required":["savedObjectId","version"]}]},"Security_Timeline_API_TimelineStatus":{"description":"The status of the Timeline.","enum":["active","draft","immutable"],"type":"string"},"Security_Timeline_API_TimelineType":{"description":"The type of Timeline.","enum":["default","template"],"type":"string"},"Short_URL_APIs_urlResponse":{"type":"object","properties":{"accessCount":{"type":"integer"},"accessDate":{"type":"string"},"createDate":{"type":"string"},"id":{"description":"The identifier for the short URL.","type":"string"},"locator":{"type":"object","properties":{"id":{"description":"The identifier for the locator.","type":"string"},"state":{"description":"The locator parameters.","type":"object"},"version":{"description":"The version of Kibana when the short URL was created.","type":"string"}}},"slug":{"description":"A random human-readable slug is automatically generated if the `humanReadableSlug` parameter is set to `true`. If it is set to `false`, a random short string is generated.\n","type":"string"}}},"SLOs_400_response":{"title":"Bad request","type":"object","properties":{"error":{"example":"Bad Request","type":"string"},"message":{"example":"Invalid value 'foo' supplied to: [...]","type":"string"},"statusCode":{"example":400,"type":"number"}},"required":["statusCode","error","message"]},"SLOs_401_response":{"title":"Unauthorized","type":"object","properties":{"error":{"example":"Unauthorized","type":"string"},"message":{"example":"[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastics] for REST request [/_security/_authenticate]]: unable to authenticate user [elastics] for REST request [/_security/_authenticate]","type":"string"},"statusCode":{"example":401,"type":"number"}},"required":["statusCode","error","message"]},"SLOs_403_response":{"title":"Unauthorized","type":"object","properties":{"error":{"example":"Unauthorized","type":"string"},"message":{"example":"[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastics] for REST request [/_security/_authenticate]]: unable to authenticate user [elastics] for REST request [/_security/_authenticate]","type":"string"},"statusCode":{"example":403,"type":"number"}},"required":["statusCode","error","message"]},"SLOs_404_response":{"title":"Not found","type":"object","properties":{"error":{"example":"Not Found","type":"string"},"message":{"example":"SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found","type":"string"},"statusCode":{"example":404,"type":"number"}},"required":["statusCode","error","message"]},"SLOs_409_response":{"title":"Conflict","type":"object","properties":{"error":{"example":"Conflict","type":"string"},"message":{"example":"SLO [d077e940-1515-11ee-9c50-9d096392f520] already exists","type":"string"},"statusCode":{"example":409,"type":"number"}},"required":["statusCode","error","message"]},"SLOs_artifacts":{"description":"Links to related assets for the SLO","properties":{"dashboards":{"description":"Array of dashboard references","items":{"type":"object","properties":{"id":{"description":"Dashboard saved-object id","type":"string"}},"required":["id"]},"type":"array"}},"title":"Artifacts","type":"object"},"SLOs_budgeting_method":{"description":"The budgeting method to use when computing the rollup data.","enum":["occurrences","timeslices"],"example":"occurrences","title":"Budgeting method","type":"string"},"SLOs_bulk_delete_request":{"description":"The bulk delete SLO request takes a list of SLOs Definition id to delete.\n","properties":{"list":{"description":"An array of SLO Definition id","items":{"description":"The SLO Definition id","example":"8853df00-ae2e-11ed-90af-09bb6422b258","type":"string"},"type":"array"}},"required":["list"],"title":"Bulk delete SLO request","type":"object"},"SLOs_bulk_delete_response":{"description":"The bulk delete SLO response returns a taskId that can be used to poll for its status\n","properties":{"taskId":{"description":"The taskId of the bulk delete operation","example":"d08506b7-f0e8-4f8b-a06a-a83940f4db91","type":"string"}},"title":"Bulk delete SLO response","type":"object"},"SLOs_bulk_delete_status_response":{"description":"Indicates if the bulk deletion is completed, with the detailed results of the operation.","properties":{"error":{"description":"The error message if the bulk deletion operation failed","example":"Task not found","type":"string"},"isDone":{"description":"Indicates if the bulk deletion operation is completed","example":true,"type":"boolean"},"results":{"description":"The results of the bulk deletion operation, including the success status and any errors for each SLO","items":{"type":"object","properties":{"error":{"description":"The error message if the deletion operation failed for this SLO","example":"SLO [d08506b7-f0e8-4f8b-a06a-a83940f4db91] not found","type":"string"},"id":{"description":"The ID of the SLO that was deleted","example":"d08506b7-f0e8-4f8b-a06a-a83940f4db91","type":"string"},"success":{"description":"The result of the deletion operation for this SLO","example":true,"type":"boolean"}}},"type":"array"}},"title":"The status of the bulk deletion","type":"object"},"SLOs_bulk_purge_rollup_request":{"description":"The bulk purge rollup data request takes a list of SLO ids and a purge policy, then deletes the rollup data according to the purge policy. This API can be used to remove the staled data of an instance SLO that no longer get updated.\n","properties":{"list":{"description":"An array of slo ids","items":{"description":"The SLO Definition id","example":"8853df00-ae2e-11ed-90af-09bb6422b258","type":"string"},"type":"array"},"purgePolicy":{"description":"Policy that dictates which SLI documents to purge based on age","oneOf":[{"type":"object","properties":{"age":{"description":"The duration to determine which documents to purge, formatted as {duration}{unit}. This value should be greater than or equal to the time window of every SLO provided.","example":"7d","type":"string"},"purgeType":{"description":"Specifies whether documents will be purged based on a specific age or on a timestamp","enum":["fixed-age"],"type":"string"}}},{"type":"object","properties":{"purgeType":{"description":"Specifies whether documents will be purged based on a specific age or on a timestamp","enum":["fixed-time"],"type":"string"},"timestamp":{"description":"The timestamp to determine which documents to purge, formatted in ISO. This value should be older than the applicable time window of every SLO provided.","example":"2024-12-31T00:00:00.000Z","type":"string"}}}],"type":"object"}},"required":["list","purgePolicy"],"title":"Bulk Purge Rollup data request","type":"object"},"SLOs_bulk_purge_rollup_response":{"description":"The bulk purge rollup data response returns a task id from the elasticsearch deleteByQuery response.\n","properties":{"taskId":{"description":"The task id of the purge operation","example":"8853df00-ae2e-11ed-90af-09bb6422b258","type":"string"}},"title":"Bulk Purge Rollup data response","type":"object"},"SLOs_create_slo_request":{"description":"The create SLO API request body varies depending on the type of indicator, time window and budgeting method.\n","properties":{"artifacts":{"$ref":"#/components/schemas/SLOs_artifacts"},"budgetingMethod":{"$ref":"#/components/schemas/SLOs_budgeting_method"},"description":{"description":"A description for the SLO.","type":"string"},"groupBy":{"$ref":"#/components/schemas/SLOs_group_by"},"id":{"description":"A optional and unique identifier for the SLO. Must be between 8 and 36 chars","example":"my-super-slo-id","type":"string"},"indicator":{"oneOf":[{"$ref":"#/components/schemas/SLOs_indicator_properties_custom_kql"},{"$ref":"#/components/schemas/SLOs_indicator_properties_apm_availability"},{"$ref":"#/components/schemas/SLOs_indicator_properties_apm_latency"},{"$ref":"#/components/schemas/SLOs_indicator_properties_custom_metric"},{"$ref":"#/components/schemas/SLOs_indicator_properties_histogram"},{"$ref":"#/components/schemas/SLOs_indicator_properties_timeslice_metric"}]},"name":{"description":"A name for the SLO.","type":"string"},"objective":{"$ref":"#/components/schemas/SLOs_objective"},"settings":{"$ref":"#/components/schemas/SLOs_settings"},"tags":{"description":"List of tags","items":{"type":"string"},"type":"array"},"timeWindow":{"$ref":"#/components/schemas/SLOs_time_window"}},"required":["name","description","indicator","timeWindow","budgetingMethod","objective"],"title":"Create SLO request","type":"object"},"SLOs_create_slo_response":{"title":"Create SLO response","type":"object","properties":{"id":{"example":"8853df00-ae2e-11ed-90af-09bb6422b258","type":"string"}},"required":["id"]},"SLOs_delete_slo_instances_request":{"description":"The delete SLO instances request takes a list of SLO id and instance id, then delete the rollup and summary data. This API can be used to remove the staled data of an instance SLO that no longer get updated.\n","properties":{"list":{"description":"An array of slo id and instance id","items":{"type":"object","properties":{"instanceId":{"description":"The SLO instance identifier","example":"8853df00-ae2e-11ed-90af-09bb6422b258","type":"string"},"sloId":{"description":"The SLO unique identifier","example":"8853df00-ae2e-11ed-90af-09bb6422b258","type":"string"}},"required":["sloId","instanceId"]},"type":"array"}},"required":["list"],"title":"Delete SLO instances request","type":"object"},"SLOs_error_budget":{"title":"Error budget","type":"object","properties":{"consumed":{"description":"The error budget consummed, as a percentage of the initial value.","example":0.8,"type":"number"},"initial":{"description":"The initial error budget, as 1 - objective","example":0.02,"type":"number"},"isEstimated":{"description":"Only for SLO defined with occurrences budgeting method and calendar aligned time window.","example":true,"type":"boolean"},"remaining":{"description":"The error budget remaining, as a percentage of the initial value.","example":0.2,"type":"number"}},"required":["initial","consumed","remaining","isEstimated"]},"SLOs_filter":{"description":"Defines properties for a filter","properties":{"meta":{"$ref":"#/components/schemas/SLOs_filter_meta"},"query":{"type":"object"}},"title":"Filter","type":"object"},"SLOs_filter_meta":{"description":"Defines properties for a filter","properties":{"alias":{"nullable":true,"type":"string"},"controlledBy":{"type":"string"},"disabled":{"type":"boolean"},"field":{"type":"string"},"group":{"type":"string"},"index":{"type":"string"},"isMultiIndex":{"type":"boolean"},"key":{"type":"string"},"negate":{"type":"boolean"},"params":{"type":"object"},"type":{"type":"string"},"value":{"type":"string"}},"title":"FilterMeta","type":"object"},"SLOs_find_slo_definitions_response":{"description":"A paginated response of SLO definitions matching the query.\n","oneOf":[{"type":"object","properties":{"page":{"example":1,"type":"number"},"perPage":{"example":25,"type":"number"},"results":{"items":{"$ref":"#/components/schemas/SLOs_slo_with_summary_response"},"type":"array"},"total":{"example":34,"type":"number"}}},{"type":"object","properties":{"page":{"default":1,"description":"for backward compability","type":"number"},"perPage":{"description":"for backward compability","example":25,"type":"number"},"results":{"items":{"$ref":"#/components/schemas/SLOs_slo_with_summary_response"},"type":"array"},"searchAfter":{"description":"the cursor to provide to get the next paged results","example":["some-slo-id","other-cursor-id"],"items":{"type":"string"},"type":"array"},"size":{"example":25,"type":"number"},"total":{"example":34,"type":"number"}}}],"title":"Find SLO definitions response","type":"object"},"SLOs_find_slo_response":{"description":"A paginated response of SLOs matching the query.\n","properties":{"page":{"example":1,"type":"number"},"perPage":{"example":25,"type":"number"},"results":{"items":{"$ref":"#/components/schemas/SLOs_slo_with_summary_response"},"type":"array"},"searchAfter":{"type":"string"},"size":{"description":"Size provided for cursor based pagination","example":25,"type":"number"},"total":{"example":34,"type":"number"}},"title":"Find SLO response","type":"object"},"SLOs_group_by":{"description":"optional group by field or fields to use to generate an SLO per distinct value","example":[["service.name"],"service.name",["service.name","service.environment"]],"oneOf":[{"type":"string"},{"items":{"type":"string"},"type":"array"}],"title":"Group by"},"SLOs_indicator_properties_apm_availability":{"description":"Defines properties for the APM availability indicator type","type":"object","properties":{"params":{"description":"An object containing the indicator parameters.","nullable":false,"type":"object","properties":{"environment":{"description":"The APM service environment or \"*\"","example":"production","type":"string"},"filter":{"description":"KQL query used for filtering the data","example":"service.foo : \"bar\"","type":"string"},"index":{"description":"The index used by APM metrics","example":"metrics-apm*,apm*","type":"string"},"service":{"description":"The APM service name","example":"o11y-app","type":"string"},"transactionName":{"description":"The APM transaction name or \"*\"","example":"GET /my/api","type":"string"},"transactionType":{"description":"The APM transaction type or \"*\"","example":"request","type":"string"}},"required":["service","environment","transactionType","transactionName","index"]},"type":{"description":"The type of indicator.","example":"sli.apm.transactionDuration","type":"string"}},"required":["type","params"],"title":"APM availability"},"SLOs_indicator_properties_apm_latency":{"description":"Defines properties for the APM latency indicator type","type":"object","properties":{"params":{"description":"An object containing the indicator parameters.","nullable":false,"type":"object","properties":{"environment":{"description":"The APM service environment or \"*\"","example":"production","type":"string"},"filter":{"description":"KQL query used for filtering the data","example":"service.foo : \"bar\"","type":"string"},"index":{"description":"The index used by APM metrics","example":"metrics-apm*,apm*","type":"string"},"service":{"description":"The APM service name","example":"o11y-app","type":"string"},"threshold":{"description":"The latency threshold in milliseconds","example":250,"type":"number"},"transactionName":{"description":"The APM transaction name or \"*\"","example":"GET /my/api","type":"string"},"transactionType":{"description":"The APM transaction type or \"*\"","example":"request","type":"string"}},"required":["service","environment","transactionType","transactionName","index","threshold"]},"type":{"description":"The type of indicator.","example":"sli.apm.transactionDuration","type":"string"}},"required":["type","params"],"title":"APM latency"},"SLOs_indicator_properties_custom_kql":{"description":"Defines properties for a custom query indicator type","type":"object","properties":{"params":{"description":"An object containing the indicator parameters.","nullable":false,"type":"object","properties":{"dataViewId":{"description":"The kibana data view id to use, primarily used to include data view runtime mappings. Make sure to save SLO again if you add/update run time fields to the data view and if those fields are being used in slo queries.","example":"03b80ab3-003d-498b-881c-3beedbaf1162","type":"string"},"filter":{"$ref":"#/components/schemas/SLOs_kql_with_filters"},"good":{"$ref":"#/components/schemas/SLOs_kql_with_filters_good"},"index":{"description":"The index or index pattern to use","example":"my-service-*","type":"string"},"timestampField":{"description":"The timestamp field used in the source indice.\n","example":"timestamp","type":"string"},"total":{"$ref":"#/components/schemas/SLOs_kql_with_filters_total"}},"required":["index","timestampField","good","total"]},"type":{"description":"The type of indicator.","example":"sli.kql.custom","type":"string"}},"required":["type","params"],"title":"Custom Query"},"SLOs_indicator_properties_custom_metric":{"description":"Defines properties for a custom metric indicator type","type":"object","properties":{"params":{"description":"An object containing the indicator parameters.","nullable":false,"type":"object","properties":{"dataViewId":{"description":"The kibana data view id to use, primarily used to include data view runtime mappings. Make sure to save SLO again if you add/update run time fields to the data view and if those fields are being used in slo queries.","example":"03b80ab3-003d-498b-881c-3beedbaf1162","type":"string"},"filter":{"description":"the KQL query to filter the documents with.","example":"field.environment : \"production\" and service.name : \"my-service\"","type":"string"},"good":{"description":"An object defining the \"good\" metrics and equation\n","type":"object","properties":{"equation":{"description":"The equation to calculate the \"good\" metric.","example":"A","type":"string"},"metrics":{"description":"List of metrics with their name, aggregation type, and field.","items":{"oneOf":[{"type":"object","properties":{"aggregation":{"description":"The aggregation type of the metric.","enum":["sum"],"example":"sum","type":"string"},"field":{"description":"The field of the metric.","example":"processor.processed","type":"string"},"filter":{"description":"The filter to apply to the metric.","example":"processor.outcome: *","type":"string"},"name":{"description":"The name of the metric. Only valid options are A-Z","example":"A","pattern":"^[A-Z]$","type":"string"}},"required":["name","aggregation","field"]},{"type":"object","properties":{"aggregation":{"description":"The aggregation type of the metric.","enum":["doc_count"],"example":"doc_count","type":"string"},"filter":{"description":"The filter to apply to the metric.","example":"processor.outcome: *","type":"string"},"name":{"description":"The name of the metric. Only valid options are A-Z","example":"A","pattern":"^[A-Z]$","type":"string"}},"required":["name","aggregation"]}]},"type":"array"}},"required":["metrics","equation"]},"index":{"description":"The index or index pattern to use","example":"my-service-*","type":"string"},"timestampField":{"description":"The timestamp field used in the source indice.\n","example":"timestamp","type":"string"},"total":{"description":"An object defining the \"total\" metrics and equation\n","type":"object","properties":{"equation":{"description":"The equation to calculate the \"total\" metric.","example":"A","type":"string"},"metrics":{"description":"List of metrics with their name, aggregation type, and field.","items":{"oneOf":[{"type":"object","properties":{"aggregation":{"description":"The aggregation type of the metric.","enum":["sum"],"example":"sum","type":"string"},"field":{"description":"The field of the metric.","example":"processor.processed","type":"string"},"filter":{"description":"The filter to apply to the metric.","example":"processor.outcome: *","type":"string"},"name":{"description":"The name of the metric. Only valid options are A-Z","example":"A","pattern":"^[A-Z]$","type":"string"}},"required":["name","aggregation","field"]},{"type":"object","properties":{"aggregation":{"description":"The aggregation type of the metric.","enum":["doc_count"],"example":"doc_count","type":"string"},"filter":{"description":"The filter to apply to the metric.","example":"processor.outcome: *","type":"string"},"name":{"description":"The name of the metric. Only valid options are A-Z","example":"A","pattern":"^[A-Z]$","type":"string"}},"required":["name","aggregation"]}]},"type":"array"}},"required":["metrics","equation"]}},"required":["index","timestampField","good","total"]},"type":{"description":"The type of indicator.","example":"sli.metric.custom","type":"string"}},"required":["type","params"],"title":"Custom metric"},"SLOs_indicator_properties_histogram":{"description":"Defines properties for a histogram indicator type","type":"object","properties":{"params":{"description":"An object containing the indicator parameters.","nullable":false,"type":"object","properties":{"dataViewId":{"description":"The kibana data view id to use, primarily used to include data view runtime mappings. Make sure to save SLO again if you add/update run time fields to the data view and if those fields are being used in slo queries.","example":"03b80ab3-003d-498b-881c-3beedbaf1162","type":"string"},"filter":{"description":"the KQL query to filter the documents with.","example":"field.environment : \"production\" and service.name : \"my-service\"","type":"string"},"good":{"description":"An object defining the \"good\" events\n","type":"object","properties":{"aggregation":{"description":"The type of aggregation to use.","enum":["value_count","range"],"example":"value_count","type":"string"},"field":{"description":"The field use to aggregate the good events.","example":"processor.latency","type":"string"},"filter":{"description":"The filter for good events.","example":"processor.outcome: \"success\"","type":"string"},"from":{"description":"The starting value of the range. Only required for \"range\" aggregations.","example":0,"type":"number"},"to":{"description":"The ending value of the range. Only required for \"range\" aggregations.","example":100,"type":"number"}},"required":["aggregation","field"]},"index":{"description":"The index or index pattern to use","example":"my-service-*","type":"string"},"timestampField":{"description":"The timestamp field used in the source indice.\n","example":"timestamp","type":"string"},"total":{"description":"An object defining the \"total\" events\n","type":"object","properties":{"aggregation":{"description":"The type of aggregation to use.","enum":["value_count","range"],"example":"value_count","type":"string"},"field":{"description":"The field use to aggregate the good events.","example":"processor.latency","type":"string"},"filter":{"description":"The filter for total events.","example":"processor.outcome : *","type":"string"},"from":{"description":"The starting value of the range. Only required for \"range\" aggregations.","example":0,"type":"number"},"to":{"description":"The ending value of the range. Only required for \"range\" aggregations.","example":100,"type":"number"}},"required":["aggregation","field"]}},"required":["index","timestampField","good","total"]},"type":{"description":"The type of indicator.","example":"sli.histogram.custom","type":"string"}},"required":["type","params"],"title":"Histogram indicator"},"SLOs_indicator_properties_timeslice_metric":{"description":"Defines properties for a timeslice metric indicator type","type":"object","properties":{"params":{"description":"An object containing the indicator parameters.","nullable":false,"type":"object","properties":{"dataViewId":{"description":"The kibana data view id to use, primarily used to include data view runtime mappings. Make sure to save SLO again if you add/update run time fields to the data view and if those fields are being used in slo queries.","example":"03b80ab3-003d-498b-881c-3beedbaf1162","type":"string"},"filter":{"description":"the KQL query to filter the documents with.","example":"field.environment : \"production\" and service.name : \"my-service\"","type":"string"},"index":{"description":"The index or index pattern to use","example":"my-service-*","type":"string"},"metric":{"description":"An object defining the metrics, equation, and threshold to determine if it's a good slice or not\n","type":"object","properties":{"comparator":{"description":"The comparator to use to compare the equation to the threshold.","enum":["GT","GTE","LT","LTE"],"example":"GT","type":"string"},"equation":{"description":"The equation to calculate the metric.","example":"A","type":"string"},"metrics":{"description":"List of metrics with their name, aggregation type, and field.","items":{"anyOf":[{"$ref":"#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field"},{"$ref":"#/components/schemas/SLOs_timeslice_metric_percentile_metric"},{"$ref":"#/components/schemas/SLOs_timeslice_metric_doc_count_metric"}],"discriminator":{"mapping":{"avg":"#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field","cardinality":"#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field","doc_count":"#/components/schemas/SLOs_timeslice_metric_doc_count_metric","last_value":"#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field","max":"#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field","min":"#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field","percentile":"#/components/schemas/SLOs_timeslice_metric_percentile_metric","std_deviation":"#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field","sum":"#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field"},"propertyName":"aggregation"}},"type":"array"},"threshold":{"description":"The threshold used to determine if the metric is a good slice or not.","example":100,"type":"number"}},"required":["metrics","equation","comparator","threshold"]},"timestampField":{"description":"The timestamp field used in the source indice.\n","example":"timestamp","type":"string"}},"required":["index","timestampField","metric"]},"type":{"description":"The type of indicator.","example":"sli.metric.timeslice","type":"string"}},"required":["type","params"],"title":"Timeslice metric"},"SLOs_kql_with_filters":{"description":"Defines properties for a filter","oneOf":[{"description":"the KQL query to filter the documents with.","example":"field.environment : \"production\" and service.name : \"my-service\"","type":"string"},{"type":"object","properties":{"filters":{"items":{"$ref":"#/components/schemas/SLOs_filter"},"type":"array"},"kqlQuery":{"type":"string"}}}],"title":"KQL with filters"},"SLOs_kql_with_filters_good":{"description":"The KQL query used to define the good events.","oneOf":[{"description":"the KQL query to filter the documents with.","example":"request.latency \u003c= 150 and request.status_code : \"2xx\"","type":"string"},{"type":"object","properties":{"filters":{"items":{"$ref":"#/components/schemas/SLOs_filter"},"type":"array"},"kqlQuery":{"type":"string"}}}],"title":"KQL query for good events"},"SLOs_kql_with_filters_total":{"description":"The KQL query used to define all events.","oneOf":[{"description":"the KQL query to filter the documents with.","example":"field.environment : \"production\" and service.name : \"my-service\"","type":"string"},{"type":"object","properties":{"filters":{"items":{"$ref":"#/components/schemas/SLOs_filter"},"type":"array"},"kqlQuery":{"type":"string"}}}],"title":"KQL query for all events"},"SLOs_objective":{"description":"Defines properties for the SLO objective","type":"object","properties":{"target":{"description":"the target objective between 0 and 1 excluded","example":0.99,"exclusiveMaximum":true,"exclusiveMinimum":true,"maximum":100,"minimum":0,"type":"number"},"timesliceTarget":{"description":"the target objective for each slice when using a timeslices budgeting method","example":0.995,"maximum":100,"minimum":0,"type":"number"},"timesliceWindow":{"description":"the duration of each slice when using a timeslices budgeting method, as {duraton}{unit}","example":"5m","type":"string"}},"required":["target"],"title":"Objective"},"SLOs_settings":{"description":"Defines properties for SLO settings.","properties":{"frequency":{"default":"1m","description":"The interval between checks for changes in the source data. The minimum value is 1m and the maximum is 59m. The default value is 1 minute.","example":"5m","type":"string"},"preventInitialBackfill":{"default":false,"description":"Start aggregating data from the time the SLO is created, instead of backfilling data from the beginning of the time window.","example":true,"type":"boolean"},"syncDelay":{"default":"1m","description":"The time delay in minutes between the current time and the latest source data time. Increasing the value will delay any alerting. The default value is 1 minute. The minimum value is 1m and the maximum is 359m. It should always be greater then source index refresh interval.","example":"5m","type":"string"},"syncField":{"description":"The date field that is used to identify new documents in the source. It is strongly recommended to use a field that contains the ingest timestamp. If you use a different field, you might need to set the delay such that it accounts for data transmission delays. When unspecified, we use the indicator timestamp field.","example":"event.ingested","type":"string"}},"title":"Settings","type":"object"},"SLOs_slo_definition_response":{"title":"SLO definition response","type":"object","properties":{"artifacts":{"$ref":"#/components/schemas/SLOs_artifacts"},"budgetingMethod":{"$ref":"#/components/schemas/SLOs_budgeting_method"},"createdAt":{"description":"The creation date","example":"2023-01-12T10:03:19.000Z","type":"string"},"description":{"description":"The description of the SLO.","example":"My SLO description","type":"string"},"enabled":{"description":"Indicate if the SLO is enabled","example":true,"type":"boolean"},"groupBy":{"$ref":"#/components/schemas/SLOs_group_by"},"id":{"description":"The identifier of the SLO.","example":"8853df00-ae2e-11ed-90af-09bb6422b258","type":"string"},"indicator":{"discriminator":{"mapping":{"sli.apm.transactionDuration":"#/components/schemas/SLOs_indicator_properties_apm_latency","sli.apm.transactionErrorRate":"#/components/schemas/SLOs_indicator_properties_apm_availability","sli.histogram.custom":"#/components/schemas/SLOs_indicator_properties_histogram","sli.kql.custom":"#/components/schemas/SLOs_indicator_properties_custom_kql","sli.metric.custom":"#/components/schemas/SLOs_indicator_properties_custom_metric","sli.metric.timeslice":"#/components/schemas/SLOs_indicator_properties_timeslice_metric"},"propertyName":"type"},"oneOf":[{"$ref":"#/components/schemas/SLOs_indicator_properties_custom_kql"},{"$ref":"#/components/schemas/SLOs_indicator_properties_apm_availability"},{"$ref":"#/components/schemas/SLOs_indicator_properties_apm_latency"},{"$ref":"#/components/schemas/SLOs_indicator_properties_custom_metric"},{"$ref":"#/components/schemas/SLOs_indicator_properties_histogram"},{"$ref":"#/components/schemas/SLOs_indicator_properties_timeslice_metric"}]},"name":{"description":"The name of the SLO.","example":"My Service SLO","type":"string"},"objective":{"$ref":"#/components/schemas/SLOs_objective"},"revision":{"description":"The SLO revision","example":2,"type":"number"},"settings":{"$ref":"#/components/schemas/SLOs_settings"},"tags":{"description":"List of tags","items":{"type":"string"},"type":"array"},"timeWindow":{"$ref":"#/components/schemas/SLOs_time_window"},"updatedAt":{"description":"The last update date","example":"2023-01-12T10:03:19.000Z","type":"string"},"version":{"description":"The internal SLO version","example":2,"type":"number"}},"required":["id","name","description","indicator","timeWindow","budgetingMethod","objective","settings","revision","enabled","groupBy","tags","createdAt","updatedAt","version"]},"SLOs_slo_with_summary_response":{"title":"SLO response","type":"object","properties":{"budgetingMethod":{"$ref":"#/components/schemas/SLOs_budgeting_method"},"createdAt":{"description":"The creation date","example":"2023-01-12T10:03:19.000Z","type":"string"},"description":{"description":"The description of the SLO.","example":"My SLO description","type":"string"},"enabled":{"description":"Indicate if the SLO is enabled","example":true,"type":"boolean"},"groupBy":{"$ref":"#/components/schemas/SLOs_group_by"},"id":{"description":"The identifier of the SLO.","example":"8853df00-ae2e-11ed-90af-09bb6422b258","type":"string"},"indicator":{"discriminator":{"mapping":{"sli.apm.transactionDuration":"#/components/schemas/SLOs_indicator_properties_apm_latency","sli.apm.transactionErrorRate":"#/components/schemas/SLOs_indicator_properties_apm_availability","sli.histogram.custom":"#/components/schemas/SLOs_indicator_properties_histogram","sli.kql.custom":"#/components/schemas/SLOs_indicator_properties_custom_kql","sli.metric.custom":"#/components/schemas/SLOs_indicator_properties_custom_metric","sli.metric.timeslice":"#/components/schemas/SLOs_indicator_properties_timeslice_metric"},"propertyName":"type"},"oneOf":[{"$ref":"#/components/schemas/SLOs_indicator_properties_custom_kql"},{"$ref":"#/components/schemas/SLOs_indicator_properties_apm_availability"},{"$ref":"#/components/schemas/SLOs_indicator_properties_apm_latency"},{"$ref":"#/components/schemas/SLOs_indicator_properties_custom_metric"},{"$ref":"#/components/schemas/SLOs_indicator_properties_histogram"},{"$ref":"#/components/schemas/SLOs_indicator_properties_timeslice_metric"}]},"instanceId":{"description":"the value derived from the groupBy field, if present, otherwise '*'","example":"host-abcde","type":"string"},"name":{"description":"The name of the SLO.","example":"My Service SLO","type":"string"},"objective":{"$ref":"#/components/schemas/SLOs_objective"},"revision":{"description":"The SLO revision","example":2,"type":"number"},"settings":{"$ref":"#/components/schemas/SLOs_settings"},"summary":{"$ref":"#/components/schemas/SLOs_summary"},"tags":{"description":"List of tags","items":{"type":"string"},"type":"array"},"timeWindow":{"$ref":"#/components/schemas/SLOs_time_window"},"updatedAt":{"description":"The last update date","example":"2023-01-12T10:03:19.000Z","type":"string"},"version":{"description":"The internal SLO version","example":2,"type":"number"}},"required":["id","name","description","indicator","timeWindow","budgetingMethod","objective","settings","revision","summary","enabled","groupBy","instanceId","tags","createdAt","updatedAt","version"]},"SLOs_summary":{"description":"The SLO computed data","properties":{"errorBudget":{"$ref":"#/components/schemas/SLOs_error_budget"},"sliValue":{"example":0.9836,"type":"number"},"status":{"$ref":"#/components/schemas/SLOs_summary_status"}},"required":["status","sliValue","errorBudget"],"title":"Summary","type":"object"},"SLOs_summary_status":{"enum":["NO_DATA","HEALTHY","DEGRADING","VIOLATED"],"example":"HEALTHY","title":"summary status","type":"string"},"SLOs_time_window":{"description":"Defines properties for the SLO time window","type":"object","properties":{"duration":{"description":"the duration formatted as {duration}{unit}. Accepted values for rolling: 7d, 30d, 90d. Accepted values for calendar aligned: 1w (weekly) or 1M (monthly)","example":"30d","type":"string"},"type":{"description":"Indicates weither the time window is a rolling or a calendar aligned time window.","enum":["rolling","calendarAligned"],"example":"rolling","type":"string"}},"required":["duration","type"],"title":"Time window"},"SLOs_timeslice_metric_basic_metric_with_field":{"type":"object","properties":{"aggregation":{"description":"The aggregation type of the metric.","enum":["sum","avg","min","max","std_deviation","last_value","cardinality"],"example":"sum","type":"string"},"field":{"description":"The field of the metric.","example":"processor.processed","type":"string"},"filter":{"description":"The filter to apply to the metric.","example":"processor.outcome: \"success\"","type":"string"},"name":{"description":"The name of the metric. Only valid options are A-Z","example":"A","pattern":"^[A-Z]$","type":"string"}},"required":["name","aggregation","field"],"title":"Timeslice Metric Basic Metric with Field"},"SLOs_timeslice_metric_doc_count_metric":{"type":"object","properties":{"aggregation":{"description":"The aggregation type of the metric. Only valid option is \"doc_count\"","enum":["doc_count"],"example":"doc_count","type":"string"},"filter":{"description":"The filter to apply to the metric.","example":"processor.outcome: \"success\"","type":"string"},"name":{"description":"The name of the metric. Only valid options are A-Z","example":"A","pattern":"^[A-Z]$","type":"string"}},"required":["name","aggregation"],"title":"Timeslice Metric Doc Count Metric"},"SLOs_timeslice_metric_percentile_metric":{"type":"object","properties":{"aggregation":{"description":"The aggregation type of the metric. Only valid option is \"percentile\"","enum":["percentile"],"example":"percentile","type":"string"},"field":{"description":"The field of the metric.","example":"processor.processed","type":"string"},"filter":{"description":"The filter to apply to the metric.","example":"processor.outcome: \"success\"","type":"string"},"name":{"description":"The name of the metric. Only valid options are A-Z","example":"A","pattern":"^[A-Z]$","type":"string"},"percentile":{"description":"The percentile value.","example":95,"type":"number"}},"required":["name","aggregation","field","percentile"],"title":"Timeslice Metric Percentile Metric"},"SLOs_update_slo_request":{"description":"The update SLO API request body varies depending on the type of indicator, time window and budgeting method. Partial update is handled.\n","properties":{"artifacts":{"$ref":"#/components/schemas/SLOs_artifacts"},"budgetingMethod":{"$ref":"#/components/schemas/SLOs_budgeting_method"},"description":{"description":"A description for the SLO.","type":"string"},"groupBy":{"$ref":"#/components/schemas/SLOs_group_by"},"indicator":{"oneOf":[{"$ref":"#/components/schemas/SLOs_indicator_properties_custom_kql"},{"$ref":"#/components/schemas/SLOs_indicator_properties_apm_availability"},{"$ref":"#/components/schemas/SLOs_indicator_properties_apm_latency"},{"$ref":"#/components/schemas/SLOs_indicator_properties_custom_metric"},{"$ref":"#/components/schemas/SLOs_indicator_properties_histogram"},{"$ref":"#/components/schemas/SLOs_indicator_properties_timeslice_metric"}]},"name":{"description":"A name for the SLO.","type":"string"},"objective":{"$ref":"#/components/schemas/SLOs_objective"},"settings":{"$ref":"#/components/schemas/SLOs_settings"},"tags":{"description":"List of tags","items":{"type":"string"},"type":"array"},"timeWindow":{"$ref":"#/components/schemas/SLOs_time_window"}},"title":"Update SLO request","type":"object"},"Synthetics_browserMonitorFields":{"allOf":[{"$ref":"#/components/schemas/Synthetics_commonMonitorFields"},{"additionalProperties":true,"type":"object","properties":{"ignore_https_errors":{"default":false,"description":"Ignore HTTPS errors.","type":"boolean"},"inline_script":{"description":"The inline script.","type":"string"},"playwright_options":{"description":"Playwright options.","type":"object"},"screenshots":{"default":"on","description":"The screenshot option.","enum":["on","off","only-on-failure"],"type":"string"},"synthetics_args":{"description":"Synthetics agent CLI arguments.","items":{"type":"string"},"type":"array"},"type":{"description":"The monitor type.","enum":["browser"],"type":"string"}},"required":["inline_script","type"]}],"title":"Browser monitor fields"},"Synthetics_commonMonitorFields":{"title":"Common monitor fields","type":"object","properties":{"alert":{"description":"The alert configuration. The default is `{ status: { enabled: true }, tls: { enabled: true } }`.\n","type":"object"},"enabled":{"default":true,"description":"Specify whether the monitor is enabled.","type":"boolean"},"labels":{"additionalProperties":{"type":"string"},"description":"Key-value pairs of labels to associate with the monitor. Labels can be used for filtering and grouping monitors.\n","type":"object"},"locations":{"description":"The location to deploy the monitor.\nMonitors can be deployed in multiple locations so that you can detect differences in availability and response times across those locations.\nTo list available locations you can:\n\n- Run the `elastic-synthetics locations` command with the deployment's Kibana URL.\n- Go to *Synthetics \u003e Management* and click *Create monitor*. Locations will be listed in *Locations*.\n","externalDocs":{"url":"https://github.com/elastic/synthetics/blob/main/src/locations/public-locations.ts"},"items":{"type":"string"},"type":"array"},"name":{"description":"The monitor name.","type":"string"},"namespace":{"default":"default","description":"The namespace field should be lowercase and not contain spaces. The namespace must not include any of the following characters: `*`, `\\`, `/`, `?`, `\"`, `\u003c`, `\u003e`, `|`, whitespace, `,`, `#`, `:`, or `-`.\n","type":"string"},"params":{"description":"The monitor parameters.","type":"string"},"private_locations":{"description":"The private locations to which the monitors will be deployed.\nThese private locations refer to locations hosted and managed by you, whereas `locations` are hosted by Elastic.\nYou can specify a private location using the location's name.\nTo list available private locations you can:\n\n- Run the `elastic-synthetics locations` command with the deployment's Kibana URL.\n- Go to *Synthetics \u003e Settings* and click *Private locationsr*. Private locations will be listed in the table.\n\n\u003e info\n\u003e You can provide `locations` or `private_locations` or both. At least one is required.\n","items":{"type":"string"},"type":"array"},"retest_on_failure":{"default":true,"description":"Turn retesting for when a monitor fails on or off. By default, monitors are automatically retested if the monitor goes from \"up\" to \"down\". If the result of the retest is also \"down\", an error will be created and if configured, an alert sent. The monitor will then resume running according to the defined schedule. Using `retest_on_failure` can reduce noise related to transient problems.\n","type":"boolean"},"schedule":{"description":"The monitor's schedule in minutes. Supported values are `1`, `3`, `5`, `10`, `15`, `30`, `60`, `120`, and `240`. The default value is `3` minutes for HTTP, TCP, and ICMP monitors. The default value is `10` minutes for Browser monitors.\n","type":"number"},"service.name":{"description":"The APM service name.","type":"string"},"tags":{"description":"An array of tags.","items":{"type":"string"},"type":"array"},"timeout":{"default":16,"description":"The monitor timeout in seconds. The monitor will fail if it doesn't complete within this time.\n","type":"number"}},"required":["name"]},"Synthetics_getParameterResponse":{"title":"Get parameter response","type":"object","properties":{"description":{"description":"The description of the parameter. It is included in the response if the user has read-only permissions to the Synthetics app.\n","type":"string"},"id":{"description":"The unique identifier of the parameter.","type":"string"},"key":{"description":"The key of the parameter.","type":"string"},"namespaces":{"description":"The namespaces associated with the parameter. It is included in the response if the user has read-only permissions to the Synthetics app.\n","items":{"type":"string"},"type":"array"},"tags":{"description":"An array of tags associated with the parameter. It is included in the response if the user has read-only permissions to the Synthetics app.\n","items":{"type":"string"},"type":"array"},"value":{"description":"The value associated with the parameter. It will be included in the response if the user has write permissions.  \n","type":"string"}}},"Synthetics_getPrivateLocation":{"additionalProperties":true,"properties":{"agentPolicyId":{"description":"The ID of the agent policy associated with the private location.","type":"string"},"geo":{"description":"Geographic coordinates (WGS84) for the location.","type":"object","properties":{"lat":{"description":"The latitude of the location.","type":"number"},"lon":{"description":"The longitude of the location.","type":"number"}},"required":["lat","lon"]},"id":{"description":"The unique identifier of the private location.","type":"string"},"isInvalid":{"description":"Indicates whether the location is invalid. If `true`, the location is invalid, which means the agent policy associated with the location is deleted.\n","type":"boolean"},"label":{"description":"A label for the private location.","type":"string"},"namespace":{"description":"The namespace of the location, which is the same as the namespace of the agent policy associated with the location.","type":"string"}},"title":"Post a private location","type":"object"},"Synthetics_httpMonitorFields":{"allOf":[{"$ref":"#/components/schemas/Synthetics_commonMonitorFields"},{"additionalProperties":true,"type":"object","properties":{"check":{"description":"The check request settings.","type":"object","properties":{"request":{"description":"An optional request to send to the remote host.","type":"object","properties":{"body":{"description":"Optional request body content.","type":"string"},"headers":{"description":"A dictionary of additional HTTP headers to send. By default, Synthetics will set the User-Agent header to identify itself.\n","type":"object"},"method":{"description":"The HTTP method to use.","enum":["HEAD","GET","POST","OPTIONS"],"type":"string"}}},"response":{"additionalProperties":true,"description":"The expected response.","type":"object","properties":{"body":{"type":"object"},"headers":{"description":"A dictionary of expected HTTP headers. If the header is not found, the check fails.","type":"object"}}}}},"ipv4":{"default":true,"description":"If `true`, ping using the ipv4 protocol.","type":"boolean"},"ipv6":{"default":true,"description":"If `true`, ping using the ipv6 protocol.","type":"boolean"},"max_redirects":{"default":0,"description":"The maximum number of redirects to follow.","type":"number"},"mode":{"default":"any","description":"The mode of the monitor. If it is `all`, the monitor pings all resolvable IPs for a hostname. If it is `any`, the monitor pings only one IP address for a hostname. If you're using a DNS-load balancer and want to ping every IP address for the specified hostname, you should use `all`.\n","enum":["all","any"],"type":"string"},"password":{"description":"The password for authenticating with the server. The credentials are passed with the request.\n","type":"string"},"proxy_headers":{"description":"Additional headers to send to proxies during CONNECT requests.","type":"object"},"proxy_url":{"description":"The URL of the proxy to use for this monitor.","type":"string"},"response":{"description":"Controls the indexing of the HTTP response body contents to the `http.response.body.contents field`.","type":"object"},"ssl":{"description":"The TLS/SSL connection settings for use with the HTTPS endpoint. If you don't specify settings, the system defaults are used.\n","type":"object"},"type":{"description":"The monitor type.","enum":["http"],"type":"string"},"url":{"description":"The URL to monitor.","type":"string"},"username":{"description":"The username for authenticating with the server. The credentials are passed with the request.\n","type":"string"}},"required":["type","url"]}],"title":"HTTP monitor fields"},"Synthetics_icmpMonitorFields":{"allOf":[{"$ref":"#/components/schemas/Synthetics_commonMonitorFields"},{"additionalProperties":true,"type":"object","properties":{"host":{"description":"The host to ping.","type":"string"},"type":{"description":"The monitor type.","enum":["icmp"],"type":"string"},"wait":{"default":1,"description":"The wait time in seconds.","type":"number"}},"required":["host","type"]}],"title":"ICMP monitor fields"},"Synthetics_parameterRequest":{"title":"Parameter request","type":"object","properties":{"description":{"description":"A description of the parameter.","type":"string"},"key":{"description":"The key of the parameter.","type":"string"},"share_across_spaces":{"description":"Specify whether the parameter should be shared across spaces.","type":"boolean"},"tags":{"description":"An array of tags to categorize the parameter.","items":{"type":"string"},"type":"array"},"value":{"description":"The value associated with the parameter.","type":"string"}},"required":["key","value"]},"Synthetics_postParameterResponse":{"title":"Post parameter response","type":"object","properties":{"description":{"description":"A description of the parameter.","type":"string"},"id":{"description":"The unique identifier for the parameter.","type":"string"},"key":{"description":"The parameter key.","type":"string"},"share_across_spaces":{"description":"Indicates whether the parameter is shared across spaces.","type":"boolean"},"tags":{"description":"An array of tags associated with the parameter.","items":{"type":"string"},"type":"array"},"value":{"description":"The value associated with the parameter.","type":"string"}}},"Synthetics_tcpMonitorFields":{"allOf":[{"$ref":"#/components/schemas/Synthetics_commonMonitorFields"},{"additionalProperties":true,"type":"object","properties":{"host":{"description":"The host to monitor; it can be an IP address or a hostname. The host can include the port using a colon, for example \"example.com:9200\".\n","type":"string"},"proxy_url":{"description":"The URL of the SOCKS5 proxy to use when connecting to the server. The value must be a URL with a scheme of `socks5://`. If the SOCKS5 proxy server requires client authentication, then a username and password can be embedded in the URL. When using a proxy, hostnames are resolved on the proxy server instead of on the client. You can change this behavior by setting the `proxy_use_local_resolver` option.\n","type":"string"},"proxy_use_local_resolver":{"default":false,"description":"Specify that hostnames are resolved locally instead of being resolved on the proxy server. If `false`, name resolution occurs on the proxy server.\n","type":"boolean"},"ssl":{"description":"The TLS/SSL connection settings for use with the HTTPS endpoint. If you don't specify settings, the system defaults are used.\n","type":"object"},"type":{"description":"The monitor type.","enum":["tcp"],"type":"string"}},"required":["host","type"]}],"title":"TCP monitor fields"},"Task_manager_health_APIs_configuration":{"description":"This object summarizes the current configuration of Task Manager. This includes dynamic configurations that change over time, such as `poll_interval` and `max_workers`, which can adjust in reaction to changing load on the system.\n","type":"object"},"Task_manager_health_APIs_health_response":{"title":"Task health response properties","type":"object","properties":{"id":{"type":"string"},"last_update":{"type":"string"},"stats":{"type":"object","properties":{"capacity_estimation":{"description":"This object provides a rough estimate about the sufficiency of its capacity. These are estimates based on historical data and should not be used as predictions.\n","type":"object"},"configuration":{"$ref":"#/components/schemas/Task_manager_health_APIs_configuration"},"runtime":{"description":"This object tracks runtime performance of Task Manager, tracking task drift, worker load, and stats broken down by type, including duration and run results.\n","type":"object"},"workload":{"$ref":"#/components/schemas/Task_manager_health_APIs_workload"}}},"status":{"type":"string"},"timestamp":{"type":"string"}}},"Task_manager_health_APIs_workload":{"description":"This object summarizes the work load across the cluster, including the tasks in the system, their types, and current status.\n","type":"object"},"bedrock_config":{"title":"Connector request properties for an Amazon Bedrock connector","description":"Defines properties for connectors when type is `.bedrock`.","type":"object","required":["apiUrl"],"properties":{"apiUrl":{"type":"string","description":"The Amazon Bedrock request URL."},"region":{"type":"string","description":"Optional AWS region for request signing. Required when using a custom endpoint URL that does not include the region in the hostname (for example, `us-west-1`).\n"},"defaultModel":{"type":"string","description":"The generative artificial intelligence model for Amazon Bedrock to use. Current support is for the Anthropic Claude models.\n","default":"us.anthropic.claude-sonnet-4-5-20250929-v1:0"}}},"crowdstrike_config":{"title":"Connector request config properties for a Crowdstrike connector","required":["url"],"description":"Defines config properties for connectors when type is `.crowdstrike`.","type":"object","properties":{"url":{"description":"The CrowdStrike tenant URL. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts.\n","type":"string"}}},"d3security_config":{"title":"Connector request properties for a D3 Security connector","description":"Defines properties for connectors when type is `.d3security`.","type":"object","required":["url"],"properties":{"url":{"type":"string","description":"The D3 Security API request URL. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts.\n"}}},"email_config":{"title":"Connector request properties for an email connector","description":"Defines properties for connectors when type is `.email`.","required":["from"],"type":"object","properties":{"clientId":{"description":"The client identifier, which is a part of OAuth 2.0 client credentials authentication, in GUID format. If `service` is `exchange_server`, this property is required.\n","type":"string","nullable":true},"from":{"description":"The from address for all emails sent by the connector. It must be specified in `user@host-name` format.\n","type":"string"},"hasAuth":{"description":"Specifies whether a user and password are required inside the secrets configuration.\n","default":true,"type":"boolean"},"host":{"description":"The host name of the service provider. If the `service` is `elastic_cloud` (for Elastic Cloud notifications) or one of Nodemailer's well-known email service providers, this property is ignored. If `service` is `other`, this property must be defined.\n","type":"string"},"oauthTokenUrl":{"type":"string","nullable":true},"port":{"description":"The port to connect to on the service provider. If the `service` is `elastic_cloud` (for Elastic Cloud notifications) or one of Nodemailer's well-known email service providers, this property is ignored. If `service` is `other`, this property must be defined.\n","type":"integer"},"secure":{"description":"Specifies whether the connection to the service provider will use TLS. If the `service` is `elastic_cloud` (for Elastic Cloud notifications) or one of Nodemailer's well-known email service providers, this property is ignored.\n","type":"boolean"},"service":{"description":"The name of the email service.\n","type":"string","enum":["elastic_cloud","exchange_server","gmail","other","outlook365","ses"]},"tenantId":{"description":"The tenant identifier, which is part of OAuth 2.0 client credentials authentication, in GUID format. If `service` is `exchange_server`, this property is required.\n","type":"string","nullable":true}}},"gemini_config":{"title":"Connector request properties for an Google Gemini connector","description":"Defines properties for connectors when type is `.gemini`.","type":"object","required":["apiUrl","gcpRegion","gcpProjectID"],"properties":{"apiUrl":{"type":"string","description":"The Google Gemini request URL."},"defaultModel":{"type":"string","description":"The generative artificial intelligence model for Google Gemini to use.","default":"gemini-2.5-pro"},"gcpRegion":{"type":"string","description":"The GCP region where the Vertex AI endpoint enabled."},"gcpProjectID":{"type":"string","description":"The Google ProjectID that has Vertex AI endpoint enabled."}}},"resilient_config":{"title":"Connector request properties for a IBM Resilient connector","required":["apiUrl","orgId"],"description":"Defines properties for connectors when type is `.resilient`.","type":"object","properties":{"apiUrl":{"description":"The IBM Resilient instance URL.","type":"string"},"orgId":{"description":"The IBM Resilient organization ID.","type":"string"}}},"index_config":{"title":"Connector request properties for an index connector","required":["index"],"description":"Defines properties for connectors when type is `.index`.","type":"object","properties":{"executionTimeField":{"description":"A field that indicates when the document was indexed.","default":null,"type":"string","nullable":true},"index":{"description":"The Elasticsearch index to be written to.","type":"string"},"refresh":{"description":"The refresh policy for the write request, which affects when changes are made visible to search. Refer to the refresh setting for Elasticsearch document APIs.\n","default":false,"type":"boolean"}}},"jira_config":{"title":"Connector request properties for a Jira connector","required":["apiUrl","projectKey"],"description":"Defines properties for connectors when type is `.jira`.","type":"object","properties":{"apiUrl":{"description":"The Jira instance URL.","type":"string"},"projectKey":{"description":"The Jira project key.","type":"string"}}},"defender_config":{"title":"Connector request properties for a Microsoft Defender for Endpoint connector","required":["apiUrl","projectKey"],"description":"Defines properties for connectors when type is `.microsoft_defender_endpoint`.","type":"object","properties":{"apiUrl":{"type":"string","description":"The URL of the Microsoft Defender for Endpoint API. If you are using the `xpack.actions.allowedHosts` setting, make sure the hostname is added to the allowed hosts.\n"},"clientId":{"type":"string","description":"The application (client) identifier for your app in the Azure portal."},"oAuthScope":{"type":"string","description":"The OAuth scopes or permission sets for the Microsoft Defender for Endpoint API."},"oAuthServerUrl":{"type":"string","description":"The OAuth server URL where authentication is sent and received for the Microsoft Defender for Endpoint API."},"tenantId":{"description":"The tenant identifier for your app in the Azure portal.","type":"string"}}},"genai_azure_config":{"title":"Connector request properties for an OpenAI connector that uses Azure OpenAI","description":"Defines properties for connectors when type is `.gen-ai` and the API provider is `Azure OpenAI`.\n","type":"object","required":["apiProvider","apiUrl"],"properties":{"apiProvider":{"type":"string","description":"The OpenAI API provider.","enum":["Azure OpenAI"]},"apiUrl":{"type":"string","description":"The OpenAI API endpoint."}}},"genai_openai_config":{"title":"Connector request properties for an OpenAI connector","description":"Defines properties for connectors when type is `.gen-ai` and the API provider is `OpenAI`.\n","type":"object","required":["apiProvider","apiUrl"],"properties":{"apiProvider":{"type":"string","description":"The OpenAI API provider.","enum":["OpenAI"]},"apiUrl":{"type":"string","description":"The OpenAI API endpoint."},"defaultModel":{"type":"string","description":"The default model to use for requests."}}},"opsgenie_config":{"title":"Connector request properties for an Opsgenie connector","required":["apiUrl"],"description":"Defines properties for connectors when type is `.opsgenie`.","type":"object","properties":{"apiUrl":{"description":"The Opsgenie URL. For example, `https://api.opsgenie.com` or `https://api.eu.opsgenie.com`. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts.\n","type":"string"}}},"pagerduty_config":{"title":"Connector request properties for a PagerDuty connector","description":"Defines properties for connectors when type is `.pagerduty`.","type":"object","properties":{"apiUrl":{"description":"The PagerDuty event URL.","type":"string","nullable":true,"example":"https://events.pagerduty.com/v2/enqueue"}}},"sentinelone_config":{"title":"Connector request properties for a SentinelOne connector","required":["url"],"description":"Defines properties for connectors when type is `.sentinelone`.","type":"object","properties":{"url":{"description":"The SentinelOne tenant URL. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts.\n","type":"string"}}},"servicenow_config":{"title":"Connector request properties for a ServiceNow ITSM connector","required":["apiUrl"],"description":"Defines properties for connectors when type is `.servicenow`.","type":"object","properties":{"apiUrl":{"type":"string","description":"The ServiceNow instance URL."},"clientId":{"description":"The client ID assigned to your OAuth application. This property is required when `isOAuth` is `true`.\n","type":"string"},"isOAuth":{"description":"The type of authentication to use. The default value is false, which means basic authentication is used instead of open authorization (OAuth).\n","default":false,"type":"boolean"},"jwtKeyId":{"description":"The key identifier assigned to the JWT verifier map of your OAuth application. This property is required when `isOAuth` is `true`.\n","type":"string"},"userIdentifierValue":{"description":"The identifier to use for OAuth authentication. This identifier should be the user field you selected when you created an OAuth JWT API endpoint for external clients in your ServiceNow instance. For example, if the selected user field is `Email`, the user identifier should be the user's email address. This property is required when `isOAuth` is `true`.\n","type":"string"},"usesTableApi":{"description":"Determines whether the connector uses the Table API or the Import Set API. This property is supported only for ServiceNow ITSM and ServiceNow SecOps connectors.  NOTE: If this property is set to `false`, the Elastic application should be installed in ServiceNow.\n","default":true,"type":"boolean"}}},"servicenow_itom_config":{"title":"Connector request properties for a ServiceNow ITOM connector","required":["apiUrl"],"description":"Defines properties for connectors when type is `.servicenow-itom`.","type":"object","properties":{"apiUrl":{"type":"string","description":"The ServiceNow instance URL."},"clientId":{"description":"The client ID assigned to your OAuth application. This property is required when `isOAuth` is `true`.\n","type":"string"},"isOAuth":{"description":"The type of authentication to use. The default value is false, which means basic authentication is used instead of open authorization (OAuth).\n","default":false,"type":"boolean"},"jwtKeyId":{"description":"The key identifier assigned to the JWT verifier map of your OAuth application. This property is required when `isOAuth` is `true`.\n","type":"string"},"userIdentifierValue":{"description":"The identifier to use for OAuth authentication. This identifier should be the user field you selected when you created an OAuth JWT API endpoint for external clients in your ServiceNow instance. For example, if the selected user field is `Email`, the user identifier should be the user's email address. This property is required when `isOAuth` is `true`.\n","type":"string"}}},"slack_api_config":{"title":"Connector request properties for a Slack connector","description":"Defines properties for connectors when type is `.slack_api`.","type":"object","properties":{"allowedChannels":{"type":"array","description":"A list of valid Slack channels.","items":{"type":"object","required":["id","name"],"maxItems":25,"properties":{"id":{"type":"string","description":"The Slack channel ID.","example":"C123ABC456","minLength":1},"name":{"type":"string","description":"The Slack channel name.","minLength":1}}}}}},"swimlane_config":{"title":"Connector request properties for a Swimlane connector","required":["apiUrl","appId","connectorType"],"description":"Defines properties for connectors when type is `.swimlane`.","type":"object","properties":{"apiUrl":{"description":"The Swimlane instance URL.","type":"string"},"appId":{"description":"The Swimlane application ID.","type":"string"},"connectorType":{"description":"The type of connector. Valid values are `all`, `alerts`, and `cases`.","type":"string","enum":["all","alerts","cases"]},"mappings":{"title":"Connector mappings properties for a Swimlane connector","description":"The field mapping.","type":"object","properties":{"alertIdConfig":{"title":"Alert identifier mapping","description":"Mapping for the alert ID.","type":"object","required":["fieldType","id","key","name"],"properties":{"fieldType":{"type":"string","description":"The type of field in Swimlane."},"id":{"type":"string","description":"The identifier for the field in Swimlane."},"key":{"type":"string","description":"The key for the field in Swimlane."},"name":{"type":"string","description":"The name of the field in Swimlane."}}},"caseIdConfig":{"title":"Case identifier mapping","description":"Mapping for the case ID.","type":"object","required":["fieldType","id","key","name"],"properties":{"fieldType":{"type":"string","description":"The type of field in Swimlane."},"id":{"type":"string","description":"The identifier for the field in Swimlane."},"key":{"type":"string","description":"The key for the field in Swimlane."},"name":{"type":"string","description":"The name of the field in Swimlane."}}},"caseNameConfig":{"title":"Case name mapping","description":"Mapping for the case name.","type":"object","required":["fieldType","id","key","name"],"properties":{"fieldType":{"type":"string","description":"The type of field in Swimlane."},"id":{"type":"string","description":"The identifier for the field in Swimlane."},"key":{"type":"string","description":"The key for the field in Swimlane."},"name":{"type":"string","description":"The name of the field in Swimlane."}}},"commentsConfig":{"title":"Case comment mapping","description":"Mapping for the case comments.","type":"object","required":["fieldType","id","key","name"],"properties":{"fieldType":{"type":"string","description":"The type of field in Swimlane."},"id":{"type":"string","description":"The identifier for the field in Swimlane."},"key":{"type":"string","description":"The key for the field in Swimlane."},"name":{"type":"string","description":"The name of the field in Swimlane."}}},"descriptionConfig":{"title":"Case description mapping","description":"Mapping for the case description.","type":"object","required":["fieldType","id","key","name"],"properties":{"fieldType":{"type":"string","description":"The type of field in Swimlane."},"id":{"type":"string","description":"The identifier for the field in Swimlane."},"key":{"type":"string","description":"The key for the field in Swimlane."},"name":{"type":"string","description":"The name of the field in Swimlane."}}},"ruleNameConfig":{"title":"Rule name mapping","description":"Mapping for the name of the alert's rule.","type":"object","required":["fieldType","id","key","name"],"properties":{"fieldType":{"type":"string","description":"The type of field in Swimlane."},"id":{"type":"string","description":"The identifier for the field in Swimlane."},"key":{"type":"string","description":"The key for the field in Swimlane."},"name":{"type":"string","description":"The name of the field in Swimlane."}}},"severityConfig":{"title":"Severity mapping","description":"Mapping for the severity.","type":"object","required":["fieldType","id","key","name"],"properties":{"fieldType":{"type":"string","description":"The type of field in Swimlane."},"id":{"type":"string","description":"The identifier for the field in Swimlane."},"key":{"type":"string","description":"The key for the field in Swimlane."},"name":{"type":"string","description":"The name of the field in Swimlane."}}}}}}},"thehive_config":{"title":"Connector request properties for a TheHive connector","description":"Defines configuration properties for connectors when type is `.thehive`.","type":"object","required":["url"],"properties":{"organisation":{"type":"string","description":"The organisation in TheHive that will contain the alerts or cases. By default, the connector uses the default organisation of the user account that created the API key.\n"},"url":{"type":"string","description":"The instance URL in TheHive. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts.\n"}}},"tines_config":{"title":"Connector request properties for a Tines connector","description":"Defines properties for connectors when type is `.tines`.","type":"object","required":["url"],"properties":{"url":{"description":"The Tines tenant URL. If you are using the `xpack.actions.allowedHosts` setting, make sure this hostname is added to the allowed hosts.\n","type":"string"}}},"torq_config":{"title":"Connector request properties for a Torq connector","description":"Defines properties for connectors when type is `.torq`.","type":"object","required":["webhookIntegrationUrl"],"properties":{"webhookIntegrationUrl":{"description":"The endpoint URL of the Elastic Security integration in Torq.","type":"string"}}},"auth_type":{"title":"Authentication type","type":"string","nullable":true,"enum":["webhook-authentication-basic","webhook-authentication-ssl"],"description":"The type of authentication to use: basic, SSL, or none.\n"},"ca":{"title":"Certificate authority","type":"string","description":"A base64 encoded version of the certificate authority file that the connector can trust to sign and validate certificates. This option is available for all authentication types.\n"},"cert_type":{"title":"Certificate type","type":"string","description":"If the `authType` is `webhook-authentication-ssl`, specifies whether the certificate authentication data is in a CRT and key file format or a PFX file format.\n","enum":["ssl-crt-key","ssl-pfx"]},"has_auth":{"title":"Has authentication","type":"boolean","description":"If true, a username and password for login type authentication must be provided.","default":true},"verification_mode":{"title":"Verification mode","type":"string","enum":["certificate","full","none"],"default":"full","description":"Controls the verification of certificates. Use `full` to validate that the certificate has an issue date within the `not_before` and `not_after` dates, chains to a trusted certificate authority (CA), and has a hostname or IP address that matches the names within the certificate. Use `certificate` to validate the certificate and verify that it is signed by a trusted authority; this option does not check the certificate hostname. Use `none` to skip certificate validation.\n"},"webhook_config":{"title":"Connector request properties for a Webhook connector","description":"Defines properties for connectors when type is `.webhook`.","type":"object","properties":{"authType":{"$ref":"#/components/schemas/auth_type"},"ca":{"$ref":"#/components/schemas/ca"},"certType":{"$ref":"#/components/schemas/cert_type"},"hasAuth":{"$ref":"#/components/schemas/has_auth"},"headers":{"type":"object","nullable":true,"description":"A set of key-value pairs sent as headers with the request."},"method":{"type":"string","default":"post","enum":["post","put"],"description":"The HTTP request method, either `post` or `put`.\n"},"url":{"type":"string","description":"The request URL. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts.\n"},"verificationMode":{"$ref":"#/components/schemas/verification_mode"}}},"cases_webhook_config":{"title":"Connector request properties for Webhook - Case Management connector","required":["createIncidentJson","createIncidentResponseKey","createIncidentUrl","getIncidentResponseExternalTitleKey","getIncidentUrl","updateIncidentJson","updateIncidentUrl","viewIncidentUrl"],"description":"Defines properties for connectors when type is `.cases-webhook`.","type":"object","properties":{"authType":{"$ref":"#/components/schemas/auth_type"},"ca":{"$ref":"#/components/schemas/ca"},"certType":{"$ref":"#/components/schemas/cert_type"},"createCommentJson":{"type":"string","description":"A JSON payload sent to the create comment URL to create a case comment. You can use variables to add Kibana Cases data to the payload. The required variable is `case.comment`. Due to Mustache template variables (the text enclosed in triple braces, for example, `{{{case.title}}}`), the JSON is not validated when you create the connector. The JSON is validated once the Mustache variables have been placed when the REST method runs. Manually ensure that the JSON is valid, disregarding the Mustache variables, so the later validation will pass.\n","example":"{\"body\": {{{case.comment}}}}"},"createCommentMethod":{"type":"string","description":"The REST API HTTP request method to create a case comment in the third-party system. Valid values are `patch`, `post`, and `put`.\n","default":"put","enum":["patch","post","put"]},"createCommentUrl":{"type":"string","description":"The REST API URL to create a case comment by ID in the third-party system. You can use a variable to add the external system ID to the URL. If you are using the `xpack.actions.allowedHosts setting`, add the hostname to the allowed hosts.\n","example":"https://example.com/issue/{{{external.system.id}}}/comment"},"createIncidentJson":{"type":"string","description":"A JSON payload sent to the create case URL to create a case. You can use variables to add case data to the payload. Required variables are `case.title` and `case.description`. Due to Mustache template variables (which is the text enclosed in triple braces, for example, `{{{case.title}}}`), the JSON is not validated when you create the connector. The JSON is validated after the Mustache variables have been placed when REST method runs. Manually ensure that the JSON is valid to avoid future validation errors; disregard Mustache variables during your review.\n","example":"{\"fields\": {\"summary\": {{{case.title}}},\"description\": {{{case.description}}},\"labels\": {{{case.tags}}}}}"},"createIncidentMethod":{"type":"string","description":"The REST API HTTP request method to create a case in the third-party system. Valid values are `patch`, `post`, and `put`.\n","enum":["patch","post","put"],"default":"post"},"createIncidentResponseKey":{"type":"string","description":"The JSON key in the create external case response that contains the case ID."},"createIncidentUrl":{"type":"string","description":"The REST API URL to create a case in the third-party system. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts.\n"},"getIncidentResponseExternalTitleKey":{"type":"string","description":"The JSON key in get external case response that contains the case title."},"getIncidentUrl":{"type":"string","description":"The REST API URL to get the case by ID from the third-party system. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. You can use a variable to add the external system ID to the URL. Due to Mustache template variables (the text enclosed in triple braces, for example, `{{{case.title}}}`), the JSON is not validated when you create the connector. The JSON is validated after the Mustache variables have been placed when REST method runs. Manually ensure that the JSON is valid, disregarding the Mustache variables, so the later validation will pass.\n","example":"https://example.com/issue/{{{external.system.id}}}"},"hasAuth":{"$ref":"#/components/schemas/has_auth"},"headers":{"type":"string","description":"A set of key-value pairs sent as headers with the request URLs for the create case, update case, get case, and create comment methods.\n"},"updateIncidentJson":{"type":"string","description":"The JSON payload sent to the update case URL to update the case. You can use variables to add Kibana Cases data to the payload. Required variables are `case.title` and `case.description`. Due to Mustache template variables (which is the text enclosed in triple braces, for example, `{{{case.title}}}`), the JSON is not validated when you create the connector. The JSON is validated after the Mustache variables have been placed when REST method runs. Manually ensure that the JSON is valid to avoid future validation errors; disregard Mustache variables during your review.\n","example":"{\"fields\": {\"summary\": {{{case.title}}},\"description\": {{{case.description}}},\"labels\": {{{case.tags}}}}}"},"updateIncidentMethod":{"type":"string","description":"The REST API HTTP request method to update the case in the third-party system. Valid values are `patch`, `post`, and `put`.\n","default":"put","enum":["patch","post","put"]},"updateIncidentUrl":{"type":"string","description":"The REST API URL to update the case by ID in the third-party system. You can use a variable to add the external system ID to the URL. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts.\n","example":"https://example.com/issue/{{{external.system.ID}}}"},"verificationMode":{"$ref":"#/components/schemas/verification_mode"},"viewIncidentUrl":{"type":"string","description":"The URL to view the case in the external system. You can use variables to add the external system ID or external system title to the URL.\n","example":"https://testing-jira.atlassian.net/browse/{{{external.system.title}}}"}}},"xmatters_config":{"title":"Connector request properties for an xMatters connector","description":"Defines properties for connectors when type is `.xmatters`.","type":"object","properties":{"configUrl":{"description":"The request URL for the Elastic Alerts trigger in xMatters. It is applicable only when `usesBasic` is `true`.\n","type":"string","nullable":true},"usesBasic":{"description":"Specifies whether the connector uses HTTP basic authentication (`true`) or URL authentication (`false`).","type":"boolean","default":true}}},"bedrock_secrets":{"title":"Connector secrets properties for an Amazon Bedrock connector","description":"Defines secrets for connectors when type is `.bedrock`.","type":"object","required":["accessKey","secret"],"properties":{"accessKey":{"type":"string","description":"The AWS access key for authentication."},"secret":{"type":"string","description":"The AWS secret for authentication."}}},"crowdstrike_secrets":{"title":"Connector secrets properties for a Crowdstrike connector","description":"Defines secrets for connectors when type is `.crowdstrike`.","type":"object","required":["clientId","clientSecret"],"properties":{"clientId":{"description":"The CrowdStrike API client identifier.","type":"string"},"clientSecret":{"description":"The CrowdStrike API client secret to authenticate the `clientId`.","type":"string"}}},"d3security_secrets":{"title":"Connector secrets properties for a D3 Security connector","description":"Defines secrets for connectors when type is `.d3security`.","required":["token"],"type":"object","properties":{"token":{"type":"string","description":"The D3 Security token."}}},"email_secrets":{"title":"Connector secrets properties for an email connector","description":"Defines secrets for connectors when type is `.email`.","type":"object","properties":{"clientSecret":{"type":"string","description":"The Microsoft Exchange Client secret for OAuth 2.0 client credentials authentication. It must be URL-encoded. If `service` is `exchange_server`, this property is required.\n"},"password":{"type":"string","description":"The password for HTTP basic authentication. If `hasAuth` is set to `true`, this property is required.\n"},"user":{"type":"string","description":"The username for HTTP basic authentication. If `hasAuth` is set to `true`, this property is required.\n"}}},"gemini_secrets":{"title":"Connector secrets properties for a Google Gemini connector","description":"Defines secrets for connectors when type is `.gemini`.","type":"object","required":["credentialsJson"],"properties":{"credentialsJson":{"type":"string","description":"The service account credentials JSON file. The service account should have Vertex AI user IAM role assigned to it."}}},"resilient_secrets":{"title":"Connector secrets properties for IBM Resilient connector","required":["apiKeyId","apiKeySecret"],"description":"Defines secrets for connectors when type is `.resilient`.","type":"object","properties":{"apiKeyId":{"type":"string","description":"The authentication key ID for HTTP Basic authentication."},"apiKeySecret":{"type":"string","description":"The authentication key secret for HTTP Basic authentication."}}},"jira_secrets":{"title":"Connector secrets properties for a Jira connector","required":["apiToken","email"],"description":"Defines secrets for connectors when type is `.jira`.","type":"object","properties":{"apiToken":{"description":"The Jira API authentication token for HTTP basic authentication.","type":"string"},"email":{"description":"The account email for HTTP Basic authentication.","type":"string"}}},"teams_secrets":{"title":"Connector secrets properties for a Microsoft Teams connector","description":"Defines secrets for connectors when type is `.teams`.","type":"object","required":["webhookUrl"],"properties":{"webhookUrl":{"type":"string","description":"The URL of the incoming webhook. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts.\n"}}},"genai_secrets":{"title":"Connector secrets properties for an OpenAI connector","description":"Defines secrets for connectors when type is `.gen-ai`. Supports both API key authentication (OpenAI, Azure OpenAI, and `Other`) and PKI authentication (`Other` provider only). PKI fields must be base64-encoded PEM content.\n","type":"object","properties":{"apiKey":{"type":"string","description":"The API key for authentication. For OpenAI and Azure OpenAI providers, it is required. For the `Other` provider, it is required if you do not use PKI authentication. With PKI, you can also optionally include an API key if the OpenAI-compatible service supports or requires one.\n"},"certificateData":{"type":"string","description":"Base64-encoded PEM certificate content for PKI authentication (Other provider only). Required for PKI.\n","minLength":1},"privateKeyData":{"type":"string","description":"Base64-encoded PEM private key content for PKI authentication (Other provider only). Required for PKI.\n","minLength":1},"caData":{"type":"string","description":"Base64-encoded PEM CA certificate content for PKI authentication (Other provider only). Optional.\n","minLength":1}}},"opsgenie_secrets":{"title":"Connector secrets properties for an Opsgenie connector","required":["apiKey"],"description":"Defines secrets for connectors when type is `.opsgenie`.","type":"object","properties":{"apiKey":{"description":"The Opsgenie API authentication key for HTTP Basic authentication.","type":"string"}}},"pagerduty_secrets":{"title":"Connector secrets properties for a PagerDuty connector","description":"Defines secrets for connectors when type is `.pagerduty`.","type":"object","required":["routingKey"],"properties":{"routingKey":{"description":"A 32 character PagerDuty Integration Key for an integration on a service.\n","type":"string"}}},"sentinelone_secrets":{"title":"Connector secrets properties for a SentinelOne connector","description":"Defines secrets for connectors when type is `.sentinelone`.","type":"object","required":["token"],"properties":{"token":{"description":"The A SentinelOne API token.","type":"string"}}},"servicenow_secrets":{"title":"Connector secrets properties for ServiceNow ITOM, ServiceNow ITSM, and ServiceNow SecOps connectors","description":"Defines secrets for connectors when type is `.servicenow`, `.servicenow-sir`, or `.servicenow-itom`.","type":"object","properties":{"clientSecret":{"type":"string","description":"The client secret assigned to your OAuth application. This property is required when `isOAuth` is `true`."},"password":{"type":"string","description":"The password for HTTP basic authentication. This property is required when `isOAuth` is `false`."},"privateKey":{"type":"string","description":"The RSA private key that you created for use in ServiceNow. This property is required when `isOAuth` is `true`."},"privateKeyPassword":{"type":"string","description":"The password for the RSA private key. This property is required when `isOAuth` is `true` and you set a password on your private key."},"username":{"type":"string","description":"The username for HTTP basic authentication. This property is required when `isOAuth` is `false`."}}},"slack_api_secrets":{"title":"Connector secrets properties for a Web API Slack connector","description":"Defines secrets for connectors when type is `.slack`.","required":["token"],"type":"object","properties":{"token":{"type":"string","description":"Slack bot user OAuth token."}}},"swimlane_secrets":{"title":"Connector secrets properties for a Swimlane connector","description":"Defines secrets for connectors when type is `.swimlane`.","type":"object","properties":{"apiToken":{"description":"Swimlane API authentication token.","type":"string"}}},"thehive_secrets":{"title":"Connector secrets properties for a TheHive connector","description":"Defines secrets for connectors when type is `.thehive`.","required":["apiKey"],"type":"object","properties":{"apiKey":{"type":"string","description":"The API key for authentication in TheHive."}}},"tines_secrets":{"title":"Connector secrets properties for a Tines connector","description":"Defines secrets for connectors when type is `.tines`.","type":"object","required":["email","token"],"properties":{"email":{"description":"The email used to sign in to Tines.","type":"string"},"token":{"description":"The Tines API token.","type":"string"}}},"torq_secrets":{"title":"Connector secrets properties for a Torq connector","description":"Defines secrets for connectors when type is `.torq`.","type":"object","required":["token"],"properties":{"token":{"description":"The secret of the webhook authentication header.","type":"string"}}},"crt":{"title":"Certificate","type":"string","description":"If `authType` is `webhook-authentication-ssl` and `certType` is `ssl-crt-key`, it is a base64 encoded version of the CRT or CERT file."},"key":{"title":"Certificate key","type":"string","description":"If `authType` is `webhook-authentication-ssl` and `certType` is `ssl-crt-key`, it is a base64 encoded version of the KEY file."},"pfx":{"title":"Personal information exchange","type":"string","description":"If `authType` is `webhook-authentication-ssl` and `certType` is `ssl-pfx`, it is a base64 encoded version of the PFX or P12 file."},"webhook_secrets":{"title":"Connector secrets properties for a Webhook connector","description":"Defines secrets for connectors when type is `.webhook`.","type":"object","properties":{"crt":{"$ref":"#/components/schemas/crt"},"key":{"$ref":"#/components/schemas/key"},"pfx":{"$ref":"#/components/schemas/pfx"},"password":{"type":"string","description":"The password for HTTP basic authentication or the passphrase for the SSL certificate files. If `hasAuth` is set to `true` and `authType` is `webhook-authentication-basic`, this property is required.\n"},"user":{"type":"string","description":"The username for HTTP basic authentication. If `hasAuth` is set to `true`  and `authType` is `webhook-authentication-basic`, this property is required.\n"}}},"cases_webhook_secrets":{"title":"Connector secrets properties for Webhook - Case Management connector","type":"object","properties":{"crt":{"$ref":"#/components/schemas/crt"},"key":{"$ref":"#/components/schemas/key"},"pfx":{"$ref":"#/components/schemas/pfx"},"password":{"type":"string","description":"The password for HTTP basic authentication. If `hasAuth` is set to `true` and and `authType` is `webhook-authentication-basic`, this property is required.\n"},"user":{"type":"string","description":"The username for HTTP basic authentication. If `hasAuth` is set to `true` and `authType` is `webhook-authentication-basic`, this property is required.\n"}}},"xmatters_secrets":{"title":"Connector secrets properties for an xMatters connector","description":"Defines secrets for connectors when type is `.xmatters`.","type":"object","properties":{"password":{"description":"A user name for HTTP basic authentication. It is applicable only when `usesBasic` is `true`.\n","type":"string"},"secretsUrl":{"description":"The request URL for the Elastic Alerts trigger in xMatters with the API key included in the URL. It is applicable only when `usesBasic` is `false`.\n","type":"string"},"user":{"description":"A password for HTTP basic authentication. It is applicable only when `usesBasic` is `true`.\n","type":"string"}}},"genai_openai_other_config":{"title":"Connector request properties for an OpenAI connector with Other provider","description":"Defines properties for connectors when type is `.gen-ai` and the API provider is `Other` (OpenAI-compatible service), including optional PKI authentication.\n","type":"object","required":["apiProvider","apiUrl","defaultModel"],"properties":{"apiProvider":{"type":"string","description":"The OpenAI API provider.","enum":["Other"]},"apiUrl":{"type":"string","description":"The OpenAI-compatible API endpoint."},"defaultModel":{"type":"string","description":"The default model to use for requests."},"certificateData":{"type":"string","description":"PEM-encoded certificate content.","minLength":1},"privateKeyData":{"type":"string","description":"PEM-encoded private key content.","minLength":1},"caData":{"type":"string","description":"PEM-encoded CA certificate content.","minLength":1},"verificationMode":{"type":"string","description":"SSL verification mode for PKI authentication.","enum":["full","certificate","none"],"default":"full"},"headers":{"type":"object","description":"Custom headers to include in requests.","additionalProperties":{"type":"string"}}}},"defender_secrets":{"title":"Connector secrets properties for a Microsoft Defender for Endpoint connector","required":["clientSecret"],"description":"Defines secrets for connectors when type is `..microsoft_defender_endpoint`.","type":"object","properties":{"clientSecret":{"description":"The client secret for your app in the Azure portal.","type":"string"}}},"run_acknowledge_resolve_pagerduty":{"title":"PagerDuty connector parameters","description":"Test an action that acknowledges or resolves a PagerDuty alert.","type":"object","required":["dedupKey","eventAction"],"properties":{"dedupKey":{"description":"The deduplication key for the PagerDuty alert.","type":"string","maxLength":255},"eventAction":{"description":"The type of event.","type":"string","enum":["acknowledge","resolve"]}}},"run_documents":{"title":"Index connector parameters","description":"Test an action that indexes a document into Elasticsearch.","type":"object","required":["documents"],"properties":{"documents":{"type":"array","description":"The documents in JSON format for index connectors.","items":{"type":"object","additionalProperties":true}}}},"run_message_email":{"title":"Email connector parameters","description":"Test an action that sends an email message. There must be at least one recipient in `to`, `cc`, or `bcc`.\n","type":"object","required":["message","subject"],"properties":{"bcc":{"type":"array","items":{"type":"string"},"description":"A list of \"blind carbon copy\" email addresses. Addresses can be specified in `user@host-name` format or in name `\u003cuser@host-name\u003e` format\n"},"cc":{"type":"array","items":{"type":"string"},"description":"A list of \"carbon copy\" email addresses. Addresses can be specified in `user@host-name` format or in name `\u003cuser@host-name\u003e` format \n"},"message":{"type":"string","description":"The email message text. Markdown format is supported."},"subject":{"type":"string","description":"The subject line of the email."},"to":{"type":"array","description":"A list of email addresses. Addresses can be specified in `user@host-name` format or in name `\u003cuser@host-name\u003e` format.\n","items":{"type":"string"}}}},"run_message_serverlog":{"title":"Server log connector parameters","description":"Test an action that writes an entry to the Kibana server log.","type":"object","required":["message"],"properties":{"level":{"type":"string","description":"The log level of the message for server log connectors.","enum":["debug","error","fatal","info","trace","warn"],"default":"info"},"message":{"type":"string","description":"The message for server log connectors."}}},"run_message_slack":{"title":"Slack connector parameters","description":"Test an action that sends a message to Slack. It is applicable only when the connector type is `.slack`.\n","type":"object","required":["message"],"properties":{"message":{"type":"string","description":"The Slack message text, which cannot contain Markdown, images, or other advanced formatting."}}},"run_trigger_pagerduty":{"title":"PagerDuty connector parameters","description":"Test an action that triggers a PagerDuty alert.","type":"object","required":["eventAction"],"properties":{"class":{"description":"The class or type of the event.","type":"string","example":"cpu load"},"component":{"description":"The component of the source machine that is responsible for the event.","type":"string","example":"eth0"},"customDetails":{"description":"Additional details to add to the event.","type":"object"},"dedupKey":{"description":"All actions sharing this key will be associated with the same PagerDuty alert. This value is used to correlate trigger and resolution.\n","type":"string","maxLength":255},"eventAction":{"description":"The type of event.","type":"string","enum":["trigger"]},"group":{"description":"The logical grouping of components of a service.","type":"string","example":"app-stack"},"links":{"description":"A list of links to add to the event.","type":"array","items":{"type":"object","properties":{"href":{"description":"The URL for the link.","type":"string"},"text":{"description":"A plain text description of the purpose of the link.","type":"string"}}}},"severity":{"description":"The severity of the event on the affected system.","type":"string","enum":["critical","error","info","warning"],"default":"info"},"source":{"description":"The affected system, such as a hostname or fully qualified domain name. Defaults to the Kibana saved object id of the action.\n","type":"string"},"summary":{"description":"A summery of the event.","type":"string","maxLength":1024},"timestamp":{"description":"An ISO-8601 timestamp that indicates when the event was detected or generated.","type":"string","format":"date-time"}}},"run_addevent":{"title":"The addEvent subaction","type":"object","required":["subAction"],"description":"The `addEvent` subaction for ServiceNow ITOM connectors.","properties":{"subAction":{"type":"string","description":"The action to test.","enum":["addEvent"]},"subActionParams":{"type":"object","description":"The set of configuration properties for the action.","properties":{"additional_info":{"type":"string","description":"Additional information about the event."},"description":{"type":"string","description":"The details about the event."},"event_class":{"type":"string","description":"A specific instance of the source."},"message_key":{"type":"string","description":"All actions sharing this key are associated with the same ServiceNow alert. The default value is `\u003crule ID\u003e:\u003calert instance ID\u003e`."},"metric_name":{"type":"string","description":"The name of the metric."},"node":{"type":"string","description":"The host that the event was triggered for."},"resource":{"type":"string","description":"The name of the resource."},"severity":{"type":"string","description":"The severity of the event."},"source":{"type":"string","description":"The name of the event source type."},"time_of_event":{"type":"string","description":"The time of the event."},"type":{"type":"string","description":"The type of event."}}}}},"run_closealert":{"title":"The closeAlert subaction","type":"object","required":["subAction","subActionParams"],"description":"The `closeAlert` subaction for Opsgenie connectors.","properties":{"subAction":{"type":"string","description":"The action to test.","enum":["closeAlert"]},"subActionParams":{"type":"object","required":["alias"],"properties":{"alias":{"type":"string","description":"The unique identifier used for alert deduplication in Opsgenie. The alias must match the value used when creating the alert."},"note":{"type":"string","description":"Additional information for the alert."},"source":{"type":"string","description":"The display name for the source of the alert."},"user":{"type":"string","description":"The display name for the owner."}}}}},"run_closeincident":{"title":"The closeIncident subaction","type":"object","required":["subAction","subActionParams"],"description":"The `closeIncident` subaction for ServiceNow ITSM connectors.","properties":{"subAction":{"type":"string","description":"The action to test.","enum":["closeIncident"]},"subActionParams":{"type":"object","required":["incident"],"properties":{"incident":{"type":"object","anyOf":[{"required":["correlation_id"]},{"required":["externalId"]}],"properties":{"correlation_id":{"type":"string","nullable":true,"description":"An identifier that is assigned to the incident when it is created by the connector. NOTE: If you use the default value and the rule generates multiple alerts that use the same alert IDs, the latest open incident for this correlation ID is closed unless you specify the external ID.\n","maxLength":100,"default":"{{rule.id}}:{{alert.id}}"},"externalId":{"type":"string","nullable":true,"description":"The unique identifier (`incidentId`) for the incident in ServiceNow."}}}}}}},"run_createalert":{"title":"The createAlert subaction","type":"object","required":["subAction","subActionParams"],"description":"The `createAlert` subaction for Opsgenie and TheHive connectors.","properties":{"subAction":{"type":"string","description":"The action to test.","enum":["createAlert"]},"subActionParams":{"type":"object","properties":{"actions":{"type":"array","description":"The custom actions available to the alert in Opsgenie connectors.","items":{"type":"string"}},"alias":{"type":"string","description":"The unique identifier used for alert deduplication in Opsgenie."},"description":{"type":"string","description":"A description that provides detailed information about the alert."},"details":{"type":"object","description":"The custom properties of the alert in Opsgenie connectors.","additionalProperties":true,"example":{"key1":"value1","key2":"value2"}},"entity":{"type":"string","description":"The domain of the alert in Opsgenie connectors. For example, the application or server name."},"message":{"type":"string","description":"The alert message in Opsgenie connectors."},"note":{"type":"string","description":"Additional information for the alert in Opsgenie connectors."},"priority":{"type":"string","description":"The priority level for the alert in Opsgenie connectors.","enum":["P1","P2","P3","P4","P5"]},"responders":{"type":"array","description":"The entities to receive notifications about the alert in Opsgenie connectors. If `type` is `user`, either `id` or `username` is required. If `type` is `team`, either `id` or `name` is required.\n","items":{"type":"object","properties":{"id":{"type":"string","description":"The identifier for the entity."},"name":{"type":"string","description":"The name of the entity."},"type":{"type":"string","description":"The type of responders, in this case `escalation`.","enum":["escalation","schedule","team","user"]},"username":{"type":"string","description":"A valid email address for the user."}}}},"severity":{"type":"integer","minimum":1,"maximum":4,"description":"The severity of the incident for TheHive connectors. The value ranges from 1 (low) to 4 (critical) with a default value of 2 (medium).\n"},"source":{"type":"string","description":"The display name for the source of the alert in Opsgenie and TheHive connectors."},"sourceRef":{"type":"string","description":"A source reference for the alert in TheHive connectors."},"tags":{"type":"array","description":"The tags for the alert in Opsgenie and TheHive connectors.","items":{"type":"string"}},"title":{"type":"string","description":"A title for the incident for TheHive connectors. It is used for searching the contents of the knowledge base.\n"},"tlp":{"type":"integer","minimum":0,"maximum":4,"default":2,"description":"The traffic light protocol designation for the incident in TheHive connectors. Valid values include: 0 (clear), 1 (green), 2 (amber), 3 (amber and strict), and 4 (red).\n"},"type":{"type":"string","description":"The type of alert in TheHive connectors."},"user":{"type":"string","description":"The display name for the owner."},"visibleTo":{"type":"array","description":"The teams and users that the alert will be visible to without sending a notification. Only one of `id`, `name`, or `username` is required.","items":{"type":"object","required":["type"],"properties":{"id":{"type":"string","description":"The identifier for the entity."},"name":{"type":"string","description":"The name of the entity."},"type":{"type":"string","description":"Valid values are `team` and `user`.","enum":["team","user"]},"username":{"type":"string","description":"The user name. This property is required only when the `type` is `user`."}}}}}}}},"run_fieldsbyissuetype":{"title":"The fieldsByIssueType subaction","type":"object","required":["subAction","subActionParams"],"description":"The `fieldsByIssueType` subaction for Jira connectors.","properties":{"subAction":{"type":"string","description":"The action to test.","enum":["fieldsByIssueType"]},"subActionParams":{"type":"object","required":["id"],"properties":{"id":{"type":"string","description":"The Jira issue type identifier.","example":10024}}}}},"run_getagentdetails":{"title":"The getAgentDetails subaction","type":"object","required":["subAction","subActionParams"],"description":"The `getAgentDetails` subaction for CrowdStrike connectors.","properties":{"subAction":{"type":"string","description":"The action to test.","enum":["getAgentDetails"]},"subActionParams":{"type":"object","description":"The set of configuration properties for the action.","required":["ids"],"properties":{"ids":{"type":"array","description":"An array of CrowdStrike agent identifiers.","items":{"type":"string"}}}}}},"run_getagents":{"title":"The getAgents subaction","type":"object","required":["subAction"],"description":"The `getAgents` subaction for SentinelOne connectors.","properties":{"subAction":{"type":"string","description":"The action to test.","enum":["getAgents"]}}},"run_getchoices":{"title":"The getChoices subaction","type":"object","required":["subAction","subActionParams"],"description":"The `getChoices` subaction for ServiceNow ITOM, ServiceNow ITSM, and ServiceNow SecOps connectors.","properties":{"subAction":{"type":"string","description":"The action to test.","enum":["getChoices"]},"subActionParams":{"type":"object","description":"The set of configuration properties for the action.","required":["fields"],"properties":{"fields":{"type":"array","description":"An array of fields.","items":{"type":"string"}}}}}},"run_getfields":{"title":"The getFields subaction","type":"object","required":["subAction"],"description":"The `getFields` subaction for Jira, ServiceNow ITSM, and ServiceNow SecOps connectors.","properties":{"subAction":{"type":"string","description":"The action to test.","enum":["getFields"]}}},"run_getincident":{"title":"The getIncident subaction","type":"object","description":"The `getIncident` subaction for Jira, ServiceNow ITSM, and ServiceNow SecOps connectors.","required":["subAction","subActionParams"],"properties":{"subAction":{"type":"string","description":"The action to test.","enum":["getIncident"]},"subActionParams":{"type":"object","required":["externalId"],"properties":{"externalId":{"type":"string","description":"The Jira, ServiceNow ITSM, or ServiceNow SecOps issue identifier.","example":71778}}}}},"run_issue":{"title":"The issue subaction","type":"object","required":["subAction"],"description":"The `issue` subaction for Jira connectors.","properties":{"subAction":{"type":"string","description":"The action to test.","enum":["issue"]},"subActionParams":{"type":"object","required":["id"],"properties":{"id":{"type":"string","description":"The Jira issue identifier.","example":71778}}}}},"run_issues":{"title":"The issues subaction","type":"object","required":["subAction","subActionParams"],"description":"The `issues` subaction for Jira connectors.","properties":{"subAction":{"type":"string","description":"The action to test.","enum":["issues"]},"subActionParams":{"type":"object","required":["title"],"properties":{"title":{"type":"string","description":"The title of the Jira issue."}}}}},"run_issuetypes":{"title":"The issueTypes subaction","type":"object","required":["subAction"],"description":"The `issueTypes` subaction for Jira connectors.","properties":{"subAction":{"type":"string","description":"The action to test.","enum":["issueTypes"]}}},"run_postmessage":{"title":"The postMessage subaction","type":"object","description":"Test an action that sends a message to Slack. It is applicable only when the connector type is `.slack_api`.\n","required":["subAction","subActionParams"],"properties":{"subAction":{"type":"string","description":"The action to test.","enum":["postMessage"]},"subActionParams":{"type":"object","description":"The set of configuration properties for the action.","properties":{"channelIds":{"type":"array","maxItems":1,"description":"The Slack channel identifier, which must be one of the `allowedChannels` in the connector configuration.\n","items":{"type":"string"}},"channels":{"type":"array","deprecated":true,"description":"The name of a channel that your Slack app has access to.\n","maxItems":1,"items":{"type":"string"}},"text":{"type":"string","description":"The Slack message text. If it is a Slack webhook connector, the text cannot contain Markdown, images, or other advanced formatting. If it is a Slack web API connector, it can contain either plain text or block kit messages.\n","minLength":1}}}}},"run_pushtoservice":{"title":"The pushToService subaction","type":"object","required":["subAction","subActionParams"],"description":"The `pushToService` subaction for Jira, ServiceNow ITSM, ServiceNow SecOps, Swimlane, TheHive, and Webhook - Case Management connectors.","properties":{"subAction":{"type":"string","description":"The action to test.","enum":["pushToService"]},"subActionParams":{"type":"object","description":"The set of configuration properties for the action.","properties":{"comments":{"type":"array","description":"Additional information that is sent to Jira, ServiceNow ITSM, ServiceNow SecOps, Swimlane, or TheHive.","items":{"type":"object","properties":{"comment":{"type":"string","description":"A comment related to the incident. For example, describe how to troubleshoot the issue."},"commentId":{"type":"integer","description":"A unique identifier for the comment."}}}},"incident":{"type":"object","description":"Information necessary to create or update a Jira, ServiceNow ITSM, ServiveNow SecOps, Swimlane, or TheHive incident.","properties":{"additional_fields":{"type":"string","nullable":true,"maxLength":20,"description":"Additional fields for ServiceNow ITSM and ServiveNow SecOps connectors. The fields must exist in the Elastic ServiceNow application and must be specified in JSON format.\n"},"alertId":{"type":"string","description":"The alert identifier for Swimlane connectors."},"caseId":{"type":"string","description":"The case identifier for the incident for Swimlane connectors."},"caseName":{"type":"string","description":"The case name for the incident for Swimlane connectors."},"category":{"type":"string","description":"The category of the incident for ServiceNow ITSM and ServiceNow SecOps connectors."},"correlation_display":{"type":"string","description":"A descriptive label of the alert for correlation purposes for ServiceNow ITSM and ServiceNow SecOps connectors."},"correlation_id":{"type":"string","description":"The correlation identifier for the security incident for ServiceNow ITSM and ServiveNow SecOps connectors. Connectors using the same correlation ID are associated with the same ServiceNow incident. This value determines whether a new ServiceNow incident is created or an existing one is updated. Modifying this value is optional; if not modified, the rule ID and alert ID are combined as `{{ruleID}}:{{alert ID}}` to form the correlation ID value in ServiceNow. The maximum character length for this value is 100 characters. NOTE: Using the default configuration of `{{ruleID}}:{{alert ID}}` ensures that ServiceNow creates a separate incident record for every generated alert that uses a unique alert ID. If the rule generates multiple alerts that use the same alert IDs, ServiceNow creates and continually updates a single incident record for the alert.\n"},"description":{"type":"string","description":"The description of the incident for Jira, ServiceNow ITSM, ServiceNow SecOps, Swimlane, TheHive, and Webhook - Case Management connectors."},"dest_ip":{"description":"A list of destination IP addresses related to the security incident for ServiceNow SecOps connectors. The IPs are added as observables to the security incident.\n","oneOf":[{"type":"string"},{"type":"array","items":{"type":"string"}}]},"externalId":{"type":"string","description":"The Jira, ServiceNow ITSM, or ServiceNow SecOps issue identifier. If present, the incident is updated. Otherwise, a new incident is created.\n"},"id":{"type":"string","description":"The external case identifier for Webhook - Case Management connectors."},"impact":{"type":"string","description":"The impact of the incident for ServiceNow ITSM connectors."},"issueType":{"type":"integer","description":"The type of incident for Jira connectors. For example, 10006. To obtain the list of valid values, set `subAction` to `issueTypes`."},"labels":{"type":"array","items":{"type":"string"},"description":"The labels for the incident for Jira connectors. NOTE: Labels cannot contain spaces.\n"},"malware_hash":{"description":"A list of malware hashes related to the security incident for ServiceNow SecOps connectors. The hashes are added as observables to the security incident.","oneOf":[{"type":"string"},{"type":"array","items":{"type":"string"}}]},"malware_url":{"type":"string","description":"A list of malware URLs related to the security incident for ServiceNow SecOps connectors. The URLs are added as observables to the security incident.","oneOf":[{"type":"string"},{"type":"array","items":{"type":"string"}}]},"otherFields":{"type":"object","additionalProperties":true,"maxProperties":20,"description":"Custom field identifiers and their values for Jira connectors.\n"},"parent":{"type":"string","description":"The ID or key of the parent issue for Jira connectors. Applies only to `Sub-task` types of issues."},"priority":{"type":"string","description":"The priority of the incident in Jira and ServiceNow SecOps connectors."},"ruleName":{"type":"string","description":"The rule name for Swimlane connectors."},"severity":{"type":"integer","description":"The severity of the incident for ServiceNow ITSM, Swimlane, and TheHive connectors. In TheHive connectors, the severity value ranges from 1 (low) to 4 (critical) with a default value of 2 (medium).\n"},"short_description":{"type":"string","description":"A short description of the incident for ServiceNow ITSM and ServiceNow SecOps connectors. It is used for searching the contents of the knowledge base.\n"},"source_ip":{"description":"A list of source IP addresses related to the security incident for ServiceNow SecOps connectors. The IPs are added as observables to the security incident.","oneOf":[{"type":"string"},{"type":"array","items":{"type":"string"}}]},"status":{"type":"string","description":"The status of the incident for Webhook - Case Management connectors."},"subcategory":{"type":"string","description":"The subcategory of the incident for ServiceNow ITSM and ServiceNow SecOps connectors."},"summary":{"type":"string","description":"A summary of the incident for Jira connectors."},"tags":{"type":"array","items":{"type":"string"},"description":"A list of tags for TheHive and Webhook - Case Management connectors."},"title":{"type":"string","description":"A title for the incident for Jira, TheHive, and Webhook - Case Management connectors. It is used for searching the contents of the knowledge base.\n"},"tlp":{"type":"integer","minimum":0,"maximum":4,"default":2,"description":"The traffic light protocol designation for the incident in TheHive connectors. Valid values include: 0 (clear), 1 (green), 2 (amber), 3 (amber and strict), and 4 (red).\n"},"urgency":{"type":"string","description":"The urgency of the incident for ServiceNow ITSM connectors."}}}}}}},"run_validchannelid":{"title":"The validChannelId subaction","type":"object","description":"Retrieves information about a valid Slack channel identifier. It is applicable only when the connector type is `.slack_api`.\n","required":["subAction","subActionParams"],"properties":{"subAction":{"type":"string","description":"The action to test.","enum":["validChannelId"]},"subActionParams":{"type":"object","required":["channelId"],"properties":{"channelId":{"type":"string","description":"The Slack channel identifier.","example":"C123ABC456"}}}}},"params_property_apm_anomaly":{"title":"APM anomaly","description":"The parameters for the APM anomaly rule. These parameters are appropriate when `rule_type_id` is `apm.rules.anomaly`.\n","type":"object","required":["windowSize","windowUnit","environment","anomalySeverityType"],"properties":{"serviceName":{"type":"string","description":"Filter the rule to apply to a specific service name."},"transactionType":{"type":"string","description":"Filter the rule to apply to a specific transaction type."},"windowSize":{"type":"number","example":6,"description":"The size of the time window (in `windowUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection.\n"},"windowUnit":{"type":"string","description":"The type of units for the time window. For example: minutes, hours, or days.\n","enum":["m","h","d"]},"environment":{"type":"string","description":"Filter the rule to apply to a specific environment."},"anomalySeverityType":{"type":"string","description":"The severity of anomalies that will generate alerts: critical, major, minor, or warning.\n","enum":["critical","major","minor","warning"]}}},"params_property_apm_error_count":{"title":"APM error count","description":"The parameters for the APM error count rule. These parameters are appropriate when `rule_type_id` is `apm.error_rate`.\n","type":"object","required":["windowSize","windowUnit","threshold","environment"],"properties":{"serviceName":{"type":"string","description":"Filter the errors coming from your application to apply the rule to a specific service."},"windowSize":{"type":"number","description":"The time frame in which the errors must occur (in `windowUnit` units). Generally it should be a value higher than the rule check interval to avoid gaps in detection.\n","example":6},"windowUnit":{"type":"string","description":"The type of units for the time window: minutes, hours, or days.\n","enum":["m","h","d"]},"environment":{"type":"string","description":"Filter the errors coming from your application to apply the rule to a specific environment."},"threshold":{"type":"number","description":"The error count threshold."},"groupBy":{"type":"array","default":["service.name","service.environment"],"uniqueItems":true,"items":{"type":"string","enum":["service.name","service.environment","transaction.name","error.grouping_key"]},"description":"Perform a composite aggregation against the selected fields. When any of these groups match the selected rule conditions, an alert is triggered per group.\n"},"errorGroupingKey":{"type":"string","description":"Filter the errors coming from your application to apply the rule to a specific error grouping key, which is a hash of the stack trace and other properties.\n"}}},"params_property_apm_transaction_duration":{"title":"APM transaction duration","description":"The parameters for the APM transaction duration rule. These parameters are appropriate when `rule_type_id` is `apm.transaction_duration`.\n","type":"object","required":["windowSize","windowUnit","threshold","environment","aggregationType"],"properties":{"serviceName":{"type":"string","description":"Filter the rule to apply to a specific service."},"transactionType":{"type":"string","description":"Filter the rule to apply to a specific transaction type."},"transactionName":{"type":"string","description":"Filter the rule to apply to a specific transaction name."},"windowSize":{"type":"number","description":"The size of the time window (in `windowUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection.\n","example":6},"windowUnit":{"type":"string","description":"The type of units for the time window. For example: minutes, hours, or days.\n","enum":["m","h","d"]},"environment":{"type":"string","description":"Filter the rule to apply to a specific environment."},"threshold":{"type":"number","description":"The latency threshold value."},"groupBy":{"type":"array","default":["service.name","service.environment","transaction.type"],"uniqueItems":true,"items":{"type":"string","enum":["service.name","service.environment","transaction.type","transaction.name"]},"description":"Perform a composite aggregation against the selected fields. When any of these groups match the selected rule conditions, an alert is triggered per group.\n"},"aggregationType":{"type":"string","enum":["avg","95th","99th"],"description":"The type of aggregation to perform."}}},"params_property_apm_transaction_error_rate":{"title":"APM transaction error rate","description":"The parameters for the APM transaction error rate rule. These parameters are appropriate when `rule_type_id` is `apm.transaction_error_rate`.\n","type":"object","required":["windowSize","windowUnit","threshold","environment"],"properties":{"serviceName":{"type":"string","description":"The service name from APM"},"transactionType":{"type":"string","description":"The transaction type from APM"},"transactionName":{"type":"string","description":"The transaction name from APM"},"windowSize":{"type":"number","description":"The window size","example":6},"windowUnit":{"type":"string","description":"The window size unit","enum":["m","h","d"]},"environment":{"type":"string","description":"The environment from APM"},"threshold":{"type":"number","description":"The error rate threshold value"},"groupBy":{"type":"array","default":["service.name","service.environment","transaction.type"],"uniqueItems":true,"items":{"type":"string","enum":["service.name","service.environment","transaction.type","transaction.name"]}}}},"aggfield":{"description":"The name of the numeric field that is used in the aggregation. This property is required when `aggType` is `avg`, `max`, `min` or `sum`.\n","type":"string"},"aggtype":{"description":"The type of aggregation to perform.","type":"string","enum":["avg","count","max","min","sum"],"default":"count"},"excludehitsfrompreviousrun":{"description":"Indicates whether to exclude matches from previous runs. If `true`, you can avoid alert duplication by excluding documents that have already been detected by the previous rule run. This option is not available when a grouping field is specified.\n","type":"boolean"},"groupby":{"description":"Indicates whether the aggregation is applied over all documents (`all`) or split into groups (`top`) using a grouping field (`termField`). If grouping is used, an alert will be created for each group when it exceeds the threshold; only the top groups (up to `termSize` number of groups) are checked.\n","type":"string","enum":["all","top"],"default":"all"},"size":{"description":"The number of documents to pass to the configured actions when the threshold condition is met.\n","type":"integer"},"termfield":{"description":"The names of up to four fields that are used for grouping the aggregation. This property is required when `groupBy` is `top`.\n","oneOf":[{"type":"string"},{"type":"array","items":{"type":"string"},"maxItems":4}]},"termsize":{"description":"This property is required when `groupBy` is `top`. It specifies the number of groups to check against the threshold and therefore limits the number of alerts on high cardinality fields.\n","type":"integer"},"threshold":{"description":"The threshold value that is used with the `thresholdComparator`. If the `thresholdComparator` is `between` or `notBetween`, you must specify the boundary values.\n","type":"array","items":{"type":"integer","example":4000}},"thresholdcomparator":{"description":"The comparison function for the threshold. For example, \"is above\", \"is above or equals\", \"is below\", \"is below or equals\", \"is between\", and \"is not between\".","type":"string","enum":["\u003e","\u003e=","\u003c","\u003c=","between","notBetween"],"example":"\u003e"},"timefield":{"description":"The field that is used to calculate the time window.","type":"string"},"timewindowsize":{"description":"The size of the time window (in `timeWindowUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection.\n","type":"integer","example":5},"timewindowunit":{"description":"The type of units for the time window: seconds, minutes, hours, or days.\n","type":"string","enum":["s","m","h","d"],"example":"m"},"params_es_query_dsl_rule":{"title":"Elasticsearch DSL query rule params","description":"An Elasticsearch query rule can run a query defined in Elasticsearch Query DSL and compare the number of matches to a configured threshold. These parameters are appropriate when `rule_type_id` is `.es-query`.\n","type":"object","required":["esQuery","index","threshold","thresholdComparator","timeField","timeWindowSize","timeWindowUnit"],"properties":{"aggField":{"$ref":"#/components/schemas/aggfield"},"aggType":{"$ref":"#/components/schemas/aggtype"},"esQuery":{"description":"The query definition, which uses Elasticsearch Query DSL.","type":"string"},"excludeHitsFromPreviousRun":{"$ref":"#/components/schemas/excludehitsfrompreviousrun"},"groupBy":{"$ref":"#/components/schemas/groupby"},"index":{"description":"The indices to query.","oneOf":[{"type":"array","items":{"type":"string"}},{"type":"string"}]},"searchType":{"description":"The type of query, in this case a query that uses Elasticsearch Query DSL.","type":"string","enum":["esQuery"],"default":"esQuery","example":"esQuery"},"size":{"$ref":"#/components/schemas/size"},"termField":{"$ref":"#/components/schemas/termfield"},"termSize":{"$ref":"#/components/schemas/termsize"},"threshold":{"$ref":"#/components/schemas/threshold"},"thresholdComparator":{"$ref":"#/components/schemas/thresholdcomparator"},"timeField":{"$ref":"#/components/schemas/timefield"},"timeWindowSize":{"$ref":"#/components/schemas/timewindowsize"},"timeWindowUnit":{"$ref":"#/components/schemas/timewindowunit"}}},"params_es_query_esql_rule":{"title":"Elasticsearch ES|QL query rule params","description":"An Elasticsearch query rule can run an ES|QL query and compare the number of matches to a configured threshold. These parameters are appropriate when `rule_type_id` is `.es-query`.\n","type":"object","required":["esqlQuery","searchType","size","threshold","thresholdComparator","timeWindowSize","timeWindowUnit"],"properties":{"aggField":{"$ref":"#/components/schemas/aggfield"},"aggType":{"$ref":"#/components/schemas/aggtype"},"esqlQuery":{"type":"object","required":["esql"],"properties":{"esql":{"description":"The query definition, which uses Elasticsearch Query Language.","type":"string"}}},"excludeHitsFromPreviousRun":{"$ref":"#/components/schemas/excludehitsfrompreviousrun"},"groupBy":{"$ref":"#/components/schemas/groupby"},"searchType":{"description":"The type of query, in this case a query that uses Elasticsearch Query Language (ES|QL).","type":"string","enum":["esqlQuery"],"example":"esqlQuery"},"size":{"type":"integer","description":"When `searchType` is `esqlQuery`, this property is required but it does not affect the rule behavior.\n","example":0},"termSize":{"$ref":"#/components/schemas/termsize"},"threshold":{"type":"array","items":{"type":"integer","minimum":0,"maximum":0},"description":"The threshold value that is used with the `thresholdComparator`. When `searchType` is `esqlQuery`, this property is required and must be set to zero.\n"},"thresholdComparator":{"type":"string","description":"The comparison function for the threshold. When `searchType` is `esqlQuery`, this property is required and must be set to \"\u003e\". Since the `threshold` value must be `0`, the result is that an alert occurs whenever the query returns results.\n","enum":["\u003e"],"example":"\u003e"},"timeField":{"$ref":"#/components/schemas/timefield"},"timeWindowSize":{"$ref":"#/components/schemas/timewindowsize"},"timeWindowUnit":{"$ref":"#/components/schemas/timewindowunit"}}},"filter":{"type":"object","description":"A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.","properties":{"meta":{"type":"object","properties":{"alias":{"type":"string","nullable":true},"controlledBy":{"type":"string"},"disabled":{"type":"boolean"},"field":{"type":"string"},"group":{"type":"string"},"index":{"type":"string"},"isMultiIndex":{"type":"boolean"},"key":{"type":"string"},"negate":{"type":"boolean"},"params":{"type":"object"},"type":{"type":"string"},"value":{"type":"string"}}},"query":{"type":"object"},"$state":{"type":"object"}}},"params_es_query_kql_rule":{"title":"Elasticsearch KQL query rule params","description":"An Elasticsearch query rule can run a query defined in KQL or Lucene and compare the number of matches to a configured threshold. These parameters are appropriate when `rule_type_id` is `.es-query`.\n","type":"object","required":["searchType","size","threshold","thresholdComparator","timeWindowSize","timeWindowUnit"],"properties":{"aggField":{"$ref":"#/components/schemas/aggfield"},"aggType":{"$ref":"#/components/schemas/aggtype"},"excludeHitsFromPreviousRun":{"$ref":"#/components/schemas/excludehitsfrompreviousrun"},"groupBy":{"$ref":"#/components/schemas/groupby"},"searchConfiguration":{"description":"The query definition, which uses KQL or Lucene to fetch the documents from Elasticsearch.","type":"object","properties":{"filter":{"type":"array","items":{"$ref":"#/components/schemas/filter"}},"index":{"description":"The indices to query.","oneOf":[{"type":"string"},{"type":"array","items":{"type":"string"}}]},"query":{"type":"object","properties":{"language":{"type":"string","example":"kuery"},"query":{"type":"string"}}}}},"searchType":{"description":"The type of query, in this case a text-based query that uses KQL or Lucene.","type":"string","enum":["searchSource"],"example":"searchSource"},"size":{"$ref":"#/components/schemas/size"},"termField":{"$ref":"#/components/schemas/termfield"},"termSize":{"$ref":"#/components/schemas/termsize"},"threshold":{"$ref":"#/components/schemas/threshold"},"thresholdComparator":{"$ref":"#/components/schemas/thresholdcomparator"},"timeField":{"$ref":"#/components/schemas/timefield"},"timeWindowSize":{"$ref":"#/components/schemas/timewindowsize"},"timeWindowUnit":{"$ref":"#/components/schemas/timewindowunit"}}},"params_index_threshold_rule":{"title":"Index threshold rule params","description":"An index threshold rule runs an Elasticsearch query, aggregates field values from documents, compares them to threshold values, and schedules actions to run when the thresholds are met. These parameters are appropriate when `rule_type_id` is `.index-threshold`.","type":"object","required":["index","threshold","thresholdComparator","timeField","timeWindowSize","timeWindowUnit"],"properties":{"aggField":{"$ref":"#/components/schemas/aggfield"},"aggType":{"$ref":"#/components/schemas/aggtype"},"filterKuery":{"description":"A KQL expression thats limits the scope of alerts.","type":"string"},"groupBy":{"$ref":"#/components/schemas/groupby"},"index":{"description":"The indices to query.","type":"array","items":{"type":"string"}},"termField":{"$ref":"#/components/schemas/termfield"},"termSize":{"$ref":"#/components/schemas/termsize"},"threshold":{"$ref":"#/components/schemas/threshold"},"thresholdComparator":{"$ref":"#/components/schemas/thresholdcomparator"},"timeField":{"$ref":"#/components/schemas/timefield"},"timeWindowSize":{"$ref":"#/components/schemas/timewindowsize"},"timeWindowUnit":{"$ref":"#/components/schemas/timewindowunit"}}},"params_property_infra_inventory":{"title":"Inventory","description":"The parameters for the infrastructure inventory rule. These parameters are appropriate when `rule_type_id` is `metrics.alert.inventory.threshold`.\n","type":"object","properties":{"criteria":{"type":"array","items":{"type":"object","properties":{"metric":{"type":"string","enum":["count","cpu","diskLatency","load","memory","memoryTotal","tx","rx","logRate","diskIOReadBytes","diskIOWriteBytes","s3TotalRequests","s3NumberOfObjects","s3BucketSize","s3DownloadBytes","s3UploadBytes","rdsConnections","rdsQueriesExecuted","rdsActiveTransactions","rdsLatency","sqsMessagesVisible","sqsMessagesDelayed","sqsMessagesSent","sqsMessagesEmpty","sqsOldestMessage","custom"]},"timeSize":{"type":"number"},"timeUnit":{"type":"string","enum":["s","m","h","d"]},"sourceId":{"type":"string"},"threshold":{"type":"array","items":{"type":"number"}},"comparator":{"type":"string","enum":["\u003c","\u003c=","\u003e","\u003e=","between","outside"]},"customMetric":{"type":"object","properties":{"type":{"type":"string","enum":["custom"]},"field":{"type":"string"},"aggregation":{"type":"string","enum":["avg","max","min","rate"]},"id":{"type":"string"},"label":{"type":"string"}}},"warningThreshold":{"type":"array","items":{"type":"number"}},"warningComparator":{"type":"string","enum":["\u003c","\u003c=","\u003e","\u003e=","between","outside"]}}}},"filterQuery":{"type":"string"},"filterQueryText":{"type":"string"},"nodeType":{"type":"string","enum":["host","pod","container","awsEC2","awsS3","awsSQS","awsRDS"]},"sourceId":{"type":"string"},"alertOnNoData":{"type":"boolean"}}},"params_property_log_threshold":{"oneOf":[{"title":"Log threshold count","description":"The parameters for a log threshold rule that counts the number of log entries that match the criteria. These parameters are appropriate when `rule_type_id` is `logs.alert.document.count`.\n","type":"object","required":["count","timeSize","timeUnit","logView"],"properties":{"criteria":{"type":"array","items":{"type":"object","properties":{"field":{"type":"string","example":"my.field"},"comparator":{"type":"string","enum":["more than","more than or equals","less than","less than or equals","equals","does not equal","matches","does not match","matches phrase","does not match phrase"]},"value":{"oneOf":[{"type":"number","example":42},{"type":"string","example":"value"}]}}}},"count":{"type":"object","properties":{"comparator":{"type":"string","enum":["more than","more than or equals","less than","less than or equals","equals","does not equal","matches","does not match","matches phrase","does not match phrase"]},"value":{"type":"number","example":100}}},"timeSize":{"type":"number","example":6},"timeUnit":{"type":"string","enum":["s","m","h","d"]},"logView":{"type":"object","properties":{"logViewId":{"type":"string"},"type":{"type":"string","enum":["log-view-reference"],"example":"log-view-reference"}}},"groupBy":{"type":"array","items":{"type":"string"}}}},{"title":"Log threshold ratio","description":"The parameters for a log threshold rule that calculates the ratio of log entries that match the criteria. These parameters are appropriate when `rule_type_id` is `logs.alert.document.count`.\n","type":"object","required":["count","timeSize","timeUnit","logView"],"properties":{"criteria":{"type":"array","items":{"minItems":2,"maxItems":2,"type":"array","items":{"type":"object","properties":{"field":{"type":"string","example":"my.field"},"comparator":{"type":"string","enum":["more than","more than or equals","less than","less than or equals","equals","does not equal","matches","does not match","matches phrase","does not match phrase"]},"value":{"oneOf":[{"type":"number","example":42},{"type":"string","example":"value"}]}}}}},"count":{"type":"object","properties":{"comparator":{"type":"string","enum":["more than","more than or equals","less than","less than or equals","equals","does not equal","matches","does not match","matches phrase","does not match phrase"]},"value":{"type":"number","example":100}}},"timeSize":{"type":"number","example":6},"timeUnit":{"type":"string","enum":["s","m","h","d"]},"logView":{"type":"object","properties":{"logViewId":{"type":"string"},"type":{"type":"string","enum":["log-view-reference"],"example":"log-view-reference"}}},"groupBy":{"type":"array","items":{"type":"string"}}}}]},"params_property_infra_metric_threshold":{"title":"Metric threshold","description":"The parameters for the metric threshold rule. These parameters are appropriate when `rule_type_id` is `metrics.alert.threshold`.\n","type":"object","properties":{"criteria":{"type":"array","items":{"oneOf":[{"title":"non count criterion","type":"object","properties":{"threshold":{"type":"array","items":{"type":"number"},"description":"The threshold value that is used with the `comparator`. If the `comparator` is `between`, you must specify the boundary values.\n"},"comparator":{"type":"string","enum":["\u003c","\u003c=","\u003e","\u003e=","between","outside"],"description":"The comparison function for the threshold. For example, \"is above\", \"is above or equals\", \"is below\", \"is below or equals\", \"is between\", and \"outside\".\n"},"timeUnit":{"type":"string","enum":["s","m","h","d"],"description":"The type of units for the time window: seconds, minutes, hours, or days.\n"},"timeSize":{"type":"number","description":"The size of the time window (in `timeUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection.\n"},"warningThreshold":{"type":"array","items":{"type":"number"},"description":"The threshold value that is used with the `warningComparator`. If the `warningComparator` is `between`, you must specify the boundary values.\n"},"warningComparator":{"type":"string","enum":["\u003c","\u003c=","\u003e","\u003e=","between","outside"]},"metric":{"type":"string"},"aggType":{"type":"string","enum":["avg","max","min","cardinality","rate","count","sum","p95","p99","custom"]}}},{"title":"count criterion","type":"object","properties":{"threshold":{"type":"array","items":{"type":"number"}},"comparator":{"type":"string","enum":["\u003c","\u003c=","\u003e","\u003e=","between","outside"]},"timeUnit":{"type":"string","enum":["s","m","h","d"],"description":"The type of units for the time window: seconds, minutes, hours, or days.\n"},"timeSize":{"type":"number","description":"The size of the time window (in `timeUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection.\n"},"warningThreshold":{"type":"array","items":{"type":"number"}},"warningComparator":{"type":"string","enum":["\u003c","\u003c=","\u003e","\u003e=","between","outside"]},"aggType":{"type":"string","enum":["count"]}}},{"title":"custom criterion","type":"object","properties":{"threshold":{"type":"array","items":{"type":"number"}},"comparator":{"type":"string","enum":["\u003c","\u003c=","\u003e","\u003e=","between","outside"]},"timeUnit":{"type":"string","enum":["s","m","h","d"],"description":"The type of units for the time window: seconds, minutes, hours, or days.\n"},"timeSize":{"type":"number","description":"The size of the time window (in `timeUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection.\n"},"warningThreshold":{"type":"array","items":{"type":"number"}},"warningComparator":{"type":"string","enum":["\u003c","\u003c=","\u003e","\u003e=","between","outside"]},"aggType":{"type":"string","enum":["custom"]},"customMetric":{"type":"array","items":{"oneOf":[{"type":"object","properties":{"name":{"type":"string"},"aggType":{"type":"string","enum":["avg","sum","max","min","cardinality"],"description":"An aggregation to gather data for the rule. For example, find the average, highest or lowest value of a numeric field. Or use a cardinality aggregation to find the approximate number of unique values in a field. \n"},"field":{"type":"string"}}},{"type":"object","properties":{"name":{"type":"string"},"aggType":{"type":"string","enum":["count"]},"filter":{"type":"string"}}}]}},"equation":{"type":"string"},"label":{"type":"string"}}}]}},"groupBy":{"oneOf":[{"type":"string"},{"type":"array","items":{"type":"string"}}],"description":"Create an alert for every unique value of the specified fields. For example, you can create a rule per host or every mount point of each host.\nIMPORTANT: If you include the same field in both the `filterQuery` and `groupBy`, you might receive fewer results than you expect. For example, if you filter by `cloud.region: us-east`, grouping by `cloud.region` will have no effect because the filter query can match only one region.\n"},"filterQuery":{"type":"string","description":"A query that limits the scope of the rule. The rule evaluates only metric data that matches the query.\n"},"sourceId":{"type":"string"},"alertOnNoData":{"type":"boolean","description":"If true, an alert occurs if the metrics do not report any data over the expected period or if the query fails."},"alertOnGroupDisappear":{"type":"boolean","description":"If true, an alert occurs if a group that previously reported metrics does not report them again over the expected time period. This check is not recommended for dynamically scaling infrastructures that might rapidly start and stop nodes automatically.\n"}}},"params_property_slo_burn_rate":{"title":"SLO burn rate","description":"The parameters for the SLO burn rate rule. These parameters are appropriate when `rule_type_id` is `slo.rules.burnRate`.\n","type":"object","properties":{"sloId":{"description":"The SLO identifier used by the rule","type":"string","example":"8853df00-ae2e-11ed-90af-09bb6422b258"},"burnRateThreshold":{"description":"The burn rate threshold used to trigger the alert","type":"number","example":14.4},"maxBurnRateThreshold":{"description":"The maximum burn rate threshold value defined by the SLO error budget","type":"number","example":168},"longWindow":{"description":"The duration of the long window used to compute the burn rate","type":"object","properties":{"value":{"description":"The duration value","type":"number","example":6},"unit":{"description":"The duration unit","type":"string","example":"h"}}},"shortWindow":{"description":"The duration of the short window used to compute the burn rate","type":"object","properties":{"value":{"description":"The duration value","type":"number","example":30},"unit":{"description":"The duration unit","type":"string","example":"m"}}}}},"params_property_synthetics_uptime_tls":{"title":"Synthetics TLS certificate","description":"The parameters for the synthetics TLS certificate rule. These parameters are appropriate when `rule_type_id` is `xpack.uptime.alerts.tls`.\n","type":"object","properties":{"search":{"type":"string"},"certExpirationThreshold":{"type":"number"},"certAgeThreshold":{"type":"number"}}},"params_property_synthetics_monitor_status":{"title":"Synthetics monitor status","description":"The parameters for the Synthetics monitor status rule. These parameters are appropriate when `rule_type_id` is `xpack.uptime.alerts.monitorStatus`.\n","type":"object","required":["numTimes","shouldCheckStatus","shouldCheckAvailability"],"properties":{"availability":{"type":"object","properties":{"range":{"type":"number"},"rangeUnit":{"type":"string"},"threshold":{"type":"string"}}},"filters":{"oneOf":[{"type":"string"},{"type":"object","deprecated":true,"properties":{"monitor.type":{"type":"array","items":{"type":"string"}},"observer.geo.name":{"type":"array","items":{"type":"string"}},"tags":{"type":"array","items":{"type":"string"}},"url.port":{"type":"array","items":{"type":"string"}}}}]},"locations":{"deprecated":true,"type":"array","items":{"type":"string"}},"numTimes":{"type":"number"},"search":{"type":"string"},"shouldCheckStatus":{"type":"boolean"},"shouldCheckAvailability":{"type":"boolean"},"timerangeCount":{"type":"number"},"timerangeUnit":{"type":"string"},"timerange":{"deprecated":true,"type":"object","properties":{"from":{"type":"string"},"to":{"type":"string"}}},"version":{"type":"number"},"isAutoGenerated":{"type":"boolean"}}}},"securitySchemes":{"apiKeyAuth":{"description":"These APIs use key-based authentication. You must create an API key and use the encoded value in the request header. For example: `Authorization: ApiKey base64AccessApiKey`\n","in":"header","name":"Authorization","type":"apiKey"},"basicAuth":{"scheme":"basic","type":"http"}}},"x-topics":[{"title":"Kibana spaces","content":"Spaces enable you to organize your dashboards and other saved objects into meaningful categories.\nYou can use the default space or create your own spaces.\n\nTo run APIs in non-default spaces, you must add `s/{space_id}/` to the path.\nFor example:\n\n```bash\ncurl -X GET \"http://${KIBANA_URL}/s/marketing/api/data_views\" \\\n  -H \"Authorization: ApiKey ${API_KEY}\"\n```\n\nIf you use the Kibana console to send API requests, it automatically adds the appropriate space identifier.\n\nTo learn more, check out [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces).\n"}]}