openapi: 3.0.3 info: contact: name: Kibana Team description: | The Kibana REST APIs enable you to manage resources such as connectors, data views, and saved objects. The API calls are stateless. Each request that you make happens in isolation from other calls and must include all of the necessary information for Kibana to fulfill the request. API requests return JSON output, which is a format that is machine-readable and works well for automation. To interact with Kibana APIs, use the following operations: - GET: Fetches the information. - PATCH: Applies partial modifications to the existing information. - POST: Adds new information. - PUT: Updates the existing information. - DELETE: Removes the information. You can prepend any Kibana API endpoint with `kbn:` and run the request in **Dev Tools → Console**. For example: ``` GET kbn:/api/data_views ``` For more information about the console, refer to [Run API requests](https://www.elastic.co/docs/explore-analyze/query-filter/tools/console). NOTE: Access to internal Kibana API endpoints will be restricted in Kibana version 9.0. Please move any integrations to publicly documented APIs. ## Documentation source and versions This documentation is derived from the `9.4` branch of the [kibana](https://github.com/elastic/kibana) repository. It is provided under license [Attribution-NonCommercial-NoDerivatives 4.0 International](https://creativecommons.org/licenses/by-nc-nd/4.0/). This documentation contains work-in-progress information for future Elastic Stack releases. title: Kibana APIs version: '' x-doc-license: name: Attribution-NonCommercial-NoDerivatives 4.0 International url: https://creativecommons.org/licenses/by-nc-nd/4.0/ x-feedbackLink: label: Feedback url: https://github.com/elastic/docs-content/issues/new?assignees=&labels=feedback%2Ccommunity&projects=&template=api-feedback.yaml&title=%5BFeedback%5D%3A+ servers: - url: https://{kibana_url} variables: kibana_url: default: localhost:5601 security: - apiKeyAuth: [] - basicAuth: [] tags: - name: agent builder description: | Agent Builder is a set of AI-powered capabilities for developing and interacting with agents that work with your Elasticsearch data. Most users will probably want to integrate with Agent Builder using MCP or A2A, but you can also work programmatically with tools, agents, and conversations using these Kibana APIs. **Elastic Agent Builder requires an Enterprise subscription.** externalDocs: description: Agent Builder docs url: https://www.elastic.co/docs/solutions/search/agent-builder/programmatic-access x-displayName: Agent Builder - name: alerting description: | Alerting enables you to define rules, which detect complex conditions within your data. When a condition is met, the rule tracks it as an alert and runs the actions that are defined in the rule. Actions typically involve the use of connectors to interact with Kibana services or third party integrations. externalDocs: description: Alerting documentation url: https://www.elastic.co/docs/explore-analyze/alerts-cases/alerts x-displayName: Alerting - description: | Adjust APM agent configuration without need to redeploy your application. name: APM agent configuration - description: | Configure APM agent keys to authorize requests from APM agents to the APM Server. name: APM agent keys - description: | Annotate visualizations in the APM app with significant events. Annotations enable you to easily see how events are impacting the performance of your applications. name: APM annotations - description: Create APM fleet server schema. name: APM server schema - description: | Configure APM source maps. A source map allows minified files to be mapped back to original source code--allowing you to maintain the speed advantage of minified code, without losing the ability to quickly and easily debug your application. For best results, uploading source maps should become a part of your deployment procedure, and not something you only do when you see unhelpful errors. That's because uploading source maps after errors happen won't make old errors magically readable--errors must occur again for source mapping to occur. name: APM sourcemaps - description: | Cases are used to open and track issues. You can add assignees and tags to your cases, set their severity and status, and add alerts, comments, and visualizations. You can also send cases to external incident management systems by configuring connectors. name: cases externalDocs: description: Cases documentation url: https://www.elastic.co/docs/explore-analyze/alerts-cases/cases x-displayName: Cases - name: connectors description: | Connectors provide a central place to store connection information for services and integrations with Elastic or third party systems. Alerting rules can use connectors to run actions when rule conditions are met. externalDocs: description: Connector documentation url: https://www.elastic.co/docs/reference/kibana/connectors-kibana x-displayName: Connectors - name: Dashboards description: | > **Technical preview** — The Dashboards API is currently in technical preview and its reference documentation is temporarily hosted at a separate location. > > **[View the full Dashboards API reference →](https://elastic.github.io/dashboards-api-spec/dashboards#tag/Dashboards)** externalDocs: description: Dashboards documentation url: https://www.elastic.co/docs/explore-analyze/dashboards x-displayName: Dashboards - name: Data streams description: | Data stream APIs enable you to manage data streams, which are collections of indices that share the same index template and are managed as a single unit for time-series data. x-displayName: Data streams - description: Data view APIs enable you to manage data views, formerly known as Kibana index patterns. name: data views x-displayName: Data views - name: Elastic Agent actions description: | Elastic Agent actions APIs enable you to manage actions performed on Elastic Agents, including agent reassignment, diagnostics collection, enrollment management, upgrades, and bulk operations for agent lifecycle management. x-displayName: Elastic Agent actions - name: Elastic Agent binary download sources description: | Elastic Agent binary download sources APIs enable you to manage download sources for Elastic Agent binaries, including creating, updating, and deleting custom download sources for agent binaries. x-displayName: Elastic Agent binary download sources - name: Elastic Agent policies description: | Elastic Agent policies APIs enable you to manage agent policies, including creating, updating, and deleting policies, as well as to retrieve agent policy outputs, manifests, and auto-upgrade status information. x-displayName: Elastic Agent policies - name: Elastic Agent status description: | Enables you to retrieve status information about Elastic Agents, including health summaries and operational status. x-displayName: Elastic Agent status - name: Elastic Agents description: | Elastic Agents APIs enable you to manage Elastic Agents, including retrieving agent information, managing agent lifecycle, handling file uploads, and initiating agent setup. x-displayName: Elastic Agents - name: Elastic Package Manager (EPM) description: | Elastic Package Manager (EPM) APIs enable you to manage packages and integrations, including installing, updating, and uninstalling packages, managing custom integrations, and handling package assets. x-displayName: Elastic Package Manager (EPM) - name: Fleet agentless policies - name: Fleet cloud connectors description: | Fleet cloud connectors APIs enable you to manage Fleet cloud connectors, including creating, updating, and deleting cloud connector configurations for Fleet integrations. x-displayName: Fleet cloud connectors - name: Fleet enrollment API keys description: | Fleet enrollment API keys APIs enable you to manage enrollment API keys for Fleet, including creating, retrieving, and revoking API keys used for agent enrollment. x-displayName: Fleet enrollment API keys - name: Fleet internals description: | Fleet internals APIs enable you to manage Fleet internal operations, including checking permissions, monitoring Fleet Server health, managing settings, and initiating Fleet setup. x-displayName: Fleet internals - name: Fleet outputs description: | Fleet outputs APIs enable you to manage Fleet outputs, including creating, updating, and deleting output configurations, generating Logstash API keys, and monitoring output health. x-displayName: Fleet outputs - name: Fleet package policies description: | Fleet package policies APIs enable you to manage Fleet package policies, including creating, updating, and deleting policies, performing bulk operations, and managing policy upgrades. x-displayName: Fleet package policies - name: Fleet proxies description: | Fleet proxies APIs enable you to manage Fleet proxies, including creating, updating, and deleting proxy configurations for Fleet agent communication. x-displayName: Fleet proxies - name: Fleet remote synced integrations description: | Use the Fleet remote synced integrations API to check the status of the automatic integrations synchronization on a remote cluster: * Use the `/api/fleet/remote_synced_integrations/{outputId}/remote_status` endpoint on the management cluster to query the synchronization status of the integrations installed on the remote cluster by the ID of the configured remote Elasticsearch output. * Use the `/api/fleet/remote_synced_integrations/status` endpoint on the remote cluster to query the synchronization status of the installed integrations. externalDocs: description: Automatic integrations synchronization documentation url: https://www.elastic.co/docs/reference/fleet/automatic-integrations-synchronization - name: Fleet Server hosts description: | Fleet Server hosts APIs enable you to manage Fleet Server hosts, including creating, updating, and deleting Fleet Server host configurations. x-displayName: Fleet Server hosts - name: Fleet service tokens description: | Enables you to create tokens for Fleet service authentication and authorization. x-displayName: Fleet service tokens - name: Fleet uninstall tokens description: | Fleet uninstall tokens APIs enable you to manage Fleet uninstall tokens, including retrieving metadata and decrypted tokens for agent uninstallation. x-displayName: Fleet uninstall tokens - description: | Programmatically integrate with Logstash configuration management. > warn > Do not directly access the `.logstash` index. The structure of the `.logstash` index is subject to change, which could cause your integration to break. Instead, use the Logstash configuration management APIs. externalDocs: description: Centralized pipeline management url: https://www.elastic.co/docs/reference/logstash/logstash-centralized-pipeline-management name: logstash x-displayName: Logstash configuration management - name: maintenance-window description: | You can schedule single or recurring maintenance windows to temporarily reduce rule notifications. For example, a maintenance window prevents false alarms during planned outages. externalDocs: description: Maintenance window documentation url: https://www.elastic.co/docs/explore-analyze/alerts-cases/alerts/maintenance-windows x-displayName: Maintenance windows - name: Message Signing Service description: | Enables you to rotate message signing key pairs for secure Fleet communication. x-displayName: Fleet Message Signing Service - description: | Enables you to synchronize machine learning saved objects. name: ml x-displayName: Machine learning - description: Interact with the Observability AI Assistant resources. externalDocs: description: Observability AI Assistant url: https://www.elastic.co/docs/solutions/observability/observability-ai-assistant name: observability_ai_assistant x-displayName: Observability AI Assistant - name: roles x-displayName: Roles description: Manage the roles that grant Elasticsearch and Kibana privileges. externalDocs: description: Kibana role management url: https://www.elastic.co/docs/deploy-manage/users-roles/cluster-or-deployment-auth/defining-roles - name: saved objects x-displayName: Saved objects description: | Export sets of saved objects that you want to import into Kibana, resolve import errors, and rotate an encryption key for encrypted saved objects with the saved objects APIs. To manage a specific type of saved object, use the corresponding APIs. For example, use: * [Data views](../group/endpoint-data-views) * [Spaces](../group/endpoint-spaces) * [Short URLs](../group/endpoint-short-url) Warning: Do not write documents directly to the `.kibana` index. When you write directly to the `.kibana` index, the data becomes corrupted and permanently breaks future Kibana versions. - description: Manage and interact with Security Assistant resources. name: Security AI Assistant API x-displayName: Security AI assistant - description: Use the Attack discovery APIs to generate and manage Attack discoveries. Attack Discovery leverages large language models (LLMs) to analyze alerts in your environment and identify threats. Each "discovery" represents a potential attack and describes relationships among multiple alerts to tell you which users and hosts are involved, how alerts correspond to the MITRE ATT&CK matrix, and which threat actor might be responsible. name: Security Attack discovery API x-displayName: Security Attack discovery - description: | Use the detections APIs to create and manage detection rules. Detection rules search events and external alerts sent to Elastic Security and generate detection alerts from any hits. Alerts are displayed on the **Alerts** page and can be assigned and triaged, using the alert status to mark them as open, closed, or acknowledged. This API supports both key-based authentication and basic authentication. To use key-based authentication, create an API key, then specify the key in the header of your API calls. To use basic authentication, provide a username and password; this automatically creates an API key that matches the current user’s privileges. In both cases, the API key is subsequently used for authorization when the rule runs. > warn > If the API key used for authorization has different privileges than the key that created or most recently updated a rule, the rule behavior might change. > If the API key that created a rule is deleted, or the user that created the rule becomes inactive, the rule will stop running. To create and run rules, the user must meet specific requirements for the Kibana space. Refer to the [Detections requirements](https://www.elastic.co/guide/en/security/current/detections-permissions-section.html) for a complete list of requirements. name: Security Detections API x-displayName: Security detections - description: Endpoint Exceptions API allows you to manage detection rule endpoint exceptions to prevent a rule from generating an alert from incoming events even when the rule's other criteria are met. name: Security Endpoint Exceptions API x-displayName: Security Elastic Endpoint exceptions - description: Interact with and manage endpoints running the Elastic Defend integration. name: Security Endpoint Management API x-displayName: Security endpoint management - description: | Use the Security entity analytics APIs to manage entity analytics and risk scoring, including asset criticality, privileged user monitoring, and entity engines. name: Security Entity Analytics API x-displayName: Security entity analytics - name: Security entity store - description: | Exceptions are associated with detection and endpoint rules, and are used to prevent a rule from generating an alert from incoming events, even when the rule's other criteria are met. They can help reduce the number of false positives and prevent trusted processes and network activity from generating unnecessary alerts. Exceptions are made up of: * **Exception containers**: A container for related exceptions. Generally, a single exception container contains all the exception items relevant for a subset of rules. For example, a container can be used to group together network-related exceptions that are relevant for a large number of network rules. The container can then be associated with all the relevant rules. * **Exception items**: The query (fields, values, and logic) used to prevent rules from generating alerts. When an exception item's query evaluates to `true`, the rule does not generate an alert. For detection rules, you can also use lists to define rule exceptions. A list holds multiple values of the same Elasticsearch data type, such as IP addresses. These values are used to determine when an exception prevents an alert from being generated. > info > You cannot use lists with endpoint rule exceptions. > info > Only exception containers can be associated with rules. You cannot directly associate an exception item or a list container with a rule. To use list exceptions, create an exception item that references the relevant list container. ## Exceptions requirements Before you can start working with exceptions that use value lists, you must create the `.lists` and `.items` data streams for the relevant Kibana space. To do this, use the [Create list data streams](../operation/operation-createlistindex) endpoint. Once these data streams are created, your role needs privileges to manage rules. For a complete list of requirements, refer to [Enable and access detections](https://www.elastic.co/guide/en/security/current/detections-permissions-section.html#enable-detections-ui). name: Security Exceptions API x-displayName: Security exceptions - description: | Lists can be used with detection rule exceptions to define values that prevent a rule from generating alerts. Lists are made up of: * **List containers**: A container for values of the same Elasticsearch data type. The following data types can be used: * `boolean` * `byte` * `date` * `date_nanos` * `date_range` * `double` * `double_range` * `float` * `float_range` * `half_float` * `integer` * `integer_range` * `ip` * `ip_range` * `keyword` * `long` * `long_range` * `short` * `text` * **List items**: The values used to determine whether the exception prevents an alert from being generated. All list items in the same list container must be of the same data type, and each item defines a single value. For example, an IP list container named `internal-ip-addresses-southport` contains five items, where each item defines one internal IP address: 1. `192.168.1.1` 2. `192.168.1.3` 3. `192.168.1.18` 4. `192.168.1.12` 5. `192.168.1.7` To use these IP addresses as values for defining rule exceptions, use the Security exceptions API to [create an exception list item](../operation/operation-createexceptionlistitem) that references the `internal-ip-addresses-southport` list. > info > Lists cannot be added directly to rules, nor do they define the operators used to determine when exceptions are applied (`is in list`, `is not in list`). Use an exception item to define the operator and associate it with an [exception container](../operation/operation-createexceptionlist). You can then add the exception container to a rule's `exceptions_list` object. ## Lists requirements Before you can start using lists, you must create the `.lists` and `.items` data streams for the relevant Kibana space. To do this, use the [Create list data streams](../operation/operation-createlistindex) endpoint. Once these data streams are created, your role needs privileges to manage rules. Refer to [Enable and access detections](https://www.elastic.co/guide/en/security/current/detections-permissions-section.html#enable-detections-ui) for a complete list of requirements. name: Security Lists API x-displayName: Security lists - description: Run live queries, manage packs and saved queries. name: Security Osquery API x-displayName: Security Osquery - description: You can create Timelines and Timeline templates via the API, as well as import new Timelines from an ndjson file. name: Security Timeline API x-displayName: Security timeline - description: Manage Kibana short URLs. name: short url x-displayName: Short URLs - description: SLO APIs enable you to define, manage and track service-level objectives name: slo x-displayName: Service level objectives - name: spaces x-displayName: Spaces description: Manage your Kibana spaces. externalDocs: url: https://www.elastic.co/docs/deploy-manage/manage-spaces description: Space overview - name: streams description: | Streams provide a unified data management layer for ingestion, routing, and processing. There are three stream types: * **Wired** streams are managed by Kibana. They route documents to child streams based on field conditions and support custom field mappings and processing steps. * **Classic** streams map to existing Elasticsearch data streams. You can add processing steps to classic streams without changing their underlying index template. * **Query** streams are virtual aggregations backed by an ES|QL expression. They aggregate data from multiple streams into a single logical view without duplicating documents. x-displayName: Streams externalDocs: description: Streams documentation url: https://www.elastic.co/docs/solutions/observability/streams - name: synthetics x-displayName: Synthetics description: Synthetics APIs enable you to check the status of your services and applications. externalDocs: description: Synthetic monitoring url: https://www.elastic.co/docs/solutions/observability/synthetics - name: system x-displayName: System description: | Get information about the system status, resource usage, features, and installed plugins. - description: Task manager APIs enable you to check the health of the Kibana task manager, which is used by features such as alerting, actions, and reporting to run mission critical work as persistent background tasks. externalDocs: description: Task manager url: https://www.elastic.co/docs/deploy-manage/distributed-architecture/kibana-tasks-management name: task manager x-displayName: Task manager - description: | The Kibana Upgrade Assistant API helps you prepare for the next major Elasticsearch release. > warn > This is a Kibana REST API (not an Elasticsearch API) and requests must target your Kibana URL: > * Self-managed URL pattern: `https://localhost:5601` > * Elastic Cloud URL pattern: `https://your-deployment.kb.us-east-1.aws.elastic.cloud:9243` name: upgrade x-displayName: Upgrade assistant - description: Uptime APIs enable you to view and update uptime monitoring settings. externalDocs: description: Uptime monitoring url: https://www.elastic.co/docs/solutions/observability/uptime name: uptime x-displayName: Uptime - name: user session x-displayName: User session management description: | Enables you to invalidate user sessions for security and session management purposes. - name: Visualizations description: | > **Technical preview** — The Visualizations API is currently in technical preview and its reference documentation is temporarily hosted at a separate location. > > **[View the full Visualizations API reference →](https://elastic.github.io/dashboards-api-spec/visualizations#tag/Visualizations)** externalDocs: description: Visualizations documentation url: https://www.elastic.co/docs/explore-analyze/visualize/lens x-displayName: Visualizations - name: workflows description: | Workflows enable you to automate multi-step processes directly in Kibana. Define sequences of steps in YAML to transform data insights into automated actions and outcomes, without needing external automation tools. Use the workflows APIs to create, manage, and run workflows programmatically. You can also search, export, import, and monitor workflow executions. externalDocs: description: Workflows documentation url: https://www.elastic.co/docs/explore-analyze/workflows x-displayName: Workflows paths: /api/actions/connector_types: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/actions/connector_types
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. You do not need any Kibana feature privileges to run this API. operationId: get-actions-connector-types parameters: - description: A filter to limit the retrieved connector types to those that support a specific feature (such as alerting or cases). in: query name: feature_id required: false schema: type: string responses: '200': content: application/json: schema: items: additionalProperties: false type: object properties: allow_multiple_system_actions: description: Indicates whether multiple instances of the same system action connector can be used in a single rule. type: boolean enabled: description: Indicates whether the connector is enabled. type: boolean enabled_in_config: description: Indicates whether the connector is enabled in the Kibana configuration. type: boolean enabled_in_license: description: Indicates whether the connector is enabled through the license. type: boolean id: description: The identifier for the connector. type: string is_deprecated: description: Indicates whether the connector type is deprecated. type: boolean is_system_action_type: description: Indicates whether the action is a system action. type: boolean minimum_license_required: description: The minimum license required to enable the connector. enum: - basic - standard - gold - platinum - enterprise - trial type: string name: description: The name of the connector type. type: string source: description: The source of the connector type definition. enum: - yml - spec - stack type: string sub_feature: description: Indicates the sub-feature type the connector is grouped under. enum: - endpointSecurity type: string supported_feature_ids: description: The list of supported features items: type: string type: array required: - id - name - enabled - enabled_in_config - enabled_in_license - minimum_license_required - supported_feature_ids - is_system_action_type - is_deprecated - source type: array examples: getConnectorTypesServerlessResponse: $ref: '#/components/examples/get_connector_types_generativeai_response' description: Indicates a successful call. '403': description: Indicates that this call is forbidden. summary: Get connector types tags: - connectors x-metaTags: - content: Kibana name: product_name /api/actions/connector/_oauth_callback: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/actions/connector/_oauth_callback
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Handles the OAuth 2.0 authorization code callback from external providers. Exchanges the authorization code for access and refresh tokens.

[Required authorization] Route required privileges: actions:oauth. operationId: get-actions-connector-oauth-callback parameters: - description: The authorization code returned by the OAuth provider. in: query name: code required: false schema: type: string - description: The state parameter for CSRF protection. in: query name: state required: false schema: type: string - description: Error code if the authorization failed. in: query name: error required: false schema: type: string - description: Human-readable error description. in: query name: error_description required: false schema: type: string - description: Session state from the OAuth provider (e.g., Microsoft). in: query name: session_state required: false schema: type: string responses: '200': description: Returns an HTML callback page. '302': description: Redirects to the return URL with authorization result query parameters. '401': description: User is not authenticated. summary: Handle OAuth callback tags: - connectors x-state: Added in 9.4.0 x-metaTags: - content: Kibana name: product_name /api/actions/connector/_oauth_callback_script: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/actions/connector/_oauth_callback_script
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Returns the OAuth callback script operationId: get-actions-connector-oauth-callback-script parameters: [] responses: '200': description: Returns the OAuth callback script summary: '' tags: [] x-state: Added in 9.4.0 x-metaTags: - content: Kibana name: product_name /api/actions/connector/{id}: delete: description: |- **Spaces method and path for this operation:**
delete /s/{space_id}/api/actions/connector/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. WARNING: When you delete a connector, it cannot be recovered. operationId: delete-actions-connector-id parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: An identifier for the connector. in: path name: id required: true schema: type: string responses: '204': description: Indicates a successful call. '403': description: Indicates that this call is forbidden. summary: Delete a connector tags: - connectors x-metaTags: - content: Kibana name: product_name get: operationId: get-actions-connector-id parameters: - description: An identifier for the connector. in: path name: id required: true schema: type: string responses: '200': content: application/json: schema: additionalProperties: false type: object properties: auth_mode: description: The authentication mode used for the connector. enum: - shared - per-user type: string config: additionalProperties: {} type: object connector_type_id: description: The connector type identifier. type: string id: description: The identifier for the connector. type: string is_connector_type_deprecated: description: Indicates whether the connector type is deprecated. type: boolean is_deprecated: description: Indicates whether the connector is deprecated. type: boolean is_missing_secrets: description: Indicates whether the connector is missing secrets. type: boolean is_preconfigured: description: 'Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. ' type: boolean is_system_action: description: Indicates whether the connector is used for system actions. type: boolean name: description: ' The name of the connector.' type: string required: - id - name - connector_type_id - is_preconfigured - is_deprecated - is_system_action - is_connector_type_deprecated examples: getConnectorResponse: $ref: '#/components/examples/get_connector_response' description: Indicates a successful call. '403': description: Indicates that this call is forbidden. summary: Get connector information tags: - connectors x-metaTags: - content: Kibana name: product_name description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/actions/connector/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. post: operationId: post-actions-connector-id parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: An identifier for the connector. in: path name: id required: true schema: maxLength: 36 minLength: 1 type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: connector_type_id: description: The type of connector. type: string name: description: The display name for the connector. type: string config: additionalProperties: {} default: {} description: The connector configuration details. oneOf: - $ref: '#/components/schemas/bedrock_config' - $ref: '#/components/schemas/crowdstrike_config' - $ref: '#/components/schemas/d3security_config' - $ref: '#/components/schemas/email_config' - $ref: '#/components/schemas/gemini_config' - $ref: '#/components/schemas/resilient_config' - $ref: '#/components/schemas/index_config' - $ref: '#/components/schemas/jira_config' - $ref: '#/components/schemas/genai_azure_config' - $ref: '#/components/schemas/genai_openai_config' - $ref: '#/components/schemas/genai_openai_other_config' - $ref: '#/components/schemas/opsgenie_config' - $ref: '#/components/schemas/pagerduty_config' - $ref: '#/components/schemas/sentinelone_config' - $ref: '#/components/schemas/servicenow_config' - $ref: '#/components/schemas/servicenow_itom_config' - $ref: '#/components/schemas/slack_api_config' - $ref: '#/components/schemas/swimlane_config' - $ref: '#/components/schemas/thehive_config' - $ref: '#/components/schemas/tines_config' - $ref: '#/components/schemas/torq_config' - $ref: '#/components/schemas/webhook_config' - $ref: '#/components/schemas/cases_webhook_config' - $ref: '#/components/schemas/xmatters_config' secrets: additionalProperties: {} default: {} oneOf: - $ref: '#/components/schemas/bedrock_secrets' - $ref: '#/components/schemas/crowdstrike_secrets' - $ref: '#/components/schemas/d3security_secrets' - $ref: '#/components/schemas/email_secrets' - $ref: '#/components/schemas/gemini_secrets' - $ref: '#/components/schemas/resilient_secrets' - $ref: '#/components/schemas/jira_secrets' - $ref: '#/components/schemas/defender_secrets' - $ref: '#/components/schemas/teams_secrets' - $ref: '#/components/schemas/genai_secrets' - $ref: '#/components/schemas/opsgenie_secrets' - $ref: '#/components/schemas/pagerduty_secrets' - $ref: '#/components/schemas/sentinelone_secrets' - $ref: '#/components/schemas/servicenow_secrets' - $ref: '#/components/schemas/slack_api_secrets' - $ref: '#/components/schemas/swimlane_secrets' - $ref: '#/components/schemas/thehive_secrets' - $ref: '#/components/schemas/tines_secrets' - $ref: '#/components/schemas/torq_secrets' - $ref: '#/components/schemas/webhook_secrets' - $ref: '#/components/schemas/cases_webhook_secrets' - $ref: '#/components/schemas/xmatters_secrets' required: - name - connector_type_id examples: createEmailConnectorRequest: $ref: '#/components/examples/create_email_connector_request' createIndexConnectorRequest: $ref: '#/components/examples/create_index_connector_request' createWebhookConnectorRequest: $ref: '#/components/examples/create_webhook_connector_request' createXmattersConnectorRequest: $ref: '#/components/examples/create_xmatters_connector_request' responses: '200': content: application/json: schema: additionalProperties: false type: object properties: auth_mode: description: The authentication mode used for the connector. enum: - shared - per-user type: string config: additionalProperties: {} type: object connector_type_id: description: The connector type identifier. type: string id: description: The identifier for the connector. type: string is_connector_type_deprecated: description: Indicates whether the connector type is deprecated. type: boolean is_deprecated: description: Indicates whether the connector is deprecated. type: boolean is_missing_secrets: description: Indicates whether the connector is missing secrets. type: boolean is_preconfigured: description: 'Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. ' type: boolean is_system_action: description: Indicates whether the connector is used for system actions. type: boolean name: description: ' The name of the connector.' type: string required: - id - name - connector_type_id - is_preconfigured - is_deprecated - is_system_action - is_connector_type_deprecated examples: createEmailConnectorResponse: $ref: '#/components/examples/create_email_connector_response' createIndexConnectorResponse: $ref: '#/components/examples/create_index_connector_response' createWebhookConnectorResponse: $ref: '#/components/examples/create_webhook_connector_response' createXmattersConnectorResponse: $ref: '#/components/examples/get_connector_response' description: Indicates a successful call. '403': description: Indicates that this call is forbidden. summary: Create a connector tags: - connectors x-metaTags: - content: Kibana name: product_name description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/actions/connector/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. put: operationId: put-actions-connector-id parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: An identifier for the connector. in: path name: id required: true schema: type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: name: description: The display name for the connector. type: string config: additionalProperties: {} default: {} description: The connector configuration details. oneOf: - $ref: '#/components/schemas/bedrock_config' - $ref: '#/components/schemas/crowdstrike_config' - $ref: '#/components/schemas/d3security_config' - $ref: '#/components/schemas/email_config' - $ref: '#/components/schemas/gemini_config' - $ref: '#/components/schemas/resilient_config' - $ref: '#/components/schemas/index_config' - $ref: '#/components/schemas/jira_config' - $ref: '#/components/schemas/defender_config' - $ref: '#/components/schemas/genai_azure_config' - $ref: '#/components/schemas/genai_openai_config' - $ref: '#/components/schemas/opsgenie_config' - $ref: '#/components/schemas/pagerduty_config' - $ref: '#/components/schemas/sentinelone_config' - $ref: '#/components/schemas/servicenow_config' - $ref: '#/components/schemas/servicenow_itom_config' - $ref: '#/components/schemas/slack_api_config' - $ref: '#/components/schemas/swimlane_config' - $ref: '#/components/schemas/thehive_config' - $ref: '#/components/schemas/tines_config' - $ref: '#/components/schemas/torq_config' - $ref: '#/components/schemas/webhook_config' - $ref: '#/components/schemas/cases_webhook_config' - $ref: '#/components/schemas/xmatters_config' secrets: additionalProperties: {} default: {} oneOf: - $ref: '#/components/schemas/bedrock_secrets' - $ref: '#/components/schemas/crowdstrike_secrets' - $ref: '#/components/schemas/d3security_secrets' - $ref: '#/components/schemas/email_secrets' - $ref: '#/components/schemas/gemini_secrets' - $ref: '#/components/schemas/resilient_secrets' - $ref: '#/components/schemas/jira_secrets' - $ref: '#/components/schemas/teams_secrets' - $ref: '#/components/schemas/genai_secrets' - $ref: '#/components/schemas/opsgenie_secrets' - $ref: '#/components/schemas/pagerduty_secrets' - $ref: '#/components/schemas/sentinelone_secrets' - $ref: '#/components/schemas/servicenow_secrets' - $ref: '#/components/schemas/slack_api_secrets' - $ref: '#/components/schemas/swimlane_secrets' - $ref: '#/components/schemas/thehive_secrets' - $ref: '#/components/schemas/tines_secrets' - $ref: '#/components/schemas/torq_secrets' - $ref: '#/components/schemas/webhook_secrets' - $ref: '#/components/schemas/cases_webhook_secrets' - $ref: '#/components/schemas/xmatters_secrets' required: - name examples: updateIndexConnectorRequest: $ref: '#/components/examples/update_index_connector_request' responses: '200': content: application/json: schema: additionalProperties: false type: object properties: auth_mode: description: The authentication mode used for the connector. enum: - shared - per-user type: string config: additionalProperties: {} type: object connector_type_id: description: The connector type identifier. type: string id: description: The identifier for the connector. type: string is_connector_type_deprecated: description: Indicates whether the connector type is deprecated. type: boolean is_deprecated: description: Indicates whether the connector is deprecated. type: boolean is_missing_secrets: description: Indicates whether the connector is missing secrets. type: boolean is_preconfigured: description: 'Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. ' type: boolean is_system_action: description: Indicates whether the connector is used for system actions. type: boolean name: description: ' The name of the connector.' type: string required: - id - name - connector_type_id - is_preconfigured - is_deprecated - is_system_action - is_connector_type_deprecated description: Indicates a successful call. '403': description: Indicates that this call is forbidden. summary: Update a connector tags: - connectors x-metaTags: - content: Kibana name: product_name description: |- **Spaces method and path for this operation:**
put /s/{space_id}/api/actions/connector/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. /api/actions/connector/{id}/_execute: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/actions/connector/{id}/_execute
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. You can use this API to test an action that involves interaction with Kibana services or integrations with third-party systems. operationId: post-actions-connector-id-execute parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: An identifier for the connector. in: path name: id required: true schema: type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: params: additionalProperties: {} oneOf: - $ref: '#/components/schemas/run_acknowledge_resolve_pagerduty' - $ref: '#/components/schemas/run_documents' - $ref: '#/components/schemas/run_message_email' - $ref: '#/components/schemas/run_message_serverlog' - $ref: '#/components/schemas/run_message_slack' - $ref: '#/components/schemas/run_trigger_pagerduty' - $ref: '#/components/schemas/run_addevent' - $ref: '#/components/schemas/run_closealert' - $ref: '#/components/schemas/run_closeincident' - $ref: '#/components/schemas/run_createalert' - $ref: '#/components/schemas/run_fieldsbyissuetype' - $ref: '#/components/schemas/run_getagentdetails' - $ref: '#/components/schemas/run_getagents' - $ref: '#/components/schemas/run_getchoices' - $ref: '#/components/schemas/run_getfields' - $ref: '#/components/schemas/run_getincident' - $ref: '#/components/schemas/run_issue' - $ref: '#/components/schemas/run_issues' - $ref: '#/components/schemas/run_issuetypes' - $ref: '#/components/schemas/run_postmessage' - $ref: '#/components/schemas/run_pushtoservice' - $ref: '#/components/schemas/run_validchannelid' required: - params examples: runIndexConnectorRequest: $ref: '#/components/examples/run_index_connector_request' runJiraConnectorRequest: $ref: '#/components/examples/run_jira_connector_request' runServerLogConnectorRequest: $ref: '#/components/examples/run_servicenow_itom_connector_request' runSlackConnectorRequest: $ref: '#/components/examples/run_slack_api_connector_request' runSwimlaneConnectorRequest: $ref: '#/components/examples/run_swimlane_connector_request' responses: '200': content: application/json: schema: additionalProperties: false type: object properties: auth_mode: description: The authentication mode used for the connector. enum: - shared - per-user type: string config: additionalProperties: {} type: object connector_type_id: description: The connector type identifier. type: string id: description: The identifier for the connector. type: string is_connector_type_deprecated: description: Indicates whether the connector type is deprecated. type: boolean is_deprecated: description: Indicates whether the connector is deprecated. type: boolean is_missing_secrets: description: Indicates whether the connector is missing secrets. type: boolean is_preconfigured: description: 'Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. ' type: boolean is_system_action: description: Indicates whether the connector is used for system actions. type: boolean name: description: ' The name of the connector.' type: string required: - id - name - connector_type_id - is_preconfigured - is_deprecated - is_system_action - is_connector_type_deprecated examples: runIndexConnectorResponse: $ref: '#/components/examples/run_index_connector_response' runJiraConnectorResponse: $ref: '#/components/examples/run_jira_connector_response' runServerLogConnectorResponse: $ref: '#/components/examples/run_server_log_connector_response' runServiceNowITOMConnectorResponse: $ref: '#/components/examples/run_servicenow_itom_connector_response' runSlackConnectorResponse: $ref: '#/components/examples/run_slack_api_connector_response' runSwimlaneConnectorResponse: $ref: '#/components/examples/run_swimlane_connector_response' description: Indicates a successful call. '403': description: Indicates that this call is forbidden. summary: Run a connector tags: - connectors x-metaTags: - content: Kibana name: product_name /api/actions/connectors: get: operationId: get-actions-connectors parameters: [] responses: '200': content: application/json: schema: items: additionalProperties: false type: object properties: auth_mode: description: The authentication mode used for the connector. enum: - shared - per-user type: string config: additionalProperties: {} type: object connector_type_id: description: The connector type identifier. type: string id: description: The identifier for the connector. type: string is_connector_type_deprecated: description: Indicates whether the connector type is deprecated. type: boolean is_deprecated: description: Indicates whether the connector is deprecated. type: boolean is_missing_secrets: description: Indicates whether the connector is missing secrets. type: boolean is_preconfigured: description: 'Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. ' type: boolean is_system_action: description: Indicates whether the connector is used for system actions. type: boolean name: description: ' The name of the connector.' type: string referenced_by_count: description: The number of saved objects that reference the connector. If is_preconfigured is true, this value is not calculated. type: number required: - id - name - connector_type_id - is_preconfigured - is_deprecated - is_system_action - is_connector_type_deprecated - referenced_by_count type: array examples: getConnectorsResponse: $ref: '#/components/examples/get_connectors_response' description: Indicates a successful call. '403': description: Indicates that this call is forbidden. summary: Get all connectors tags: - connectors x-metaTags: - content: Kibana name: product_name description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/actions/connectors
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. /api/agent_builder/a2a/{agentId}: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/agent_builder/a2a/{agentId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. > warn > This endpoint is designed for A2A protocol clients and should not be used directly via REST APIs. Use an A2A SDK or A2A Inspector instead.

[Required authorization] Route required privileges: agentBuilder:read. operationId: post-agent-builder-a2a-agentid parameters: - description: The unique identifier of the agent to send the A2A task to. in: path name: agentId required: true schema: type: string requestBody: content: application/json: examples: a2aTaskRequestExample: description: 'WARNING: DO NOT USE THIS ENDPOINT VIA REST API. These examples are auto-generated and should not be run. Integrate with A2A using an A2A SDK or A2A Inspector instead.' value: id: task-123 jsonrpc: '2.0' method: complete params: messages: - content: Hello from A2A protocol role: user schema: {} responses: '200': content: application/json: examples: a2aTaskResponseExample: description: Example response from A2A Task Endpoint with results of task execution value: id: task-123 jsonrpc: '2.0' result: conversation_id: conv-456 response: message: Hello! How can I help you today? type: response description: Indicates a successful response summary: Send A2A task tags: - agent builder x-state: Technical Preview; added in 9.2.0 x-metaTags: - content: Kibana name: product_name /api/agent_builder/a2a/{agentId}.json: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/agent_builder/a2a/{agentId}.json
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get agent discovery metadata in JSON format. Use this endpoint to provide agent information for A2A protocol integration and discovery.

[Required authorization] Route required privileges: agentBuilder:read. operationId: get-agent-builder-a2a-agentid.json parameters: - description: The unique identifier of the agent to get A2A metadata for. in: path name: agentId required: true schema: type: string responses: '200': content: application/json: examples: a2aAgentCardResponseExample: description: Example response card of Elastic AI Agent value: capabilities: pushNotifications: false stateTransitionHistory: false streaming: false defaultInputModes: - text/plain defaultOutputModes: - text/plain description: Elastic AI Agent name: Elastic AI Agent protocolVersion: 0.3.0 provider: organization: Elastic url: https://elastic.co securitySchemes: authorization: description: Authentication token in: header name: Authorization type: apiKey skills: - description: A powerful tool for searching and analyzing data within your Elasticsearch cluster. examples: [] id: platform.core.search inputModes: - text/plain - application/json name: platform.core.search outputModes: - text/plain - application/json tags: - tool supportsAuthenticatedExtendedCard: false url: http://localhost:5601/api/agent_builder/a2a/elastic-ai-agent version: 0.1.0 description: Indicates a successful response summary: Get A2A agent card tags: - agent builder x-codeSamples: - lang: curl source: | curl \ -X GET "${KIBANA_URL}/api/agent_builder/a2a/{agentId}.json" \ -H "Authorization: ApiKey ${API_KEY}" - lang: Console source: | GET kbn://api/agent_builder/a2a/{agentId}.json x-state: Technical Preview; added in 9.2.0 x-metaTags: - content: Kibana name: product_name /api/agent_builder/agents: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/agent_builder/agents
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. List all available agents. Use this endpoint to retrieve complete agent information including their current configuration and assigned tools. To learn more, refer to the [agents documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/agent-builder-agents).

[Required authorization] Route required privileges: agentBuilder:read. operationId: get-agent-builder-agents parameters: [] responses: '200': content: application/json: examples: listAgentsResponseExample: description: Example response that returns one built-in Elastic agent and one created by the user value: results: - configuration: tools: - tool_ids: - platform.core.search - platform.core.list_indices - platform.core.get_index_mapping - platform.core.get_document_by_id description: Elastic AI Agent id: elastic-ai-agent name: Elastic AI Agent type: chat - avatar_color: '#BFDBFF' avatar_symbol: SI configuration: instructions: You are a custom agent that wants to help searching data using all indices starting with prefix "content-". tools: - tool_ids: - platform.core.search - platform.core.list_indices - platform.core.get_index_mapping - platform.core.get_document_by_id description: Hi! I can help you search the data within the indices starting with "content-" prefix. id: created-agent-id labels: - custom-indices - department-search name: Search Index Helper type: chat description: Indicates a successful response summary: List agents tags: - agent builder x-codeSamples: - lang: curl source: | curl \ -X GET "${KIBANA_URL}/api/agent_builder/agents" \ -H "Authorization: ApiKey ${API_KEY}" - lang: Console source: | GET kbn://api/agent_builder/agents x-state: Added in 9.2.0 x-metaTags: - content: Kibana name: product_name post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/agent_builder/agents
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Create a new agent. Use this endpoint to define the agent's behavior, appearance, and capabilities through comprehensive configuration options. To learn more, refer to the [agents documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/agent-builder-agents).

[Required authorization] Route required privileges: agentBuilder:manageAgents. operationId: post-agent-builder-agents parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: examples: createAgentRequestExample: description: Example request for creating a custom agent with special prompt and tools value: avatar_color: '#BFDBFF' avatar_symbol: SI configuration: instructions: You are a custom agent that wants to help searching data using all indices starting with prefix "content-". tools: - tool_ids: - platform.core.search - platform.core.list_indices - platform.core.get_index_mapping - platform.core.get_document_by_id description: Hi! I can help you search the data within the indices starting with "content-" prefix. id: created-agent-id labels: - custom-indices - department-search name: Search Index Helper schema: additionalProperties: false type: object properties: avatar_color: description: Optional hex color code for the agent avatar. type: string avatar_symbol: description: Optional symbol/initials for the agent avatar. type: string configuration: additionalProperties: false description: Configuration settings for the agent. type: object properties: enable_elastic_capabilities: description: When true, enables built-in Elastic capabilities for the agent. type: boolean instructions: description: Optional system instructions that define the agent behavior. type: string plugin_ids: description: Array of plugin IDs to assign to the agent. items: description: Plugin ID to assign to the agent. type: string maxItems: 100 type: array skill_ids: description: Array of skill IDs to be available to the agent. items: description: Skill ID to be available to the agent. type: string maxItems: 100 type: array tools: items: additionalProperties: false description: Tool selection configuration for the agent. type: object properties: tool_ids: description: Array of tool IDs that the agent can use. items: description: Tool ID to be available to the agent. type: string type: array required: - tool_ids type: array workflow_ids: items: description: Optional list of workflow IDs. When set, these workflows run before every agent execution, in order. type: string maxItems: 100 type: array required: - tools description: description: Description of what the agent does. type: string id: description: Unique identifier for the agent. type: string labels: description: Optional labels for categorizing and organizing agents. items: description: Label for categorizing the agent. type: string type: array name: description: Display name for the agent. type: string visibility: description: '**Technical Preview; added in 9.4.0.** Optional visibility setting: `public` (any privileged user can read/write), `shared` (any privileged user can read, only owner can write), `private` (only owner can read/write).' enum: - public - shared - private type: string required: - id - name - description - configuration responses: '200': content: application/json: examples: createAgentResponseExample: description: Example response returning the definition of an agent created as a result of the request value: avatar_color: '#BFDBFF' avatar_symbol: SI configuration: instructions: You are a custom agent that wants to help searching data using all indices starting with prefix "content-". tools: - tool_ids: - platform.core.search - platform.core.list_indices - platform.core.get_index_mapping - platform.core.get_document_by_id description: Hi! I can help you search the data within the indices starting with "content-" prefix. id: created-agent-id labels: - custom-indices - department-search name: Search Index Helper type: chat description: Indicates a successful response summary: Create an agent tags: - agent builder x-codeSamples: - lang: curl source: | curl \ -X POST "${KIBANA_URL}/api/agent_builder/agents" \ -H "Authorization: ApiKey ${API_KEY}" \ -H "kbn-xsrf: true" \ -H "Content-Type: application/json" \ -d '{ "id": "new-agent-id", "name": "Search Index Helper", "description": "Hi! I can help you search the data within the indices starting with \"content-\" prefix.", "labels": ["custom-indices", "department-search"], "avatar_color": "#BFDBFF", "avatar_symbol": "SI", "configuration": { "instructions": "You are a custom agent that wants to help searching data using all indices starting with prefix \"content-\".", "tools": [ { "tool_ids": [ "platform.core.search", "platform.core.list_indices", "platform.core.get_index_mapping", "platform.core.get_document_by_id" ] } ] } }' - lang: Console source: | POST kbn://api/agent_builder/agents { "id": "new-agent-id", "name": "Search Index Helper", "description": "Hi! I can help you search the data within the indices starting with \"content-\" prefix.", "labels": ["custom-indices", "department-search"], "avatar_color": "#BFDBFF", "avatar_symbol": "SI", "configuration": { "instructions": "You are a custom agent that wants to help searching data using all indices starting with prefix \"content-\".", "tools": [ { "tool_ids": [ "platform.core.search", "platform.core.list_indices", "platform.core.get_index_mapping", "platform.core.get_document_by_id" ] } ] } } x-state: Added in 9.2.0 x-metaTags: - content: Kibana name: product_name /api/agent_builder/agents/{agent_id}/consumption: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/agent_builder/agents/{agent_id}/consumption
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Returns paginated, per-conversation token consumption data for a given agent. Includes input/output token counts, round counts, LLM call counts, and warnings for conversations with high token usage. Requires the manageAgents privilege.

[Required authorization] Route required privileges: agentBuilder:manageAgents. operationId: post-agent-builder-agents-agent-id-consumption parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The unique identifier of the agent. in: path name: agent_id required: true schema: type: string requestBody: content: application/json: examples: consumptionDefaultExample: description: Get consumption data for an agent with default pagination value: size: 25 sort_field: updated_at sort_order: desc consumptionFilteredExample: description: Get consumption data filtered by username with warnings value: has_warnings: true size: 10 sort_field: total_tokens sort_order: desc usernames: - elastic - admin schema: additionalProperties: false type: object properties: has_warnings: description: Filter to conversations with or without high-token warnings. type: boolean search: description: Free-text search filter on conversation title. type: string search_after: description: Cursor for pagination. Pass the search_after value from the previous response. items: {} maxItems: 10000 type: array size: default: 25 description: Number of results per page. maximum: 100 minimum: 1 type: number sort_field: default: updated_at description: Field to sort results by. enum: - updated_at - total_tokens - round_count type: string sort_order: default: desc description: Sort direction. enum: - asc - desc type: string usernames: description: Filter results to conversations by these usernames. items: type: string maxItems: 10000 type: array responses: '200': content: application/json: examples: consumptionResponseExample: description: Example response with per-conversation token usage data value: aggregations: total_with_warnings: 0 usernames: - elastic - admin results: - conversation_id: conv-abc123 created_at: '2025-03-01T10:00:00Z' llm_calls: 8 round_count: 5 title: Help me search my data token_usage: input_tokens: 15000 output_tokens: 3000 total_tokens: 18000 updated_at: '2025-03-01T10:15:00Z' user: id: uid-1 username: elastic warnings: [] - conversation_id: conv-def456 created_at: '2025-03-02T14:00:00Z' llm_calls: 20 round_count: 12 title: Analyze server logs token_usage: input_tokens: 250000 output_tokens: 8000 total_tokens: 258000 updated_at: '2025-03-02T14:30:00Z' user: id: uid-2 username: admin warnings: - input_tokens: 250000 round_id: round-7 type: high_input_tokens search_after: - 1709391000000 - '2025-03-02T14:30:00Z' total: 2 description: Indicates a successful response summary: Get agent consumption data tags: - agent builder x-codeSamples: - lang: curl source: | curl \ -X POST "${KIBANA_URL}/api/agent_builder/agents/elastic-ai-agent/consumption" \ -H "Authorization: ApiKey ${API_KEY}" \ -H "Content-Type: application/json" \ -H "elastic-api-version: 2023-10-31" \ -d '{"size": 25, "sort_field": "updated_at", "sort_order": "desc"}' - lang: Console source: | POST kbn://api/agent_builder/agents/elastic-ai-agent/consumption {"size": 25, "sort_field": "updated_at", "sort_order": "desc"} x-state: Technical Preview; added in 9.4.0 x-metaTags: - content: Kibana name: product_name /api/agent_builder/agents/{id}: delete: description: |- **Spaces method and path for this operation:**
delete /s/{space_id}/api/agent_builder/agents/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Delete an agent by ID. This action cannot be undone. To learn more, refer to the [agents documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/agent-builder-agents).

[Required authorization] Route required privileges: agentBuilder:manageAgents. operationId: delete-agent-builder-agents-id parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The unique identifier of the agent to delete. in: path name: id required: true schema: type: string responses: '200': content: application/json: examples: deleteAgentResponseExample: description: Example response showing that deletion of the agent has been successful value: success: true description: Indicates a successful response summary: Delete an agent tags: - agent builder x-codeSamples: - lang: curl source: | curl \ -X DELETE "${KIBANA_URL}/api/agent_builder/agents/{id}" \ -H "Authorization: ApiKey ${API_KEY}" \ -H "kbn-xsrf: true" - lang: Console source: | DELETE kbn://api/agent_builder/agents/{id} x-state: Added in 9.2.0 x-metaTags: - content: Kibana name: product_name get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/agent_builder/agents/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get a specific agent by ID. Use this endpoint to retrieve the complete agent definition including all configuration details and tool assignments. To learn more, refer to the [agents documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/agent-builder-agents).

[Required authorization] Route required privileges: agentBuilder:read. operationId: get-agent-builder-agents-id parameters: - description: The unique identifier of the agent to retrieve. in: path name: id required: true schema: type: string responses: '200': content: application/json: examples: getAgentByIdResponseExample: description: Example response that an agent created by the user that will query elasticsearch indices starting with 'content-' prefix to answer the questions. value: avatar_color: '#BFDBFF' avatar_symbol: SI configuration: instructions: You are a custom agent that wants to help searching data using all indices starting with prefix "content-". tools: - tool_ids: - platform.core.search - platform.core.list_indices - platform.core.get_index_mapping - platform.core.get_document_by_id description: Hi! I can help you search the data within the indices starting with "content-" prefix. id: created-agent-id labels: - custom-indices - department-search name: Search Index Helper type: chat description: Indicates a successful response summary: Get an agent by ID tags: - agent builder x-codeSamples: - lang: curl source: | curl \ -X GET "${KIBANA_URL}/api/agent_builder/agents/{id}" \ -H "Authorization: ApiKey ${API_KEY}" - lang: Console source: | GET kbn://api/agent_builder/agents/{id} x-state: Added in 9.2.0 x-metaTags: - content: Kibana name: product_name put: description: |- **Spaces method and path for this operation:**
put /s/{space_id}/api/agent_builder/agents/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Update an existing agent configuration. Use this endpoint to modify any aspect of the agent's behavior, appearance, or capabilities. To learn more, refer to the [agents documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/agent-builder-agents).

[Required authorization] Route required privileges: agentBuilder:manageAgents. operationId: put-agent-builder-agents-id parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The unique identifier of the agent to update. in: path name: id required: true schema: type: string requestBody: content: application/json: examples: createAgentRequestExample: description: Example request for updating custom agent value: avatar_color: '#BFDBFF' avatar_symbol: SI configuration: instructions: You are a custom agent that wants to help searching data using all indices starting with prefix "content-". tools: - tool_ids: - platform.core.search - platform.core.list_indices - platform.core.get_index_mapping - platform.core.get_document_by_id description: Updated description - Search for anything in "content-*" indices! id: created-agent-id labels: - custom-indices - department-search - elastic-employees name: Search Index Helper schema: additionalProperties: false type: object properties: avatar_color: description: Updated hex color code for the agent avatar. type: string avatar_symbol: description: Updated symbol/initials for the agent avatar. type: string configuration: additionalProperties: false description: Updated configuration settings for the agent. type: object properties: enable_elastic_capabilities: description: When true, enables built-in Elastic capabilities for the agent. type: boolean instructions: description: Updated system instructions that define the agent behavior. type: string plugin_ids: description: Array of plugin IDs to assign to the agent. items: description: Plugin ID to assign to the agent. type: string maxItems: 100 type: array skill_ids: description: Array of skill IDs to be available to the agent. items: description: Skill ID to be available to the agent. type: string maxItems: 100 type: array tools: items: additionalProperties: false description: Tool selection configuration for the agent. type: object properties: tool_ids: description: Array of tool IDs that the agent can use. items: description: Tool ID to be available to the agent. type: string type: array required: - tool_ids type: array workflow_ids: items: description: Updated list of workflow IDs. When set, these workflows run every agent execution, in order. type: string maxItems: 100 type: array description: description: Updated description of what the agent does. type: string labels: description: Updated labels for categorizing and organizing agents. items: description: Updated label for categorizing the agent. type: string type: array name: description: Updated display name for the agent. type: string visibility: description: '**Technical Preview; added in 9.4.0.** Updated visibility setting: `public` (any privileged user can read/write), `shared` (any privileged user can read, only owner can write), `private` (only owner can read/write).' enum: - public - shared - private type: string responses: '200': content: application/json: examples: updateAgentResponseExample: description: Example response returning the agent definition with the changes applied from the request value: avatar_color: '#BFDBFF' avatar_symbol: SI configuration: instructions: You are a custom agent that wants to help searching data using all indices starting with prefix "content-". tools: - tool_ids: - platform.core.search - platform.core.list_indices - platform.core.get_index_mapping - platform.core.get_document_by_id description: Updated description - Search for anything in "content-*" indices! id: created-agent-id labels: - custom-indices - department-search - elastic-employees name: Search Index Helper type: chat description: Indicates a successful response summary: Update an agent tags: - agent builder x-codeSamples: - lang: curl source: | curl \ -X PUT "${KIBANA_URL}/api/agent_builder/agents/{id}" \ -H "Authorization: ApiKey ${API_KEY}" \ -H "kbn-xsrf: true" \ -H "Content-Type: application/json" \ -d '{ "name": "Search Index Helper", "description": "Updated description - Search for anything in \"content-*\" indices!", "labels": ["custom-indices", "department-search", "elastic-employees"], "avatar_color": "#BFDBFF", "avatar_symbol": "SI", "configuration": { "instructions": "You are a custom agent that wants to help searching data using all indices starting with prefix \"content-\".", "tools": [{ "tool_ids": [ "platform.core.search", "platform.core.list_indices", "platform.core.get_index_mapping", "platform.core.get_document_by_id" ] }] } }' - lang: Console source: | PUT kbn://api/agent_builder/agents/{id} { "name": "Search Index Helper", "description": "Updated description - Search for anything in \"content-*\" indices!", "labels": ["custom-indices", "department-search", "elastic-employees"], "avatar_color": "#BFDBFF", "avatar_symbol": "SI", "configuration": { "instructions": "You are a custom agent that wants to help searching data using all indices starting with prefix \"content-\".", "tools": [{ "tool_ids": [ "platform.core.search", "platform.core.list_indices", "platform.core.get_index_mapping", "platform.core.get_document_by_id" ] }] } } x-state: Added in 9.2.0 x-metaTags: - content: Kibana name: product_name /api/agent_builder/conversations: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/agent_builder/conversations
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. List all conversations for a user. Use the optional agent ID to filter conversations by a specific agent.

[Required authorization] Route required privileges: agentBuilder:read. operationId: get-agent-builder-conversations parameters: - description: Optional agent ID to filter conversations by a specific agent. in: query name: agent_id required: false schema: type: string responses: '200': content: application/json: examples: listConversationsResponseExample: description: Example response containing the list of conversations with all agents value: results: - agent_id: elastic-ai-agent created_at: '2025-09-19T17:45:39.554Z' id: bcc176c5-38f6-40be-be0c-898e34fa1480 title: General Greeting updated_at: '2025-09-19T17:45:39.554Z' user: username: elastic description: Indicates a successful response summary: List conversations tags: - agent builder x-codeSamples: - lang: curl source: | curl \ -X GET "${KIBANA_URL}/api/agent_builder/conversations" \ -H "Authorization: ApiKey ${API_KEY}" - lang: Console source: | GET kbn://api/agent_builder/conversations x-state: Added in 9.2.0 x-metaTags: - content: Kibana name: product_name /api/agent_builder/conversations/{conversation_id}: delete: description: |- **Spaces method and path for this operation:**
delete /s/{space_id}/api/agent_builder/conversations/{conversation_id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Delete a conversation by ID. This action cannot be undone.

[Required authorization] Route required privileges: agentBuilder:read. operationId: delete-agent-builder-conversations-conversation-id parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The unique identifier of the conversation to delete. in: path name: conversation_id required: true schema: type: string responses: '200': content: application/json: examples: deleteConversationResponseExample: description: Example response showing that deletion of conversation has been successful value: success: true description: Indicates a successful response summary: Delete conversation by ID tags: - agent builder x-codeSamples: - lang: curl source: | curl \ -X DELETE "${KIBANA_URL}/api/agent_builder/conversations/{conversation_id}" \ -H "Authorization: ApiKey ${API_KEY}" \ -H "kbn-xsrf: true" - lang: Console source: | DELETE kbn://api/agent_builder/conversations/{conversation_id} x-state: Added in 9.2.0 x-metaTags: - content: Kibana name: product_name get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/agent_builder/conversations/{conversation_id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get a specific conversation by ID. Use this endpoint to retrieve the complete conversation history including all messages and metadata.

[Required authorization] Route required privileges: agentBuilder:read. operationId: get-agent-builder-conversations-conversation-id parameters: - description: The unique identifier of the conversation to retrieve. in: path name: conversation_id required: true schema: type: string responses: '200': content: application/json: examples: getConversationByIdResponseExample: description: Example response containing the contents of a convesation with the chat agent value: agent_id: elastic-ai-agent created_at: '2025-09-19T17:45:39.554Z' id: bcc176c5-38f6-40be-be0c-898e34fa1480 rounds: - id: 170ec3b2-0f5a-4538-8b60-549572386d2a input: message: Hello, how are you? response: message: |- Since this is a general greeting that doesn't require any organizational or product-specific information, I can respond without using tools. Hello! I'm doing well, thank you for asking. I'm here to help you with any questions you may have. How can I assist you today? steps: [] title: General Greeting updated_at: '2025-09-19T17:45:39.554Z' user: username: elastic description: Indicates a successful response summary: Get conversation by ID tags: - agent builder x-codeSamples: - lang: curl source: | curl \ -X GET "${KIBANA_URL}/api/agent_builder/conversations/{conversation_id}" \ -H "Authorization: ApiKey ${API_KEY}" - lang: Console source: | GET kbn://api/agent_builder/conversations/{conversation_id} x-state: Added in 9.2.0 x-metaTags: - content: Kibana name: product_name /api/agent_builder/conversations/{conversation_id}/attachments: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/agent_builder/conversations/{conversation_id}/attachments
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. List all attachments for a conversation. Use the optional include_deleted query parameter to include soft-deleted attachments.

[Required authorization] Route required privileges: agentBuilder:read. operationId: get-agent-builder-conversations-conversation-id-attachments parameters: - description: The unique identifier of the conversation. in: path name: conversation_id required: true schema: type: string - description: Whether to include deleted attachments in the list. in: query name: include_deleted required: false schema: type: boolean responses: '200': content: application/json: examples: listAttachmentsResponseExample: description: Example response containing active attachments for a conversation value: results: - active: true current_version: 2 description: My text file id: attachment-1 type: text versions: - content_hash: abc123 created_at: '2025-01-01T10:00:00.000Z' data: Initial content estimated_tokens: 3 version: 1 - content_hash: def456 created_at: '2025-01-01T11:00:00.000Z' data: Updated content estimated_tokens: 3 version: 2 - active: true current_version: 1 description: Configuration data id: attachment-2 type: json versions: - content_hash: ghi789 created_at: '2025-01-01T12:00:00.000Z' data: key: value nested: field: 123 estimated_tokens: 15 version: 1 total_token_estimate: 21 description: Indicates a successful response summary: List conversation attachments tags: - agent builder x-state: Technical Preview; added in 9.2.0 x-metaTags: - content: Kibana name: product_name post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/agent_builder/conversations/{conversation_id}/attachments
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Create a new attachment for a conversation with version tracking.

[Required authorization] Route required privileges: agentBuilder:read. operationId: post-agent-builder-conversations-conversation-id-attachments parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The unique identifier of the conversation. in: path name: conversation_id required: true schema: type: string requestBody: content: application/json: examples: createHiddenAttachmentExample: description: Example request for creating a hidden attachment value: data: Internal system data description: System context hidden: true type: text createJsonAttachmentExample: description: Example request for creating a JSON attachment with custom ID value: data: configuration: enabled: true threshold: 50 metadata: source: user_input description: Application settings id: custom-attachment-id type: json createTextAttachmentExample: description: Example request for creating a text attachment value: data: This is the content of my text attachment description: Meeting notes type: text schema: additionalProperties: false type: object properties: data: {} description: description: Human-readable description of the attachment. type: string hidden: description: Whether the attachment should be hidden from the user. type: boolean id: description: Optional custom ID for the attachment. type: string origin: description: Origin string (for example, saved object ID) for by-reference attachments. When provided without data, the content is resolved once at creation time. type: string type: description: The type of the attachment (e.g., text, esql, visualization). type: string required: - type - data responses: '200': content: application/json: examples: createAttachmentResponseExample: description: Example response returning the created attachment value: attachment: active: true current_version: 1 description: Meeting notes id: att-abc123 type: text versions: - content_hash: sha256-xyz created_at: '2025-01-06T10:00:00.000Z' data: This is the content of my text attachment estimated_tokens: 12 version: 1 description: Indicates a successful response summary: Create conversation attachment tags: - agent builder x-state: Technical Preview; added in 9.2.0 x-metaTags: - content: Kibana name: product_name /api/agent_builder/conversations/{conversation_id}/attachments/{attachment_id}: delete: description: |- **Spaces method and path for this operation:**
delete /s/{space_id}/api/agent_builder/conversations/{conversation_id}/attachments/{attachment_id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Delete an attachment. By default performs a soft delete (can be restored). Use permanent=true to permanently remove unreferenced attachments.

[Required authorization] Route required privileges: agentBuilder:read. operationId: delete-agent-builder-conversations-conversation-id-attachments-attachment-id parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The unique identifier of the conversation. in: path name: conversation_id required: true schema: type: string - description: The unique identifier of the attachment to delete. in: path name: attachment_id required: true schema: type: string - description: If true, permanently removes the attachment (only for unreferenced attachments). in: query name: permanent required: false schema: type: boolean responses: '200': content: application/json: examples: permanentDeleteAttachmentResponseExample: description: Example response for permanent delete (cannot be restored) value: permanent: true success: true softDeleteAttachmentResponseExample: description: Example response for soft delete (can be restored) value: permanent: false success: true description: Indicates a successful response summary: Delete conversation attachment tags: - agent builder x-state: Technical Preview; added in 9.2.0 x-metaTags: - content: Kibana name: product_name patch: description: |- **Spaces method and path for this operation:**
patch /s/{space_id}/api/agent_builder/conversations/{conversation_id}/attachments/{attachment_id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Rename an attachment without creating a new version.

[Required authorization] Route required privileges: agentBuilder:read. operationId: patch-agent-builder-conversations-conversation-id-attachments-attachment-id parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The unique identifier of the conversation. in: path name: conversation_id required: true schema: type: string - description: The unique identifier of the attachment to rename. in: path name: attachment_id required: true schema: type: string requestBody: content: application/json: examples: renameAttachmentExample: description: Example request for renaming an attachment value: description: Updated attachment name schema: additionalProperties: false type: object properties: description: description: The new description/name for the attachment. type: string required: - description responses: '200': content: application/json: examples: renameAttachmentResponseExample: description: Example response returning the renamed attachment (version unchanged) value: attachment: active: true current_version: 1 description: Updated attachment name id: att-abc123 type: text versions: - content_hash: sha256-xyz created_at: '2025-01-06T10:00:00.000Z' data: Content remains the same estimated_tokens: 10 version: 1 success: true description: Indicates a successful response summary: Rename attachment tags: - agent builder x-state: Technical Preview; added in 9.2.0 x-metaTags: - content: Kibana name: product_name put: description: |- **Spaces method and path for this operation:**
put /s/{space_id}/api/agent_builder/conversations/{conversation_id}/attachments/{attachment_id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Update an attachment content. Creates a new version if content changed.

[Required authorization] Route required privileges: agentBuilder:read. operationId: put-agent-builder-conversations-conversation-id-attachments-attachment-id parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The unique identifier of the conversation. in: path name: conversation_id required: true schema: type: string - description: The unique identifier of the attachment to update. in: path name: attachment_id required: true schema: type: string requestBody: content: application/json: examples: updateAttachmentContentExample: description: Example request for updating attachment content value: data: This is the updated content updateAttachmentWithDescriptionExample: description: Example request for updating both content and description value: data: New content version description: Updated meeting notes - v2 schema: additionalProperties: false type: object properties: data: {} description: description: Optional new description for the attachment. type: string required: - data responses: '200': content: application/json: examples: updateAttachmentResponseExample: description: Example response returning the updated attachment with new version value: attachment: active: true current_version: 2 description: Meeting notes id: att-abc123 type: text versions: - content_hash: sha256-abc created_at: '2025-01-06T10:00:00.000Z' data: Original content estimated_tokens: 10 version: 1 - content_hash: sha256-def created_at: '2025-01-06T11:00:00.000Z' data: This is the updated content estimated_tokens: 12 version: 2 new_version: 2 description: Indicates a successful response summary: Update conversation attachment tags: - agent builder x-state: Technical Preview; added in 9.2.0 x-metaTags: - content: Kibana name: product_name /api/agent_builder/conversations/{conversation_id}/attachments/{attachment_id}/_restore: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/agent_builder/conversations/{conversation_id}/attachments/{attachment_id}/_restore
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Restore a soft-deleted attachment.

[Required authorization] Route required privileges: agentBuilder:read. operationId: post-agent-builder-conversations-conversation-id-attachments-attachment-id-restore parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The unique identifier of the conversation. in: path name: conversation_id required: true schema: type: string - description: The unique identifier of the attachment to restore. in: path name: attachment_id required: true schema: type: string responses: '200': content: application/json: examples: restoreAttachmentResponseExample: description: Example response returning the restored attachment value: attachment: active: true current_version: 1 description: Restored attachment id: att-abc123 type: text versions: - content_hash: sha256-xyz created_at: '2025-01-06T10:00:00.000Z' data: Restored content estimated_tokens: 10 version: 1 success: true description: Indicates a successful response summary: Restore deleted attachment tags: - agent builder x-state: Technical Preview; added in 9.2.0 x-metaTags: - content: Kibana name: product_name /api/agent_builder/conversations/{conversation_id}/attachments/{attachment_id}/origin: put: description: |- **Spaces method and path for this operation:**
put /s/{space_id}/api/agent_builder/conversations/{conversation_id}/attachments/{attachment_id}/origin
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Update the origin reference for an attachment. Use this after saving a by-value attachment to link it to its persistent store.

[Required authorization] Route required privileges: agentBuilder:read. operationId: put-agent-builder-conversations-conversation-id-attachments-attachment-id-origin parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The unique identifier of the conversation. in: path name: conversation_id required: true schema: type: string - description: The unique identifier of the attachment to update. in: path name: attachment_id required: true schema: type: string requestBody: content: application/json: examples: updateOriginExample: description: Example request for linking an attachment to a saved visualization value: origin: abc123 schema: additionalProperties: false type: object properties: origin: description: The origin string (e.g., saved object ID for visualizations and dashboards). type: string required: - origin responses: '200': content: application/json: examples: updateOriginResponseExample: description: Example response returning the attachment with updated origin value: attachment: active: true current_version: 1 description: Sales chart id: att-123 origin: abc123 type: visualization versions: - content_hash: sha256-xyz created_at: '2025-01-06T10:00:00.000Z' data: chart_type: bar esql: FROM sales | STATS count=COUNT(*) BY month query: Show monthly sales visualization: {} estimated_tokens: 50 version: 1 success: true description: Indicates a successful response summary: Update attachment origin tags: - agent builder x-state: Technical Preview; added in 9.4.0 x-metaTags: - content: Kibana name: product_name /api/agent_builder/conversations/{conversation_id}/attachments/stale: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/agent_builder/conversations/{conversation_id}/attachments/stale
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Checks staleness for the latest version of all conversation attachments against their origin snapshot.

[Required authorization] Route required privileges: agentBuilder:read. operationId: get-agent-builder-conversations-conversation-id-attachments-stale parameters: - description: The unique identifier of the conversation. in: path name: conversation_id required: true schema: type: string responses: '200': content: application/json: examples: checkStaleAttachmentsResponseExample: description: 'Mixed conversation: attachments without a stale source return only id and is_stale. When a staleness check fails for one attachment, is_stale is false and an error explains why. When an origin-backed attachment is out of date, the response includes type, origin, and resolved data (here a simple text body) for resync.' value: attachments: - id: att-text-meeting-notes is_stale: false - id: att-lens-active-users is_stale: false - error: Origin could not be resolved id: att-query-attachment is_stale: false - data: This is the content of my text attachment hidden: false id: att-text-runbook is_stale: true origin: document:hr-onboarding-v2 type: text description: Indicates a successful response summary: Check attachment staleness tags: - agent builder x-state: Technical Preview; added in 9.4.0 x-metaTags: - content: Kibana name: product_name /api/agent_builder/converse: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/agent_builder/converse
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Send a message to an agent and receive a complete response. This synchronous endpoint waits for the agent to fully process your request before returning the final result. Use this for simple chat interactions where you need the complete response. To learn more, refer to the [agent chat documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/chat).

[Required authorization] Route required privileges: agentBuilder:read. operationId: post-agent-builder-converse parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: examples: converseRequestExample: description: Example request to send a message to the agent as a part of the conversation value: agent_id: elastic-ai-agent connector_id: my-connector-id input: What is Elasticsearch? converseRequestInferenceExample: description: Example using inference_id (mutually exclusive with connector_id) value: agent_id: elastic-ai-agent inference_id: my-inference-endpoint-id input: What is Elasticsearch? schema: additionalProperties: false type: object properties: _execution_mode: description: '**Experimental; added in 9.4.0.** define how to execute the agent (local execution or via task_manager)' enum: - local - task_manager type: string action: description: The action to perform. "regenerate" re-executes the last round with the original input. Requires conversation_id. enum: - regenerate type: string agent_id: default: elastic-ai-agent description: The ID of the agent to chat with. Defaults to the default Elastic AI agent. type: string attachments: description: '**Technical Preview; added in 9.3.0.** Optional attachments to send with the message.' items: additionalProperties: false type: object properties: data: additionalProperties: {} description: Payload of the attachment. Required unless `origin` is provided (content is resolved once at send time). type: object hidden: description: When true, the attachment will not be displayed in the UI. type: boolean id: description: Optional id for the attachment. type: string origin: description: Origin string (for example, saved object ID) for by-reference attachments. When provided without `data`, the content is resolved once using the attachment type’s `resolve` hook. type: string type: description: Type of the attachment. type: string required: - type type: array browser_api_tools: description: Optional browser API tools to be registered as LLM tools with browser.* namespace. These tools execute on the client side. items: additionalProperties: false type: object properties: description: description: Description of what the browser API tool does. type: string id: description: Unique identifier for the browser API tool. type: string schema: {} required: - id - description - schema type: array capabilities: additionalProperties: false description: Controls agent capabilities during conversation. Currently supports visualization rendering for tabular tool results. type: object properties: visualizations: description: When true, allows the agent to render tabular data from tool results as interactive visualizations using custom XML elements in responses. type: boolean configuration_overrides: additionalProperties: false description: Runtime configuration overrides. These override the stored agent configuration for this execution only. type: object properties: instructions: description: Custom instructions for the agent. type: string tools: description: Tool selection to enable for this execution. items: additionalProperties: false type: object properties: tool_ids: items: type: string type: array required: - tool_ids type: array connector_id: description: Optional connector ID for the agent to use for model routing. Mutually exclusive with `inference_id`; omit or use only one. nullable: true type: string conversation_id: description: Optional existing conversation ID to continue a previous conversation. type: string inference_id: description: Optional inference endpoint ID for model routing (public alias for the same internal identifier as `connector_id`). Mutually exclusive with `connector_id`. nullable: true type: string input: description: The user input message to send to the agent. type: string prompts: additionalProperties: additionalProperties: false type: object properties: allow: type: boolean required: - allow description: Can be used to respond to a confirmation prompt. type: object responses: '200': content: application/json: examples: converseResponseExample: description: Example response containing the chain of events representing a conversation with the agent value: conversation_id: 696ccd6d-4bff-4b26-a62e-522ccf2dcd16 response: message: Elasticsearch is a distributed, RESTful search and analytics engine capable of addressing a growing number of use cases. As the heart of the Elastic Stack, it centrally stores your data for lightning fast search, fine‑tuned relevancy, and powerful analytics that scale with ease. steps: - reasoning: Searching for official documentation or content that explains what Elasticsearch is type: reasoning - params: query: what is elasticsearch definition overview introduction progression: - message: Selecting the best target for this query results: - data: message: Could not figure out which index to use type: error tool_call_id: tooluse_shOdUwKIRwC9YhqGzeg0cQ tool_id: platform.core.search type: tool_call description: Indicates a successful response summary: Send chat message tags: - agent builder x-codeSamples: - lang: curl source: | curl \ -X POST "${KIBANA_URL}/api/agent_builder/converse" \ -H "Authorization: ApiKey ${API_KEY}" \ -H "kbn-xsrf: true" \ -H "Content-Type: application/json" \ -d '{ "input": "What is Elasticsearch?", "agent_id": "elastic-ai-agent"}' - lang: Console source: | POST kbn://api/agent_builder/converse { "input": "What is Elasticsearch?", "agent_id": "elastic-ai-agent" } x-state: Added in 9.2.0 x-metaTags: - content: Kibana name: product_name /api/agent_builder/converse/async: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/agent_builder/converse/async
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Send a message to an agent and receive real-time streaming events. This asynchronous endpoint provides live updates as the agent processes your request, allowing you to see intermediate steps and progress. Use this for interactive experiences where you want to monitor the agent's thinking process. ## Event types The endpoint emits Server-Sent Events (SSE) with the following custom event types: `conversation_id_set` Sets the conversation ID. Schema: ```json { "conversation_id": "uuid" } ``` --- `conversation_created` Fires when a new conversation is persisted and assigned an ID. Schema: ```json { "conversation_id": "uuid", "title": "conversation title" } ``` --- `conversation_updated` Fires when a conversation is updated. Schema: ```json { "conversation_id": "uuid", "title": "updated conversation title" } ``` --- `reasoning` Handles reasoning-related data. Schema: ```json { "reasoning": "plain text reasoning content", "transient": false } ``` --- `tool_call` Triggers when a tool is invoked. Schema: ```json { "tool_call_id": "uuid", "tool_id": "tool_name", "params": {} } ``` --- `tool_progress` Reports progress of a running tool. Schema: ```json { "tool_call_id": "uuid", "message": "progress message" } ``` --- `tool_result` Returns results from a completed tool call. Schema: ```json { "tool_call_id": "uuid", "tool_id": "tool_name", "results": [] } ``` **Note:** `results` is an array of `ToolResult` objects. --- `message_chunk` Streams partial text chunks. Schema: ```json { "message_id": "uuid", "text_chunk": "partial text" } ``` --- `message_complete` Indicates message stream is finished. Schema: ```json { "message_id": "uuid", "message_content": "full text content of the message" } ``` --- `thinking_complete` Marks the end of the thinking/reasoning phase. Schema: ```json { "time_to_first_token": 0 } ``` **Note:** `time_to_first_token` is in milliseconds. --- `round_complete` Marks end of one conversation round. Schema: ```json { "round": {} } ``` **Note:** `round` contains the full round json object. --- ## Event flow A typical conversation round emits events in this sequence: 1. `reasoning` (potentially multiple, some transient) 2. `tool_call` (if tools are used) 3. `tool_progress` (zero or more progress updates) 4. `tool_result` (when tool completes) 5. `thinking_complete` 6. `message_chunk` (multiple, as text streams) 7. `message_complete` 8. `round_complete`

[Required authorization] Route required privileges: agentBuilder:read. operationId: post-agent-builder-converse-async parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: examples: converseAsyncRequestExample: description: Example request to send a message to the agent as a part of the conversation value: agent_id: elastic-ai-agent conversation_id: c250305b-1929-4248-b568-b9e3f065fda5 input: Hello converseAsyncRequestInferenceExample: description: Example using inference_id (mutually exclusive with connector_id) value: agent_id: elastic-ai-agent inference_id: my-inference-endpoint-id input: Hello schema: additionalProperties: false type: object properties: _execution_mode: description: '**Experimental; added in 9.4.0.** define how to execute the agent (local execution or via task_manager)' enum: - local - task_manager type: string action: description: The action to perform. "regenerate" re-executes the last round with the original input. Requires conversation_id. enum: - regenerate type: string agent_id: default: elastic-ai-agent description: The ID of the agent to chat with. Defaults to the default Elastic AI agent. type: string attachments: description: '**Technical Preview; added in 9.3.0.** Optional attachments to send with the message.' items: additionalProperties: false type: object properties: data: additionalProperties: {} description: Payload of the attachment. Required unless `origin` is provided (content is resolved once at send time). type: object hidden: description: When true, the attachment will not be displayed in the UI. type: boolean id: description: Optional id for the attachment. type: string origin: description: Origin string (for example, saved object ID) for by-reference attachments. When provided without `data`, the content is resolved once using the attachment type’s `resolve` hook. type: string type: description: Type of the attachment. type: string required: - type type: array browser_api_tools: description: Optional browser API tools to be registered as LLM tools with browser.* namespace. These tools execute on the client side. items: additionalProperties: false type: object properties: description: description: Description of what the browser API tool does. type: string id: description: Unique identifier for the browser API tool. type: string schema: {} required: - id - description - schema type: array capabilities: additionalProperties: false description: Controls agent capabilities during conversation. Currently supports visualization rendering for tabular tool results. type: object properties: visualizations: description: When true, allows the agent to render tabular data from tool results as interactive visualizations using custom XML elements in responses. type: boolean configuration_overrides: additionalProperties: false description: Runtime configuration overrides. These override the stored agent configuration for this execution only. type: object properties: instructions: description: Custom instructions for the agent. type: string tools: description: Tool selection to enable for this execution. items: additionalProperties: false type: object properties: tool_ids: items: type: string type: array required: - tool_ids type: array connector_id: description: Optional connector ID for the agent to use for model routing. Mutually exclusive with `inference_id`; omit or use only one. nullable: true type: string conversation_id: description: Optional existing conversation ID to continue a previous conversation. type: string inference_id: description: Optional inference endpoint ID for model routing (public alias for the same internal identifier as `connector_id`). Mutually exclusive with `connector_id`. nullable: true type: string input: description: The user input message to send to the agent. type: string prompts: additionalProperties: additionalProperties: false type: object properties: allow: type: boolean required: - allow description: Can be used to respond to a confirmation prompt. type: object responses: '200': content: text/event-stream: examples: converseAsyncResponseExample: description: Example stream containing the chain of events representing a conversation with the agent value: - data: data: conversation_id: c250305b-1929-4248-b568-b9e3f065fda5 event: conversation_id_set - data: data: reasoning: Starting with a general search to understand what content is available. event: reasoning - data: data: params: query: latest documents tool_call_id: tooluse__2aJELgyRYqD8SDOKSiwtg tool_id: platform.core.search event: tool_call - data: data: results: - data: message: Could not figure out which index to use type: error tool_call_id: tooluse__2aJELgyRYqD8SDOKSiwtg event: tool_result - data: data: round: id: a5692d54-bc06-4a6e-aea1-412779c73f66 input: message: Hello response: message: Hello! How can I help you today? event: round_complete description: Indicates a successful response summary: Send chat message (streaming) tags: - agent builder x-codeSamples: - lang: curl source: | curl \ -X POST "${KIBANA_URL}/api/agent_builder/converse/async" \ -H "Authorization: ApiKey ${API_KEY}" \ -H "kbn-xsrf: true" \ -H "Content-Type: application/json" \ -d '{ "input": "Hello again let us have an async chat", "agent_id": "elastic-ai-agent", "conversation_id": "" }' - lang: Console source: | POST kbn://api/agent_builder/converse/async { "input": "Hello again let's have an async chat", "agent_id": "elastic-ai-agent", "conversation_id": "" } x-state: Added in 9.2.0 x-metaTags: - content: Kibana name: product_name /api/agent_builder/mcp: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/agent_builder/mcp
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. > warn > This endpoint is designed for MCP clients (Claude Desktop, Cursor, VS Code, etc.) and should not be used directly via REST APIs. Use MCP Inspector or native MCP clients instead. To learn more, refer to the [MCP documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/mcp-server).

[Required authorization] Route required privileges: agentBuilder:read. operationId: post-agent-builder-mcp parameters: - description: Comma-separated list of namespaces to filter tools. Only tools matching the specified namespaces will be returned. in: query name: namespace required: false schema: type: string requestBody: content: application/json: examples: mcpInitializeRequestExample: description: 'WARNING: DO NOT USE THIS ENDPOINT VIA REST API. These examples are auto-generated and should not be run. Integrate with MCP using MCP Inspector or native MCP clients (Claude Desktop, Cursor, VS Code) instead.' value: id: 1 jsonrpc: '2.0' method: initialize params: capabilities: {} clientInfo: name: test-client version: 1.0.0 protocolVersion: '2024-11-05' schema: {} responses: '200': content: application/json: examples: mcpInitializeResponseExample: description: Example response showing the successful result of communication initialisation over MCP protocol value: id: 1 jsonrpc: '2.0' result: capabilities: tools: listChanged: true protocolVersion: '2024-11-05' serverInfo: name: elastic-mcp-server version: 0.0.1 description: Indicates a successful response summary: MCP server tags: - agent builder x-state: Added in 9.2.0 x-metaTags: - content: Kibana name: product_name /api/agent_builder/plugins: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/agent_builder/plugins
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. List all installed plugins and their managed assets. Plugins are installable packages that bundle agent capabilities such as skills, following the [Claude agent plugin specification](https://code.claude.com/docs/en/plugins).

[Required authorization] Route required privileges: agentBuilder:read. operationId: get-agent-builder-plugins parameters: [] responses: '200': content: application/json: examples: listPluginsResponseExample: description: Example response that returns one installed plugin value: results: - created_at: '2025-01-01T00:00:00.000Z' description: Financial analysis tools and skills for Claude id: financial-analysis manifest: author: name: Anthropic url: https://www.anthropic.com keywords: - finance - analysis repository: https://github.com/anthropics/financial-services-plugins name: financial-analysis skill_ids: - financial-analysis-analyze-portfolio source_url: https://github.com/anthropics/financial-services-plugins/tree/main/financial-analysis unmanaged_assets: agents: [] hooks: [] lsp_servers: [] mcp_servers: [] output_styles: [] updated_at: '2025-01-01T00:00:00.000Z' version: 1.0.0 description: Indicates a successful response summary: List plugins tags: - agent builder x-codeSamples: - lang: curl source: | curl \ -X GET "${KIBANA_URL}/api/agent_builder/plugins" \ -H "Authorization: ApiKey ${API_KEY}" - lang: Console source: | GET kbn://api/agent_builder/plugins x-state: Technical Preview; added in 9.4.0 x-metaTags: - content: Kibana name: product_name /api/agent_builder/plugins/{pluginId}: delete: description: |- **Spaces method and path for this operation:**
delete /s/{space_id}/api/agent_builder/plugins/{pluginId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Delete an installed plugin by ID. This action cannot be undone.

[Required authorization] Route required privileges: agentBuilder:write. operationId: delete-agent-builder-plugins-pluginid parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The unique identifier of the plugin. in: path name: pluginId required: true schema: type: string - description: If true, removes the plugin skills from agents that use them and then deletes the plugin. If false and any agent uses the plugin skills, the request returns 409 Conflict with the list of agents. in: query name: force required: false schema: default: false type: boolean responses: '200': content: application/json: examples: deletePluginResponseExample: description: Example response showing that deletion of the plugin has been successful value: success: true description: Indicates a successful response summary: Delete a plugin tags: - agent builder x-codeSamples: - lang: curl source: | curl \ -X DELETE "${KIBANA_URL}/api/agent_builder/plugins/{id}" \ -H "Authorization: ApiKey ${API_KEY}" \ -H "kbn-xsrf: true" - lang: Console source: | DELETE kbn://api/agent_builder/plugins/{id} x-state: Technical Preview; added in 9.4.0 x-metaTags: - content: Kibana name: product_name get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/agent_builder/plugins/{pluginId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get a specific plugin by ID.

[Required authorization] Route required privileges: agentBuilder:read. operationId: get-agent-builder-plugins-pluginid parameters: - description: The unique identifier of the plugin. in: path name: pluginId required: true schema: type: string responses: '200': content: application/json: examples: getPluginByIdResponseExample: description: Example response returning a single installed plugin value: created_at: '2025-01-01T00:00:00.000Z' description: Financial analysis tools and skills for Claude id: financial-analysis manifest: author: name: Anthropic url: https://www.anthropic.com keywords: - finance - analysis repository: https://github.com/anthropics/financial-services-plugins name: financial-analysis skill_ids: - financial-analysis-analyze-portfolio source_url: https://github.com/anthropics/financial-services-plugins/tree/main/financial-analysis unmanaged_assets: agents: [] hooks: [] lsp_servers: [] mcp_servers: [] output_styles: [] updated_at: '2025-01-01T00:00:00.000Z' version: 1.0.0 description: Indicates a successful response summary: Get a plugin by id tags: - agent builder x-codeSamples: - lang: curl source: | curl \ -X GET "${KIBANA_URL}/api/agent_builder/plugins/{id}" \ -H "Authorization: ApiKey ${API_KEY}" - lang: Console source: | GET kbn://api/agent_builder/plugins/{id} x-state: Technical Preview; added in 9.4.0 x-metaTags: - content: Kibana name: product_name /api/agent_builder/plugins/install: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/agent_builder/plugins/install
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Install a plugin from a [GitHub Claude plugin URL](https://code.claude.com/docs/en/plugins) or a direct ZIP URL. Plugins bundle agent capabilities such as skills.

[Required authorization] Route required privileges: agentBuilder:write. operationId: post-agent-builder-plugins-install parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: examples: installPluginFromGithubExample: description: Example request for installing a plugin from a GitHub URL value: url: https://github.com/anthropics/financial-services-plugins/tree/main/financial-analysis installPluginFromZipExample: description: Example request for installing a plugin from a direct zip URL value: url: https://my-server.example.com/my-plugin.zip installPluginWithNameOverrideExample: description: Example request for installing a plugin with a custom name value: plugin_name: my-custom-plugin-name url: https://github.com/anthropics/financial-services-plugins/tree/main/financial-analysis schema: additionalProperties: false type: object properties: plugin_name: description: Optional name override for the plugin. Defaults to the manifest name. type: string url: description: URL to install the plugin from (GitHub URL or direct zip URL). type: string required: - url responses: '200': content: application/json: examples: installPluginResponseExample: description: Example response returning the definition of the installed plugin value: created_at: '2025-01-01T00:00:00.000Z' description: Financial analysis tools and skills for Claude id: financial-analysis manifest: author: name: Anthropic url: https://www.anthropic.com keywords: - finance - analysis repository: https://github.com/anthropics/financial-services-plugins name: financial-analysis skill_ids: - financial-analysis-analyze-portfolio source_url: https://github.com/anthropics/financial-services-plugins/tree/main/financial-analysis unmanaged_assets: agents: [] hooks: [] lsp_servers: [] mcp_servers: [] output_styles: [] updated_at: '2025-01-01T00:00:00.000Z' version: 1.0.0 description: Indicates a successful response summary: Install a plugin tags: - agent builder x-codeSamples: - lang: curl source: | curl \ -X POST "${KIBANA_URL}/api/agent_builder/plugins/install" \ -H "Authorization: ApiKey ${API_KEY}" \ -H "kbn-xsrf: true" \ -H "Content-Type: application/json" \ -d '{ "url": "https://github.com/anthropics/financial-services-plugins/tree/main/financial-analysis" }' - lang: Console source: | POST kbn://api/agent_builder/plugins/install { "url": "https://github.com/anthropics/financial-services-plugins/tree/main/financial-analysis" } x-state: Technical Preview; added in 9.4.0 x-metaTags: - content: Kibana name: product_name /api/agent_builder/skills: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/agent_builder/skills
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. List all available skills (built-in and user-created).

[Required authorization] Route required privileges: agentBuilder:read. operationId: get-agent-builder-skills parameters: - description: Set to true to include skills from plugins. in: query name: include_plugins required: false schema: default: false type: boolean responses: {} summary: List skills tags: - agent builder x-state: Technical Preview; added in 9.4.0 x-metaTags: - content: Kibana name: product_name post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/agent_builder/skills
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Create a new user-defined skill.

[Required authorization] Route required privileges: agentBuilder:manageSkills. operationId: post-agent-builder-skills parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: content: description: Skill instructions content (markdown). type: string description: description: Description of what the skill does. type: string id: description: Unique identifier for the skill. type: string name: description: Human-readable name for the skill. type: string referenced_content: items: additionalProperties: false type: object properties: content: description: Content of the reference. type: string name: description: Name of the referenced content. type: string relativePath: description: Relative path of the referenced content. type: string required: - name - relativePath - content maxItems: 100 type: array tool_ids: default: [] description: Tool IDs from the tool registry that this skill references. items: description: Tool ID from the tool registry. type: string maxItems: 100 type: array required: - id - name - description - content responses: {} summary: Create a skill tags: - agent builder x-state: Technical Preview; added in 9.4.0 x-metaTags: - content: Kibana name: product_name /api/agent_builder/skills/{skillId}: delete: description: |- **Spaces method and path for this operation:**
delete /s/{space_id}/api/agent_builder/skills/{skillId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Delete a user-created skill by ID. If agents still reference the skill, the request returns 409 unless force=true, which removes the skill from agents first. Built-in skills cannot be deleted.

[Required authorization] Route required privileges: agentBuilder:manageSkills. operationId: delete-agent-builder-skills-skillid parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The unique identifier of the skill. in: path name: skillId required: true schema: maxLength: 512 minLength: 1 type: string - description: If true, removes the skill from agents that use it and then deletes it. If false and any agent uses the skill, the request returns 409 Conflict with the list of agents. in: query name: force required: false schema: default: false type: boolean responses: '200': content: application/json: examples: deleteSkillResponseExample: description: Example response showing that the deletion operation was successful value: success: true description: Indicates a successful response summary: Delete a skill tags: - agent builder x-codeSamples: - lang: curl source: | curl \ -X DELETE "https://${KIBANA_URL}/api/agent_builder/skills/{skillId}?force=false" \ -H "Authorization: ApiKey ${API_KEY}" \ -H "kbn-xsrf: true" - lang: Console source: | DELETE kbn:/api/agent_builder/skills/{skillId} x-state: Technical Preview; added in 9.4.0 x-metaTags: - content: Kibana name: product_name get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/agent_builder/skills/{skillId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get a specific skill by ID.

[Required authorization] Route required privileges: agentBuilder:read. operationId: get-agent-builder-skills-skillid parameters: - description: The unique identifier of the skill. in: path name: skillId required: true schema: maxLength: 512 minLength: 1 type: string responses: {} summary: Get a skill by id tags: - agent builder x-state: Technical Preview; added in 9.4.0 x-metaTags: - content: Kibana name: product_name put: description: |- **Spaces method and path for this operation:**
put /s/{space_id}/api/agent_builder/skills/{skillId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Update an existing user-created skill.

[Required authorization] Route required privileges: agentBuilder:manageSkills. operationId: put-agent-builder-skills-skillid parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The unique identifier of the skill. in: path name: skillId required: true schema: maxLength: 512 minLength: 1 type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: content: description: Updated skill instructions content. type: string description: description: Updated description. type: string name: description: Updated name for the skill. type: string referenced_content: items: additionalProperties: false type: object properties: content: description: Content of the reference. type: string name: description: Name of the referenced content. type: string relativePath: description: Relative path of the referenced content. type: string required: - name - relativePath - content maxItems: 100 type: array tool_ids: description: Updated tool IDs from the tool registry. items: description: Updated tool ID. type: string maxItems: 100 type: array responses: {} summary: Update a skill tags: - agent builder x-state: Technical Preview; added in 9.4.0 x-metaTags: - content: Kibana name: product_name /api/agent_builder/tools: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/agent_builder/tools
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. List all available tools. Use this endpoint to retrieve complete tool definitions including their schemas and configuration requirements. To learn more, refer to the [tools documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/tools).

[Required authorization] Route required privileges: agentBuilder:read. operationId: get-agent-builder-tools parameters: [] responses: '200': content: application/json: examples: listToolsResponseExample: description: Example response returning a list of existing tools value: results: - configuration: {} description: |- A powerful tool for searching and analyzing data within your Elasticsearch cluster. It supports both full-text relevance searches and structured analytical queries. Use this tool for any query that involves finding documents, counting, aggregating, or summarizing data from a known index. Examples of queries: - "find articles about serverless architecture" - "search for support tickets mentioning 'billing issue' or 'refund request'" - "what is our policy on parental leave?" - "list all products where the category is 'electronics'" - "show me the last 5 documents from that index" - "show me the sales over the last year break down by month" Note: - The 'index' parameter can be used to specify which index to search against. If not provided, the tool will decide itself which is the best index to use. - It is perfectly fine not to specify the 'index' parameter. It should only be specified when you already know about the index and fields you want to search on, e.g. if the user explicitly specified it. id: platform.core.search readonly: true schema: $schema: http://json-schema.org/draft-07/schema# additionalProperties: false type: object properties: index: description: (optional) Index to search against. If not provided, will automatically select the best index to use based on the query. type: string query: description: A natural language query expressing the search request type: string required: - query tags: [] type: builtin - configuration: {} description: Retrieve the full content (source) of an Elasticsearch document based on its ID and index name. id: platform.core.get_document_by_id readonly: true schema: $schema: http://json-schema.org/draft-07/schema# additionalProperties: false type: object properties: id: description: ID of the document to retrieve type: string index: description: Name of the index to retrieve the document from type: string required: - id - index tags: [] type: builtin - configuration: {} description: |- Execute an ES|QL query and return the results in a tabular format. **IMPORTANT**: This tool only **runs** queries; it does not write them. Think of this as the final step after a query has been prepared. You **must** get the query from one of two sources before calling this tool: 1. The output of the `platform.core.generate_esql` tool (if the tool is available). 2. A verbatim query provided directly by the user. Under no circumstances should you invent, guess, or modify a query yourself for this tool. If you need a query, use the `platform.core.generate_esql` tool first. id: platform.core.execute_esql readonly: true schema: $schema: http://json-schema.org/draft-07/schema# additionalProperties: false type: object properties: query: description: The ES|QL query to execute type: string required: - query tags: [] type: builtin - configuration: params: limit: description: Maximum number of results to return type: integer startTime: description: Start time for the analysis in ISO format type: date query: FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit description: Example ES|QL query tool for analyzing financial trades with time filtering id: example-esql-tool readonly: false schema: $schema: http://json-schema.org/draft-07/schema# additionalProperties: false description: Parameters needed to execute the query type: object properties: limit: description: Maximum number of results to return type: integer startTime: description: Start time for the analysis in ISO format format: date-time type: string required: - startTime - limit tags: - analytics - finance type: esql - configuration: pattern: financial_* description: Search tool specifically for financial data analysis and reporting id: example-index-search-tool readonly: false schema: $schema: http://json-schema.org/draft-07/schema# additionalProperties: false type: object properties: nlQuery: description: A natural language query expressing the search request type: string required: - nlQuery tags: - search - finance type: index_search description: Indicates a successful response summary: List tools tags: - agent builder x-codeSamples: - lang: curl source: | curl \ -X GET "https://${KIBANA_URL}/api/agent_builder/tools" \ -H "Authorization: ApiKey ${API_KEY}" - lang: Console source: | GET kbn:/api/agent_builder/tools x-state: Added in 9.2.0 x-metaTags: - content: Kibana name: product_name post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/agent_builder/tools
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Create a new tool. Use this endpoint to define a custom tool with specific functionality and configuration for use by agents. To learn more, refer to the [tools documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/tools).

[Required authorization] Route required privileges: agentBuilder:manageTools. operationId: post-agent-builder-tools parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: examples: createEsqlToolRequest: description: Example request to create an ESQL query tool with a pre-defined query value: configuration: params: limit: description: Maximum number of results to return type: integer startTime: description: Start time for the analysis in ISO format type: date query: FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit description: Example ES|QL query tool for analyzing financial trades with time filtering id: example-esql-tool tags: - analytics - finance type: esql createIndexSearchToolRequest: description: Example request to create an index_search tool with a pre-defined index pattern value: configuration: pattern: financial_* description: Search tool specifically for financial data analysis and reporting id: example-index-search-tool tags: - search - finance type: index_search schema: additionalProperties: false type: object properties: configuration: additionalProperties: {} description: Tool-specific configuration parameters. See examples for details. type: object description: default: '' description: Description of what the tool does. type: string id: description: Unique identifier for the tool. type: string tags: default: [] description: Optional tags for categorizing and organizing tools. items: description: Tag for categorizing the tool. type: string type: array type: description: The type of tool to create (e.g., esql, index_search). enum: - esql - index_search - workflow - mcp type: string required: - id - type - configuration responses: '200': content: application/json: examples: createEsqlToolExample: description: Example response returning a definition of ESQL tool created value: configuration: params: limit: description: Maximum number of results to return type: integer startTime: description: Start time for the analysis in ISO format type: date query: FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit description: Example ES|QL query tool for analyzing financial trades with time filtering id: example-esql-tool readonly: false schema: $schema: http://json-schema.org/draft-07/schema# additionalProperties: false description: Parameters needed to execute the query type: object properties: limit: description: Maximum number of results to return type: integer startTime: description: Start time for the analysis in ISO format format: date-time type: string required: - startTime - limit tags: - analytics - finance type: esql createIndexSearchToolExample: description: Example response returning a definition of search tool tool created value: configuration: pattern: financial_* description: Search tool specifically for financial data analysis and reporting id: example-index-search-tool readonly: false schema: $schema: http://json-schema.org/draft-07/schema# additionalProperties: false type: object properties: nlQuery: description: A natural language query expressing the search request type: string required: - nlQuery tags: - search - finance type: index_search description: Indicates a successful response summary: Create a tool tags: - agent builder x-codeSamples: - lang: curl source: | curl \ -X POST "https://${KIBANA_URL}/api/agent_builder/tools" \ -H "Authorization: ApiKey ${API_KEY}" \ -H "kbn-xsrf: true" \ -H "Content-Type: application/json" \ -d '{ "id": "example-esql-tool", "type": "esql", "description": "Example ES|QL query tool for analyzing financial trades with time filtering", "tags": ["analytics", "finance"], "configuration": { "query": "FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit", "params": { "startTime": { "type": "date", "description": "Start time for the analysis in ISO format" }, "limit": { "type": "integer", "description": "Maximum number of results to return" } } } }' - lang: Console source: | POST kbn:/api/agent_builder/tools { "id": "example-esql-tool", "type": "esql", "description": "An ES|QL query tool for analyzing financial trades with time filtering", "tags": ["analytics", "finance", "updated"], "configuration": { "query": "FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit", "params": { "startTime": { "type": "date", "description": "Start time for the analysis in ISO format" }, "limit": { "type": "integer", "description": "Maximum number of results to return" } } } } x-state: Added in 9.2.0 x-metaTags: - content: Kibana name: product_name /api/agent_builder/tools/_execute: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/agent_builder/tools/_execute
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Run a tool with parameters. Use this endpoint to run a tool directly with specified inputs and optional external connector integration. To learn more, refer to the [tools documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/tools).

[Required authorization] Route required privileges: agentBuilder:read. operationId: post-agent-builder-tools-execute parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: examples: executeBuiltinEsqlToolRequest: description: Example request executing platform.core.execute_esql tool value: tool_id: platform.core.execute_esql tool_params: query: FROM financial_trades | LIMIT 3 executeBuiltinToolRequest: description: Example request executing platform.core.get_document_by_id tool value: tool_id: platform.core.get_document_by_id tool_params: id: TRD-20250805-0820a89f index: financial_trades executeCustomEsqlToolRequest: description: Example request executing custom example-esql-tool tool value: tool_id: example-esql-tool tool_params: limit: 3 startTime: '2024-01-01T00:00:00Z' executeIndexSearchToolRequest: description: Example request executing custom example-index-search-tool tool value: tool_id: example-index-search-tool tool_params: nlQuery: find trades with high execution prices above 100 schema: additionalProperties: false type: object properties: connector_id: description: Optional connector ID for tools that require external integrations. type: string tool_id: description: The ID of the tool to execute. type: string tool_params: additionalProperties: {} description: Parameters to pass to the tool execution. See examples for details type: object required: - tool_id - tool_params responses: '200': content: application/json: examples: executeBuiltinEsqlToolExample: description: Example response calling built-in platform.core.execute_esql tool value: results: - data: esql: FROM financial_trades | LIMIT 3 type: query - data: columns: - name: account_id type: keyword - name: execution_price type: double - name: symbol type: keyword - name: trade_type type: keyword query: FROM financial_trades | LIMIT 3 source: esql values: - - ACC00179-1f91 - 43.77000045776367 - CVX - sell - - ACC00407-0bbb - 660.4199829101562 - V - buy - - ACC00179-1f91 - 440.3599853515625 - KO - buy tool_result_id: xTpT type: esql_results executeBuiltinToolExample: description: Example response calling built-in platform.core.get_document_by_id tool value: results: - data: content: account_id: ACC00271-fb5c execution_price: 488.54 execution_timestamp: '2025-08-05T08:04:11.649855' last_updated: '2025-09-15T13:23:36' order_status: executed order_type: market quantity: 131 status_reason: fully_filled symbol: EWL trade_cost: 63998.74 trade_id: TRD-20250805-0820a89f trade_type: sell partial: false reference: id: TRD-20250805-0820a89f index: financial_trades type: resource executeCustomEsqlToolExample: description: Example response calling custom example-esql-tool tool value: results: - data: columns: - name: trade_count type: long - name: avg_price type: double - name: symbol type: keyword query: FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit source: esql values: - - 2115 - 89.33911587329621 - US_T_BOND_20YR - - 2112 - 104.20854155945055 - INTL_CORP_ASIA_D - - 2105 - 89.93244177666526 - INTL_CORP_EU_B tool_result_id: Voy8 type: esql_results executeIndexSearchToolExample: description: Example response calling custom example-index-search-tool tool value: results: - data: esql: |- FROM financial_trades | WHERE execution_price > 100 | LIMIT 100 type: query - data: columns: - name: account_id type: keyword - name: execution_price type: double - name: execution_timestamp type: date - name: symbol type: keyword - name: trade_type type: keyword query: |- FROM financial_trades | WHERE execution_price > 100 | LIMIT 100 source: esql values: - - ACC00407-0bbb - 660.4199829101562 - '2020-09-25T11:06:08.687Z' - V - buy - - ACC00179-1f91 - 440.3599853515625 - '2025-08-07T21:56:45.377Z' - KO - buy - - ACC00407-0bbb - 132.8800048828125 - '2020-11-19T04:39:13.655Z' - JAP_JGB_10YR - sell tool_result_id: uE8y type: esql_results description: Indicates a successful response summary: Run a tool tags: - agent builder x-codeSamples: - lang: curl source: | curl \ -X POST "https://${KIBANA_URL}/api/agent_builder/tools/_execute" \ -H "Authorization: ApiKey ${API_KEY}" \ -H "kbn-xsrf: true" \ -H "Content-Type: application/json" \ -d '{ "tool_id": "platform.core.search", "tool_params": { "query": "can you find john doe's email from the employee index?"} } }' - lang: Console source: | POST kbn:/api/agent_builder/tools/_execute { "tool_id": "platform.core.search", "tool_params": { "query": "can you find john doe's email from the employee index?" } } x-state: Added in 9.2.0 x-metaTags: - content: Kibana name: product_name /api/agent_builder/tools/{toolId}: delete: description: |- **Spaces method and path for this operation:**
delete /s/{space_id}/api/agent_builder/tools/{toolId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Delete a tool by ID. This action cannot be undone. To learn more, refer to the [tools documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/tools).

[Required authorization] Route required privileges: agentBuilder:manageTools. operationId: delete-agent-builder-tools-toolid parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The unique identifier of the tool to delete. in: path name: toolId required: true schema: type: string - description: If true, removes the tool from agents that use it and then deletes it. If false and any agent uses the tool, the request returns 409 Conflict with the list of agents. in: query name: force required: false schema: default: false type: boolean responses: '200': content: application/json: examples: deleteAgentResponseExample: description: Example response showing that the deletion operation was successful value: success: true description: Indicates a successful response summary: Delete a tool tags: - agent builder x-codeSamples: - lang: curl source: | curl \ -X DELETE "https://${KIBANA_URL}/api/agent_builder/tools/{toolId}" \ -H "Authorization: ApiKey ${API_KEY}" \ -H "kbn-xsrf: true" - lang: Console source: | DELETE kbn:/api/agent_builder/tools/{toolId} x-state: Added in 9.2.0 x-metaTags: - content: Kibana name: product_name get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/agent_builder/tools/{toolId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get a specific tool by ID. Use this endpoint to retrieve the complete tool definition including its schema and configuration requirements. To learn more, refer to the [tools documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/tools).

[Required authorization] Route required privileges: agentBuilder:read. operationId: get-agent-builder-tools-toolid parameters: - description: The unique identifier of the tool to retrieve. in: path name: toolId required: true schema: type: string responses: '200': content: application/json: examples: getBuiltinToolExample: description: Example response returning built-in platform.core.search tool value: configuration: {} description: |- A powerful tool for searching and analyzing data within your Elasticsearch cluster. It supports both full-text relevance searches and structured analytical queries. Use this tool for any query that involves finding documents, counting, aggregating, or summarizing data from a known index. Examples of queries: - "find articles about serverless architecture" - "search for support tickets mentioning 'billing issue' or 'refund request'" - "what is our policy on parental leave?" - "list all products where the category is 'electronics'" - "show me the last 5 documents from that index" - "show me the sales over the last year break down by month" Note: - The 'index' parameter can be used to specify which index to search against. If not provided, the tool will decide itself which is the best index to use. - It is perfectly fine not to specify the 'index' parameter. It should only be specified when you already know about the index and fields you want to search on, e.g. if the user explicitly specified it. id: platform.core.search readonly: true schema: $schema: http://json-schema.org/draft-07/schema# additionalProperties: false type: object properties: index: description: (optional) Index to search against. If not provided, will automatically select the best index to use based on the query. type: string query: description: A natural language query expressing the search request type: string required: - query tags: [] type: builtin getEsqlToolExample: description: Example response returning custom example-esql-tool tool value: configuration: params: limit: description: Maximum number of results to return type: integer startTime: description: Start time for the analysis in ISO format type: date query: FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit description: Example ES|QL query tool for analyzing financial trades with time filtering id: example-esql-tool readonly: false schema: $schema: http://json-schema.org/draft-07/schema# additionalProperties: false description: Parameters needed to execute the query type: object properties: limit: description: Maximum number of results to return type: integer startTime: description: Start time for the analysis in ISO format format: date-time type: string required: - startTime - limit tags: - analytics - finance type: esql getIndexSearchToolExample: description: Example response returning custom example-index-search-tool tool value: configuration: pattern: financial_* description: Search tool specifically for financial data analysis and reporting id: example-index-search-tool readonly: false schema: $schema: http://json-schema.org/draft-07/schema# additionalProperties: false type: object properties: nlQuery: description: A natural language query expressing the search request type: string required: - nlQuery tags: - search - finance type: index_search description: Indicates a successful response summary: Get a tool by id tags: - agent builder x-codeSamples: - lang: curl source: | curl \ -X GET "https://${KIBANA_URL}/api/agent_builder/tools/{toolId}" \ -H "Authorization: ApiKey ${API_KEY}" - lang: Console source: | GET kbn:/api/agent_builder/tools/{toolId} x-state: Added in 9.2.0 x-metaTags: - content: Kibana name: product_name put: description: |- **Spaces method and path for this operation:**
put /s/{space_id}/api/agent_builder/tools/{toolId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Update an existing tool. Use this endpoint to modify any aspect of the tool's configuration or metadata. To learn more, refer to the [tools documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/tools).

[Required authorization] Route required privileges: agentBuilder:manageTools. operationId: put-agent-builder-tools-toolid parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The unique identifier of the tool to update. in: path name: toolId required: true schema: type: string requestBody: content: application/json: examples: updateEsqlToolRequest: description: Example request to update the custom ESQL tool value: configuration: params: limit: description: Maximum number of results to return type: integer startTime: description: Start time for the analysis in ISO format type: date symbolPattern: description: Pattern to filter symbols (e.g., 'US_*' for US instruments) type: keyword query: FROM financial_trades | WHERE execution_timestamp >= ?startTime AND symbol LIKE ?symbolPattern | STATS trade_count=COUNT(*), avg_price=AVG(execution_price), total_volume=SUM(quantity) BY symbol | SORT trade_count DESC | LIMIT ?limit description: Updated ES|QL query tool for comprehensive financial analysis with enhanced filtering tags: - analytics - finance - reporting updateIndexSearchToolRequest: description: Example request to update the custom Search tool value: description: Updated search tool for comprehensive financial data analysis, reporting, and compliance monitoring tags: - search - finance - compliance - reporting schema: additionalProperties: false type: object properties: configuration: additionalProperties: {} description: Updated tool-specific configuration parameters. See examples for details. type: object description: description: Updated description of what the tool does. type: string tags: description: Updated tags for categorizing and organizing tools. items: description: Updated tag for categorizing the tool. type: string type: array responses: '200': content: application/json: examples: updateEsqlToolExample: description: Example response showing the updated ESQL tool value: configuration: params: limit: description: Maximum number of results to return type: integer startTime: description: Start time for the analysis in ISO format type: date symbolPattern: description: Pattern to filter symbols (e.g., 'US_*' for US instruments) type: keyword query: FROM financial_trades | WHERE execution_timestamp >= ?startTime AND symbol LIKE ?symbolPattern | STATS trade_count=COUNT(*), avg_price=AVG(execution_price), total_volume=SUM(quantity) BY symbol | SORT trade_count DESC | LIMIT ?limit description: Updated ES|QL query tool for comprehensive financial analysis with enhanced filtering id: example-esql-tool readonly: false schema: $schema: http://json-schema.org/draft-07/schema# additionalProperties: false description: Parameters needed to execute the enhanced query type: object properties: limit: description: Maximum number of results to return type: integer startTime: description: Start time for the analysis in ISO format format: date-time type: string symbolPattern: description: Pattern to filter symbols (e.g., 'US_*' for US instruments) type: string required: - startTime - symbolPattern - limit tags: - analytics - finance - reporting type: esql updateIndexSearchToolExample: description: Example response showing the updated Search tool value: configuration: pattern: financial_* description: Updated search tool for comprehensive financial data analysis, reporting, and compliance monitoring id: example-index-search-tool readonly: false schema: $schema: http://json-schema.org/draft-07/schema# additionalProperties: false type: object properties: nlQuery: description: A natural language query expressing the search request type: string required: - nlQuery tags: - search - finance - compliance - reporting type: index_search description: Indicates a successful response summary: Update a tool tags: - agent builder x-codeSamples: - lang: curl source: | curl \ -X PUT "https://${KIBANA_URL}/api/agent_builder/tools/{toolId}" \ -H "Authorization: ApiKey ${API_KEY}" \ -H "kbn-xsrf: true" \ -H "Content-Type: application/json" \ -d '{ "description": "Updated ES|QL query tool for analyzing financial trades with time filtering", "tags": ["analytics", "finance", "updated"], "configuration": { "query": "FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit", "params": { "startTime": { "type": "date", "description": "Start time for the analysis in ISO format" }, "limit": { "type": "integer", "description": "Maximum number of results to return" } } } }' - lang: Console source: | PUT kbn:/api/agent_builder/tools/{toolId} { "description": "Updated ES|QL query tool for analyzing financial trades with time filtering", "tags": ["analytics", "finance", "updated"], "configuration": { "query": "FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit", "params": { "startTime": { "type": "date", "description": "Start time for the analysis in ISO format" }, "limit": { "type": "integer", "description": "Maximum number of results to return" } } } } x-state: Added in 9.2.0 x-metaTags: - content: Kibana name: product_name /api/alerting/_health: get: description: | **Spaces method and path for this operation:**
get /s/{space_id}/api/alerting/_health
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. You must have `read` privileges for the **Management > Stack Rules** feature or for at least one of the **Analytics > Discover**, **Analytics > Machine Learning**, **Observability**, or **Security** features. operationId: getAlertingHealth responses: '200': content: application/json: examples: getAlertingHealthResponse: $ref: '#/components/examples/Alerting_get_health_response' schema: type: object properties: alerting_framework_health: description: | Three substates identify the health of the alerting framework: `decryption_health`, `execution_health`, and `read_health`. type: object properties: decryption_health: description: The timestamp and status of the rule decryption. type: object properties: status: enum: - error - ok - warn example: ok type: string timestamp: example: '2023-01-13T01:28:00.280Z' format: date-time type: string execution_health: description: The timestamp and status of the rule run. type: object properties: status: enum: - error - ok - warn example: ok type: string timestamp: example: '2023-01-13T01:28:00.280Z' format: date-time type: string read_health: description: The timestamp and status of the rule reading events. type: object properties: status: enum: - error - ok - warn example: ok type: string timestamp: example: '2023-01-13T01:28:00.280Z' format: date-time type: string has_permanent_encryption_key: description: If `false`, the encrypted saved object plugin does not have a permanent encryption key. example: true type: boolean is_sufficiently_secure: description: If `false`, security is enabled but TLS is not. example: true type: boolean description: Indicates a successful call. '401': content: application/json: schema: $ref: '#/components/schemas/Alerting_401_response' description: Authorization information is missing or invalid. summary: Get the alerting framework health tags: - alerting x-metaTags: - content: Kibana name: product_name /api/alerting/rule_types: get: description: | **Spaces method and path for this operation:**
get /s/{space_id}/api/alerting/rule_types
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. If you have `read` privileges for one or more Kibana features, the API response contains information about the appropriate rule types. For example, there are rule types associated with the **Management > Stack Rules** feature, **Analytics > Discover** and **Machine Learning** features, **Observability** features, and **Security** features. To get rule types associated with the **Stack Monitoring** feature, use the `monitoring_user` built-in role. operationId: getRuleTypes responses: '200': content: application/json: examples: getRuleTypesResponse: $ref: '#/components/examples/Alerting_get_rule_types_response' schema: items: type: object properties: action_groups: description: | An explicit list of groups for which the rule type can schedule actions, each with the action group's unique ID and human readable name. Rule actions validation uses this configuration to ensure that groups are valid. items: type: object properties: id: type: string name: type: string type: array action_variables: description: | A list of action variables that the rule type makes available via context and state in action parameter templates, and a short human readable description. When you create a rule in Kibana, it uses this information to prompt you for these variables in action parameter editors. type: object properties: context: items: type: object properties: description: type: string name: type: string useWithTripleBracesInTemplates: type: boolean type: array params: items: type: object properties: description: type: string name: type: string type: array state: items: type: object properties: description: type: string name: type: string type: array alerts: description: | Details for writing alerts as data documents for this rule type. type: object properties: context: description: | The namespace for this rule type. enum: - ml.anomaly-detection - observability.apm - observability.logs - observability.metrics - observability.slo - observability.threshold - observability.uptime - security - stack type: string dynamic: description: Indicates whether new fields are added dynamically. enum: - 'false' - runtime - strict - 'true' type: string isSpaceAware: description: | Indicates whether the alerts are space-aware. If true, space-specific alert indices are used. type: boolean mappings: type: object properties: fieldMap: additionalProperties: $ref: '#/components/schemas/Alerting_fieldmap_properties' description: | Mapping information for each field supported in alerts as data documents for this rule type. For more information about mapping parameters, refer to the Elasticsearch documentation. type: object secondaryAlias: description: | A secondary alias. It is typically used to support the signals alias for detection rules. type: string shouldWrite: description: | Indicates whether the rule should write out alerts as data. type: boolean useEcs: description: | Indicates whether to include the ECS component template for the alerts. type: boolean useLegacyAlerts: default: false description: | Indicates whether to include the legacy component template for the alerts. type: boolean authorized_consumers: description: The list of the plugins IDs that have access to the rule type. type: object properties: alerts: type: object properties: all: type: boolean read: type: boolean apm: type: object properties: all: type: boolean read: type: boolean discover: type: object properties: all: type: boolean read: type: boolean infrastructure: type: object properties: all: type: boolean read: type: boolean logs: type: object properties: all: type: boolean read: type: boolean ml: type: object properties: all: type: boolean read: type: boolean monitoring: type: object properties: all: type: boolean read: type: boolean siem: type: object properties: all: type: boolean read: type: boolean slo: type: object properties: all: type: boolean read: type: boolean stackAlerts: type: object properties: all: type: boolean read: type: boolean uptime: type: object properties: all: type: boolean read: type: boolean category: description: The rule category, which is used by features such as category-specific maintenance windows. enum: - management - observability - securitySolution type: string default_action_group_id: description: The default identifier for the rule type group. type: string does_set_recovery_context: description: Indicates whether the rule passes context variables to its recovery action. type: boolean enabled_in_license: description: Indicates whether the rule type is enabled or disabled based on the subscription. type: boolean has_alerts_mappings: description: Indicates whether the rule type has custom mappings for the alert data. type: boolean has_fields_for_a_a_d: type: boolean id: description: The unique identifier for the rule type. type: string is_exportable: description: Indicates whether the rule type is exportable in **Stack Management > Saved Objects**. type: boolean minimum_license_required: description: The subscriptions required to use the rule type. example: basic type: string name: description: The descriptive name of the rule type. type: string producer: description: An identifier for the application that produces this rule type. example: stackAlerts type: string recovery_action_group: description: An action group to use when an alert goes from an active state to an inactive one. type: object properties: id: type: string name: type: string rule_task_timeout: example: 5m type: string type: array description: Indicates a successful call. '401': content: application/json: schema: $ref: '#/components/schemas/Alerting_401_response' description: Authorization information is missing or invalid. summary: Get the rule types tags: - alerting x-metaTags: - content: Kibana name: product_name /api/alerting/rule/{id}: delete: operationId: delete-alerting-rule-id parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The identifier for the rule. in: path name: id required: true schema: type: string responses: '204': description: Indicates a successful call. '400': description: Indicates an invalid schema or parameters. '403': description: Indicates that this call is forbidden. '404': description: Indicates a rule with the given ID does not exist. summary: Delete a rule tags: - alerting x-metaTags: - content: Kibana name: product_name description: |- **Spaces method and path for this operation:**
delete /s/{space_id}/api/alerting/rule/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. get: operationId: get-alerting-rule-id parameters: - description: The identifier for the rule. in: path name: id required: true schema: type: string responses: '200': content: application/json: schema: additionalProperties: false type: object properties: actions: items: additionalProperties: false type: object properties: alerts_filter: additionalProperties: false description: Defines a period that limits whether the action runs. type: object properties: query: additionalProperties: false type: object properties: dsl: description: A filter written in Elasticsearch Query Domain Specific Language (DSL). type: string filters: description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. items: additionalProperties: false type: object properties: $state: additionalProperties: false type: object properties: store: description: A filter can be either specific to an application context or applied globally. enum: - appState - globalState type: string required: - store meta: additionalProperties: {} type: object query: additionalProperties: {} type: object required: - meta type: array kql: description: A filter written in Kibana Query Language (KQL). type: string required: - kql - filters timeframe: additionalProperties: false type: object properties: days: description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. items: enum: - 1 - 2 - 3 - 4 - 5 - 6 - 7 type: integer type: array hours: additionalProperties: false type: object properties: end: description: The end of the time frame in 24-hour notation (`hh:mm`). type: string start: description: The start of the time frame in 24-hour notation (`hh:mm`). type: string required: - start - end timezone: description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. type: string required: - days - hours - timezone connector_type_id: description: The type of connector. This property appears in responses but cannot be set in requests. type: string frequency: additionalProperties: false type: object properties: notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval type: string summary: description: Indicates whether the action is a summary. type: boolean throttle: description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if ''notify_when'' is set to ''onThrottleInterval''. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - summary - notify_when - throttle group: description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. type: string id: description: The identifier for the connector saved object. type: string params: additionalProperties: {} description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. type: object use_alert_data_for_template: description: Indicates whether to use alert data as a template. type: boolean uuid: description: A universally unique identifier (UUID) for the action. type: string required: - id - connector_type_id - params type: array active_snoozes: items: description: List of active snoozes for the rule. type: string type: array alert_delay: additionalProperties: false description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. type: object properties: active: description: The number of consecutive runs that must meet the rule conditions. type: number required: - active api_key_created_by_user: description: Indicates whether the API key that is associated with the rule was created by the user. nullable: true type: boolean api_key_owner: description: The owner of the API key that is associated with the rule and used to run background tasks. nullable: true type: string artifacts: additionalProperties: false type: object properties: dashboards: items: additionalProperties: false type: object properties: id: type: string required: - id type: array investigation_guide: additionalProperties: false type: object properties: blob: description: User-created content that describes alert causes and remdiation. type: string required: - blob consumer: description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' type: string created_at: description: The date and time that the rule was created. type: string created_by: description: The identifier for the user that created the rule. nullable: true type: string enabled: description: Indicates whether you want to run the rule on an interval basis after it is created. type: boolean execution_status: additionalProperties: false type: object properties: error: additionalProperties: false type: object properties: message: description: Error message. type: string reason: description: Reason for error. enum: - read - decrypt - execute - unknown - license - timeout - disabled - validate type: string required: - reason - message last_duration: description: Duration of last execution of the rule. type: number last_execution_date: description: The date and time when rule was executed last. type: string status: description: Status of rule execution. enum: - ok - active - error - warning - pending - unknown type: string warning: additionalProperties: false type: object properties: message: description: Warning message. type: string reason: description: Reason for warning. enum: - maxExecutableActions - maxAlerts - maxQueuedActions - ruleExecution type: string required: - reason - message required: - status - last_execution_date flapping: additionalProperties: false description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. nullable: true type: object properties: enabled: description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. type: boolean look_back_window: description: The minimum number of runs in which the threshold must be met. maximum: 20 minimum: 2 type: number status_change_threshold: description: The minimum number of times an alert must switch states in the look back window. maximum: 20 minimum: 2 type: number required: - look_back_window - status_change_threshold id: description: The identifier for the rule. type: string is_snoozed_until: description: The date when the rule will no longer be snoozed. nullable: true type: string last_run: additionalProperties: false nullable: true type: object properties: alerts_count: additionalProperties: false type: object properties: active: description: Number of active alerts during last run. nullable: true type: number ignored: description: Number of ignored alerts during last run. nullable: true type: number new: description: Number of new alerts during last run. nullable: true type: number recovered: description: Number of recovered alerts during last run. nullable: true type: number outcome: description: Outcome of last run of the rule. Value could be succeeded, warning or failed. enum: - succeeded - warning - failed type: string outcome_msg: items: description: Outcome message generated during last rule run. type: string nullable: true type: array outcome_order: description: Order of the outcome. type: number warning: description: Warning of last rule execution. enum: - read - decrypt - execute - unknown - license - timeout - disabled - validate - maxExecutableActions - maxAlerts - maxQueuedActions - ruleExecution nullable: true type: string required: - outcome - alerts_count mapped_params: additionalProperties: {} type: object monitoring: additionalProperties: false description: Monitoring details of the rule. type: object properties: run: additionalProperties: false description: Rule run details. type: object properties: calculated_metrics: additionalProperties: false description: Calculation of different percentiles and success ratio. type: object properties: p50: type: number p95: type: number p99: type: number success_ratio: type: number required: - success_ratio history: description: History of the rule run. items: additionalProperties: false type: object properties: duration: description: Duration of the rule run. type: number outcome: description: Outcome of last run of the rule. Value could be succeeded, warning or failed. enum: - succeeded - warning - failed type: string success: description: Indicates whether the rule run was successful. type: boolean timestamp: description: Time of rule run. type: number required: - success - timestamp type: array last_run: additionalProperties: false type: object properties: metrics: additionalProperties: false type: object properties: duration: description: Duration of most recent rule run. type: number gap_duration_s: description: Duration in seconds of rule run gap. nullable: true type: number gap_range: additionalProperties: false nullable: true type: object properties: gte: description: End of the gap range. type: string lte: description: Start of the gap range. type: string required: - lte - gte total_alerts_created: description: Total number of alerts created during last rule run. nullable: true type: number total_alerts_detected: description: Total number of alerts detected during last rule run. nullable: true type: number total_indexing_duration_ms: description: Total time spent indexing documents during last rule run in milliseconds. nullable: true type: number total_search_duration_ms: description: Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response. nullable: true type: number timestamp: description: Time of the most recent rule run. type: string required: - timestamp - metrics required: - history - calculated_metrics - last_run required: - run mute_all: description: Indicates whether all alerts are muted. type: boolean muted_alert_ids: items: description: 'List of identifiers of muted alerts. ' type: string type: array name: description: ' The name of the rule.' type: string next_run: description: Date and time of the next run of the rule. nullable: true type: string notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval nullable: true type: string params: additionalProperties: {} description: The parameters for the rule. type: object revision: description: The rule revision number. type: number rule_type_id: description: The rule type identifier. type: string running: description: Indicates whether the rule is running. nullable: true type: boolean schedule: additionalProperties: false type: object properties: interval: description: The interval is specified in seconds, minutes, hours, or days. type: string required: - interval scheduled_task_id: description: Identifier of the scheduled task. type: string snooze_schedule: items: additionalProperties: false type: object properties: duration: description: Duration of the rule snooze schedule. type: number id: description: Identifier of the rule snooze schedule. type: string rRule: additionalProperties: false type: object properties: byhour: items: description: Indicates hours of the day to recur. type: number nullable: true type: array byminute: items: description: Indicates minutes of the hour to recur. type: number nullable: true type: array bymonth: items: description: Indicates months of the year that this rule should recur. type: number nullable: true type: array bymonthday: items: description: Indicates the days of the month to recur. type: number nullable: true type: array bysecond: items: description: Indicates seconds of the day to recur. type: number nullable: true type: array bysetpos: items: description: A positive or negative integer affecting the nth day of the month. For example, -2 combined with `byweekday` of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use `byweekday`. type: number nullable: true type: array byweekday: items: anyOf: - type: string - type: number description: Indicates the days of the week to recur or else nth-day-of-month strings. For example, "+2TU" second Tuesday of month, "-1FR" last Friday of the month, which are internally converted to a `byweekday/bysetpos` combination. nullable: true type: array byweekno: items: description: Indicates number of the week hours to recur. type: number nullable: true type: array byyearday: items: description: Indicates the days of the year that this rule should recur. type: number nullable: true type: array count: description: Number of times the rule should recur until it stops. type: number dtstart: description: Rule start date in Coordinated Universal Time (UTC). type: string freq: description: Indicates frequency of the rule. Options are YEARLY, MONTHLY, WEEKLY, DAILY. enum: - 0 - 1 - 2 - 3 - 4 - 5 - 6 type: integer interval: description: Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks. type: number tzid: description: Indicates timezone abbreviation. type: string until: description: Recur the rule until this date. type: string wkst: description: Indicates the start of week, defaults to Monday. enum: - MO - TU - WE - TH - FR - SA - SU type: string required: - dtstart - tzid skipRecurrences: items: description: Skips recurrence of rule on this date. type: string type: array required: - duration - rRule type: array tags: items: description: The tags for the rule. type: string type: array throttle: deprecated: true description: 'Deprecated in 8.13.0. Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string updated_at: description: The date and time that the rule was updated most recently. type: string updated_by: description: The identifier for the user that updated this rule most recently. nullable: true type: string view_in_app_relative_url: description: Relative URL to view rule in the app. nullable: true type: string required: - id - enabled - name - tags - rule_type_id - consumer - schedule - actions - params - created_by - updated_by - created_at - updated_at - api_key_owner - mute_all - muted_alert_ids - execution_status - revision description: Indicates a successful call. '400': description: Indicates an invalid schema or parameters. '403': description: Indicates that this call is forbidden. '404': description: Indicates a rule with the given ID does not exist. summary: Get rule details tags: - alerting x-metaTags: - content: Kibana name: product_name description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/alerting/rule/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. post: operationId: post-alerting-rule-id parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The identifier for the rule. If it is omitted, an ID is randomly generated. in: path name: id required: true schema: type: string requestBody: content: application/json: examples: createEsQueryEsqlRuleRequest: description: | Create an Elasticsearch query rule that uses Elasticsearch Query Language (ES|QL) to define its query and a server log connector to send notifications. summary: Elasticsearch query rule (ES|QL) value: actions: - frequency: notify_when: onActiveAlert summary: false group: query matched id: d0db1fe0-78d6-11ee-9177-f7d404c8c945 params: level: info message: |- Elasticsearch query rule '{{rule.name}}' is active: - Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} - Link: {{context.link}} consumer: stackAlerts name: my Elasticsearch query ESQL rule params: esqlQuery: esql: FROM kibana_sample_data_logs | KEEP bytes, clientip, host, geo.dest | where geo.dest != "GB" | STATS sumbytes = sum(bytes) by clientip, host | WHERE sumbytes > 5000 | SORT sumbytes desc | LIMIT 10 searchType: esqlQuery size: 0 threshold: - 0 thresholdComparator: '>' timeField: '@timestamp' timeWindowSize: 1 timeWindowUnit: d rule_type_id: .es-query schedule: interval: 1d createEsQueryKqlRuleRequest: description: Create an Elasticsearch query rule that uses Kibana query language (KQL). summary: Elasticsearch query rule (KQL) value: consumer: alerts name: my Elasticsearch query KQL rule params: aggType: count excludeHitsFromPreviousRun: true groupBy: all searchConfiguration: index: 90943e30-9a47-11e8-b64d-95841ca0b247 query: language: kuery query: '""geo.src : "US" ""' searchType: searchSource size: 100 threshold: - 1000 thresholdComparator: '>' timeWindowSize: 5 timeWindowUnit: m rule_type_id: .es-query schedule: interval: 1m createEsQueryRuleRequest: description: | Create an Elasticsearch query rule that uses Elasticsearch query domain specific language (DSL) to define its query and a server log connector to send notifications. summary: Elasticsearch query rule (DSL) value: actions: - frequency: notify_when: onThrottleInterval summary: true throttle: 1d group: query matched id: fdbece50-406c-11ee-850e-c71febc4ca7f params: level: info message: The system has detected {{alerts.new.count}} new, {{alerts.ongoing.count}} ongoing, and {{alerts.recovered.count}} recovered alerts. - frequency: notify_when: onActionGroupChange summary: false group: recovered id: fdbece50-406c-11ee-850e-c71febc4ca7f params: level: info message: Recovered consumer: alerts name: my Elasticsearch query rule params: esQuery: '"""{"query":{"match_all" : {}}}"""' index: - kibana_sample_data_logs size: 100 threshold: - 100 thresholdComparator: '>' timeField: '@timestamp' timeWindowSize: 1 timeWindowUnit: d rule_type_id: .es-query schedule: interval: 1d createIndexThresholdRuleRequest: description: | Create an index threshold rule that uses a server log connector to send notifications when the threshold is met. summary: Index threshold rule value: actions: - frequency: notify_when: onActionGroupChange summary: false group: threshold met id: 48de3460-f401-11ed-9f8e-399c75a2deeb params: level: info message: |- Rule '{{rule.name}}' is active for group '{{context.group}}': - Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} alert_delay: active: 3 consumer: alerts name: my rule params: aggField: sheet.version aggType: avg groupBy: top index: - .test-index termField: name.keyword termSize: 6 threshold: - 1000 thresholdComparator: '>' timeField: '@timestamp' timeWindowSize: 5 timeWindowUnit: m rule_type_id: .index-threshold schedule: interval: 1m tags: - cpu createTrackingContainmentRuleRequest: description: | Create a tracking containment rule that checks when an entity is contained or no longer contained within a boundary. summary: Tracking containment rule value: consumer: alerts name: my tracking rule params: boundaryGeoField: location boundaryIndexId: 0cd90abf-abe7-44c7-909a-f621bbbcfefc boundaryIndexTitle: boundary* boundaryNameField: name boundaryType: entireIndex dateField": '@timestamp' entity: agent.keyword geoField: geo.coordinates index: kibana_sample_data_logs indexId: 90943e30-9a47-11e8-b64d-95841ca0b247 rule_type_id: .geo-containment schedule: interval: 1h schema: anyOf: - discriminator: mapping: .es-query: '#/components/schemas/Kibana_HTTP_APIs_es-query-create-rule-body-alerting' .geo-containment: '#/components/schemas/Kibana_HTTP_APIs_geo-containment-create-rule-body-alerting' .index-threshold: '#/components/schemas/Kibana_HTTP_APIs_index-threshold-create-rule-body-alerting' apm.anomaly: '#/components/schemas/Kibana_HTTP_APIs_apm-anomaly-create-rule-body-alerting' apm.error_rate: '#/components/schemas/Kibana_HTTP_APIs_apm-error-rate-create-rule-body-alerting' apm.transaction_duration: '#/components/schemas/Kibana_HTTP_APIs_apm-transaction-duration-create-rule-body-alerting' apm.transaction_error_rate: '#/components/schemas/Kibana_HTTP_APIs_apm-transaction-error-rate-create-rule-body-alerting' datasetQuality.degradedDocs: '#/components/schemas/Kibana_HTTP_APIs_datasetquality-degradeddocs-create-rule-body-alerting' logs.alert.document.count: '#/components/schemas/Kibana_HTTP_APIs_logs-alert-document-count-create-rule-body-alerting' metrics.alert.inventory.threshold: '#/components/schemas/Kibana_HTTP_APIs_metrics-alert-inventory-threshold-create-rule-body-alerting' metrics.alert.threshold: '#/components/schemas/Kibana_HTTP_APIs_metrics-alert-threshold-create-rule-body-alerting' monitoring_alert_cluster_health: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-cluster-health-create-rule-body-alerting' monitoring_alert_cpu_usage: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-cpu-usage-create-rule-body-alerting' monitoring_alert_disk_usage: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-disk-usage-create-rule-body-alerting' monitoring_alert_elasticsearch_version_mismatch: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-elasticsearch-version-mismatch-create-rule-body-alerting' monitoring_alert_jvm_memory_usage: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-jvm-memory-usage-create-rule-body-alerting' monitoring_alert_kibana_version_mismatch: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-kibana-version-mismatch-create-rule-body-alerting' monitoring_alert_license_expiration: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-license-expiration-create-rule-body-alerting' monitoring_alert_logstash_version_mismatch: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-logstash-version-mismatch-create-rule-body-alerting' monitoring_alert_missing_monitoring_data: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-missing-monitoring-data-create-rule-body-alerting' monitoring_alert_nodes_changed: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-nodes-changed-create-rule-body-alerting' monitoring_alert_thread_pool_search_rejections: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-thread-pool-search-rejections-create-rule-body-alerting' monitoring_alert_thread_pool_write_rejections: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-thread-pool-write-rejections-create-rule-body-alerting' monitoring_ccr_read_exceptions: '#/components/schemas/Kibana_HTTP_APIs_monitoring-ccr-read-exceptions-create-rule-body-alerting' monitoring_shard_size: '#/components/schemas/Kibana_HTTP_APIs_monitoring-shard-size-create-rule-body-alerting' observability.rules.custom_threshold: '#/components/schemas/Kibana_HTTP_APIs_observability-rules-custom-threshold-create-rule-body-alerting' slo.rules.burnRate: '#/components/schemas/Kibana_HTTP_APIs_slo-rules-burnrate-create-rule-body-alerting' transform_health: '#/components/schemas/Kibana_HTTP_APIs_transform-health-create-rule-body-alerting' xpack.ml.anomaly_detection_alert: '#/components/schemas/Kibana_HTTP_APIs_xpack-ml-anomaly-detection-alert-create-rule-body-alerting' xpack.ml.anomaly_detection_jobs_health: '#/components/schemas/Kibana_HTTP_APIs_xpack-ml-anomaly-detection-jobs-health-create-rule-body-alerting' xpack.synthetics.alerts.monitorStatus: '#/components/schemas/Kibana_HTTP_APIs_xpack-synthetics-alerts-monitorstatus-create-rule-body-alerting' xpack.synthetics.alerts.tls: '#/components/schemas/Kibana_HTTP_APIs_xpack-synthetics-alerts-tls-create-rule-body-alerting' xpack.uptime.alerts.durationAnomaly: '#/components/schemas/Kibana_HTTP_APIs_xpack-uptime-alerts-durationanomaly-create-rule-body-alerting' xpack.uptime.alerts.monitorStatus: '#/components/schemas/Kibana_HTTP_APIs_xpack-uptime-alerts-monitorstatus-create-rule-body-alerting' xpack.uptime.alerts.tlsCertificate: '#/components/schemas/Kibana_HTTP_APIs_xpack-uptime-alerts-tlscertificate-create-rule-body-alerting' propertyName: rule_type_id oneOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-ccr-read-exceptions-create-rule-body-alerting' - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-cluster-health-create-rule-body-alerting' - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-cpu-usage-create-rule-body-alerting' - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-disk-usage-create-rule-body-alerting' - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-elasticsearch-version-mismatch-create-rule-body-alerting' - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-kibana-version-mismatch-create-rule-body-alerting' - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-license-expiration-create-rule-body-alerting' - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-logstash-version-mismatch-create-rule-body-alerting' - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-jvm-memory-usage-create-rule-body-alerting' - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-missing-monitoring-data-create-rule-body-alerting' - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-nodes-changed-create-rule-body-alerting' - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-shard-size-create-rule-body-alerting' - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-thread-pool-search-rejections-create-rule-body-alerting' - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-thread-pool-write-rejections-create-rule-body-alerting' - $ref: '#/components/schemas/Kibana_HTTP_APIs_xpack-ml-anomaly-detection-alert-create-rule-body-alerting' - $ref: '#/components/schemas/Kibana_HTTP_APIs_xpack-ml-anomaly-detection-jobs-health-create-rule-body-alerting' - $ref: '#/components/schemas/Kibana_HTTP_APIs_datasetquality-degradeddocs-create-rule-body-alerting' - $ref: '#/components/schemas/Kibana_HTTP_APIs_es-query-create-rule-body-alerting' - $ref: '#/components/schemas/Kibana_HTTP_APIs_index-threshold-create-rule-body-alerting' - $ref: '#/components/schemas/Kibana_HTTP_APIs_geo-containment-create-rule-body-alerting' - $ref: '#/components/schemas/Kibana_HTTP_APIs_transform-health-create-rule-body-alerting' - $ref: '#/components/schemas/Kibana_HTTP_APIs_apm-anomaly-create-rule-body-alerting' - $ref: '#/components/schemas/Kibana_HTTP_APIs_apm-error-rate-create-rule-body-alerting' - $ref: '#/components/schemas/Kibana_HTTP_APIs_apm-transaction-error-rate-create-rule-body-alerting' - $ref: '#/components/schemas/Kibana_HTTP_APIs_apm-transaction-duration-create-rule-body-alerting' - $ref: '#/components/schemas/Kibana_HTTP_APIs_xpack-synthetics-alerts-monitorstatus-create-rule-body-alerting' - $ref: '#/components/schemas/Kibana_HTTP_APIs_xpack-synthetics-alerts-tls-create-rule-body-alerting' - $ref: '#/components/schemas/Kibana_HTTP_APIs_xpack-uptime-alerts-monitorstatus-create-rule-body-alerting' - $ref: '#/components/schemas/Kibana_HTTP_APIs_xpack-uptime-alerts-tlscertificate-create-rule-body-alerting' - $ref: '#/components/schemas/Kibana_HTTP_APIs_xpack-uptime-alerts-durationanomaly-create-rule-body-alerting' - $ref: '#/components/schemas/Kibana_HTTP_APIs_metrics-alert-inventory-threshold-create-rule-body-alerting' - $ref: '#/components/schemas/Kibana_HTTP_APIs_metrics-alert-threshold-create-rule-body-alerting' - $ref: '#/components/schemas/Kibana_HTTP_APIs_observability-rules-custom-threshold-create-rule-body-alerting' - $ref: '#/components/schemas/Kibana_HTTP_APIs_logs-alert-document-count-create-rule-body-alerting' - $ref: '#/components/schemas/Kibana_HTTP_APIs_slo-rules-burnrate-create-rule-body-alerting' - additionalProperties: false type: object properties: actions: default: [] items: additionalProperties: false description: An action that runs under defined conditions. type: object properties: alerts_filter: additionalProperties: false description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. type: object properties: query: additionalProperties: false type: object properties: dsl: description: A filter written in Elasticsearch Query Domain Specific Language (DSL). type: string filters: description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. items: additionalProperties: false type: object properties: $state: additionalProperties: false type: object properties: store: description: A filter can be either specific to an application context or applied globally. enum: - appState - globalState type: string required: - store meta: additionalProperties: {} type: object query: additionalProperties: {} type: object required: - meta type: array kql: description: A filter written in Kibana Query Language (KQL). type: string required: - kql - filters timeframe: additionalProperties: false description: Defines a period that limits whether the action runs. type: object properties: days: description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. items: enum: - 1 - 2 - 3 - 4 - 5 - 6 - 7 type: integer type: array hours: additionalProperties: false description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. type: object properties: end: description: The end of the time frame in 24-hour notation (`hh:mm`). type: string start: description: The start of the time frame in 24-hour notation (`hh:mm`). type: string required: - start - end timezone: description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. type: string required: - days - hours - timezone frequency: additionalProperties: false type: object properties: notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval type: string summary: description: Indicates whether the action is a summary. type: boolean throttle: description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - summary - notify_when - throttle group: description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. type: string id: description: The identifier for the connector saved object. type: string params: additionalProperties: {} default: {} description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. type: object use_alert_data_for_template: description: Indicates whether to use alert data as a template. type: boolean uuid: description: A universally unique identifier (UUID) for the action. type: string required: - id type: array alert_delay: additionalProperties: false description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. type: object properties: active: description: The number of consecutive runs that must meet the rule conditions. type: number required: - active artifacts: additionalProperties: false type: object properties: dashboards: items: additionalProperties: false type: object properties: id: type: string required: - id maxItems: 10 type: array investigation_guide: additionalProperties: false type: object properties: blob: maxLength: 10000 type: string required: - blob consumer: description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' type: string enabled: default: true description: Indicates whether you want to run the rule on an interval basis after it is created. type: boolean flapping: additionalProperties: false description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. nullable: true type: object properties: enabled: description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. type: boolean look_back_window: description: The minimum number of runs in which the threshold must be met. maximum: 20 minimum: 2 type: number status_change_threshold: description: The minimum number of times an alert must switch states in the look back window. maximum: 20 minimum: 2 type: number required: - look_back_window - status_change_threshold name: description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. type: string notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval nullable: true type: string params: additionalProperties: {} default: {} description: The parameters for the rule. type: object rule_type_id: description: The rule type identifier. type: string schedule: additionalProperties: false description: The check interval, which specifies how frequently the rule conditions are checked. type: object properties: interval: description: The interval is specified in seconds, minutes, hours, or days. type: string required: - interval tags: default: [] description: The tags for the rule. items: type: string type: array throttle: description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - name - consumer - schedule - rule_type_id responses: '200': content: application/json: examples: createEsQueryEsqlRuleResponse: description: The response for successfully creating an Elasticsearch query rule that uses Elasticsearch Query Language (ES|QL). summary: Elasticsearch query rule (ES|QL) value: actions: - connector_type_id: .server-log frequency: notify_when: onActiveAlert summary: false throttle: null group: query matched id: d0db1fe0-78d6-11ee-9177-f7d404c8c945 params: level: info message: |- Elasticsearch query rule '{{rule.name}}' is active: - Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} - Link: {{context.link}} uuid: bfe370a3-531b-4855-bbe6-ad739f578844 api_key_created_by_user: false api_key_owner: elastic consumer: stackAlerts created_at: '2023-11-01T19:00:10.453Z' created_by: elastic enabled: true execution_status: last_execution_date: '2023-11-01T19:00:10.453Z' status: pending id: e0d62360-78e8-11ee-9177-f7d404c8c945 mute_all: false muted_alert_ids: [] name: my Elasticsearch query ESQL rule notify_when: null params: aggType: count esqlQuery: esql: FROM kibana_sample_data_logs | keep bytes, clientip, host, geo.dest | WHERE geo.dest != "GB" | stats sumbytes = sum(bytes) by clientip, host | WHERE sumbytes > 5000 | sort sumbytes desc | limit 10 excludeHitsFromPreviousRun": true, groupBy: all searchType: esqlQuery size: 0 threshold: - 0 thresholdComparator: '>' timeField: '@timestamp' timeWindowSize: 1 timeWindowUnit: d revision: 0 rule_type_id: .es-query running: false schedule: interval: 1d scheduled_task_id: e0d62360-78e8-11ee-9177-f7d404c8c945 tags: [] throttle: null updated_at: '2023-11-01T19:00:10.453Z' updated_by: elastic", createEsQueryKqlRuleResponse: description: The response for successfully creating an Elasticsearch query rule that uses Kibana query language (KQL). summary: Elasticsearch query rule (KQL) value: actions: [] api_key_created_by_user: false api_key_owner: elastic consumer: alerts created_at: '2023-07-14T20:24:50.729Z' created_by: elastic enabled: true execution_status: last_execution_date: '2023-07-14T20:24:50.729Z' status: pending id: 7bd506d0-2284-11ee-8fad-6101956ced88 mute_all: false muted_alert_ids: [] name: my Elasticsearch query KQL rule" notify_when: null params: aggType: count excludeHitsFromPreviousRun: true groupBy: all searchConfiguration: index: 90943e30-9a47-11e8-b64d-95841ca0b247 query: language: kuery query: '""geo.src : "US" ""' searchType: searchSource size: 100 threshold: - 1000 thresholdComparator: '>' timeWindowSize: 5 timeWindowUnit: m revision: 0 rule_type_id: .es-query running: false schedule: interval: 1m scheduled_task_id: 7bd506d0-2284-11ee-8fad-6101956ced88 tags: [] throttle: null updated_at: '2023-07-14T20:24:50.729Z' updated_by: elastic createEsQueryRuleResponse: description: The response for successfully creating an Elasticsearch query rule that uses Elasticsearch query domain specific language (DSL). summary: Elasticsearch query rule (DSL) value: actions: - connector_type_id: .server-log frequency: notify_when: onThrottleInterval summary: true throttle: 1d group: query matched id: fdbece50-406c-11ee-850e-c71febc4ca7f params: level: info message: The system has detected {{alerts.new.count}} new, {{alerts.ongoing.count}} ongoing, and {{alerts.recovered.count}} recovered alerts. uuid: 53f3c2a3-e5d0-4cfa-af3b-6f0881385e78 - connector_type_id: .server-log frequency: notify_when: onActionGroupChange summary: false throttle: null group: recovered id: fdbece50-406c-11ee-850e-c71febc4ca7f params: level: info message: Recovered uuid: 2324e45b-c0df-45c7-9d70-4993e30be758 api_key_created_by_user: false api_key_owner: elastic consumer: alerts created_at: '2023-08-22T00:03:38.263Z' created_by: elastic enabled: true execution_status: last_execution_date: '2023-08-22T00:03:38.263Z' status: pending id: 58148c70-407f-11ee-850e-c71febc4ca7f mute_all: false muted_alert_ids: [] name: my Elasticsearch query rule notify_when: null params: aggType: count esQuery: '"""{"query":{"match_all" : {}}}"""' excludeHitsFromPreviousRun: true groupBy: all index: - kibana_sample_data_logs searchType: esQuery size: 100 threshold: - 100 thresholdComparator: '>' timeField: '@timestamp' timeWindowSize: 1 timeWindowUnit: d revision: 0 rule_type_id: .es-query running: false schedule: interval: 1d scheduled_task_id: 58148c70-407f-11ee-850e-c71febc4ca7f tags: [] throttle: null updated_at: '2023-08-22T00:03:38.263Z' updated_by: elastic createIndexThresholdRuleResponse: description: The response for successfully creating an index threshold rule. summary: Index threshold rule value: actions: - connector_type_id: .server-log frequency: notify_when: onActionGroupChange summary: false throttle: null group: threshold met id: dceeb5d0-6b41-11eb-802b-85b0c1bc8ba2 params: level: info message: |- Rule {{rule.name}} is active for group {{context.group} : - Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} uuid: 07aef2a0-9eed-4ef9-94ec-39ba58eb609d alert_delay: active: 3 api_key_created_by_user: false api_key_owner: elastic consumer: alerts created_at: '2022-06-08T17:20:31.632Z' created_by: elastic enabled: true execution_status: last_execution_date: '2022-06-08T17:20:31.632Z' status: pending id: 41893910-6bca-11eb-9e0d-85d233e3ee35 mute_all: false muted_alert_ids: [] name: my rule notify_when: null params: aggField: sheet.version aggType: avg groupBy: top index: - .test-index termField: name.keyword termSize: 6 threshold: - 1000 thresholdComparator: '>' timeField: '@timestamp' timeWindowSize: 5 timeWindowUnit: m revision: 0 rule_type_id: .index-threshold running: false schedule: interval: 1m scheduled_task_id: 425b0800-6bca-11eb-9e0d-85d233e3ee35 tags: - cpu throttle: null updated_at: '2022-06-08T17:20:31.632Z' updated_by: elastic createTrackingContainmentRuleResponse: description: The response for successfully creating a tracking containment rule. summary: Tracking containment rule value: actions: [] api_key_created_by_user: false api_key_owner: elastic consumer: alerts created_at: '2024-02-14T19:52:55.920Z' created_by: elastic enabled: true execution_status: last_duration: 74 last_execution_date: '2024-02-15T03:25:38.125Z' status: ok id: b6883f9d-5f70-4758-a66e-369d7c26012f last_run: alerts_count: active: 0 ignored: 0 new: 0 recovered: 0 outcome: succeeded outcome_msg: null outcome_order: 0 warning: null mute_all: false muted_alert_ids: [] name: my tracking rule next_run: '2024-02-15T03:26:38.033Z' notify_when: null params: boundaryGeoField: location boundaryIndexId: 0cd90abf-abe7-44c7-909a-f621bbbcfefc boundaryIndexTitle: boundary* boundaryNameField: name boundaryType: entireIndex dateField: '@timestamp' entity: agent.keyword geoField: geo.coordinates index: kibana_sample_data_logs indexId: 90943e30-9a47-11e8-b64d-95841ca0b247 revision: 1 rule_type_id: .geo-containment running: false schedule: interval: 1h scheduled_task_id: b6883f9d-5f70-4758-a66e-369d7c26012f tags: [] throttle: null updated_at: '2024-02-15T03:24:32.574Z' updated_by: elastic schema: additionalProperties: false type: object properties: actions: items: additionalProperties: false type: object properties: alerts_filter: additionalProperties: false description: Defines a period that limits whether the action runs. type: object properties: query: additionalProperties: false type: object properties: dsl: description: A filter written in Elasticsearch Query Domain Specific Language (DSL). type: string filters: description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. items: additionalProperties: false type: object properties: $state: additionalProperties: false type: object properties: store: description: A filter can be either specific to an application context or applied globally. enum: - appState - globalState type: string required: - store meta: additionalProperties: {} type: object query: additionalProperties: {} type: object required: - meta type: array kql: description: A filter written in Kibana Query Language (KQL). type: string required: - kql - filters timeframe: additionalProperties: false type: object properties: days: description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. items: enum: - 1 - 2 - 3 - 4 - 5 - 6 - 7 type: integer type: array hours: additionalProperties: false type: object properties: end: description: The end of the time frame in 24-hour notation (`hh:mm`). type: string start: description: The start of the time frame in 24-hour notation (`hh:mm`). type: string required: - start - end timezone: description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. type: string required: - days - hours - timezone connector_type_id: description: The type of connector. This property appears in responses but cannot be set in requests. type: string frequency: additionalProperties: false type: object properties: notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval type: string summary: description: Indicates whether the action is a summary. type: boolean throttle: description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if ''notify_when'' is set to ''onThrottleInterval''. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - summary - notify_when - throttle group: description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. type: string id: description: The identifier for the connector saved object. type: string params: additionalProperties: {} description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. type: object use_alert_data_for_template: description: Indicates whether to use alert data as a template. type: boolean uuid: description: A universally unique identifier (UUID) for the action. type: string required: - id - connector_type_id - params type: array active_snoozes: items: description: List of active snoozes for the rule. type: string type: array alert_delay: additionalProperties: false description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. type: object properties: active: description: The number of consecutive runs that must meet the rule conditions. type: number required: - active api_key_created_by_user: description: Indicates whether the API key that is associated with the rule was created by the user. nullable: true type: boolean api_key_owner: description: The owner of the API key that is associated with the rule and used to run background tasks. nullable: true type: string artifacts: additionalProperties: false type: object properties: dashboards: items: additionalProperties: false type: object properties: id: type: string required: - id type: array investigation_guide: additionalProperties: false type: object properties: blob: description: User-created content that describes alert causes and remdiation. type: string required: - blob consumer: description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' type: string created_at: description: The date and time that the rule was created. type: string created_by: description: The identifier for the user that created the rule. nullable: true type: string enabled: description: Indicates whether you want to run the rule on an interval basis after it is created. type: boolean execution_status: additionalProperties: false type: object properties: error: additionalProperties: false type: object properties: message: description: Error message. type: string reason: description: Reason for error. enum: - read - decrypt - execute - unknown - license - timeout - disabled - validate type: string required: - reason - message last_duration: description: Duration of last execution of the rule. type: number last_execution_date: description: The date and time when rule was executed last. type: string status: description: Status of rule execution. enum: - ok - active - error - warning - pending - unknown type: string warning: additionalProperties: false type: object properties: message: description: Warning message. type: string reason: description: Reason for warning. enum: - maxExecutableActions - maxAlerts - maxQueuedActions - ruleExecution type: string required: - reason - message required: - status - last_execution_date flapping: additionalProperties: false description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. nullable: true type: object properties: enabled: description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. type: boolean look_back_window: description: The minimum number of runs in which the threshold must be met. maximum: 20 minimum: 2 type: number status_change_threshold: description: The minimum number of times an alert must switch states in the look back window. maximum: 20 minimum: 2 type: number required: - look_back_window - status_change_threshold id: description: The identifier for the rule. type: string is_snoozed_until: description: The date when the rule will no longer be snoozed. nullable: true type: string last_run: additionalProperties: false nullable: true type: object properties: alerts_count: additionalProperties: false type: object properties: active: description: Number of active alerts during last run. nullable: true type: number ignored: description: Number of ignored alerts during last run. nullable: true type: number new: description: Number of new alerts during last run. nullable: true type: number recovered: description: Number of recovered alerts during last run. nullable: true type: number outcome: description: Outcome of last run of the rule. Value could be succeeded, warning or failed. enum: - succeeded - warning - failed type: string outcome_msg: items: description: Outcome message generated during last rule run. type: string nullable: true type: array outcome_order: description: Order of the outcome. type: number warning: description: Warning of last rule execution. enum: - read - decrypt - execute - unknown - license - timeout - disabled - validate - maxExecutableActions - maxAlerts - maxQueuedActions - ruleExecution nullable: true type: string required: - outcome - alerts_count mapped_params: additionalProperties: {} type: object monitoring: additionalProperties: false description: Monitoring details of the rule. type: object properties: run: additionalProperties: false description: Rule run details. type: object properties: calculated_metrics: additionalProperties: false description: Calculation of different percentiles and success ratio. type: object properties: p50: type: number p95: type: number p99: type: number success_ratio: type: number required: - success_ratio history: description: History of the rule run. items: additionalProperties: false type: object properties: duration: description: Duration of the rule run. type: number outcome: description: Outcome of last run of the rule. Value could be succeeded, warning or failed. enum: - succeeded - warning - failed type: string success: description: Indicates whether the rule run was successful. type: boolean timestamp: description: Time of rule run. type: number required: - success - timestamp type: array last_run: additionalProperties: false type: object properties: metrics: additionalProperties: false type: object properties: duration: description: Duration of most recent rule run. type: number gap_duration_s: description: Duration in seconds of rule run gap. nullable: true type: number gap_range: additionalProperties: false nullable: true type: object properties: gte: description: End of the gap range. type: string lte: description: Start of the gap range. type: string required: - lte - gte total_alerts_created: description: Total number of alerts created during last rule run. nullable: true type: number total_alerts_detected: description: Total number of alerts detected during last rule run. nullable: true type: number total_indexing_duration_ms: description: Total time spent indexing documents during last rule run in milliseconds. nullable: true type: number total_search_duration_ms: description: Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response. nullable: true type: number timestamp: description: Time of the most recent rule run. type: string required: - timestamp - metrics required: - history - calculated_metrics - last_run required: - run mute_all: description: Indicates whether all alerts are muted. type: boolean muted_alert_ids: items: description: 'List of identifiers of muted alerts. ' type: string type: array name: description: ' The name of the rule.' type: string next_run: description: Date and time of the next run of the rule. nullable: true type: string notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval nullable: true type: string params: additionalProperties: {} description: The parameters for the rule. type: object revision: description: The rule revision number. type: number rule_type_id: description: The rule type identifier. type: string running: description: Indicates whether the rule is running. nullable: true type: boolean schedule: additionalProperties: false type: object properties: interval: description: The interval is specified in seconds, minutes, hours, or days. type: string required: - interval scheduled_task_id: description: Identifier of the scheduled task. type: string snooze_schedule: items: additionalProperties: false type: object properties: duration: description: Duration of the rule snooze schedule. type: number id: description: Identifier of the rule snooze schedule. type: string rRule: additionalProperties: false type: object properties: byhour: items: description: Indicates hours of the day to recur. type: number nullable: true type: array byminute: items: description: Indicates minutes of the hour to recur. type: number nullable: true type: array bymonth: items: description: Indicates months of the year that this rule should recur. type: number nullable: true type: array bymonthday: items: description: Indicates the days of the month to recur. type: number nullable: true type: array bysecond: items: description: Indicates seconds of the day to recur. type: number nullable: true type: array bysetpos: items: description: A positive or negative integer affecting the nth day of the month. For example, -2 combined with `byweekday` of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use `byweekday`. type: number nullable: true type: array byweekday: items: anyOf: - type: string - type: number description: Indicates the days of the week to recur or else nth-day-of-month strings. For example, "+2TU" second Tuesday of month, "-1FR" last Friday of the month, which are internally converted to a `byweekday/bysetpos` combination. nullable: true type: array byweekno: items: description: Indicates number of the week hours to recur. type: number nullable: true type: array byyearday: items: description: Indicates the days of the year that this rule should recur. type: number nullable: true type: array count: description: Number of times the rule should recur until it stops. type: number dtstart: description: Rule start date in Coordinated Universal Time (UTC). type: string freq: description: Indicates frequency of the rule. Options are YEARLY, MONTHLY, WEEKLY, DAILY. enum: - 0 - 1 - 2 - 3 - 4 - 5 - 6 type: integer interval: description: Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks. type: number tzid: description: Indicates timezone abbreviation. type: string until: description: Recur the rule until this date. type: string wkst: description: Indicates the start of week, defaults to Monday. enum: - MO - TU - WE - TH - FR - SA - SU type: string required: - dtstart - tzid skipRecurrences: items: description: Skips recurrence of rule on this date. type: string type: array required: - duration - rRule type: array tags: items: description: The tags for the rule. type: string type: array throttle: deprecated: true description: 'Deprecated in 8.13.0. Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string updated_at: description: The date and time that the rule was updated most recently. type: string updated_by: description: The identifier for the user that updated this rule most recently. nullable: true type: string view_in_app_relative_url: description: Relative URL to view rule in the app. nullable: true type: string required: - id - enabled - name - tags - rule_type_id - consumer - schedule - actions - params - created_by - updated_by - created_at - updated_at - api_key_owner - mute_all - muted_alert_ids - execution_status - revision description: Indicates a successful call. '400': description: Indicates an invalid schema or parameters. '403': description: Indicates that this call is forbidden. '409': description: Indicates that the rule id is already in use. summary: Create a rule tags: - alerting x-metaTags: - content: Kibana name: product_name description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/alerting/rule/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. put: operationId: put-alerting-rule-id parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The identifier for the rule. in: path name: id required: true schema: type: string requestBody: content: application/json: examples: updateRuleRequest: description: Update an index threshold rule that uses a server log connector to send notifications when the threshold is met. summary: Index threshold rule value: actions: - frequency: notify_when: onActionGroupChange summary: false group: threshold met id: 96b668d0-a1b6-11ed-afdf-d39a49596974 params: level: info message: |- Rule {{rule.name}} is active for group {{context.group}}: - Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} name: new name params: aggField: sheet.version aggType: avg groupBy: top index: - .updated-index termField: name.keyword termSize: 6 threshold: - 1000 thresholdComparator: '>' timeField: '@timestamp' timeWindowSize: 5 timeWindowUnit: m schedule: interval: 1m tags: [] schema: additionalProperties: false type: object properties: actions: default: [] items: additionalProperties: false description: An action that runs under defined conditions. type: object properties: alerts_filter: additionalProperties: false type: object properties: query: additionalProperties: false type: object properties: dsl: description: A filter written in Elasticsearch Query Domain Specific Language (DSL). type: string filters: description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. items: additionalProperties: false type: object properties: $state: additionalProperties: false type: object properties: store: description: A filter can be either specific to an application context or applied globally. enum: - appState - globalState type: string required: - store meta: additionalProperties: {} type: object query: additionalProperties: {} type: object required: - meta type: array kql: description: A filter written in Kibana Query Language (KQL). type: string required: - kql - filters timeframe: additionalProperties: false description: Defines a period that limits whether the action runs. type: object properties: days: description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. items: enum: - 1 - 2 - 3 - 4 - 5 - 6 - 7 type: integer type: array hours: additionalProperties: false description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. type: object properties: end: description: The end of the time frame in 24-hour notation (`hh:mm`). type: string start: description: The start of the time frame in 24-hour notation (`hh:mm`). type: string required: - start - end timezone: description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. type: string required: - days - hours - timezone frequency: additionalProperties: false type: object properties: notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval type: string summary: description: Indicates whether the action is a summary. type: boolean throttle: description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - summary - notify_when - throttle group: description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. type: string id: description: The identifier for the connector saved object. type: string params: additionalProperties: {} default: {} description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. type: object use_alert_data_for_template: description: Indicates whether to use alert data as a template. type: boolean uuid: description: A universally unique identifier (UUID) for the action. type: string required: - id type: array alert_delay: additionalProperties: false description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. type: object properties: active: description: The number of consecutive runs that must meet the rule conditions. type: number required: - active artifacts: additionalProperties: false type: object properties: dashboards: items: additionalProperties: false type: object properties: id: type: string required: - id maxItems: 10 type: array investigation_guide: additionalProperties: false type: object properties: blob: maxLength: 10000 type: string required: - blob flapping: additionalProperties: false description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. nullable: true type: object properties: enabled: description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. type: boolean look_back_window: description: The minimum number of runs in which the threshold must be met. maximum: 20 minimum: 2 type: number status_change_threshold: description: The minimum number of times an alert must switch states in the look back window. maximum: 20 minimum: 2 type: number required: - look_back_window - status_change_threshold name: description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. type: string notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval nullable: true type: string params: additionalProperties: {} default: {} description: The parameters for the rule. type: object schedule: additionalProperties: false type: object properties: interval: description: The interval is specified in seconds, minutes, hours, or days. type: string required: - interval tags: default: [] items: description: The tags for the rule. type: string type: array throttle: description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - name - schedule responses: '200': content: application/json: examples: updateRuleResponse: description: The response for successfully updating an index threshold rule. summary: Index threshold rule value: actions: - connector_type_id: .server-log frequency: notify_when: onActionGroupChange summary: false throttle: null group: threshold met id: 96b668d0-a1b6-11ed-afdf-d39a49596974 params: level: info message: |- Rule {{rule.name}} is active for group {{context.group}}: - Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date} uuid: 07aef2a0-9eed-4ef9-94ec-39ba58eb609d api_key_created_by_user: false api_key_owner: elastic consumer: alerts created_at: '2024-03-26T23:13:20.985Z' created_by: elastic enabled: true execution_status: last_duration: 52 last_execution_date: '2024-03-26T23:22:51.390Z' status: ok id: ac4e6b90-6be7-11eb-ba0d-9b1c1f912d74 last_run: alerts_count: active: 0 ignored: 0 new: 0 recovered: 0 outcome: succeeded outcome_msg: null warning: null mute_all: false muted_alert_ids: [] name: new name next_run: '2024-03-26T23:23:51.316Z' params: aggField: sheet.version aggType: avg groupBy: top index: - .updated-index termField: name.keyword termSize: 6 threshold: - 1000 thresholdComparator: '>' timeField: '@timestamp' timeWindowSize: 5 timeWindowUnit: m revision: 1 rule_type_id: .index-threshold running: false schedule: interval: 1m scheduled_task_id: 4c5eda00-e74f-11ec-b72f-5b18752ff9ea tags: [] throttle: null updated_at: '2024-03-26T23:22:59.949Z' updated_by: elastic schema: additionalProperties: false type: object properties: actions: items: additionalProperties: false type: object properties: alerts_filter: additionalProperties: false description: Defines a period that limits whether the action runs. type: object properties: query: additionalProperties: false type: object properties: dsl: description: A filter written in Elasticsearch Query Domain Specific Language (DSL). type: string filters: description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. items: additionalProperties: false type: object properties: $state: additionalProperties: false type: object properties: store: description: A filter can be either specific to an application context or applied globally. enum: - appState - globalState type: string required: - store meta: additionalProperties: {} type: object query: additionalProperties: {} type: object required: - meta type: array kql: description: A filter written in Kibana Query Language (KQL). type: string required: - kql - filters timeframe: additionalProperties: false type: object properties: days: description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. items: enum: - 1 - 2 - 3 - 4 - 5 - 6 - 7 type: integer type: array hours: additionalProperties: false type: object properties: end: description: The end of the time frame in 24-hour notation (`hh:mm`). type: string start: description: The start of the time frame in 24-hour notation (`hh:mm`). type: string required: - start - end timezone: description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. type: string required: - days - hours - timezone connector_type_id: description: The type of connector. This property appears in responses but cannot be set in requests. type: string frequency: additionalProperties: false type: object properties: notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval type: string summary: description: Indicates whether the action is a summary. type: boolean throttle: description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if ''notify_when'' is set to ''onThrottleInterval''. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - summary - notify_when - throttle group: description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. type: string id: description: The identifier for the connector saved object. type: string params: additionalProperties: {} description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. type: object use_alert_data_for_template: description: Indicates whether to use alert data as a template. type: boolean uuid: description: A universally unique identifier (UUID) for the action. type: string required: - id - connector_type_id - params type: array active_snoozes: items: description: List of active snoozes for the rule. type: string type: array alert_delay: additionalProperties: false description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. type: object properties: active: description: The number of consecutive runs that must meet the rule conditions. type: number required: - active api_key_created_by_user: description: Indicates whether the API key that is associated with the rule was created by the user. nullable: true type: boolean api_key_owner: description: The owner of the API key that is associated with the rule and used to run background tasks. nullable: true type: string artifacts: additionalProperties: false type: object properties: dashboards: items: additionalProperties: false type: object properties: id: type: string required: - id type: array investigation_guide: additionalProperties: false type: object properties: blob: description: User-created content that describes alert causes and remdiation. type: string required: - blob consumer: description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' type: string created_at: description: The date and time that the rule was created. type: string created_by: description: The identifier for the user that created the rule. nullable: true type: string enabled: description: Indicates whether you want to run the rule on an interval basis after it is created. type: boolean execution_status: additionalProperties: false type: object properties: error: additionalProperties: false type: object properties: message: description: Error message. type: string reason: description: Reason for error. enum: - read - decrypt - execute - unknown - license - timeout - disabled - validate type: string required: - reason - message last_duration: description: Duration of last execution of the rule. type: number last_execution_date: description: The date and time when rule was executed last. type: string status: description: Status of rule execution. enum: - ok - active - error - warning - pending - unknown type: string warning: additionalProperties: false type: object properties: message: description: Warning message. type: string reason: description: Reason for warning. enum: - maxExecutableActions - maxAlerts - maxQueuedActions - ruleExecution type: string required: - reason - message required: - status - last_execution_date flapping: additionalProperties: false description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. nullable: true type: object properties: enabled: description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. type: boolean look_back_window: description: The minimum number of runs in which the threshold must be met. maximum: 20 minimum: 2 type: number status_change_threshold: description: The minimum number of times an alert must switch states in the look back window. maximum: 20 minimum: 2 type: number required: - look_back_window - status_change_threshold id: description: The identifier for the rule. type: string is_snoozed_until: description: The date when the rule will no longer be snoozed. nullable: true type: string last_run: additionalProperties: false nullable: true type: object properties: alerts_count: additionalProperties: false type: object properties: active: description: Number of active alerts during last run. nullable: true type: number ignored: description: Number of ignored alerts during last run. nullable: true type: number new: description: Number of new alerts during last run. nullable: true type: number recovered: description: Number of recovered alerts during last run. nullable: true type: number outcome: description: Outcome of last run of the rule. Value could be succeeded, warning or failed. enum: - succeeded - warning - failed type: string outcome_msg: items: description: Outcome message generated during last rule run. type: string nullable: true type: array outcome_order: description: Order of the outcome. type: number warning: description: Warning of last rule execution. enum: - read - decrypt - execute - unknown - license - timeout - disabled - validate - maxExecutableActions - maxAlerts - maxQueuedActions - ruleExecution nullable: true type: string required: - outcome - alerts_count mapped_params: additionalProperties: {} type: object monitoring: additionalProperties: false description: Monitoring details of the rule. type: object properties: run: additionalProperties: false description: Rule run details. type: object properties: calculated_metrics: additionalProperties: false description: Calculation of different percentiles and success ratio. type: object properties: p50: type: number p95: type: number p99: type: number success_ratio: type: number required: - success_ratio history: description: History of the rule run. items: additionalProperties: false type: object properties: duration: description: Duration of the rule run. type: number outcome: description: Outcome of last run of the rule. Value could be succeeded, warning or failed. enum: - succeeded - warning - failed type: string success: description: Indicates whether the rule run was successful. type: boolean timestamp: description: Time of rule run. type: number required: - success - timestamp type: array last_run: additionalProperties: false type: object properties: metrics: additionalProperties: false type: object properties: duration: description: Duration of most recent rule run. type: number gap_duration_s: description: Duration in seconds of rule run gap. nullable: true type: number gap_range: additionalProperties: false nullable: true type: object properties: gte: description: End of the gap range. type: string lte: description: Start of the gap range. type: string required: - lte - gte total_alerts_created: description: Total number of alerts created during last rule run. nullable: true type: number total_alerts_detected: description: Total number of alerts detected during last rule run. nullable: true type: number total_indexing_duration_ms: description: Total time spent indexing documents during last rule run in milliseconds. nullable: true type: number total_search_duration_ms: description: Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response. nullable: true type: number timestamp: description: Time of the most recent rule run. type: string required: - timestamp - metrics required: - history - calculated_metrics - last_run required: - run mute_all: description: Indicates whether all alerts are muted. type: boolean muted_alert_ids: items: description: 'List of identifiers of muted alerts. ' type: string type: array name: description: ' The name of the rule.' type: string next_run: description: Date and time of the next run of the rule. nullable: true type: string notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval nullable: true type: string params: additionalProperties: {} description: The parameters for the rule. type: object revision: description: The rule revision number. type: number rule_type_id: description: The rule type identifier. type: string running: description: Indicates whether the rule is running. nullable: true type: boolean schedule: additionalProperties: false type: object properties: interval: description: The interval is specified in seconds, minutes, hours, or days. type: string required: - interval scheduled_task_id: description: Identifier of the scheduled task. type: string snooze_schedule: items: additionalProperties: false type: object properties: duration: description: Duration of the rule snooze schedule. type: number id: description: Identifier of the rule snooze schedule. type: string rRule: additionalProperties: false type: object properties: byhour: items: description: Indicates hours of the day to recur. type: number nullable: true type: array byminute: items: description: Indicates minutes of the hour to recur. type: number nullable: true type: array bymonth: items: description: Indicates months of the year that this rule should recur. type: number nullable: true type: array bymonthday: items: description: Indicates the days of the month to recur. type: number nullable: true type: array bysecond: items: description: Indicates seconds of the day to recur. type: number nullable: true type: array bysetpos: items: description: A positive or negative integer affecting the nth day of the month. For example, -2 combined with `byweekday` of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use `byweekday`. type: number nullable: true type: array byweekday: items: anyOf: - type: string - type: number description: Indicates the days of the week to recur or else nth-day-of-month strings. For example, "+2TU" second Tuesday of month, "-1FR" last Friday of the month, which are internally converted to a `byweekday/bysetpos` combination. nullable: true type: array byweekno: items: description: Indicates number of the week hours to recur. type: number nullable: true type: array byyearday: items: description: Indicates the days of the year that this rule should recur. type: number nullable: true type: array count: description: Number of times the rule should recur until it stops. type: number dtstart: description: Rule start date in Coordinated Universal Time (UTC). type: string freq: description: Indicates frequency of the rule. Options are YEARLY, MONTHLY, WEEKLY, DAILY. enum: - 0 - 1 - 2 - 3 - 4 - 5 - 6 type: integer interval: description: Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks. type: number tzid: description: Indicates timezone abbreviation. type: string until: description: Recur the rule until this date. type: string wkst: description: Indicates the start of week, defaults to Monday. enum: - MO - TU - WE - TH - FR - SA - SU type: string required: - dtstart - tzid skipRecurrences: items: description: Skips recurrence of rule on this date. type: string type: array required: - duration - rRule type: array tags: items: description: The tags for the rule. type: string type: array throttle: deprecated: true description: 'Deprecated in 8.13.0. Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string updated_at: description: The date and time that the rule was updated most recently. type: string updated_by: description: The identifier for the user that updated this rule most recently. nullable: true type: string view_in_app_relative_url: description: Relative URL to view rule in the app. nullable: true type: string required: - id - enabled - name - tags - rule_type_id - consumer - schedule - actions - params - created_by - updated_by - created_at - updated_at - api_key_owner - mute_all - muted_alert_ids - execution_status - revision description: Indicates a successful call. '400': description: Indicates an invalid schema or parameters. '403': description: Indicates that this call is forbidden. '404': description: Indicates a rule with the given ID does not exist. '409': description: Indicates that the rule has already been updated by another user. summary: Update a rule tags: - alerting x-metaTags: - content: Kibana name: product_name description: |- **Spaces method and path for this operation:**
put /s/{space_id}/api/alerting/rule/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. /api/alerting/rule/{id}/_disable: post: operationId: post-alerting-rule-id-disable parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The identifier for the rule. in: path name: id required: true schema: type: string requestBody: content: application/json: schema: additionalProperties: false nullable: true type: object properties: untrack: description: Defines whether this rule's alerts should be untracked. type: boolean x-oas-optional: true responses: '204': description: Indicates a successful call. '400': description: Indicates an invalid schema. '403': description: Indicates that this call is forbidden. '404': description: Indicates a rule with the given ID does not exist. summary: Disable a rule tags: - alerting x-metaTags: - content: Kibana name: product_name description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/alerting/rule/{id}/_disable
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. /api/alerting/rule/{id}/_enable: post: operationId: post-alerting-rule-id-enable parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The identifier for the rule. in: path name: id required: true schema: type: string responses: '204': description: Indicates a successful call. '400': description: Indicates an invalid schema or parameters. '403': description: Indicates that this call is forbidden. '404': description: Indicates a rule with the given ID does not exist. summary: Enable a rule tags: - alerting x-metaTags: - content: Kibana name: product_name description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/alerting/rule/{id}/_enable
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. /api/alerting/rule/{id}/_mute_all: post: operationId: post-alerting-rule-id-mute-all parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The identifier for the rule. in: path name: id required: true schema: type: string responses: '204': description: Indicates a successful call. '400': description: Indicates an invalid schema or parameters. '403': description: Indicates that this call is forbidden. '404': description: Indicates a rule with the given ID does not exist. summary: Mute all alerts tags: - alerting x-metaTags: - content: Kibana name: product_name description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/alerting/rule/{id}/_mute_all
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. /api/alerting/rule/{id}/_unmute_all: post: operationId: post-alerting-rule-id-unmute-all parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The identifier for the rule. in: path name: id required: true schema: type: string responses: '204': description: Indicates a successful call. '400': description: Indicates an invalid schema or parameters. '403': description: Indicates that this call is forbidden. '404': description: Indicates a rule with the given ID does not exist. summary: Unmute all alerts tags: - alerting x-metaTags: - content: Kibana name: product_name description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/alerting/rule/{id}/_unmute_all
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. /api/alerting/rule/{id}/_update_api_key: post: operationId: post-alerting-rule-id-update-api-key parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The identifier for the rule. in: path name: id required: true schema: type: string responses: '204': description: Indicates a successful call. '400': description: Indicates an invalid schema or parameters. '403': description: Indicates that this call is forbidden. '404': description: Indicates a rule with the given ID does not exist. '409': description: Indicates that the rule has already been updated by another user. summary: Update the API key for a rule tags: - alerting x-metaTags: - content: Kibana name: product_name description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/alerting/rule/{id}/_update_api_key
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. /api/alerting/rule/{id}/snooze_schedule: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/alerting/rule/{id}/snooze_schedule
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. When you snooze a rule, the rule checks continue to run but alerts will not generate actions. You can snooze for a specified period of time and schedule single or recurring downtimes. operationId: post-alerting-rule-id-snooze-schedule parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: Identifier of the rule. in: path name: id required: true schema: type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: schedule: additionalProperties: false type: object properties: custom: additionalProperties: false type: object properties: duration: description: 'The duration of the schedule. It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.' type: string recurring: additionalProperties: false type: object properties: end: description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.' type: string every: description: 'The interval and frequency of a recurring schedule. It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.' type: string occurrences: description: The total number of recurrences of the schedule. minimum: 1 type: number onMonth: description: The specific months for a recurring schedule. Valid values are 1-12. items: maximum: 12 minimum: 1 type: number minItems: 1 type: array onMonthDay: description: The specific days of the month for a recurring schedule. Valid values are 1-31. items: maximum: 31 minimum: 1 type: number minItems: 1 type: array onWeekDay: description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule. items: type: string minItems: 1 type: array start: description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.' type: string timezone: description: The timezone of the schedule. The default timezone is UTC. type: string required: - start - duration required: - schedule responses: '200': content: application/json: schema: additionalProperties: false type: object properties: body: additionalProperties: false type: object properties: schedule: additionalProperties: false type: object properties: custom: additionalProperties: false type: object properties: duration: description: 'The duration of the schedule. It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.' type: string recurring: additionalProperties: false type: object properties: end: description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.' type: string every: description: 'The interval and frequency of a recurring schedule. It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.' type: string occurrences: description: The total number of recurrences of the schedule. minimum: 1 type: number onMonth: description: The specific months for a recurring schedule. Valid values are 1-12. items: maximum: 12 minimum: 1 type: number minItems: 1 type: array onMonthDay: description: The specific days of the month for a recurring schedule. Valid values are 1-31. items: maximum: 31 minimum: 1 type: number minItems: 1 type: array onWeekDay: description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule. items: type: string minItems: 1 type: array start: description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.' type: string timezone: description: The timezone of the schedule. The default timezone is UTC. type: string required: - start - duration id: description: Identifier of the snooze schedule. type: string required: - id required: - schedule required: - body description: Indicates a successful call. '400': description: Indicates an invalid schema. '403': description: Indicates that this call is forbidden. '404': description: Indicates a rule with the given id does not exist. summary: Schedule a snooze for the rule tags: - alerting x-state: Generally available; added in 8.19.0 x-metaTags: - content: Kibana name: product_name /api/alerting/rule/{rule_id}/alert/{alert_id}/_mute: post: operationId: post-alerting-rule-rule-id-alert-alert-id-mute parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The identifier for the rule. in: path name: rule_id required: true schema: type: string - description: The identifier for the alert. in: path name: alert_id required: true schema: type: string - description: Whether to validate the existence of the alert. in: query name: validate_alerts_existence required: false schema: type: boolean responses: '204': description: Indicates a successful call. '400': description: Indicates an invalid schema or parameters. '403': description: Indicates that this call is forbidden. '404': description: Indicates a rule or alert with the given ID does not exist. summary: Mute an alert tags: - alerting x-metaTags: - content: Kibana name: product_name description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/alerting/rule/{rule_id}/alert/{alert_id}/_mute
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. /api/alerting/rule/{rule_id}/alert/{alert_id}/_unmute: post: operationId: post-alerting-rule-rule-id-alert-alert-id-unmute parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The identifier for the rule. in: path name: rule_id required: true schema: type: string - description: The identifier for the alert. in: path name: alert_id required: true schema: type: string responses: '204': description: Indicates a successful call. '400': description: Indicates an invalid schema or parameters. '403': description: Indicates that this call is forbidden. '404': description: Indicates a rule or alert with the given ID does not exist. summary: Unmute an alert tags: - alerting x-metaTags: - content: Kibana name: product_name description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/alerting/rule/{rule_id}/alert/{alert_id}/_unmute
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. /api/alerting/rule/{ruleId}/snooze_schedule/{scheduleId}: delete: operationId: delete-alerting-rule-ruleid-snooze-schedule-scheduleid parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The identifier for the rule. in: path name: ruleId required: true schema: type: string - description: The identifier for the snooze schedule. in: path name: scheduleId required: true schema: type: string responses: '204': description: Indicates a successful call. '400': description: Indicates an invalid schema. '403': description: Indicates that this call is forbidden. '404': description: Indicates a rule with the given id does not exist. summary: Delete a snooze schedule for a rule tags: - alerting x-state: Generally available; added in 8.19.0 x-metaTags: - content: Kibana name: product_name description: |- **Spaces method and path for this operation:**
delete /s/{space_id}/api/alerting/rule/{ruleId}/snooze_schedule/{scheduleId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. /api/alerting/rules/_find: get: operationId: get-alerting-rules-find parameters: - description: The number of rules to return per page. in: query name: per_page required: false schema: default: 10 minimum: 0 type: number - description: The page number to return. in: query name: page required: false schema: default: 1 minimum: 1 type: number - description: An Elasticsearch simple_query_string query that filters the objects in the response. in: query name: search required: false schema: type: string - description: The default operator to use for the simple_query_string. in: query name: default_search_operator required: false schema: default: OR enum: - OR - AND type: string - description: The fields to perform the simple_query_string parsed query against. in: query name: search_fields required: false schema: items: type: string type: array - description: Determines which field is used to sort the results. The field must exist in the `attributes` key of the response. in: query name: sort_field required: false schema: type: string - description: Determines the sort order. in: query name: sort_order required: false schema: enum: - asc - desc type: string - description: Filters the rules that have a relation with the reference objects with a specific type and identifier. in: query name: has_reference required: false schema: additionalProperties: false nullable: true type: object properties: id: type: string type: type: string required: - type - id - description: The fields to return in the `attributes` key of the response. in: query name: fields required: false schema: items: type: string type: array - description: 'A KQL string that you filter with an attribute from your saved object. It should look like `savedObjectType.attributes.title: "myTitle"`. However, if you used a direct attribute of a saved object, such as `updatedAt`, you must define your filter, for example, `savedObjectType.updatedAt > 2018-12-22`.' in: query name: filter required: false schema: type: string - in: query name: filter_consumers required: false schema: items: description: List of consumers to filter. type: string type: array responses: '200': content: application/json: examples: findConditionalActionRulesResponse: description: A response that contains information about an index threshold rule. summary: Index threshold rule value: data: - actions: - frequency: notify_when: onActionGroupChange summary: false throttle: null group: threshold met id: 9dca3e00-74f5-11ed-9801-35303b735aef params: connector_type_id: .server-log level: info message: |- Rule {{rule.name}} is active for group {{context.group}}: - Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} uuid: 1c7a1280-f28c-4e06-96b2-e4e5f05d1d61 api_key_created_by_user: false api_key_owner: elastic consumer: alerts created_at: '2022-12-05T23:40:33.132Z' created_by: elastic enabled: true execution_status: last_duration: 48 last_execution_date: '2022-12-06T01:44:23.983Z' status: ok id: 3583a470-74f6-11ed-9801-35303b735aef last_run: alerts_count: active: 0 ignored: 0 new: 0 recovered: 0 outcome: succeeded outcome_msg: null warning: null mute_all: false muted_alert_ids: [] name: my alert next_run: '2022-12-06T01:45:23.912Z' params: aggField: sheet.version aggType: avg groupBy: top index: - test-index termField: name.keyword termSize: 6 threshold: - 1000 thresholdComparator: '>' timeField: '@timestamp' timeWindowSize: 5 timeWindowUnit: m revision: 1 rule_type_id: .index-threshold schedule: interval: 1m scheduled_task_id: 3583a470-74f6-11ed-9801-35303b735aef tags: - cpu throttle: null updated_at: '2022-12-05T23:40:33.132Z' updated_by: elastic page: 1 per_page: 10 total: 1 findRulesResponse: description: A response that contains information about a security rule that has conditional actions. summary: Security rule value: data: - actions: - alerts_filter: query: filters: - $state: store: appState meta: alias: null disabled: false field: client.geo.region_iso_code index: c4bdca79-e69e-4d80-82a1-e5192c621bea key: client.geo.region_iso_code negate: false params: query: CA-QC type: phrase query: match_phrase: client.geo.region_iso_code: CA-QC kql: '' timeframe: days: - 7 hours: end: '17:00' start: '08:00' timezone: UTC connector_type_id: .index frequency: notify_when: onActiveAlert summary: true throttle: null group: default id: 49eae970-f401-11ed-9f8e-399c75a2deeb params: documents: - alert_id: '[object Object]': null context_message: '[object Object]': null rule_id: '[object Object]': null rule_name: '[object Object]': null uuid: 1c7a1280-f28c-4e06-96b2-e4e5f05d1d61 api_key_created_by_user: false api_key_owner: elastic consumer: siem created_at: '2023-05-16T15:50:28.358Z' created_by: elastic enabled: true execution_status: last_duration: 166 last_execution_date: '2023-05-16T20:26:49.590Z' status: ok id: 6107a8f0-f401-11ed-9f8e-399c75a2deeb last_run: alerts_count: active: 0 ignored: 0 new: 0 recovered: 0 outcome: succeeded outcome_msg: - Rule execution completed successfully outcome_order: 0 warning: null mute_all: false muted_alert_ids: [] name: security_rule next_run: '2023-05-16T20:27:49.507Z' notify_when: null params: author: [] description: A security threshold rule. exceptionsList: [] falsePositives: [] filters: [] from: now-3660s immutable: false index: - kibana_sample_data_logs language: kuery license: '' maxSignals: 100 meta: from: 1h kibana_siem_app_url: https://localhost:5601/app/security outputIndex: '' query: '*' references: [] riskScore: 21 riskScoreMapping: [] ruleId: an_internal_rule_id severity: low severityMapping: [] threat: [] threshold: cardinality: [] field: - bytes value: 1 to: now type: threshold version: 1 revision: 1 rule_type_id: siem.thresholdRule running: false schedule: interval: 1m scheduled_task_id: 6107a8f0-f401-11ed-9f8e-399c75a2deeb tags: [] throttle: null updated_at: '2023-05-16T20:25:42.559Z' updated_by: elastic page: 1 per_page: 10 total: 1 schema: additionalProperties: false type: object properties: actions: items: additionalProperties: false type: object properties: alerts_filter: additionalProperties: false description: Defines a period that limits whether the action runs. type: object properties: query: additionalProperties: false type: object properties: dsl: description: A filter written in Elasticsearch Query Domain Specific Language (DSL). type: string filters: description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. items: additionalProperties: false type: object properties: $state: additionalProperties: false type: object properties: store: description: A filter can be either specific to an application context or applied globally. enum: - appState - globalState type: string required: - store meta: additionalProperties: {} type: object query: additionalProperties: {} type: object required: - meta type: array kql: description: A filter written in Kibana Query Language (KQL). type: string required: - kql - filters timeframe: additionalProperties: false type: object properties: days: description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. items: enum: - 1 - 2 - 3 - 4 - 5 - 6 - 7 type: integer type: array hours: additionalProperties: false type: object properties: end: description: The end of the time frame in 24-hour notation (`hh:mm`). type: string start: description: The start of the time frame in 24-hour notation (`hh:mm`). type: string required: - start - end timezone: description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. type: string required: - days - hours - timezone connector_type_id: description: The type of connector. This property appears in responses but cannot be set in requests. type: string frequency: additionalProperties: false type: object properties: notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval type: string summary: description: Indicates whether the action is a summary. type: boolean throttle: description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if ''notify_when'' is set to ''onThrottleInterval''. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - summary - notify_when - throttle group: description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. type: string id: description: The identifier for the connector saved object. type: string params: additionalProperties: {} description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. type: object use_alert_data_for_template: description: Indicates whether to use alert data as a template. type: boolean uuid: description: A universally unique identifier (UUID) for the action. type: string required: - id - connector_type_id - params type: array active_snoozes: items: description: List of active snoozes for the rule. type: string type: array alert_delay: additionalProperties: false description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. type: object properties: active: description: The number of consecutive runs that must meet the rule conditions. type: number required: - active api_key_created_by_user: description: Indicates whether the API key that is associated with the rule was created by the user. nullable: true type: boolean api_key_owner: description: The owner of the API key that is associated with the rule and used to run background tasks. nullable: true type: string artifacts: additionalProperties: false type: object properties: dashboards: items: additionalProperties: false type: object properties: id: type: string required: - id type: array investigation_guide: additionalProperties: false type: object properties: blob: description: User-created content that describes alert causes and remdiation. type: string required: - blob consumer: description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' type: string created_at: description: The date and time that the rule was created. type: string created_by: description: The identifier for the user that created the rule. nullable: true type: string enabled: description: Indicates whether you want to run the rule on an interval basis after it is created. type: boolean execution_status: additionalProperties: false type: object properties: error: additionalProperties: false type: object properties: message: description: Error message. type: string reason: description: Reason for error. enum: - read - decrypt - execute - unknown - license - timeout - disabled - validate type: string required: - reason - message last_duration: description: Duration of last execution of the rule. type: number last_execution_date: description: The date and time when rule was executed last. type: string status: description: Status of rule execution. enum: - ok - active - error - warning - pending - unknown type: string warning: additionalProperties: false type: object properties: message: description: Warning message. type: string reason: description: Reason for warning. enum: - maxExecutableActions - maxAlerts - maxQueuedActions - ruleExecution type: string required: - reason - message required: - status - last_execution_date flapping: additionalProperties: false description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. nullable: true type: object properties: enabled: description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. type: boolean look_back_window: description: The minimum number of runs in which the threshold must be met. maximum: 20 minimum: 2 type: number status_change_threshold: description: The minimum number of times an alert must switch states in the look back window. maximum: 20 minimum: 2 type: number required: - look_back_window - status_change_threshold id: description: The identifier for the rule. type: string is_snoozed_until: description: The date when the rule will no longer be snoozed. nullable: true type: string last_run: additionalProperties: false nullable: true type: object properties: alerts_count: additionalProperties: false type: object properties: active: description: Number of active alerts during last run. nullable: true type: number ignored: description: Number of ignored alerts during last run. nullable: true type: number new: description: Number of new alerts during last run. nullable: true type: number recovered: description: Number of recovered alerts during last run. nullable: true type: number outcome: description: Outcome of last run of the rule. Value could be succeeded, warning or failed. enum: - succeeded - warning - failed type: string outcome_msg: items: description: Outcome message generated during last rule run. type: string nullable: true type: array outcome_order: description: Order of the outcome. type: number warning: description: Warning of last rule execution. enum: - read - decrypt - execute - unknown - license - timeout - disabled - validate - maxExecutableActions - maxAlerts - maxQueuedActions - ruleExecution nullable: true type: string required: - outcome - alerts_count mapped_params: additionalProperties: {} type: object monitoring: additionalProperties: false description: Monitoring details of the rule. type: object properties: run: additionalProperties: false description: Rule run details. type: object properties: calculated_metrics: additionalProperties: false description: Calculation of different percentiles and success ratio. type: object properties: p50: type: number p95: type: number p99: type: number success_ratio: type: number required: - success_ratio history: description: History of the rule run. items: additionalProperties: false type: object properties: duration: description: Duration of the rule run. type: number outcome: description: Outcome of last run of the rule. Value could be succeeded, warning or failed. enum: - succeeded - warning - failed type: string success: description: Indicates whether the rule run was successful. type: boolean timestamp: description: Time of rule run. type: number required: - success - timestamp type: array last_run: additionalProperties: false type: object properties: metrics: additionalProperties: false type: object properties: duration: description: Duration of most recent rule run. type: number gap_duration_s: description: Duration in seconds of rule run gap. nullable: true type: number gap_range: additionalProperties: false nullable: true type: object properties: gte: description: End of the gap range. type: string lte: description: Start of the gap range. type: string required: - lte - gte total_alerts_created: description: Total number of alerts created during last rule run. nullable: true type: number total_alerts_detected: description: Total number of alerts detected during last rule run. nullable: true type: number total_indexing_duration_ms: description: Total time spent indexing documents during last rule run in milliseconds. nullable: true type: number total_search_duration_ms: description: Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response. nullable: true type: number timestamp: description: Time of the most recent rule run. type: string required: - timestamp - metrics required: - history - calculated_metrics - last_run required: - run mute_all: description: Indicates whether all alerts are muted. type: boolean muted_alert_ids: items: description: 'List of identifiers of muted alerts. ' type: string type: array name: description: ' The name of the rule.' type: string next_run: description: Date and time of the next run of the rule. nullable: true type: string notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval nullable: true type: string params: additionalProperties: {} description: The parameters for the rule. type: object revision: description: The rule revision number. type: number rule_type_id: description: The rule type identifier. type: string running: description: Indicates whether the rule is running. nullable: true type: boolean schedule: additionalProperties: false type: object properties: interval: description: The interval is specified in seconds, minutes, hours, or days. type: string required: - interval scheduled_task_id: description: Identifier of the scheduled task. type: string snooze_schedule: items: additionalProperties: false type: object properties: duration: description: Duration of the rule snooze schedule. type: number id: description: Identifier of the rule snooze schedule. type: string rRule: additionalProperties: false type: object properties: byhour: items: description: Indicates hours of the day to recur. type: number nullable: true type: array byminute: items: description: Indicates minutes of the hour to recur. type: number nullable: true type: array bymonth: items: description: Indicates months of the year that this rule should recur. type: number nullable: true type: array bymonthday: items: description: Indicates the days of the month to recur. type: number nullable: true type: array bysecond: items: description: Indicates seconds of the day to recur. type: number nullable: true type: array bysetpos: items: description: A positive or negative integer affecting the nth day of the month. For example, -2 combined with `byweekday` of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use `byweekday`. type: number nullable: true type: array byweekday: items: anyOf: - type: string - type: number description: Indicates the days of the week to recur or else nth-day-of-month strings. For example, "+2TU" second Tuesday of month, "-1FR" last Friday of the month, which are internally converted to a `byweekday/bysetpos` combination. nullable: true type: array byweekno: items: description: Indicates number of the week hours to recur. type: number nullable: true type: array byyearday: items: description: Indicates the days of the year that this rule should recur. type: number nullable: true type: array count: description: Number of times the rule should recur until it stops. type: number dtstart: description: Rule start date in Coordinated Universal Time (UTC). type: string freq: description: Indicates frequency of the rule. Options are YEARLY, MONTHLY, WEEKLY, DAILY. enum: - 0 - 1 - 2 - 3 - 4 - 5 - 6 type: integer interval: description: Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks. type: number tzid: description: Indicates timezone abbreviation. type: string until: description: Recur the rule until this date. type: string wkst: description: Indicates the start of week, defaults to Monday. enum: - MO - TU - WE - TH - FR - SA - SU type: string required: - dtstart - tzid skipRecurrences: items: description: Skips recurrence of rule on this date. type: string type: array required: - duration - rRule type: array tags: items: description: The tags for the rule. type: string type: array throttle: deprecated: true description: 'Deprecated in 8.13.0. Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string updated_at: description: The date and time that the rule was updated most recently. type: string updated_by: description: The identifier for the user that updated this rule most recently. nullable: true type: string view_in_app_relative_url: description: Relative URL to view rule in the app. nullable: true type: string required: - id - enabled - name - tags - rule_type_id - consumer - schedule - actions - params - created_by - updated_by - created_at - updated_at - api_key_owner - mute_all - muted_alert_ids - execution_status - revision description: Indicates a successful call. '400': description: Indicates an invalid schema or parameters. '403': description: Indicates that this call is forbidden. summary: Get information about rules tags: - alerting x-metaTags: - content: Kibana name: product_name description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/alerting/rules/_find
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. /api/alerting/rules/backfill/_find: post: operationId: post-alerting-rules-backfill-find parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The end date for filtering backfills. in: query name: end required: false schema: type: string - description: The page number to return. in: query name: page required: false schema: default: 1 minimum: 1 type: number - description: The number of backfills to return per page. in: query name: per_page required: false schema: default: 10 minimum: 0 type: number - description: A comma-separated list of rule identifiers. in: query name: rule_ids required: false schema: type: string - description: The initiator of the backfill, either `user` for manual backfills or `system` for automatic gap fills. in: query name: initiator required: false schema: enum: - user - system type: string - description: The start date for filtering backfills. in: query name: start required: false schema: type: string - description: The field to sort backfills by. in: query name: sort_field required: false schema: enum: - createdAt - start type: string - description: The sort order. in: query name: sort_order required: false schema: enum: - asc - desc type: string responses: '200': content: application/json: examples: findBackfillResponse: summary: Find backfills response value: data: - created_at: '2024-01-30T00:00:00.000Z' duration: 12h enabled: true id: 85bdf571-f4fb-4666-a8d2-e05e1220ebc6 initiator: user rule: api_key_owner: elastic consumer: alerts created_at: '2022-12-05T23:40:33.132Z' created_by: elastic enabled: true id: 3583a470-74f6-11ed-9801-35303b735aef name: my alert params: aggField: sheet.version aggType: avg groupBy: top index: - test-index termField: name.keyword termSize: 6 threshold: - 1000 thresholdComparator: '>' timeField: '@timestamp' timeWindowSize: 5 timeWindowUnit: m revision: 0 rule_type_id: .index-threshold schedule: interval: 1m tags: - cpu updated_at: '2022-12-05T23:40:33.132Z' updated_by: elastic schedule: - interval: 12h run_at: '2024-01-01T12:00:00.000Z' status: pending - interval: 12h run_at: '2024-01-02T00:00:00.000Z' status: pending space_id: default start: '2024-01-01T00:00:00.000Z' status: pending page: 1 per_page: 10 total: 1 schema: additionalProperties: false type: object properties: data: items: additionalProperties: false type: object properties: created_at: type: string duration: type: string enabled: type: boolean end: type: string id: type: string initiator: enum: - user - system type: string initiator_id: type: string rule: additionalProperties: false type: object properties: api_key_created_by_user: nullable: true type: boolean api_key_owner: nullable: true type: string consumer: type: string created_at: type: string created_by: nullable: true type: string enabled: type: boolean id: type: string name: type: string params: additionalProperties: {} description: The parameters for the rule. type: object revision: type: number rule_type_id: type: string schedule: additionalProperties: false type: object properties: interval: type: string required: - interval tags: items: type: string type: array updated_at: type: string updated_by: nullable: true type: string required: - id - name - tags - rule_type_id - params - api_key_owner - consumer - enabled - schedule - created_by - updated_by - created_at - updated_at - revision schedule: items: additionalProperties: false type: object properties: interval: type: string run_at: type: string status: enum: - complete - pending - running - error - timeout type: string required: - run_at - status - interval type: array space_id: type: string start: type: string status: enum: - complete - pending - running - error - timeout type: string required: - id - created_at - duration - enabled - rule - space_id - initiator - start - status - schedule type: array page: type: number per_page: type: number total: type: number required: - page - per_page - total - data description: Indicates a successful call. '400': description: Indicates an invalid schema or parameters. '403': description: Indicates that this call is forbidden. summary: Find backfills for rules tags: - alerting x-metaTags: - content: Kibana name: product_name description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/alerting/rules/backfill/_find
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. /api/alerting/rules/backfill/_schedule: post: operationId: post-alerting-rules-backfill-schedule parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: examples: scheduleBackfillRequest: summary: Schedule a backfill for an index threshold rule value: - ranges: - end: '2024-01-02T00:00:00.000Z' start: '2024-01-01T00:00:00.000Z' rule_id: 3583a470-74f6-11ed-9801-35303b735aef schema: items: additionalProperties: false type: object properties: ranges: items: additionalProperties: false type: object properties: end: type: string start: type: string required: - start - end type: array rule_id: type: string run_actions: type: boolean required: - rule_id - ranges maxItems: 100 minItems: 1 type: array responses: '200': content: application/json: examples: scheduleBackfillResponse: summary: Schedule backfill response value: - created_at: '2024-01-30T00:00:00.000Z' duration: 12h enabled: true id: 85bdf571-f4fb-4666-a8d2-e05e1220ebc6 initiator: user rule: api_key_owner: elastic consumer: alerts created_at: '2022-12-05T23:40:33.132Z' created_by: elastic enabled: true id: 3583a470-74f6-11ed-9801-35303b735aef name: my alert params: aggField: sheet.version aggType: avg groupBy: top index: - test-index termField: name.keyword termSize: 6 threshold: - 1000 thresholdComparator: '>' timeField: '@timestamp' timeWindowSize: 5 timeWindowUnit: m revision: 0 rule_type_id: .index-threshold schedule: interval: 1m tags: - cpu updated_at: '2022-12-05T23:40:33.132Z' updated_by: elastic schedule: - interval: 12h run_at: '2024-01-01T12:00:00.000Z' status: pending - interval: 12h run_at: '2024-01-02T00:00:00.000Z' status: pending space_id: default start: '2024-01-01T00:00:00.000Z' status: pending schema: items: anyOf: - additionalProperties: false type: object properties: created_at: type: string duration: type: string enabled: type: boolean end: type: string id: type: string initiator: enum: - user - system type: string initiator_id: type: string rule: additionalProperties: false type: object properties: api_key_created_by_user: nullable: true type: boolean api_key_owner: nullable: true type: string consumer: type: string created_at: type: string created_by: nullable: true type: string enabled: type: boolean id: type: string name: type: string params: additionalProperties: {} description: The parameters for the rule. type: object revision: type: number rule_type_id: type: string schedule: additionalProperties: false type: object properties: interval: type: string required: - interval tags: items: type: string type: array updated_at: type: string updated_by: nullable: true type: string required: - id - name - tags - rule_type_id - params - api_key_owner - consumer - enabled - schedule - created_by - updated_by - created_at - updated_at - revision schedule: items: additionalProperties: false type: object properties: interval: type: string run_at: type: string status: enum: - complete - pending - running - error - timeout type: string required: - run_at - status - interval type: array space_id: type: string start: type: string status: enum: - complete - pending - running - error - timeout type: string required: - id - created_at - duration - enabled - rule - space_id - initiator - start - status - schedule - additionalProperties: false type: object properties: error: additionalProperties: false type: object properties: message: type: string rule: additionalProperties: false type: object properties: id: type: string name: type: string required: - id status: type: number required: - message - rule required: - error type: array description: Indicates a successful call. '400': description: Indicates an invalid schema or parameters. '403': description: Indicates that this call is forbidden. '404': description: Indicates a rule with the given ID does not exist. summary: Schedule a backfill for rules tags: - alerting x-metaTags: - content: Kibana name: product_name description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/alerting/rules/backfill/_schedule
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. /api/alerting/rules/backfill/{id}: delete: operationId: delete-alerting-rules-backfill-id parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The identifier for the backfill. in: path name: id required: true schema: type: string responses: '204': description: Indicates a successful call. '400': description: Indicates an invalid schema or parameters. '403': description: Indicates that this call is forbidden. '404': description: Indicates a backfill with the given ID does not exist. summary: Delete a backfill by ID tags: - alerting x-metaTags: - content: Kibana name: product_name description: |- **Spaces method and path for this operation:**
delete /s/{space_id}/api/alerting/rules/backfill/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. get: operationId: get-alerting-rules-backfill-id parameters: - description: The identifier for the backfill. in: path name: id required: true schema: type: string responses: '200': content: application/json: examples: getBackfillResponse: summary: Get a backfill for an index threshold rule value: created_at: '2024-01-30T00:00:00.000Z' duration: 12h enabled: true id: 85bdf571-f4fb-4666-a8d2-e05e1220ebc6 initiator: user rule: api_key_owner: elastic consumer: alerts created_at: '2022-12-05T23:40:33.132Z' created_by: elastic enabled: true id: 3583a470-74f6-11ed-9801-35303b735aef name: my alert params: aggField: sheet.version aggType: avg groupBy: top index: - test-index termField: name.keyword termSize: 6 threshold: - 1000 thresholdComparator: '>' timeField: '@timestamp' timeWindowSize: 5 timeWindowUnit: m revision: 0 rule_type_id: .index-threshold schedule: interval: 1m tags: - cpu updated_at: '2022-12-05T23:40:33.132Z' updated_by: elastic schedule: - interval: 12h run_at: '2024-01-01T12:00:00.000Z' status: pending - interval: 12h run_at: '2024-01-02T00:00:00.000Z' status: pending space_id: default start: '2024-01-01T00:00:00.000Z' status: pending schema: additionalProperties: false type: object properties: created_at: type: string duration: type: string enabled: type: boolean end: type: string id: type: string initiator: enum: - user - system type: string initiator_id: type: string rule: additionalProperties: false type: object properties: api_key_created_by_user: nullable: true type: boolean api_key_owner: nullable: true type: string consumer: type: string created_at: type: string created_by: nullable: true type: string enabled: type: boolean id: type: string name: type: string params: additionalProperties: {} description: The parameters for the rule. type: object revision: type: number rule_type_id: type: string schedule: additionalProperties: false type: object properties: interval: type: string required: - interval tags: items: type: string type: array updated_at: type: string updated_by: nullable: true type: string required: - id - name - tags - rule_type_id - params - api_key_owner - consumer - enabled - schedule - created_by - updated_by - created_at - updated_at - revision schedule: items: additionalProperties: false type: object properties: interval: type: string run_at: type: string status: enum: - complete - pending - running - error - timeout type: string required: - run_at - status - interval type: array space_id: type: string start: type: string status: enum: - complete - pending - running - error - timeout type: string required: - id - created_at - duration - enabled - rule - space_id - initiator - start - status - schedule description: Indicates a successful call. '400': description: Indicates an invalid schema or parameters. '403': description: Indicates that this call is forbidden. '404': description: Indicates a backfill with the given ID does not exist. summary: Get a backfill by ID tags: - alerting x-metaTags: - content: Kibana name: product_name description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/alerting/rules/backfill/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. /api/apm/agent_keys: post: description: | **Spaces method and path for this operation:**
post /s/{space_id}/api/apm/agent_keys
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Create a new agent key for APM. The user creating an APM agent API key must have at least the `manage_own_api_key` cluster privilege and the APM application-level privileges that it wishes to grant. After it is created, you can copy the API key (Base64 encoded) and use it to to authorize requests from APM agents to the APM Server. operationId: createAgentKey parameters: - $ref: '#/components/parameters/APM_UI_elastic_api_version' - $ref: '#/components/parameters/APM_UI_kbn_xsrf' requestBody: content: application/json: examples: createAgentKeyRequest1: $ref: '#/components/examples/APM_UI_agent_keys_object_post_request1' schema: $ref: '#/components/schemas/APM_UI_agent_keys_object' required: true responses: '200': content: application/json: examples: createAgentKeyResponse1: $ref: '#/components/examples/APM_UI_agent_keys_object_post_200_response1' schema: $ref: '#/components/schemas/APM_UI_agent_keys_response' description: Agent key created successfully '400': content: application/json: schema: $ref: '#/components/schemas/APM_UI_400_response' description: Bad Request response '401': content: application/json: schema: $ref: '#/components/schemas/APM_UI_401_response' description: Unauthorized response '403': content: application/json: schema: $ref: '#/components/schemas/APM_UI_403_response' description: Forbidden response '500': content: application/json: schema: $ref: '#/components/schemas/APM_UI_500_response' description: Internal Server Error response summary: Create an APM agent key tags: - APM agent keys x-metaTags: - content: Kibana name: product_name /api/apm/fleet/apm_server_schema: post: deprecated: true description: | **Spaces method and path for this operation:**
post /s/{space_id}/api/apm/fleet/apm_server_schema
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. DEPRECATED: This endpoint is intended for internal use by Fleet integrations to push the APM Server configuration schema. Do not use for new integrations. It stores the provided schema object as a Kibana saved object. If Fleet migration is not available on the current deployment, the API returns a 404. operationId: saveApmServerSchema parameters: - $ref: '#/components/parameters/APM_UI_elastic_api_version' - $ref: '#/components/parameters/APM_UI_kbn_xsrf' requestBody: content: application/json: schema: type: object properties: schema: additionalProperties: true description: Schema object example: foo: bar type: object required: true responses: '200': content: application/json: examples: saveApmServerSchemaResponseExample1: $ref: '#/components/examples/APM_UI_fleet_apm_server_schema_200_response1' schema: additionalProperties: false description: The response body is intentionally empty for this endpoint. type: object description: Successful response '400': content: application/json: schema: $ref: '#/components/schemas/APM_UI_400_response' description: Bad Request response '401': content: application/json: schema: $ref: '#/components/schemas/APM_UI_401_response' description: Unauthorized response '403': content: application/json: schema: $ref: '#/components/schemas/APM_UI_403_response' description: Forbidden response '404': content: application/json: schema: $ref: '#/components/schemas/APM_UI_404_response' description: Not found response summary: Save APM server schema tags: - APM server schema x-metaTags: - content: Kibana name: product_name /api/apm/services/{serviceName}/annotation: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/apm/services/{serviceName}/annotation
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Create a new annotation for a specific service. operationId: createAnnotation parameters: - $ref: '#/components/parameters/APM_UI_elastic_api_version' - $ref: '#/components/parameters/APM_UI_kbn_xsrf' - description: The name of the service in: path name: serviceName required: true schema: type: string requestBody: content: application/json: examples: createAnnotationRequest1: $ref: '#/components/examples/APM_UI_annotation_object_post_request1' schema: $ref: '#/components/schemas/APM_UI_create_annotation_object' required: true responses: '200': content: application/json: examples: createAnnotationResponse1: $ref: '#/components/examples/APM_UI_annotation_object_post_200_response1' schema: $ref: '#/components/schemas/APM_UI_create_annotation_response' description: Annotation created successfully '400': content: application/json: schema: $ref: '#/components/schemas/APM_UI_400_response' description: Bad Request response '401': content: application/json: schema: $ref: '#/components/schemas/APM_UI_401_response' description: Unauthorized response '403': content: application/json: schema: $ref: '#/components/schemas/APM_UI_403_response' description: Forbidden response '404': content: application/json: schema: $ref: '#/components/schemas/APM_UI_404_response' description: Not found response summary: Create a service annotation tags: - APM annotations x-codeSamples: - lang: Curl source: | curl -X POST \ http://localhost:5601/api/apm/services/opbeans-java/annotation \ -H 'Content-Type: application/json' \ -H 'kbn-xsrf: true' \ -H 'Authorization: Basic YhUlubWZhM0FDbnlQeE6WRtaW49FQmSGZ4RUWXdX' \ -d '{ "@timestamp": "2020-05-08T10:31:30.452Z", "service": { "version": "1.2" }, "message": "Deployment 1.2" }' x-metaTags: - content: Kibana name: product_name /api/apm/services/{serviceName}/annotation/search: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/apm/services/{serviceName}/annotation/search
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Search for annotations related to a specific service. operationId: getAnnotation parameters: - $ref: '#/components/parameters/APM_UI_elastic_api_version' - description: The name of the service in: path name: serviceName required: true schema: type: string - description: The environment to filter annotations by in: query name: environment required: false schema: type: string - description: The start date for the search example: '2024-01-01T00:00:00.000Z' in: query name: start required: false schema: format: date-time type: string - description: The end date for the search example: '2024-01-31T23:59:59.999Z' in: query name: end required: false schema: format: date-time type: string responses: '200': content: application/json: schema: $ref: '#/components/schemas/APM_UI_annotation_search_response' description: Successful response '400': content: application/json: schema: $ref: '#/components/schemas/APM_UI_400_response' description: Bad Request response '401': content: application/json: schema: $ref: '#/components/schemas/APM_UI_401_response' description: Unauthorized response '500': content: application/json: schema: $ref: '#/components/schemas/APM_UI_500_response' description: Internal Server Error response summary: Search for annotations tags: - APM annotations x-metaTags: - content: Kibana name: product_name /api/apm/settings/agent-configuration: delete: description: | **Spaces method and path for this operation:**
delete /s/{space_id}/api/apm/settings/agent-configuration
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Delete an existing agent configuration. You must have `all` privileges for the APM and User Experience feature in Kibana. When successful, the configuration is removed and, if Fleet is enabled, APM package policies are synchronized accordingly. operationId: deleteAgentConfiguration parameters: - $ref: '#/components/parameters/APM_UI_elastic_api_version' - $ref: '#/components/parameters/APM_UI_kbn_xsrf' requestBody: content: application/json: examples: deleteAgentConfigurationRequest1: $ref: '#/components/examples/APM_UI_agent_configuration_intake_object_delete_request1' schema: $ref: '#/components/schemas/APM_UI_delete_service_object' required: true responses: '200': content: application/json: examples: deleteAgentConfigurationResponseExample1: $ref: '#/components/examples/APM_UI_agent_configuration_intake_object_delete_200_response1' schema: $ref: '#/components/schemas/APM_UI_delete_agent_configurations_response' description: Successful response '400': content: application/json: schema: $ref: '#/components/schemas/APM_UI_400_response' description: Bad Request response '401': content: application/json: schema: $ref: '#/components/schemas/APM_UI_401_response' description: Unauthorized response '403': content: application/json: schema: $ref: '#/components/schemas/APM_UI_403_response' description: Forbidden response '404': content: application/json: schema: $ref: '#/components/schemas/APM_UI_404_response' description: Not found response summary: Delete agent configuration tags: - APM agent configuration x-metaTags: - content: Kibana name: product_name get: description: | **Spaces method and path for this operation:**
get /s/{space_id}/api/apm/settings/agent-configuration
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Retrieve all agent configurations. You must have `read` privileges for the APM and User Experience feature in Kibana. If agent configuration is not available on the current deployment, the API returns a 404. operationId: getAgentConfigurations parameters: - $ref: '#/components/parameters/APM_UI_elastic_api_version' responses: '200': content: application/json: examples: getAgentConfigurationsResponseExample1: $ref: '#/components/examples/APM_UI_agent_configuration_intake_object_get_200_response1' schema: $ref: '#/components/schemas/APM_UI_agent_configurations_response' description: Successful response '400': content: application/json: schema: $ref: '#/components/schemas/APM_UI_400_response' description: Bad Request response '401': content: application/json: schema: $ref: '#/components/schemas/APM_UI_401_response' description: Unauthorized response '404': content: application/json: schema: $ref: '#/components/schemas/APM_UI_404_response' description: Not found response summary: Get a list of agent configurations tags: - APM agent configuration x-metaTags: - content: Kibana name: product_name put: description: | **Spaces method and path for this operation:**
put /s/{space_id}/api/apm/settings/agent-configuration
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Create or update an agent configuration. You must have `all` privileges for the APM and User Experience feature in Kibana. When updating an existing configuration, the `?overwrite=true` query parameter is required. If the configuration already exists and `overwrite` is not set to `true`, the API returns a 400 error. When successful and Fleet is enabled, APM package policies are synchronized accordingly. operationId: createUpdateAgentConfiguration parameters: - $ref: '#/components/parameters/APM_UI_elastic_api_version' - $ref: '#/components/parameters/APM_UI_kbn_xsrf' - description: If the config exists ?overwrite=true is required in: query name: overwrite schema: type: boolean requestBody: content: application/json: examples: createUpdateAgentConfigurationRequestExample1: $ref: '#/components/examples/APM_UI_agent_configuration_intake_object_put_request1' schema: $ref: '#/components/schemas/APM_UI_agent_configuration_intake_object' required: true responses: '200': content: application/json: examples: createUpdateAgentConfigurationResponseExample1: $ref: '#/components/examples/APM_UI_agent_configuration_intake_object_put_200_response1' schema: additionalProperties: false description: The response body is intentionally empty for this endpoint. type: object description: Successful response '400': content: application/json: schema: $ref: '#/components/schemas/APM_UI_400_response' description: Bad Request response '401': content: application/json: schema: $ref: '#/components/schemas/APM_UI_401_response' description: Unauthorized response '403': content: application/json: schema: $ref: '#/components/schemas/APM_UI_403_response' description: Forbidden response '404': content: application/json: schema: $ref: '#/components/schemas/APM_UI_404_response' description: Not found response summary: Create or update agent configuration tags: - APM agent configuration x-metaTags: - content: Kibana name: product_name /api/apm/settings/agent-configuration/agent_name: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/apm/settings/agent-configuration/agent_name
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Retrieve `agentName` for a service. operationId: getAgentNameForService parameters: - $ref: '#/components/parameters/APM_UI_elastic_api_version' - description: The name of the service example: node in: query name: serviceName required: true schema: type: string responses: '200': content: application/json: schema: $ref: '#/components/schemas/APM_UI_service_agent_name_response' description: Successful response '400': content: application/json: schema: $ref: '#/components/schemas/APM_UI_400_response' description: Bad Request response '401': content: application/json: schema: $ref: '#/components/schemas/APM_UI_401_response' description: Unauthorized response '404': content: application/json: schema: $ref: '#/components/schemas/APM_UI_404_response' description: Not found response summary: Get agent name for service tags: - APM agent configuration x-metaTags: - content: Kibana name: product_name /api/apm/settings/agent-configuration/environments: get: description: | **Spaces method and path for this operation:**
get /s/{space_id}/api/apm/settings/agent-configuration/environments
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Retrieve the available environments for a given service, to be used in agent configuration. You must have `read` privileges for the APM and User Experience feature in Kibana. If `serviceName` is omitted, environments across all services are returned. operationId: getEnvironmentsForService parameters: - $ref: '#/components/parameters/APM_UI_elastic_api_version' - description: The name of the service. If omitted, environments across all services are returned. example: opbeans-node in: query name: serviceName schema: type: string responses: '200': content: application/json: examples: getEnvironmentsForServiceResponseExample1: $ref: '#/components/examples/APM_UI_agent_configuration_environments_200_response1' schema: $ref: '#/components/schemas/APM_UI_service_environments_response' description: Successful response '400': content: application/json: schema: $ref: '#/components/schemas/APM_UI_400_response' description: Bad Request response '401': content: application/json: schema: $ref: '#/components/schemas/APM_UI_401_response' description: Unauthorized response '404': content: application/json: schema: $ref: '#/components/schemas/APM_UI_404_response' description: Not found response summary: Get environments for service tags: - APM agent configuration x-metaTags: - content: Kibana name: product_name /api/apm/settings/agent-configuration/search: post: deprecated: true description: | **Spaces method and path for this operation:**
post /s/{space_id}/api/apm/settings/agent-configuration/search
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. DEPRECATED: This endpoint is intended for internal use by APM agents to fetch their configuration and mark it as applied. Do not use for new integrations. It searches for a single agent configuration matching the given service, and optionally updates the `applied_by_agent` field when the provided `etag` matches the current configuration. operationId: searchSingleConfiguration parameters: - $ref: '#/components/parameters/APM_UI_elastic_api_version' - $ref: '#/components/parameters/APM_UI_kbn_xsrf' requestBody: content: application/json: examples: searchSingleConfigurationRequest1: $ref: '#/components/examples/APM_UI_agent_configuration_intake_object_search_request1' schema: $ref: '#/components/schemas/APM_UI_search_agent_configuration_object' required: true responses: '200': content: application/json: examples: searchSingleConfigurationResponse1: $ref: '#/components/examples/APM_UI_agent_configuration_intake_object_search_200_response1' schema: $ref: '#/components/schemas/APM_UI_search_agent_configuration_response' description: Successful response '400': content: application/json: schema: $ref: '#/components/schemas/APM_UI_400_response' description: Bad Request response '401': content: application/json: schema: $ref: '#/components/schemas/APM_UI_401_response' description: Unauthorized response '404': content: application/json: schema: $ref: '#/components/schemas/APM_UI_404_response' description: Not found response summary: Lookup single agent configuration tags: - APM agent configuration x-metaTags: - content: Kibana name: product_name /api/apm/settings/agent-configuration/view: get: description: | **Spaces method and path for this operation:**
get /s/{space_id}/api/apm/settings/agent-configuration/view
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Retrieve a single agent configuration matching the given service name and environment. You must have `read` privileges for the APM and User Experience feature in Kibana. If no matching configuration is found, the API returns a 404. operationId: getSingleAgentConfiguration parameters: - $ref: '#/components/parameters/APM_UI_elastic_api_version' - description: Service name example: node in: query name: name schema: type: string - description: Service environment example: prod in: query name: environment schema: type: string responses: '200': content: application/json: examples: getSingleAgentConfigurationResponseExample1: $ref: '#/components/examples/APM_UI_agent_configuration_intake_object_view_200_response1' schema: $ref: '#/components/schemas/APM_UI_single_agent_configuration_response' description: Successful response '400': content: application/json: schema: $ref: '#/components/schemas/APM_UI_400_response' description: Bad Request response '401': content: application/json: schema: $ref: '#/components/schemas/APM_UI_401_response' description: Unauthorized response '404': content: application/json: schema: $ref: '#/components/schemas/APM_UI_404_response' description: Not found response summary: Get single agent configuration tags: - APM agent configuration x-metaTags: - content: Kibana name: product_name /api/apm/sourcemaps: get: description: | **Spaces method and path for this operation:**
get /s/{space_id}/api/apm/sourcemaps
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get an array of Fleet artifacts, including source map uploads. You must have `read` or `all` Kibana privileges for the APM and User Experience feature. operationId: getSourceMaps parameters: - $ref: '#/components/parameters/APM_UI_elastic_api_version' - description: Page number in: query name: page schema: type: number - description: Number of records per page in: query name: perPage schema: type: number responses: '200': content: application/json: examples: getSourceMapsResponse1: $ref: '#/components/examples/APM_UI_source_maps_get_200_response1' schema: $ref: '#/components/schemas/APM_UI_source_maps_response' description: Successful response '400': content: application/json: schema: $ref: '#/components/schemas/APM_UI_400_response' description: Bad Request response '401': content: application/json: schema: $ref: '#/components/schemas/APM_UI_401_response' description: Unauthorized response '500': content: application/json: schema: $ref: '#/components/schemas/APM_UI_500_response' description: Internal Server Error response '501': content: application/json: schema: $ref: '#/components/schemas/APM_UI_501_response' description: Not Implemented response summary: Get source maps tags: - APM sourcemaps x-codeSamples: - lang: Curl source: | curl -X GET "http://localhost:5601/api/apm/sourcemaps" \ -H 'Content-Type: application/json' \ -H 'kbn-xsrf: true' \ -H 'Authorization: ApiKey ${YOUR_API_KEY}' x-metaTags: - content: Kibana name: product_name post: description: | **Spaces method and path for this operation:**
post /s/{space_id}/api/apm/sourcemaps
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Upload a source map for a specific service and version. You must have `all` Kibana privileges for the APM and User Experience feature. The maximum payload size is `1mb`. If you attempt to upload a source map that exceeds the maximum payload size, you will get a 413 error. Before uploading source maps that exceed this default, change the maximum payload size allowed by Kibana with the `server.maxPayload` variable. operationId: uploadSourceMap parameters: - $ref: '#/components/parameters/APM_UI_elastic_api_version' - $ref: '#/components/parameters/APM_UI_kbn_xsrf' requestBody: content: multipart/form-data: schema: $ref: '#/components/schemas/APM_UI_upload_source_map_object' required: true responses: '200': content: application/json: examples: uploadSourceMapResponse1: $ref: '#/components/examples/APM_UI_source_maps_upload_200_response1' schema: $ref: '#/components/schemas/APM_UI_upload_source_maps_response' description: Successful response '400': content: application/json: schema: $ref: '#/components/schemas/APM_UI_400_response' description: Bad Request response '401': content: application/json: schema: $ref: '#/components/schemas/APM_UI_401_response' description: Unauthorized response '403': content: application/json: schema: $ref: '#/components/schemas/APM_UI_403_response' description: Forbidden response '500': content: application/json: schema: $ref: '#/components/schemas/APM_UI_500_response' description: Internal Server Error response '501': content: application/json: schema: $ref: '#/components/schemas/APM_UI_501_response' description: Not Implemented response summary: Upload a source map tags: - APM sourcemaps x-codeSamples: - lang: Curl source: | curl -X POST "http://localhost:5601/api/apm/sourcemaps" \ -H 'Content-Type: multipart/form-data' \ -H 'kbn-xsrf: true' \ -H 'Authorization: ApiKey ${YOUR_API_KEY}' \ -F 'service_name="foo"' \ -F 'service_version="1.0.0"' \ -F 'bundle_filepath="/test/e2e/general-usecase/bundle.js"' \ -F 'sourcemap="{\"version\":3,\"file\":\"static/js/main.chunk.js\",\"sources\":[\"fleet-source-map-client/src/index.css\",\"fleet-source-map-client/src/App.js\",\"webpack:///./src/index.css?bb0a\",\"fleet-source-map-client/src/index.js\",\"fleet-source-map-client/src/reportWebVitals.js\"],\"sourcesContent\":[\"content\"],\"mappings\":\"mapping\",\"sourceRoot\":\"\"}"' x-metaTags: - content: Kibana name: product_name /api/apm/sourcemaps/{id}: delete: description: | **Spaces method and path for this operation:**
delete /s/{space_id}/api/apm/sourcemaps/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Delete a previously uploaded source map. You must have `all` Kibana privileges for the APM and User Experience feature. operationId: deleteSourceMap parameters: - $ref: '#/components/parameters/APM_UI_elastic_api_version' - $ref: '#/components/parameters/APM_UI_kbn_xsrf' - description: Source map identifier in: path name: id required: true schema: type: string responses: '200': content: application/json: examples: deleteSourceMapResponseExample1: $ref: '#/components/examples/APM_UI_source_maps_delete_200_response1' schema: additionalProperties: false description: The response body is intentionally empty for this endpoint. type: object description: Successful response '400': content: application/json: schema: $ref: '#/components/schemas/APM_UI_400_response' description: Bad Request response '401': content: application/json: schema: $ref: '#/components/schemas/APM_UI_401_response' description: Unauthorized response '403': content: application/json: schema: $ref: '#/components/schemas/APM_UI_403_response' description: Forbidden response '500': content: application/json: schema: $ref: '#/components/schemas/APM_UI_500_response' description: Internal Server Error response '501': content: application/json: schema: $ref: '#/components/schemas/APM_UI_501_response' description: Not Implemented response summary: Delete source map tags: - APM sourcemaps x-codeSamples: - lang: Curl source: | curl -X DELETE "http://localhost:5601/api/apm/sourcemaps/apm:foo-1.0.0-644fd5a9" \ -H 'Content-Type: application/json' \ -H 'kbn-xsrf: true' \ -H 'Authorization: ApiKey ${YOUR_API_KEY}' x-metaTags: - content: Kibana name: product_name /api/asset_criticality: delete: description: |- **Spaces method and path for this operation:**
delete /s/{space_id}/api/asset_criticality
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Delete the asset criticality record for a specific entity. operationId: DeleteAssetCriticalityRecord parameters: - description: The ID value of the asset. example: my_host in: query name: id_value required: true schema: type: string - description: The field representing the ID. example: host.name in: query name: id_field required: true schema: $ref: '#/components/schemas/Security_Entity_Analytics_API_IdField' - description: If 'wait_for' the request will wait for the index refresh. in: query name: refresh required: false schema: enum: - wait_for type: string responses: '200': content: application/json: schema: type: object properties: deleted: description: True if the record was deleted or false if the record did not exist. type: boolean record: $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord' description: The deleted record if it existed. required: - deleted description: Successful response '400': description: Invalid request summary: Delete an asset criticality record tags: - Security Entity Analytics API x-metaTags: - content: Kibana name: product_name get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/asset_criticality
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get the asset criticality record for a specific entity. operationId: GetAssetCriticalityRecord parameters: - description: The ID value of the asset. example: my_host in: query name: id_value required: true schema: type: string - description: The field representing the ID. example: host.name in: query name: id_field required: true schema: $ref: '#/components/schemas/Security_Entity_Analytics_API_IdField' responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord' description: Successful response '400': description: Invalid request '404': description: Criticality record not found summary: Get an asset criticality record tags: - Security Entity Analytics API x-metaTags: - content: Kibana name: product_name post: description: | **Spaces method and path for this operation:**
post /s/{space_id}/api/asset_criticality
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Create or update an asset criticality record for a specific entity. If a record already exists for the specified entity, that record is overwritten with the specified value. If a record doesn't exist for the specified entity, a new record is created. operationId: CreateAssetCriticalityRecord requestBody: content: application/json: schema: allOf: - $ref: '#/components/schemas/Security_Entity_Analytics_API_CreateAssetCriticalityRecord' - type: object properties: refresh: description: If 'wait_for' the request will wait for the index refresh. enum: - wait_for type: string example: criticality_level: high_impact id_field: host.name id_value: my_host required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord' description: Successful response '400': description: Invalid request summary: Upsert an asset criticality record tags: - Security Entity Analytics API x-metaTags: - content: Kibana name: product_name /api/asset_criticality/bulk: post: description: | **Spaces method and path for this operation:**
post /s/{space_id}/api/asset_criticality/bulk
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Bulk upsert up to 1000 asset criticality records. If asset criticality records already exist for the specified entities, those records are overwritten with the specified values. If asset criticality records don't exist for the specified entities, new records are created. operationId: BulkUpsertAssetCriticalityRecords requestBody: content: application/json: schema: example: records: - criticality_level: low_impact id_field: host.name id_value: host-1 - criticality_level: medium_impact id_field: host.name id_value: host-2 type: object properties: records: items: allOf: - $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecordIdParts' - type: object properties: criticality_level: $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevelsForBulkUpload' required: - criticality_level maxItems: 1000 minItems: 1 type: array required: - records responses: '200': content: application/json: schema: example: errors: - index: 0 message: Invalid ID field stats: failed: 1 successful: 1 total: 2 type: object properties: errors: items: $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityBulkUploadErrorItem' type: array stats: $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityBulkUploadStats' required: - errors - stats description: Bulk upload successful '413': description: File too large summary: Bulk upsert asset criticality records tags: - Security Entity Analytics API x-metaTags: - content: Kibana name: product_name /api/asset_criticality/list: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/asset_criticality/list
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. List asset criticality records, paging, sorting and filtering as needed. operationId: FindAssetCriticalityRecords parameters: - description: The field to sort by. in: query name: sort_field required: false schema: enum: - id_value - id_field - criticality_level - '@timestamp' type: string - description: The order to sort by. in: query name: sort_direction required: false schema: enum: - asc - desc type: string - description: The page number to return. in: query name: page required: false schema: minimum: 1 type: integer - description: The number of records to return per page. in: query name: per_page required: false schema: maximum: 1000 minimum: 1 type: integer - description: The kuery to filter by. in: query name: kuery required: false schema: type: string responses: '200': content: application/json: schema: example: page: 1 per_page: 10 records: - '@timestamp': '2024-08-02T14:40:35.705Z' asset: criticality: medium_impact criticality_level: medium_impact host: asset: criticality: medium_impact name: my_other_host id_field: host.name id_value: my_other_host - '@timestamp': '2024-08-02T11:15:34.290Z' asset: criticality: high_impact criticality_level: high_impact host: asset: criticality: high_impact name: my_host id_field: host.name id_value: my_host total: 2 type: object properties: page: minimum: 1 type: integer per_page: maximum: 1000 minimum: 1 type: integer records: items: $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord' type: array total: minimum: 0 type: integer required: - records - page - per_page - total description: Successfully retrieved asset criticality records summary: List asset criticality records tags: - Security Entity Analytics API x-metaTags: - content: Kibana name: product_name /api/attack_discovery/_bulk: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/attack_discovery/_bulk
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Performs bulk updates on multiple Attack discoveries, including workflow status changes and visibility settings. This endpoint allows efficient batch processing of alert modifications without requiring individual API calls for each alert. operationId: PostAttackDiscoveryBulk requestBody: content: application/json: example: update: enable_field_rendering: false ids: - c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f - 5aa8f2900c0b03854b3b1a52a19558c5ea9893865c78235d4ad3dcc46196f4c7 kibana_alert_workflow_status: acknowledged with_replacements: true schema: type: object properties: update: description: Configuration object containing all parameters for the bulk update operation type: object properties: enable_field_rendering: default: false description: Enables a markdown syntax used to render pivot fields, for example `{{ user.name james }}`. When disabled, the same example would be rendered as `james`. This is primarily used for Attack Discovery views within Kibana. Defaults to `false`. example: false type: boolean ids: description: Array of Attack Discovery IDs to update example: - c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f - 5aa8f2900c0b03854b3b1a52a19558c5ea9893865c78235d4ad3dcc46196f4c7 items: type: string type: array kibana_alert_workflow_status: description: When provided, update the kibana.alert.workflow_status of the attack discovery alerts enum: - open - acknowledged - closed example: acknowledged type: string visibility: description: When provided, update the visibility of the alert, as determined by the kibana.alert.attack_discovery.users field enum: - not_shared - shared example: shared type: string with_replacements: default: true description: When true, returns the updated Attack discoveries with text replacements applied to the detailsMarkdown, entitySummaryMarkdown, summaryMarkdown, and title fields. This substitutes anonymized values with human-readable equivalents. Defaults to `true`. example: true type: boolean required: - ids required: - update description: Bulk update parameters for Attack discoveries required: true responses: '200': content: application/json: example: data: - id: c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f title: Suspicious process execution on host-01 workflow_status: acknowledged schema: type: object properties: data: description: Array of updated Attack Discovery alert objects. Each item includes the applied modifications from the bulk update request. items: $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiAlert' type: array required: - data description: Indicates a successful call. '400': content: application/json: example: error: Bad Request message: Invalid request parameters. status_code: 400 schema: type: object properties: error: description: Error type example: Bad Request type: string message: description: Human-readable error message describing what went wrong with the bulk update request example: Invalid request parameters. type: string status_code: description: HTTP status code example: 400 type: number required: - status_code - error - message description: Bad Request response. summary: Bulk update Attack discoveries tags: - Security Attack discovery API x-code-samples: - label: Example request lang: curl source: | curl \ --request POST 'http://localhost:5601/api/attack_discovery/_bulk' \ --header "Authorization: $API_KEY" \ --header "Content-Type: application/json" \ --data-raw '{ "update": { "ids": [ "c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f", "5aa8f2900c0b03854b3b1a52a19558c5ea9893865c78235d4ad3dcc46196f4c7" ], "kibana_alert_workflow_status": "acknowledged" } }' x-metaTags: - content: Kibana name: product_name /api/attack_discovery/_find: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/attack_discovery/_find
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Find Attack discoveries that match the search criteria. Supports free text search, filtering, pagination, and sorting. operationId: AttackDiscoveryFind parameters: - description: Filter results to Attack discoveries that include any of the provided alert IDs in: query name: alert_ids required: false schema: items: type: string type: array - description: Filter results to Attack discoveries created by any of the provided human readable connector names. Note that values must match the human readable `connector_name` property of an Attack discovery, e.g. "GPT-5 Chat", which are distinct from `connector_id` values used to generate Attack discoveries. in: query name: connector_names required: false schema: items: type: string type: array - description: Enables a markdown syntax used to render pivot fields, for example `{{ user.name james }}`. When disabled, the same example would be rendered as `james`. This is primarily used for Attack Discovery views within Kibana. Defaults to `false`. example: false in: query name: enable_field_rendering required: false schema: default: false type: boolean - description: End of the time range for the search. Accepts absolute timestamps (ISO 8601) or relative date math (e.g. "now", "now-24h"). example: now in: query name: end required: false schema: type: string - description: Filter results to the Attack discoveries with the specified IDs in: query name: ids required: false schema: items: type: string type: array - description: If `true`, the response will include `unique_alert_ids` and `unique_alert_ids_count` aggregated across the matched Attack discoveries example: false in: query name: include_unique_alert_ids required: false schema: type: boolean - description: Page number to return (used for pagination). Defaults to 1. example: 1 in: query name: page required: false schema: default: 1 minimum: 1 type: integer - description: Number of Attack discoveries to return per page (used for pagination). Defaults to 10. example: 10 in: query name: per_page required: false schema: default: 10 minimum: 1 type: integer - description: Free-text search query applied to relevant text fields of Attack discoveries (title, description, tags, etc.) example: '' in: query name: search required: false schema: type: string - description: Whether to filter by shared visibility. If omitted, both shared and privately visible Attack discoveries are returned. Use `true` to return only shared discoveries, `false` to return only those visible to the current user. in: query name: shared required: false schema: type: boolean - description: Whether to filter by scheduled or ad-hoc attack discoveries. If omitted, both types of attack discoveries are returned. Use `true` to return only scheduled discoveries or `false` to return only ad-hoc discoveries. in: query name: scheduled required: false schema: type: boolean - description: Field used to sort results. See `AttackDiscoveryFindSortField` for allowed values. example: '@timestamp' in: query name: sort_field required: false schema: $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryFindSortField' default: '@timestamp' - description: Sort order direction `asc` for ascending or `desc` for descending. Defaults to `desc`. example: desc in: query name: sort_order required: false schema: $ref: '#/components/schemas/Security_Attack_discovery_API_SortOrder' default: desc - description: Start of the time range for the search. Accepts absolute timestamps (ISO 8601) or relative date math (e.g. "now-7d"). example: now-24h in: query name: start required: false schema: type: string - description: Filter by alert workflow status. Provide one or more of the allowed workflow states. example: - open - acknowledged in: query name: status required: false schema: items: enum: - acknowledged - closed - open type: string type: array - description: When true, return the created Attack discoveries with text replacements applied to the detailsMarkdown, entitySummaryMarkdown, summaryMarkdown, and title fields. Defaults to `true`. example: true in: query name: with_replacements required: false schema: default: true type: boolean responses: '200': content: application/json: example: connector_names: - GPT-5 Chat data: - connector_name: GPT-5 Chat id: c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f title: Suspicious process execution on host-01 page: 1 per_page: 10 total: 1 unique_alert_ids_count: 0 schema: type: object properties: connector_names: description: List of human readable connector names that are present in the matched Attack discoveries. Useful for building client filters or summaries. items: type: string type: array data: description: Array of matched Attack discovery objects. Each item follows the `AttackDiscoveryApiAlert` schema. items: $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiAlert' type: array page: description: Current page number of the paginated result set. type: integer per_page: description: Number of items requested per page. type: integer total: description: Total number of Attack discoveries matching the query (across all pages). type: integer unique_alert_ids: description: List of unique alert IDs aggregated from the matched Attack discoveries. Only present if `include_unique_alert_ids=true` in the request. items: type: string type: array unique_alert_ids_count: description: Number of unique alert IDs across all matched Attack discoveries. Only present if `include_unique_alert_ids=true` in the request. type: integer required: - connector_names - data - page - per_page - total - unique_alert_ids_count description: Indicates a successful call. '400': content: application/json: example: error: Bad Request message: Invalid request payload. status_code: 400 schema: type: object properties: error: description: Error type example: Bad Request type: string message: description: Human-readable error message example: Invalid request payload. type: string status_code: description: HTTP status code example: 400 type: number description: Bad Request response. summary: Find Attack discoveries that match the search criteria tags: - Security Attack discovery API x-code-samples: - label: Example request lang: curl source: | curl \ --request GET 'http://localhost:5601/api/attack_discovery/_find?end=now&include_unique_alert_ids=false&page=1&per_page=10&search=&sort_field=%40timestamp&sort_order=desc&start=now-24h&status=open&status=acknowledged' \ --header "Authorization: $API_KEY" \ --header "Content-Type: application/json" x-metaTags: - content: Kibana name: product_name /api/attack_discovery/_generate: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/attack_discovery/_generate
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Initiates the generation of attack discoveries by analyzing security alerts using AI. Returns an execution UUID that can be used to track the generation progress and retrieve results. Results may also be retrieved via the find endpoint. operationId: PostAttackDiscoveryGenerate requestBody: content: application/json: example: alertsIndexPattern: .alerts-security.alerts-default anonymizationFields: - allowed: true anonymized: true field: host.name - allowed: true anonymized: true field: user.name - allowed: true anonymized: false field: process.name apiConfig: actionTypeId: .gen-ai connectorId: 12345678-1234-1234-1234-123456789012 connectorName: GPT-5 Chat end: now replacements: {} size: 100 start: now-24h subAction: invokeAI schema: $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenerationConfig' required: true responses: '200': content: application/json: example: execution_uuid: edd26039-0990-4d9f-9829-2a1fcacb77b5 schema: type: object properties: execution_uuid: $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' description: The unique identifier for the attack discovery generation process. Use this UUID to track the generation progress and retrieve results via the find endpoint. example: edd26039-0990-4d9f-9829-2a1fcacb77b5 required: - execution_uuid description: Indicates a successful call. '400': content: application/json: example: error: Bad Request message: Invalid request parameters. status_code: 400 schema: type: object properties: error: description: Error type example: Bad Request type: string message: description: Human-readable error message describing what went wrong example: Invalid request parameters. type: string status_code: description: HTTP status code example: 400 type: number required: - status_code - error - message description: Bad Request response. summary: Generate attack discoveries from alerts tags: - Security Attack discovery API x-code-samples: - label: Example request lang: curl source: | curl \ --request POST 'http://localhost:5601/api/attack_discovery/_generate' \ --header "Authorization: $API_KEY" \ --header "Content-Type: application/json" \ --data '{ "alertsIndexPattern": ".alerts-security.alerts-default", "anonymizationFields": [ { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "@timestamp", "allowed": true, "anonymized": false, "namespace": "default", "id": "aKiJW5gB4U27o8XO8oLf" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "Ransomware.feature", "allowed": true, "anonymized": false, "namespace": "default", "id": "saiJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "Ransomware.files.data", "allowed": true, "anonymized": false, "namespace": "default", "id": "sqiJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "Ransomware.files.entropy", "allowed": true, "anonymized": false, "namespace": "default", "id": "s6iJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "Ransomware.files.extension", "allowed": true, "anonymized": false, "namespace": "default", "id": "tKiJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "Ransomware.files.metrics", "allowed": true, "anonymized": false, "namespace": "default", "id": "taiJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "Ransomware.files.operation", "allowed": true, "anonymized": false, "namespace": "default", "id": "tqiJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "Ransomware.files.path", "allowed": true, "anonymized": false, "namespace": "default", "id": "t6iJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "Ransomware.files.score", "allowed": true, "anonymized": false, "namespace": "default", "id": "uKiJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "Ransomware.version", "allowed": true, "anonymized": false, "namespace": "default", "id": "uaiJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "_id", "allowed": true, "anonymized": false, "namespace": "default", "id": "Z6iJW5gB4U27o8XO8oLf" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "agent.id", "allowed": true, "anonymized": false, "namespace": "default", "id": "aaiJW5gB4U27o8XO8oLf" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "cloud.availability_zone", "allowed": true, "anonymized": false, "namespace": "default", "id": "aqiJW5gB4U27o8XO8oLf" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "cloud.provider", "allowed": true, "anonymized": false, "namespace": "default", "id": "a6iJW5gB4U27o8XO8oLf" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "cloud.region", "allowed": true, "anonymized": false, "namespace": "default", "id": "bKiJW5gB4U27o8XO8oLf" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "destination.ip", "allowed": true, "anonymized": false, "namespace": "default", "id": "baiJW5gB4U27o8XO8oLf" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "dns.question.name", "allowed": true, "anonymized": false, "namespace": "default", "id": "bqiJW5gB4U27o8XO8oLf" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "dns.question.type", "allowed": true, "anonymized": false, "namespace": "default", "id": "b6iJW5gB4U27o8XO8oLf" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "event.category", "allowed": true, "anonymized": false, "namespace": "default", "id": "cKiJW5gB4U27o8XO8oLf" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "event.dataset", "allowed": true, "anonymized": false, "namespace": "default", "id": "caiJW5gB4U27o8XO8oLf" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "event.module", "allowed": true, "anonymized": false, "namespace": "default", "id": "cqiJW5gB4U27o8XO8oLf" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "event.outcome", "allowed": true, "anonymized": false, "namespace": "default", "id": "c6iJW5gB4U27o8XO8oLf" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "file.Ext.original.path", "allowed": true, "anonymized": false, "namespace": "default", "id": "dKiJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "file.hash.sha256", "allowed": true, "anonymized": false, "namespace": "default", "id": "daiJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "file.name", "allowed": true, "anonymized": false, "namespace": "default", "id": "dqiJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "file.path", "allowed": true, "anonymized": false, "namespace": "default", "id": "d6iJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "group.id", "allowed": true, "anonymized": false, "namespace": "default", "id": "eKiJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "group.name", "allowed": true, "anonymized": false, "namespace": "default", "id": "eaiJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "host.asset.criticality", "allowed": true, "anonymized": false, "namespace": "default", "id": "eqiJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "host.name", "allowed": true, "anonymized": true, "namespace": "default", "id": "e6iJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "host.os.name", "allowed": true, "anonymized": false, "namespace": "default", "id": "fKiJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "host.os.version", "allowed": true, "anonymized": false, "namespace": "default", "id": "faiJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "host.risk.calculated_level", "allowed": true, "anonymized": false, "namespace": "default", "id": "fqiJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "host.risk.calculated_score_norm", "allowed": true, "anonymized": false, "namespace": "default", "id": "f6iJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "kibana.alert.original_time", "allowed": true, "anonymized": false, "namespace": "default", "id": "gKiJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "kibana.alert.risk_score", "allowed": true, "anonymized": false, "namespace": "default", "id": "gaiJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "kibana.alert.rule.description", "allowed": true, "anonymized": false, "namespace": "default", "id": "gqiJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "kibana.alert.rule.name", "allowed": true, "anonymized": false, "namespace": "default", "id": "g6iJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "kibana.alert.rule.references", "allowed": true, "anonymized": false, "namespace": "default", "id": "hKiJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "kibana.alert.rule.threat.framework", "allowed": true, "anonymized": false, "namespace": "default", "id": "haiJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "kibana.alert.rule.threat.tactic.id", "allowed": true, "anonymized": false, "namespace": "default", "id": "hqiJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "kibana.alert.rule.threat.tactic.name", "allowed": true, "anonymized": false, "namespace": "default", "id": "h6iJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "kibana.alert.rule.threat.tactic.reference", "allowed": true, "anonymized": false, "namespace": "default", "id": "iKiJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "kibana.alert.rule.threat.technique.id", "allowed": true, "anonymized": false, "namespace": "default", "id": "iaiJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "kibana.alert.rule.threat.technique.name", "allowed": true, "anonymized": false, "namespace": "default", "id": "iqiJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "kibana.alert.rule.threat.technique.reference", "allowed": true, "anonymized": false, "namespace": "default", "id": "i6iJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "kibana.alert.rule.threat.technique.subtechnique.id", "allowed": true, "anonymized": false, "namespace": "default", "id": "jKiJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "kibana.alert.rule.threat.technique.subtechnique.name", "allowed": true, "anonymized": false, "namespace": "default", "id": "jaiJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "kibana.alert.rule.threat.technique.subtechnique.reference", "allowed": true, "anonymized": false, "namespace": "default", "id": "jqiJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "kibana.alert.severity", "allowed": true, "anonymized": false, "namespace": "default", "id": "j6iJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "kibana.alert.workflow_status", "allowed": true, "anonymized": false, "namespace": "default", "id": "kKiJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "message", "allowed": true, "anonymized": false, "namespace": "default", "id": "kaiJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "network.protocol", "allowed": true, "anonymized": false, "namespace": "default", "id": "kqiJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "process.Ext.memory_region.bytes_compressed_present", "allowed": true, "anonymized": false, "namespace": "default", "id": "nKiJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "process.Ext.memory_region.malware_signature.all_names", "allowed": true, "anonymized": false, "namespace": "default", "id": "naiJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "process.Ext.memory_region.malware_signature.primary.matches", "allowed": true, "anonymized": false, "namespace": "default", "id": "nqiJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "process.Ext.memory_region.malware_signature.primary.signature.name", "allowed": true, "anonymized": false, "namespace": "default", "id": "n6iJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "process.Ext.token.integrity_level_name", "allowed": true, "anonymized": false, "namespace": "default", "id": "oKiJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "process.args", "allowed": true, "anonymized": false, "namespace": "default", "id": "k6iJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "process.code_signature.exists", "allowed": true, "anonymized": false, "namespace": "default", "id": "lKiJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "process.code_signature.signing_id", "allowed": true, "anonymized": false, "namespace": "default", "id": "laiJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "process.code_signature.status", "allowed": true, "anonymized": false, "namespace": "default", "id": "lqiJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "process.code_signature.subject_name", "allowed": true, "anonymized": false, "namespace": "default", "id": "l6iJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "process.code_signature.trusted", "allowed": true, "anonymized": false, "namespace": "default", "id": "mKiJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "process.command_line", "allowed": true, "anonymized": false, "namespace": "default", "id": "maiJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "process.executable", "allowed": true, "anonymized": false, "namespace": "default", "id": "mqiJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "process.exit_code", "allowed": true, "anonymized": false, "namespace": "default", "id": "m6iJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "process.hash.md5", "allowed": true, "anonymized": false, "namespace": "default", "id": "oaiJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "process.hash.sha1", "allowed": true, "anonymized": false, "namespace": "default", "id": "oqiJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "process.hash.sha256", "allowed": true, "anonymized": false, "namespace": "default", "id": "o6iJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "process.name", "allowed": true, "anonymized": false, "namespace": "default", "id": "pKiJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "process.parent.args", "allowed": true, "anonymized": false, "namespace": "default", "id": "paiJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "process.parent.args_count", "allowed": true, "anonymized": false, "namespace": "default", "id": "pqiJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "process.parent.code_signature.exists", "allowed": true, "anonymized": false, "namespace": "default", "id": "p6iJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "process.parent.code_signature.status", "allowed": true, "anonymized": false, "namespace": "default", "id": "qKiJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "process.parent.code_signature.subject_name", "allowed": true, "anonymized": false, "namespace": "default", "id": "qaiJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "process.parent.code_signature.trusted", "allowed": true, "anonymized": false, "namespace": "default", "id": "qqiJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "process.parent.command_line", "allowed": true, "anonymized": false, "namespace": "default", "id": "q6iJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "process.parent.executable", "allowed": true, "anonymized": false, "namespace": "default", "id": "rKiJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "process.parent.name", "allowed": true, "anonymized": false, "namespace": "default", "id": "raiJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "process.pe.original_file_name", "allowed": true, "anonymized": false, "namespace": "default", "id": "rqiJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "process.pid", "allowed": true, "anonymized": false, "namespace": "default", "id": "r6iJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "process.working_directory", "allowed": true, "anonymized": false, "namespace": "default", "id": "sKiJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "rule.name", "allowed": true, "anonymized": false, "namespace": "default", "id": "uqiJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "rule.reference", "allowed": true, "anonymized": false, "namespace": "default", "id": "u6iJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "source.ip", "allowed": true, "anonymized": false, "namespace": "default", "id": "vKiJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "threat.framework", "allowed": true, "anonymized": false, "namespace": "default", "id": "vaiJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "threat.tactic.id", "allowed": true, "anonymized": false, "namespace": "default", "id": "vqiJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "threat.tactic.name", "allowed": true, "anonymized": false, "namespace": "default", "id": "v6iJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "threat.tactic.reference", "allowed": true, "anonymized": false, "namespace": "default", "id": "wKiJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "threat.technique.id", "allowed": true, "anonymized": false, "namespace": "default", "id": "waiJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "threat.technique.name", "allowed": true, "anonymized": false, "namespace": "default", "id": "wqiJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "threat.technique.reference", "allowed": true, "anonymized": false, "namespace": "default", "id": "w6iJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "threat.technique.subtechnique.id", "allowed": true, "anonymized": false, "namespace": "default", "id": "xKiJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "threat.technique.subtechnique.name", "allowed": true, "anonymized": false, "namespace": "default", "id": "xaiJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "threat.technique.subtechnique.reference", "allowed": true, "anonymized": false, "namespace": "default", "id": "xqiJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "user.asset.criticality", "allowed": true, "anonymized": false, "namespace": "default", "id": "x6iJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "user.domain", "allowed": true, "anonymized": false, "namespace": "default", "id": "yKiJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "user.name", "allowed": true, "anonymized": true, "namespace": "default", "id": "yaiJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "user.risk.calculated_level", "allowed": true, "anonymized": false, "namespace": "default", "id": "yqiJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "user.risk.calculated_score_norm", "allowed": true, "anonymized": false, "namespace": "default", "id": "y6iJW5gB4U27o8XO8oLg" }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", "field": "user.target.name", "allowed": true, "anonymized": true, "namespace": "default", "id": "zKiJW5gB4U27o8XO8oLg" } ], "replacements": {}, "size": 100, "subAction": "invokeAI", "apiConfig": { "connectorId": "12345678-1234-1234-1234-123456789012", "actionTypeId": ".gen-ai" }, "connectorName": "GPT-5 Chat", "end": "now", "start": "now-24h" }' x-metaTags: - content: Kibana name: product_name /api/attack_discovery/generations: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/attack_discovery/generations
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get the latest Attack Discovery generations metadata (that are not dismissed) for the current user. This endpoint retrieves generation metadata including execution status and statistics for Attack Discovery generations. operationId: GetAttackDiscoveryGenerations parameters: - description: End of the time range for filtering generations. Accepts absolute timestamps (ISO 8601) or relative date math (e.g. "now", "now-24h"). example: now in: query name: end required: false schema: type: string - description: The maximum number of generations to retrieve example: 50 in: query name: size required: false schema: default: 50 minimum: 1 type: number - description: Start of the time range for filtering generations. Accepts absolute timestamps (ISO 8601) or relative date math (e.g. "now-7d"). example: now-24h in: query name: start required: false schema: type: string responses: '200': content: application/json: example: generations: - alerts_context_count: 75 connector_id: chatGpt5_0ChatAzure discoveries: 3 end: '2025-09-29T06:42:44.810Z' execution_uuid: 46b218d5-535d-4329-be56-d0f6af6986b7 loading_message: AI is analyzing up to 100 alerts in the last 24 hours to generate discoveries. start: '2025-09-29T06:42:08.962Z' status: succeeded schema: type: object properties: generations: description: List of Attack Discovery generations items: $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGeneration' type: array required: - generations description: Indicates a successful call. '400': content: application/json: example: error: Bad Request message: Invalid size parameter. Must be a positive number. status_code: 400 schema: type: object properties: error: description: Error type example: Bad Request type: string message: description: Human-readable error message example: Invalid size parameter. Must be a positive number. type: string status_code: description: HTTP status code example: 400 type: number description: Bad Request response. summary: Get the latest Attack Discovery generations metadata for the current user tags: - Security Attack discovery API x-code-samples: - label: Example request lang: curl source: | curl \ --request GET 'http://localhost:5601/api/attack_discovery/generations?size=50&start=now-24h&end=now' \ --header "Authorization: $API_KEY" \ --header "Content-Type: application/json" x-metaTags: - content: Kibana name: product_name /api/attack_discovery/generations/{execution_uuid}: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/attack_discovery/generations/{execution_uuid}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Returns a specific Attack Discovery generation, including all generated Attack discoveries and associated metadata, including execution status and statistics. operationId: GetAttackDiscoveryGeneration parameters: - description: The unique identifier for the Attack Discovery generation execution. This UUID is returned at the start of an Attack Discovery generation. example: 2e13f386-46cf-4d65-9e2b-68609e132ba5 in: path name: execution_uuid required: true schema: $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' - description: Enables a markdown syntax used to render pivot fields, for example `{{ user.name james }}`. When disabled, the same example would be rendered as `james`. This is primarily used for Attack Discovery views within Kibana. Defaults to `false`. example: false in: query name: enable_field_rendering required: false schema: default: false type: boolean - description: When true, return the created Attack discoveries with text replacements applied to the detailsMarkdown, entitySummaryMarkdown, summaryMarkdown, and title fields. Defaults to `true`. example: true in: query name: with_replacements required: false schema: default: true type: boolean responses: '200': content: application/json: example: data: - id: c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f title: Suspicious process execution on host-01 generation: alerts_context_count: 50 discoveries: 1 end: '2025-09-29T06:42:44.810Z' execution_uuid: 2e13f386-46cf-4d65-9e2b-68609e132ba5 start: '2025-09-29T06:42:08.962Z' status: succeeded schema: type: object properties: data: description: Array of Attack discoveries generated during this execution. items: $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiAlert' type: array generation: $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGeneration' description: Optional metadata about the attack discovery generation process, metadata including execution status and statistics. This metadata may not be available for all generations. required: - data description: Indicates a successful call. '400': content: application/json: example: error: Bad Request message: Invalid request parameters. status_code: 400 schema: type: object properties: error: description: Error type example: Bad Request type: string message: description: Human-readable error message describing what went wrong with the request example: Invalid request parameters. type: string status_code: description: HTTP status code example: 400 type: number required: - status_code - error - message description: Bad Request response. summary: Get a single Attack Discovery generation, including its discoveries and (optional) generation metadata tags: - Security Attack discovery API x-code-samples: - label: Example request lang: curl source: | curl \ --request GET 'http://localhost:5601/api/attack_discovery/generations/2e13f386-46cf-4d65-9e2b-68609e132ba5' \ --header "Authorization: $API_KEY" \ --header "Content-Type: application/json" x-metaTags: - content: Kibana name: product_name /api/attack_discovery/generations/{execution_uuid}/_dismiss: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/attack_discovery/generations/{execution_uuid}/_dismiss
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Dismisses an Attack Discovery generation for the current user, indicating that its status should not be reported in the UI. This sets the generation's status to "dismissed" and affects how the generation appears in subsequent queries. operationId: PostAttackDiscoveryGenerationsDismiss parameters: - description: The unique identifier for the Attack Discovery generation execution. This UUID is returned when an Attack Discovery generation is created and can be found in generation responses. example: 46b218d5-535d-4329-be56-d0f6af6986b7 in: path name: execution_uuid required: true schema: $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' responses: '200': content: application/json: example: alerts_context_count: 75 connector_id: chatGpt5_0ChatAzure discoveries: 3 end: '2025-09-29T06:42:44.810Z' execution_uuid: 46b218d5-535d-4329-be56-d0f6af6986b7 loading_message: AI is analyzing up to 100 alerts in the last 24 hours to generate discoveries. start: '2025-09-29T06:42:08.962Z' status: dismissed schema: type: object properties: alerts_context_count: description: The number of alerts that were sent as context to the LLM for this generation. example: 75 type: number connector_id: description: The unique identifier of the connector used to generate the attack discoveries. example: chatGpt5_0ChatAzure type: string connector_stats: description: Statistical information about the connector's performance for this user, providing insights into usage patterns and success rates. type: object properties: average_successful_duration_nanoseconds: description: The average duration in nanoseconds for successful generations using this connector by the current user. example: 47958500000 type: number successful_generations: description: The total number of Attack discoveries successfully created for this generation example: 2 type: number discoveries: description: The number of attack discoveries that were generated during this execution. example: 3 type: number end: description: The timestamp when the generation process completed, in ISO 8601 format. This field may be absent for generations that haven't finished. example: '2025-09-29T06:42:44.810Z' type: string execution_uuid: description: The unique identifier for this attack discovery generation execution. This UUID can be used to reference this specific generation in other API calls. example: 46b218d5-535d-4329-be56-d0f6af6986b7 type: string loading_message: description: A human-readable message describing the current state or progress of the generation process. Provides context about what the AI is analyzing. example: AI is analyzing up to 100 alerts in the last 24 hours to generate discoveries. type: string reason: description: Additional context or reasoning provided when a generation fails or encounters issues. This field helps diagnose problems with the generation process. example: Connection timeout to AI service type: string start: description: The timestamp when the generation process began, in ISO 8601 format. This marks the beginning of the AI analysis. example: '2025-09-29T06:42:08.962Z' type: string status: description: The current status of the attack discovery generation. After dismissing, this will be set to "dismissed". enum: - canceled - dismissed - failed - started - succeeded example: dismissed type: string required: - connector_id - discoveries - execution_uuid - loading_message - start - status description: Indicates a successful call. '400': content: application/json: example: error: Bad Request message: Invalid request parameters. status_code: 400 schema: type: object properties: error: description: Error type or category example: Bad Request type: string message: description: Human-readable error message describing what went wrong with the request. example: Invalid request parameters. type: string status_code: description: HTTP status code indicating the type of client error example: 400 type: number required: - status_code - error - message description: Bad Request response. summary: Dismiss an Attack Discovery generation tags: - Security Attack discovery API x-code-samples: - label: Example request lang: curl source: | curl \ --request POST 'http://localhost:5601/api/attack_discovery/generations/46b218d5-535d-4329-be56-d0f6af6986b7/_dismiss' \ --header "Authorization: $API_KEY" \ --header "Content-Type: application/json" x-metaTags: - content: Kibana name: product_name /api/attack_discovery/schedules: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/attack_discovery/schedules
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Creates a new Attack Discovery schedule that analyzes security alerts at specified intervals. The schedule defines when and how Attack Discovery analysis should run, including which alerts to analyze, which AI connector to use, and what actions to take when discoveries are found. operationId: CreateAttackDiscoverySchedules requestBody: content: application/json: example: actions: [] enabled: true name: Daily Security Analysis params: alerts_index_pattern: .alerts-security.alerts-default api_config: actionTypeId: bedrock connectorId: my-bedrock-connector name: Claude 3.5 Sonnet end: now size: 100 start: now-24h schedule: interval: 24h schema: $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleCreateProps' description: Attack Discovery schedule configuration including name, parameters, schedule interval, and actions required: true responses: '200': content: application/json: example: actions: [] created_at: '2023-10-31T10:00:00.000Z' created_by: elastic enabled: true id: 12345678-1234-1234-1234-123456789012 name: Daily Security Analysis params: alerts_index_pattern: .alerts-security.alerts-default api_config: actionTypeId: bedrock connectorId: my-bedrock-connector name: Claude 3.5 Sonnet end: now size: 100 start: now-24h schedule: interval: 24h updated_at: '2023-10-31T10:00:00.000Z' updated_by: elastic schema: $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiSchedule' description: The Attack Discovery schedule was successfully created. '400': content: application/json: example: error: Bad Request message: Invalid request parameters. status_code: 400 schema: $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError' description: Bad Request response. summary: Create Attack Discovery schedule tags: - Security Attack discovery API x-code-samples: - label: Create an Attack Discovery schedule lang: curl source: | curl \ --request POST 'http://localhost:5601/api/attack_discovery/schedules' \ --header "Authorization: $API_KEY" \ --header "Content-Type: application/json" \ --data '{ "name": "Daily Security Analysis", "enabled": true, "params": { "alerts_index_pattern": ".alerts-security.alerts-default", "api_config": { "actionTypeId": "bedrock", "connectorId": "my-bedrock-connector", "name": "Claude 3.5 Sonnet" }, "size": 100, "start": "now-24h", "end": "now" }, "schedule": { "interval": "24h" }, "actions": [ { "action_type_id": ".cases", "id": "system-connector-.cases", "params": { "subAction": "run", "subActionParams": { "timeWindow": "7d", "reopenClosedCases": false, "groupingBy": [], "templateId": null } }, "uuid": "12345678-1234-1234-1234-123456789012" } ] }' x-metaTags: - content: Kibana name: product_name /api/attack_discovery/schedules/_find: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/attack_discovery/schedules/_find
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Find Attack Discovery schedules that match the search criteria. Supports pagination and sorting by various fields. operationId: FindAttackDiscoverySchedules parameters: - description: Page number to return (used for pagination). Defaults to 1. example: 1 in: query name: page required: false schema: type: number - description: Number of Attack Discovery schedules to return per page (used for pagination). Defaults to 10. example: 10 in: query name: per_page required: false schema: type: number - description: Field used to sort results. Common fields include 'name', 'created_at', 'updated_at', and 'enabled'. example: name in: query name: sort_field required: false schema: $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' - description: Sort order direction. Use 'asc' for ascending or 'desc' for descending. Defaults to 'asc'. example: asc in: query name: sort_direction required: false schema: enum: - asc - desc type: string responses: '200': content: application/json: example: data: - actions: [] created_at: '2023-10-31T10:00:00.000Z' created_by: elastic enabled: true id: 12345678-1234-1234-1234-123456789012 name: Daily Security Analysis params: alerts_index_pattern: .alerts-security.alerts-default api_config: actionTypeId: bedrock connectorId: my-bedrock-connector name: Claude 3.5 Sonnet end: now size: 100 start: now-24h schedule: interval: 24h updated_at: '2023-10-31T10:00:00.000Z' updated_by: elastic page: 1 per_page: 10 total: 1 schema: type: object properties: data: description: Array of matched Attack Discovery schedule objects. items: $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiSchedule' type: array page: description: Current page number of the paginated result set. type: number per_page: description: Number of items requested per page. type: number total: description: Total number of Attack Discovery schedules matching the query (across all pages). type: number required: - page - per_page - total - data description: Indicates a successful call. '400': content: application/json: example: error: Bad Request message: Invalid request payload. status_code: 400 schema: type: object properties: error: description: Error type example: Bad Request type: string message: description: Human-readable error message example: Invalid request payload. type: string status_code: description: HTTP status code example: 400 type: number description: Bad Request response. summary: Find Attack Discovery schedules that match the search criteria tags: - Security Attack discovery API x-code-samples: - label: Example request lang: curl source: | curl \ --request GET 'http://localhost:5601/api/attack_discovery/schedules/_find' \ --header "Authorization: $API_KEY" \ --header "Content-Type: application/json" x-metaTags: - content: Kibana name: product_name /api/attack_discovery/schedules/{id}: delete: description: |- **Spaces method and path for this operation:**
delete /s/{space_id}/api/attack_discovery/schedules/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Permanently deletes an Attack Discovery schedule and all associated configuration. operationId: DeleteAttackDiscoverySchedules parameters: - description: The unique identifier (UUID) of the Attack Discovery schedule to delete. This ID is returned when creating a schedule and can be found in schedule listings. example: 12345678-1234-1234-1234-123456789012 in: path name: id required: true schema: $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' responses: '200': content: application/json: example: id: 12345678-1234-1234-1234-123456789012 schema: type: object properties: id: $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' description: The unique identifier of the deleted Attack Discovery schedule required: - id description: Successfully deleted Attack Discovery schedule, returning the ID of the deleted schedule for confirmation '400': content: application/json: example: error: Bad Request message: Invalid request parameters. status_code: 400 schema: $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError' description: Bad Request response. summary: Delete Attack Discovery schedule tags: - Security Attack discovery API x-code-samples: - label: Delete an Attack Discovery schedule lang: curl source: | curl \ --request DELETE 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012' \ --header "Authorization: $API_KEY" \ --header "Content-Type: application/json" x-metaTags: - content: Kibana name: product_name get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/attack_discovery/schedules/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Retrieves a specific Attack Discovery schedule by its unique identifier. Returns complete schedule configuration including parameters, interval settings, associated actions, and execution history. operationId: GetAttackDiscoverySchedules parameters: - description: The unique identifier (UUID) of the Attack Discovery schedule to retrieve. This ID is returned when creating a schedule and can be found in schedule listings. example: 12345678-1234-1234-1234-123456789012 in: path name: id required: true schema: $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' responses: '200': content: application/json: example: actions: [] created_at: '2023-10-31T10:00:00.000Z' created_by: elastic enabled: true id: 12345678-1234-1234-1234-123456789012 last_execution: date: '2023-10-31T10:00:00.000Z' last_duration: 45.2 status: ok name: Daily Security Analysis params: alerts_index_pattern: .alerts-security.alerts-default api_config: actionTypeId: bedrock connectorId: my-bedrock-connector name: Claude 3.5 Sonnet end: now size: 100 start: now-24h schedule: interval: 24h updated_at: '2023-10-31T10:00:00.000Z' updated_by: elastic schema: $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiSchedule' description: Successfully retrieved Attack Discovery schedule with complete configuration and metadata '400': content: application/json: example: error: Bad Request message: Invalid request parameters. status_code: 400 schema: $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError' description: Bad Request response. summary: Get Attack Discovery schedule by ID tags: - Security Attack discovery API x-code-samples: - label: Get an Attack Discovery schedule by ID lang: curl source: | curl \ --request GET 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012' \ --header "Authorization: $API_KEY" \ --header "Content-Type: application/json" x-metaTags: - content: Kibana name: product_name put: description: |- **Spaces method and path for this operation:**
put /s/{space_id}/api/attack_discovery/schedules/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Updates an existing Attack Discovery schedule with new configuration. All schedule properties can be modified including name, parameters, interval, and actions. The update operation replaces the entire schedule configuration with the provided values. operationId: UpdateAttackDiscoverySchedules parameters: - description: The unique identifier (UUID) of the Attack Discovery schedule to update. This ID is returned when creating a schedule and can be found in schedule listings. example: 12345678-1234-1234-1234-123456789012 in: path name: id required: true schema: $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' requestBody: content: application/json: example: actions: [] name: Updated Daily Security Analysis params: alerts_index_pattern: .alerts-security.alerts-default api_config: actionTypeId: bedrock connectorId: my-bedrock-connector name: Claude 3.5 Sonnet end: now size: 200 start: now-48h schedule: interval: 12h schema: $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleUpdateProps' description: Updated Attack Discovery schedule configuration. All fields are required as this replaces the entire schedule configuration. required: true responses: '200': content: application/json: example: actions: [] created_at: '2023-10-31T10:00:00.000Z' created_by: elastic enabled: true id: 12345678-1234-1234-1234-123456789012 name: Updated Daily Security Analysis params: alerts_index_pattern: .alerts-security.alerts-default api_config: actionTypeId: bedrock connectorId: my-bedrock-connector name: Claude 3.5 Sonnet end: now size: 200 start: now-48h schedule: interval: 12h updated_at: '2023-10-31T12:00:00.000Z' updated_by: elastic schema: $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiSchedule' description: Successfully updated Attack Discovery schedule with the new configuration and metadata '400': content: application/json: example: error: Bad Request message: Invalid request parameters. status_code: 400 schema: $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError' description: Bad Request response. summary: Update Attack Discovery schedule tags: - Security Attack discovery API x-code-samples: - label: Update an Attack Discovery schedule lang: curl source: | curl \ --request PUT 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012' \ --header "Authorization: $API_KEY" \ --header "Content-Type: application/json" \ --data '{ "name": "Updated Daily Security Analysis", "params": { "alerts_index_pattern": ".alerts-security.alerts-default", "api_config": { "actionTypeId": "bedrock", "connectorId": "my-bedrock-connector", "name": "Claude 3.5 Sonnet" }, "size": 200, "start": "now-48h", "end": "now" }, "schedule": { "interval": "12h" }, "actions": [] }' x-metaTags: - content: Kibana name: product_name /api/attack_discovery/schedules/{id}/_disable: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/attack_discovery/schedules/{id}/_disable
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Disables an Attack Discovery schedule, preventing it from running according to its configured interval. The schedule configuration is preserved and can be re-enabled later. Any currently running executions will complete, but no new executions will be started. operationId: DisableAttackDiscoverySchedules parameters: - description: The unique identifier (UUID) of the Attack Discovery schedule to disable. This ID is returned when creating a schedule and can be found in schedule listings. example: 12345678-1234-1234-1234-123456789012 in: path name: id required: true schema: $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' responses: '200': content: application/json: example: id: 12345678-1234-1234-1234-123456789012 schema: type: object properties: id: $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' description: The unique identifier of the disabled Attack Discovery schedule required: - id description: Successfully disabled Attack Discovery schedule, returning the schedule ID for confirmation '400': content: application/json: example: error: Bad Request message: Invalid request parameters. status_code: 400 schema: $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError' description: Bad Request response. summary: Disable Attack Discovery schedule tags: - Security Attack discovery API x-code-samples: - label: Disable an Attack Discovery schedule lang: curl source: | curl \ --request POST 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012/_disable' \ --header "Authorization: $API_KEY" \ --header "Content-Type: application/json" x-metaTags: - content: Kibana name: product_name /api/attack_discovery/schedules/{id}/_enable: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/attack_discovery/schedules/{id}/_enable
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Enables a previously disabled Attack Discovery schedule, allowing it to run according to its configured interval. Once enabled, the schedule will begin executing at the next scheduled time based on its interval configuration. operationId: EnableAttackDiscoverySchedules parameters: - description: The unique identifier (UUID) of the Attack Discovery schedule to enable. This ID is returned when creating a schedule and can be found in schedule listings. example: 12345678-1234-1234-1234-123456789012 in: path name: id required: true schema: $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' responses: '200': content: application/json: example: id: 12345678-1234-1234-1234-123456789012 schema: type: object properties: id: $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' description: The unique identifier of the enabled Attack Discovery schedule required: - id description: Successfully enabled Attack Discovery schedule, returning the schedule ID for confirmation '400': content: application/json: example: error: Bad Request message: Invalid request parameters. status_code: 400 schema: $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError' description: Bad Request response. summary: Enable Attack Discovery schedule tags: - Security Attack discovery API x-code-samples: - label: Enable an Attack Discovery schedule lang: curl source: | curl \ --request POST 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012/_enable' \ --header "Authorization: $API_KEY" \ --header "Content-Type: application/json" x-metaTags: - content: Kibana name: product_name /api/cases: delete: description: | **Spaces method and path for this operation:**
delete /s/{space_id}/api/cases
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. You must have `read` or `all` privileges and the `delete` sub-feature privilege for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases you're deleting. operationId: deleteCaseDefaultSpace parameters: - $ref: '#/components/parameters/Cases_kbn_xsrf' - $ref: '#/components/parameters/Cases_ids' responses: '204': description: Indicates a successful call. '401': content: application/json: examples: response401: $ref: '#/components/examples/Cases_response_401' schema: $ref: '#/components/schemas/Cases_response_4xx' description: Authorization information is missing or invalid. summary: Delete cases tags: - cases x-code-samples: - label: curl lang: curl source: | curl \ --request DELETE 'https://localhost:5601/api/cases?ids=%5B%22030e6e34-6470-4001-864f-b229511ad188%22%2C%22e662ff34-0493-4538-b9d1-6706ced02ff2%22%5D' \ --header "Authorization: $API_KEY" \ --header "Content-Type: application/json" \ --header "kbn-xsrf: true" - label: Console lang: console source: | DELETE kbn:/api/cases?ids=["030e6e34-6470-4001-864f-b229511ad188","e662ff34-0493-4538-b9d1-6706ced02ff2"] x-metaTags: - content: Kibana name: product_name patch: description: | **Spaces method and path for this operation:**
patch /s/{space_id}/api/cases
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. You must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case you're updating. operationId: updateCaseDefaultSpace parameters: - $ref: '#/components/parameters/Cases_kbn_xsrf' requestBody: content: application/json: examples: updateCaseRequest: $ref: '#/components/examples/Cases_update_case_request' schema: $ref: '#/components/schemas/Cases_update_case_request' responses: '200': content: application/json: examples: updateCaseResponse: $ref: '#/components/examples/Cases_update_case_response' schema: items: $ref: '#/components/schemas/Cases_case_response_properties' type: array description: Indicates a successful call. '401': content: application/json: examples: response401: $ref: '#/components/examples/Cases_response_401' schema: $ref: '#/components/schemas/Cases_response_4xx' description: Authorization information is missing or invalid. summary: Update cases tags: - cases x-metaTags: - content: Kibana name: product_name post: description: | **Spaces method and path for this operation:**
post /s/{space_id}/api/cases
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. You must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case you're creating. operationId: createCaseDefaultSpace parameters: - $ref: '#/components/parameters/Cases_kbn_xsrf' requestBody: content: application/json: examples: createCaseRequest: $ref: '#/components/examples/Cases_create_case_request' schema: $ref: '#/components/schemas/Cases_create_case_request' required: true responses: '200': content: application/json: examples: createCaseResponse: $ref: '#/components/examples/Cases_create_case_response' schema: $ref: '#/components/schemas/Cases_case_response_properties' description: Indicates a successful call. '401': content: application/json: examples: response401: $ref: '#/components/examples/Cases_response_401' schema: $ref: '#/components/schemas/Cases_response_4xx' description: Authorization information is missing or invalid. summary: Create a case tags: - cases x-metaTags: - content: Kibana name: product_name /api/cases/_find: get: description: | **Spaces method and path for this operation:**
get /s/{space_id}/api/cases/_find
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. You must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases you're seeking. operationId: findCasesDefaultSpace parameters: - $ref: '#/components/parameters/Cases_assignees_filter' - $ref: '#/components/parameters/Cases_category' - $ref: '#/components/parameters/Cases_defaultSearchOperator' - $ref: '#/components/parameters/Cases_from' - $ref: '#/components/parameters/Cases_owner_filter' - $ref: '#/components/parameters/Cases_page_index' - $ref: '#/components/parameters/Cases_page_size' - $ref: '#/components/parameters/Cases_reporters' - $ref: '#/components/parameters/Cases_search' - $ref: '#/components/parameters/Cases_searchFields' - $ref: '#/components/parameters/Cases_severity' - $ref: '#/components/parameters/Cases_sortField' - $ref: '#/components/parameters/Cases_sort_order' - $ref: '#/components/parameters/Cases_status' - $ref: '#/components/parameters/Cases_tags' - $ref: '#/components/parameters/Cases_to' responses: '200': content: application/json: examples: findCaseResponse: $ref: '#/components/examples/Cases_find_case_response' schema: type: object properties: cases: items: $ref: '#/components/schemas/Cases_case_response_properties' maxItems: 10000 type: array count_closed_cases: type: integer count_in_progress_cases: type: integer count_open_cases: type: integer page: type: integer per_page: type: integer total: type: integer description: Indicates a successful call. '401': content: application/json: examples: response401: $ref: '#/components/examples/Cases_response_401' schema: $ref: '#/components/schemas/Cases_response_4xx' description: Authorization information is missing or invalid. summary: Search cases tags: - cases x-metaTags: - content: Kibana name: product_name /api/cases/{caseId}: get: description: | **Spaces method and path for this operation:**
get /s/{space_id}/api/cases/{caseId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Returns case details. The response does not include a comments property; use the find case comments API to retrieve comments. The totalComment field reflects the actual number of user comments on the case. You must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case you're seeking. operationId: getCaseDefaultSpace parameters: - $ref: '#/components/parameters/Cases_case_id' responses: '200': content: application/json: examples: getDefaultCaseResponse: $ref: '#/components/examples/Cases_get_case_response' getDefaultObservabilityCaseResponse: $ref: '#/components/examples/Cases_get_case_observability_response' schema: $ref: '#/components/schemas/Cases_case_response_get_case' description: Indicates a successful call. '401': content: application/json: examples: response401: $ref: '#/components/examples/Cases_response_401' schema: $ref: '#/components/schemas/Cases_response_4xx' description: Authorization information is missing or invalid. summary: Get case information tags: - cases x-metaTags: - content: Kibana name: product_name /api/cases/{caseId}/alerts: get: description: | **Spaces method and path for this operation:**
get /s/{space_id}/api/cases/{caseId}/alerts
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. You must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases you're seeking. operationId: getCaseAlertsDefaultSpace parameters: - $ref: '#/components/parameters/Cases_case_id' responses: '200': content: application/json: examples: getCaseAlertsResponse: $ref: '#/components/examples/Cases_get_case_alerts_response' schema: items: $ref: '#/components/schemas/Cases_alert_response_properties' type: array description: Indicates a successful call. '401': content: application/json: examples: response401: $ref: '#/components/examples/Cases_response_401' schema: $ref: '#/components/schemas/Cases_response_4xx' description: Authorization information is missing or invalid. summary: Get all alerts for a case tags: - cases x-state: Technical preview x-metaTags: - content: Kibana name: product_name /api/cases/{caseId}/comments: delete: description: | **Spaces method and path for this operation:**
delete /s/{space_id}/api/cases/{caseId}/comments
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Deletes all comments and alerts from a case. You must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases you're deleting. operationId: deleteCaseCommentsDefaultSpace parameters: - $ref: '#/components/parameters/Cases_kbn_xsrf' - $ref: '#/components/parameters/Cases_case_id' responses: '204': description: Indicates a successful call. '401': content: application/json: examples: response401: $ref: '#/components/examples/Cases_response_401' schema: $ref: '#/components/schemas/Cases_response_4xx' description: Authorization information is missing or invalid. summary: Delete all case comments and alerts tags: - cases x-codeSamples: - label: curl lang: curl source: | curl \ --request DELETE 'https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments' \ --header "Authorization: $API_KEY" \ --header "kbn-xsrf: true" - label: Console lang: console source: | DELETE kbn:/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments x-metaTags: - content: Kibana name: product_name patch: description: | **Spaces method and path for this operation:**
patch /s/{space_id}/api/cases/{caseId}/comments
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. You must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case you're updating. NOTE: You cannot change the comment type or the owner of a comment. operationId: updateCaseCommentDefaultSpace parameters: - $ref: '#/components/parameters/Cases_kbn_xsrf' - $ref: '#/components/parameters/Cases_case_id' requestBody: content: application/json: examples: updateCaseCommentRequest: $ref: '#/components/examples/Cases_update_comment_request' schema: $ref: '#/components/schemas/Cases_update_case_comment_request' required: true responses: '200': content: application/json: examples: updateCaseCommentResponse: $ref: '#/components/examples/Cases_update_comment_response' schema: $ref: '#/components/schemas/Cases_case_response_properties' description: Indicates a successful call. '401': content: application/json: examples: response401: $ref: '#/components/examples/Cases_response_401' schema: $ref: '#/components/schemas/Cases_response_4xx' description: Authorization information is missing or invalid. summary: Update a case comment or alert tags: - cases x-metaTags: - content: Kibana name: product_name post: description: | **Spaces method and path for this operation:**
post /s/{space_id}/api/cases/{caseId}/comments
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. You must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case you're creating. NOTE: Each case can have a maximum of 1,000 alerts. operationId: addCaseCommentDefaultSpace parameters: - $ref: '#/components/parameters/Cases_kbn_xsrf' - $ref: '#/components/parameters/Cases_case_id' requestBody: content: application/json: examples: createCaseCommentRequest: $ref: '#/components/examples/Cases_add_comment_request' schema: $ref: '#/components/schemas/Cases_add_case_comment_request' required: true responses: '200': content: application/json: examples: createCaseCommentResponse: $ref: '#/components/examples/Cases_add_comment_response' schema: $ref: '#/components/schemas/Cases_case_response_properties' description: Indicates a successful call. '401': content: application/json: examples: response401: $ref: '#/components/examples/Cases_response_401' schema: $ref: '#/components/schemas/Cases_response_4xx' description: Authorization information is missing or invalid. summary: Add a case comment or alert tags: - cases x-metaTags: - content: Kibana name: product_name /api/cases/{caseId}/comments/_find: get: description: | **Spaces method and path for this operation:**
get /s/{space_id}/api/cases/{caseId}/comments/_find
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Retrieves a paginated list of comments for a case. You must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases with the comments you're seeking. operationId: findCaseCommentsDefaultSpace parameters: - $ref: '#/components/parameters/Cases_case_id' - $ref: '#/components/parameters/Cases_page_index' - $ref: '#/components/parameters/Cases_page_size' - $ref: '#/components/parameters/Cases_sort_order' responses: '200': content: application/json: examples: findCaseCommentsResponse: $ref: '#/components/examples/Cases_find_case_comments_response' schema: $ref: '#/components/schemas/Cases_find_comments_response' description: Indicates a successful call. '401': content: application/json: examples: response401: $ref: '#/components/examples/Cases_response_401' schema: $ref: '#/components/schemas/Cases_response_4xx' description: Authorization information is missing or invalid. summary: Find case comments tags: - cases x-metaTags: - content: Kibana name: product_name /api/cases/{caseId}/comments/{commentId}: delete: description: | **Spaces method and path for this operation:**
delete /s/{space_id}/api/cases/{caseId}/comments/{commentId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. You must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases you're deleting. operationId: deleteCaseCommentDefaultSpace parameters: - $ref: '#/components/parameters/Cases_kbn_xsrf' - $ref: '#/components/parameters/Cases_case_id' - $ref: '#/components/parameters/Cases_comment_id' responses: '204': description: Indicates a successful call. '401': content: application/json: examples: response401: $ref: '#/components/examples/Cases_response_401' schema: $ref: '#/components/schemas/Cases_response_4xx' description: Authorization information is missing or invalid. summary: Delete a case comment or alert tags: - cases x-codeSamples: - label: curl lang: curl source: | curl \ --request DELETE 'https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments/71ec1870-725b-11ea-a0b2-c51ea50a58e2' \ --header "Authorization: $API_KEY" \ --header "kbn-xsrf: true" - label: Console lang: console source: | DELETE kbn:/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments/71ec1870-725b-11ea-a0b2-c51ea50a58e2 x-metaTags: - content: Kibana name: product_name get: description: | **Spaces method and path for this operation:**
get /s/{space_id}/api/cases/{caseId}/comments/{commentId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. You must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases with the comments you're seeking. operationId: getCaseCommentDefaultSpace parameters: - $ref: '#/components/parameters/Cases_case_id' - $ref: '#/components/parameters/Cases_comment_id' responses: '200': content: application/json: examples: getCaseCommentResponse: $ref: '#/components/examples/Cases_get_comment_response' schema: oneOf: - $ref: '#/components/schemas/Cases_alert_comment_response_properties' - $ref: '#/components/schemas/Cases_user_comment_response_properties' description: Indicates a successful call. '401': content: application/json: examples: response401: $ref: '#/components/examples/Cases_response_401' schema: $ref: '#/components/schemas/Cases_response_4xx' description: Authorization information is missing or invalid. summary: Get a case comment or alert tags: - cases x-metaTags: - content: Kibana name: product_name /api/cases/{caseId}/connector/{connectorId}/_push: post: description: | **Spaces method and path for this operation:**
post /s/{space_id}/api/cases/{caseId}/connector/{connectorId}/_push
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. You must have `all` privileges for the **Actions and Connectors** feature in the **Management** section of the Kibana feature privileges. You must also have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case you're pushing. operationId: pushCaseDefaultSpace parameters: - $ref: '#/components/parameters/Cases_case_id' - $ref: '#/components/parameters/Cases_connector_id' - $ref: '#/components/parameters/Cases_kbn_xsrf' requestBody: content: application/json: examples: pushCaseRequest: summary: Push a case to an external service. No request body is required. value: null schema: nullable: true type: object responses: '200': content: application/json: examples: pushCaseResponse: $ref: '#/components/examples/Cases_push_case_response' schema: $ref: '#/components/schemas/Cases_case_response_properties' description: Indicates a successful call. '401': content: application/json: examples: response401: $ref: '#/components/examples/Cases_response_401' schema: $ref: '#/components/schemas/Cases_response_4xx' description: Authorization information is missing or invalid. summary: Push a case to an external service tags: - cases x-metaTags: - content: Kibana name: product_name /api/cases/{caseId}/files: post: description: | **Spaces method and path for this operation:**
post /s/{space_id}/api/cases/{caseId}/files
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Attach a file to a case. You must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case you're updating. The request must include: - The `Content-Type: multipart/form-data` HTTP header. - The location of the file that is being uploaded. operationId: addCaseFileDefaultSpace parameters: - $ref: '#/components/parameters/Cases_kbn_xsrf' - $ref: '#/components/parameters/Cases_case_id' requestBody: content: multipart/form-data: examples: addCaseFileRequest: summary: Attach a plain text file named "my_attachment". value: filename: my_attachment schema: $ref: '#/components/schemas/Cases_add_case_file_request' required: true responses: '200': content: application/json: examples: addCaseFileResponse: $ref: '#/components/examples/Cases_add_comment_response' schema: $ref: '#/components/schemas/Cases_case_response_properties' description: Indicates a successful call. '401': content: application/json: examples: response401: $ref: '#/components/examples/Cases_response_401' schema: $ref: '#/components/schemas/Cases_response_4xx' description: Authorization information is missing or invalid. summary: Attach a file to a case tags: - cases x-codeSamples: - label: curl lang: curl source: | curl \ --request POST 'https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/files' \ --header "Authorization: $API_KEY" \ --header "kbn-xsrf: true" \ --form "file=@/path/to/my_attachment.txt" \ --form "filename=my_attachment" x-metaTags: - content: Kibana name: product_name /api/cases/{caseId}/user_actions/_find: get: description: | **Spaces method and path for this operation:**
get /s/{space_id}/api/cases/{caseId}/user_actions/_find
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Retrieves a paginated list of user activity for a case. You must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case you're seeking. operationId: findCaseActivityDefaultSpace parameters: - $ref: '#/components/parameters/Cases_case_id' - $ref: '#/components/parameters/Cases_page_index' - $ref: '#/components/parameters/Cases_page_size' - $ref: '#/components/parameters/Cases_sort_order' - $ref: '#/components/parameters/Cases_user_action_types' responses: '200': content: application/json: examples: findCaseActivityResponse: $ref: '#/components/examples/Cases_find_case_activity_response' schema: type: object properties: page: type: integer perPage: type: integer total: type: integer userActions: items: $ref: '#/components/schemas/Cases_user_actions_find_response_properties' maxItems: 10000 type: array description: Indicates a successful call. '401': content: application/json: examples: response401: $ref: '#/components/examples/Cases_response_401' schema: $ref: '#/components/schemas/Cases_response_4xx' description: Authorization information is missing or invalid. summary: Find case activity tags: - cases x-metaTags: - content: Kibana name: product_name /api/cases/alerts/{alertId}: get: description: | **Spaces method and path for this operation:**
get /s/{space_id}/api/cases/alerts/{alertId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. You must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases you're seeking. operationId: getCasesByAlertDefaultSpace parameters: - $ref: '#/components/parameters/Cases_alert_id' - $ref: '#/components/parameters/Cases_owner_filter' responses: '200': content: application/json: examples: getCasesByAlertResponse: summary: Cases associated with a given alert. value: - createdAt: '2020-02-19T23:06:33.798Z' description: Investigating suspicious activity id: 06116b80-e1c3-11ec-be9b-9b1838238ee6 status: open title: security_case totals: alerts: 1 events: 0 userComments: 0 schema: items: $ref: '#/components/schemas/Cases_related_case' maxItems: 10000 type: array description: Indicates a successful call. '401': content: application/json: examples: response401: $ref: '#/components/examples/Cases_response_401' schema: $ref: '#/components/schemas/Cases_response_4xx' description: Authorization information is missing or invalid. summary: Get cases for an alert tags: - cases x-state: Technical preview x-metaTags: - content: Kibana name: product_name /api/cases/configure: get: description: | **Spaces method and path for this operation:**
get /s/{space_id}/api/cases/configure
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get setting details such as the closure type, custom fields, templates, and the default connector for cases. You must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on where the cases were created. operationId: getCaseConfigurationDefaultSpace parameters: - $ref: '#/components/parameters/Cases_owner_filter' responses: '200': content: application/json: examples: getConfigurationResponse: $ref: '#/components/examples/Cases_get_case_configuration_response' schema: items: type: object properties: closure_type: $ref: '#/components/schemas/Cases_closure_types' connector: type: object properties: fields: description: The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to `null`. nullable: true type: object id: description: The identifier for the connector. If you do not want a default connector, use `none`. To retrieve connector IDs, use the find connectors API. example: none type: string name: description: The name of the connector. If you do not want a default connector, use `none`. To retrieve connector names, use the find connectors API. example: none type: string type: $ref: '#/components/schemas/Cases_connector_types' created_at: example: '2022-06-01T17:07:17.767Z' format: date-time type: string created_by: type: object properties: email: example: null nullable: true type: string full_name: example: null nullable: true type: string profile_uid: example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 type: string username: example: elastic nullable: true type: string required: - email - full_name - username customFields: description: Custom fields configuration details. items: type: object properties: defaultValue: description: | A default value for the custom field. If the `type` is `text`, the default value must be a string. If the `type` is `toggle`, the default value must be boolean. oneOf: - type: string - type: boolean key: description: | A unique key for the custom field. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific custom field. maxLength: 36 minLength: 1 type: string label: description: The custom field label that is displayed in the case. maxLength: 50 minLength: 1 type: string type: description: The type of the custom field. enum: - text - toggle type: string required: description: | Indicates whether the field is required. If `false`, the custom field can be set to null or omitted when a case is created or updated. type: boolean type: array error: example: null nullable: true type: string id: example: 4a97a440-e1cd-11ec-be9b-9b1838238ee6 type: string mappings: items: type: object properties: action_type: example: overwrite type: string source: example: title type: string target: example: summary type: string type: array observableTypes: description: Custom observable type configuration details. items: type: object properties: key: description: The observable type key. example: d312efda-ec2b-42ec-9e2c-84981795c581 type: string label: description: The observable type label. example: My observable type type: string type: array owner: $ref: '#/components/schemas/Cases_owner' templates: $ref: '#/components/schemas/Cases_templates' updated_at: example: '2022-06-01T19:58:48.169Z' format: date-time nullable: true type: string updated_by: nullable: true type: object properties: email: example: null nullable: true type: string full_name: example: null nullable: true type: string profile_uid: example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 type: string username: example: elastic nullable: true type: string required: - email - full_name - username version: example: WzIwNzMsMV0= type: string type: array description: Indicates a successful call. '401': content: application/json: examples: response401: $ref: '#/components/examples/Cases_response_401' schema: $ref: '#/components/schemas/Cases_response_4xx' description: Authorization information is missing or invalid. summary: Get case settings tags: - cases x-metaTags: - content: Kibana name: product_name post: description: | **Spaces method and path for this operation:**
post /s/{space_id}/api/cases/configure
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Case settings include external connection details, custom fields, and templates. Connectors are used to interface with external systems. You must create a connector before you can use it in your cases. If you set a default connector, it is automatically selected when you create cases in Kibana. If you use the create case API, however, you must still specify all of the connector details. You must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on where you are creating cases. operationId: setCaseConfigurationDefaultSpace parameters: - $ref: '#/components/parameters/Cases_kbn_xsrf' requestBody: content: application/json: examples: setCaseConfigRequest: $ref: '#/components/examples/Cases_set_case_configuration_request' schema: $ref: '#/components/schemas/Cases_set_case_configuration_request' responses: '200': content: application/json: examples: setCaseConfigResponse: $ref: '#/components/examples/Cases_set_case_configuration_response' schema: type: object properties: closure_type: $ref: '#/components/schemas/Cases_closure_types' connector: type: object properties: fields: description: The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to `null`. nullable: true type: object id: description: The identifier for the connector. If you do not want a default connector, use `none`. To retrieve connector IDs, use the find connectors API. example: none type: string name: description: The name of the connector. If you do not want a default connector, use `none`. To retrieve connector names, use the find connectors API. example: none type: string type: $ref: '#/components/schemas/Cases_connector_types' created_at: example: '2022-06-01T17:07:17.767Z' format: date-time type: string created_by: type: object properties: email: example: null nullable: true type: string full_name: example: null nullable: true type: string profile_uid: example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 type: string username: example: elastic nullable: true type: string required: - email - full_name - username customFields: description: Custom fields configuration details. items: type: object properties: defaultValue: description: | A default value for the custom field. If the `type` is `text`, the default value must be a string. If the `type` is `toggle`, the default value must be boolean. oneOf: - type: string - type: boolean key: description: | A unique key for the custom field. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific custom field. maxLength: 36 minLength: 1 type: string label: description: The custom field label that is displayed in the case. maxLength: 50 minLength: 1 type: string type: description: The type of the custom field. enum: - text - toggle type: string required: description: | Indicates whether the field is required. If `false`, the custom field can be set to null or omitted when a case is created or updated. type: boolean type: array error: example: null nullable: true type: string id: example: 4a97a440-e1cd-11ec-be9b-9b1838238ee6 type: string mappings: items: type: object properties: action_type: example: overwrite type: string source: example: title type: string target: example: summary type: string type: array observableTypes: description: Custom observable type configuration details. items: type: object properties: key: description: The observable type key. example: d312efda-ec2b-42ec-9e2c-84981795c581 type: string label: description: The observable type label. example: My observable type type: string type: array owner: $ref: '#/components/schemas/Cases_owner' templates: $ref: '#/components/schemas/Cases_templates' updated_at: example: '2022-06-01T19:58:48.169Z' format: date-time nullable: true type: string updated_by: nullable: true type: object properties: email: example: null nullable: true type: string full_name: example: null nullable: true type: string profile_uid: example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 type: string username: example: elastic nullable: true type: string required: - email - full_name - username version: example: WzIwNzMsMV0= type: string description: Indicates a successful call. '401': content: application/json: examples: response401: $ref: '#/components/examples/Cases_response_401' schema: $ref: '#/components/schemas/Cases_response_4xx' description: Authorization information is missing or invalid. summary: Add case settings tags: - cases x-metaTags: - content: Kibana name: product_name /api/cases/configure/{configurationId}: patch: description: | **Spaces method and path for this operation:**
patch /s/{space_id}/api/cases/configure/{configurationId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Updates setting details such as the closure type, custom fields, templates, and the default connector for cases. Connectors are used to interface with external systems. You must create a connector before you can use it in your cases. You must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on where the case was created. operationId: updateCaseConfigurationDefaultSpace parameters: - $ref: '#/components/parameters/Cases_kbn_xsrf' - $ref: '#/components/parameters/Cases_configuration_id' requestBody: content: application/json: examples: updateCaseConfigurationRequest: $ref: '#/components/examples/Cases_update_case_configuration_request' schema: $ref: '#/components/schemas/Cases_update_case_configuration_request' responses: '200': content: application/json: examples: updateCaseConfigurationResponse: $ref: '#/components/examples/Cases_update_case_configuration_response' schema: type: object properties: closure_type: $ref: '#/components/schemas/Cases_closure_types' connector: type: object properties: fields: description: The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to `null`. nullable: true type: object id: description: The identifier for the connector. If you do not want a default connector, use `none`. To retrieve connector IDs, use the find connectors API. example: none type: string name: description: The name of the connector. If you do not want a default connector, use `none`. To retrieve connector names, use the find connectors API. example: none type: string type: $ref: '#/components/schemas/Cases_connector_types' created_at: example: '2022-06-01T17:07:17.767Z' format: date-time type: string created_by: type: object properties: email: example: null nullable: true type: string full_name: example: null nullable: true type: string profile_uid: example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 type: string username: example: elastic nullable: true type: string required: - email - full_name - username customFields: description: Custom fields configuration details. items: type: object properties: defaultValue: description: | A default value for the custom field. If the `type` is `text`, the default value must be a string. If the `type` is `toggle`, the default value must be boolean. oneOf: - type: string - type: boolean key: description: | A unique key for the custom field. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific custom field. maxLength: 36 minLength: 1 type: string label: description: The custom field label that is displayed in the case. maxLength: 50 minLength: 1 type: string type: description: The type of the custom field. enum: - text - toggle type: string required: description: | Indicates whether the field is required. If `false`, the custom field can be set to null or omitted when a case is created or updated. type: boolean type: array error: example: null nullable: true type: string id: example: 4a97a440-e1cd-11ec-be9b-9b1838238ee6 type: string mappings: items: type: object properties: action_type: example: overwrite type: string source: example: title type: string target: example: summary type: string type: array observableTypes: description: Custom observable type configuration details. items: type: object properties: key: description: The observable type key. example: d312efda-ec2b-42ec-9e2c-84981795c581 type: string label: description: The observable type label. example: My observable type type: string type: array owner: $ref: '#/components/schemas/Cases_owner' templates: $ref: '#/components/schemas/Cases_templates' updated_at: example: '2022-06-01T19:58:48.169Z' format: date-time nullable: true type: string updated_by: nullable: true type: object properties: email: example: null nullable: true type: string full_name: example: null nullable: true type: string profile_uid: example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 type: string username: example: elastic nullable: true type: string required: - email - full_name - username version: example: WzIwNzMsMV0= type: string description: Indicates a successful call. '401': content: application/json: examples: response401: $ref: '#/components/examples/Cases_response_401' schema: $ref: '#/components/schemas/Cases_response_4xx' description: Authorization information is missing or invalid. summary: Update case settings tags: - cases x-metaTags: - content: Kibana name: product_name /api/cases/configure/connectors/_find: get: description: | **Spaces method and path for this operation:**
get /s/{space_id}/api/cases/configure/connectors/_find
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get information about connectors that are supported for use in cases. You must have `read` privileges for the **Actions and Connectors** feature in the **Management** section of the Kibana feature privileges. operationId: findCaseConnectorsDefaultSpace responses: '200': content: application/json: examples: findConnectorResponse: $ref: '#/components/examples/Cases_find_connector_response' schema: items: type: object properties: actionTypeId: $ref: '#/components/schemas/Cases_connector_types' config: additionalProperties: true type: object properties: apiUrl: type: string projectKey: type: string id: type: string isDeprecated: type: boolean isMissingSecrets: type: boolean isPreconfigured: type: boolean name: type: string referencedByCount: type: integer maxItems: 1000 type: array description: Indicates a successful call. '401': content: application/json: examples: response401: $ref: '#/components/examples/Cases_response_401' schema: $ref: '#/components/schemas/Cases_response_4xx' description: Authorization information is missing or invalid. summary: Get case connectors tags: - cases x-metaTags: - content: Kibana name: product_name /api/cases/reporters: get: description: | Returns information about the users who opened cases. You must have read privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases. The API returns information about the users as they existed at the time of the case creation, including their name, full name, and email address. If any of those details change thereafter or if a user is deleted, the information returned by this API is unchanged. operationId: getCaseReportersDefaultSpace parameters: - $ref: '#/components/parameters/Cases_owner_filter' responses: '200': content: application/json: examples: getReportersResponse: $ref: '#/components/examples/Cases_get_reporters_response' schema: items: type: object properties: email: example: null nullable: true type: string full_name: example: null nullable: true type: string profile_uid: example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 type: string username: example: elastic nullable: true type: string required: - email - full_name - username maxItems: 10000 type: array description: Indicates a successful call. '401': content: application/json: examples: response401: $ref: '#/components/examples/Cases_response_401' schema: $ref: '#/components/schemas/Cases_response_4xx' description: Authorization information is missing or invalid. summary: Get case creators tags: - cases x-metaTags: - content: Kibana name: product_name /api/cases/tags: get: description: | **Spaces method and path for this operation:**
get /s/{space_id}/api/cases/tags
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Aggregates and returns a list of case tags. You must have read privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases you're seeking. operationId: getCaseTagsDefaultSpace parameters: - $ref: '#/components/parameters/Cases_owner_filter' responses: '200': content: application/json: examples: getTagsResponse: $ref: '#/components/examples/Cases_get_tags_response' schema: items: type: string maxItems: 10000 type: array description: Indicates a successful call. '401': content: application/json: examples: response401: $ref: '#/components/examples/Cases_response_401' schema: $ref: '#/components/schemas/Cases_response_4xx' description: Authorization information is missing or invalid. summary: Get case tags tags: - cases x-metaTags: - content: Kibana name: product_name /api/dashboards: get: tags: - Dashboards summary: Get dashboards operationId: get-dashboards-redirect description: | > **Technical preview** — The Dashboards API is currently in technical preview and its full reference documentation is temporarily hosted at a separate location. > > **[View the full Dashboards API reference →](https://elastic.github.io/dashboards-api-spec/dashboards#tag/Dashboards)** responses: '200': description: See the full Dashboards API reference for detailed response schemas. post: tags: - Dashboards summary: Create a dashboard operationId: create-dashboard-redirect description: | > **Technical preview** — The Dashboards API is currently in technical preview and its full reference documentation is temporarily hosted at a separate location. > > **[View the full Dashboards API reference →](https://elastic.github.io/dashboards-api-spec/dashboards#tag/Dashboards)** responses: '200': description: See the full Dashboards API reference for detailed response schemas. /api/dashboards/{id}: get: tags: - Dashboards summary: Get a dashboard operationId: get-dashboard-redirect description: | > **Technical preview** — The Dashboards API is currently in technical preview and its full reference documentation is temporarily hosted at a separate location. > > **[View the full Dashboards API reference →](https://elastic.github.io/dashboards-api-spec/dashboards#tag/Dashboards)** responses: '200': description: See the full Dashboards API reference for detailed response schemas. put: tags: - Dashboards summary: Update a dashboard operationId: update-dashboard-redirect description: | > **Technical preview** — The Dashboards API is currently in technical preview and its full reference documentation is temporarily hosted at a separate location. > > **[View the full Dashboards API reference →](https://elastic.github.io/dashboards-api-spec/dashboards#tag/Dashboards)** responses: '200': description: See the full Dashboards API reference for detailed response schemas. delete: tags: - Dashboards summary: Delete a dashboard operationId: delete-dashboard-redirect description: | > **Technical preview** — The Dashboards API is currently in technical preview and its full reference documentation is temporarily hosted at a separate location. > > **[View the full Dashboards API reference →](https://elastic.github.io/dashboards-api-spec/dashboards#tag/Dashboards)** responses: '200': description: See the full Dashboards API reference for detailed response schemas. /api/data_views: get: operationId: getAllDataViewsDefault responses: '200': content: application/json: examples: getAllDataViewsResponse: $ref: '#/components/examples/Data_views_get_data_views_response' schema: type: object properties: data_view: items: type: object properties: id: type: string name: type: string namespaces: items: type: string type: array title: type: string typeMeta: type: object type: array description: Indicates a successful call. '400': content: application/json: schema: $ref: '#/components/schemas/Data_views_400_response' description: Bad request summary: Get all data views tags: - data views x-metaTags: - content: Kibana name: product_name description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/data_views
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. /api/data_views/data_view: post: operationId: createDataViewDefaultw parameters: - $ref: '#/components/parameters/Data_views_kbn_xsrf' requestBody: content: application/json: examples: createDataViewRequest: $ref: '#/components/examples/Data_views_create_data_view_request' schema: $ref: '#/components/schemas/Data_views_create_data_view_request_object' required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Data_views_data_view_response_object' description: Indicates a successful call. '400': content: application/json: schema: $ref: '#/components/schemas/Data_views_400_response' description: Bad request summary: Create a data view tags: - data views x-metaTags: - content: Kibana name: product_name description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/data_views/data_view
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. /api/data_views/data_view/{viewId}: delete: description: | **Spaces method and path for this operation:**
delete /s/{space_id}/api/data_views/data_view/{viewId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. WARNING: When you delete a data view, it cannot be recovered. operationId: deleteDataViewDefault parameters: - $ref: '#/components/parameters/Data_views_kbn_xsrf' - $ref: '#/components/parameters/Data_views_view_id' responses: '204': description: Indicates a successful call. '404': content: application/json: schema: $ref: '#/components/schemas/Data_views_404_response' description: Object is not found. summary: Delete a data view tags: - data views x-metaTags: - content: Kibana name: product_name get: operationId: getDataViewDefault parameters: - $ref: '#/components/parameters/Data_views_view_id' responses: '200': content: application/json: examples: getDataViewResponse: $ref: '#/components/examples/Data_views_get_data_view_response' schema: $ref: '#/components/schemas/Data_views_data_view_response_object' description: Indicates a successful call. '404': content: application/json: schema: $ref: '#/components/schemas/Data_views_404_response' description: Object is not found. summary: Get a data view tags: - data views x-metaTags: - content: Kibana name: product_name description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/data_views/data_view/{viewId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. post: operationId: updateDataViewDefault parameters: - $ref: '#/components/parameters/Data_views_kbn_xsrf' - $ref: '#/components/parameters/Data_views_view_id' requestBody: content: application/json: examples: updateDataViewRequest: $ref: '#/components/examples/Data_views_update_data_view_request' schema: $ref: '#/components/schemas/Data_views_update_data_view_request_object' required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Data_views_data_view_response_object' description: Indicates a successful call. '400': content: application/json: schema: $ref: '#/components/schemas/Data_views_400_response' description: Bad request summary: Update a data view tags: - data views x-metaTags: - content: Kibana name: product_name description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/data_views/data_view/{viewId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. /api/data_views/data_view/{viewId}/fields: post: description: | **Spaces method and path for this operation:**
post /s/{space_id}/api/data_views/data_view/{viewId}/fields
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Update fields presentation metadata such as count, customLabel, customDescription, and format. operationId: updateFieldsMetadataDefault parameters: - $ref: '#/components/parameters/Data_views_kbn_xsrf' - $ref: '#/components/parameters/Data_views_view_id' requestBody: content: application/json: examples: updateFieldsMetadataRequest: $ref: '#/components/examples/Data_views_update_field_metadata_request' schema: type: object properties: fields: description: The field object. type: object required: - fields required: true responses: '200': content: application/json: schema: type: object properties: acknowledged: type: boolean description: Indicates a successful call. '400': content: application/json: schema: $ref: '#/components/schemas/Data_views_400_response' description: Bad request summary: Update data view fields metadata tags: - data views x-metaTags: - content: Kibana name: product_name /api/data_views/data_view/{viewId}/runtime_field: post: operationId: createRuntimeFieldDefault parameters: - $ref: '#/components/parameters/Data_views_kbn_xsrf' - $ref: '#/components/parameters/Data_views_view_id' requestBody: content: application/json: examples: createRuntimeFieldRequest: $ref: '#/components/examples/Data_views_create_runtime_field_request' schema: type: object properties: name: description: | The name for a runtime field. type: string runtimeField: description: | The runtime field definition object. type: object required: - name - runtimeField required: true responses: '200': content: application/json: schema: type: object description: Indicates a successful call. summary: Create a runtime field tags: - data views x-metaTags: - content: Kibana name: product_name description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/data_views/data_view/{viewId}/runtime_field
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. put: operationId: createUpdateRuntimeFieldDefault parameters: - $ref: '#/components/parameters/Data_views_kbn_xsrf' - description: | The ID of the data view fields you want to update. in: path name: viewId required: true schema: type: string requestBody: content: application/json: examples: updateRuntimeFieldRequest: $ref: '#/components/examples/Data_views_create_runtime_field_request' schema: type: object properties: name: description: | The name for a runtime field. type: string runtimeField: description: | The runtime field definition object. type: object required: - name - runtimeField required: true responses: '200': content: application/json: schema: type: object properties: data_view: type: object fields: items: type: object type: array description: Indicates a successful call. '400': content: application/json: schema: $ref: '#/components/schemas/Data_views_400_response' description: Bad request summary: Create or update a runtime field tags: - data views x-metaTags: - content: Kibana name: product_name description: |- **Spaces method and path for this operation:**
put /s/{space_id}/api/data_views/data_view/{viewId}/runtime_field
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. /api/data_views/data_view/{viewId}/runtime_field/{fieldName}: delete: operationId: deleteRuntimeFieldDefault parameters: - $ref: '#/components/parameters/Data_views_field_name' - $ref: '#/components/parameters/Data_views_view_id' responses: '200': description: Indicates a successful call. '404': content: application/json: schema: $ref: '#/components/schemas/Data_views_404_response' description: Object is not found. summary: Delete a runtime field from a data view tags: - data views x-metaTags: - content: Kibana name: product_name description: |- **Spaces method and path for this operation:**
delete /s/{space_id}/api/data_views/data_view/{viewId}/runtime_field/{fieldName}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. get: operationId: getRuntimeFieldDefault parameters: - $ref: '#/components/parameters/Data_views_field_name' - $ref: '#/components/parameters/Data_views_view_id' responses: '200': content: application/json: examples: getRuntimeFieldResponse: $ref: '#/components/examples/Data_views_get_runtime_field_response' schema: type: object properties: data_view: type: object fields: items: type: object type: array description: Indicates a successful call. '404': content: application/json: schema: $ref: '#/components/schemas/Data_views_404_response' description: Object is not found. summary: Get a runtime field tags: - data views x-metaTags: - content: Kibana name: product_name description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/data_views/data_view/{viewId}/runtime_field/{fieldName}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. post: operationId: updateRuntimeFieldDefault parameters: - $ref: '#/components/parameters/Data_views_field_name' - $ref: '#/components/parameters/Data_views_view_id' requestBody: content: application/json: examples: updateRuntimeFieldRequest: $ref: '#/components/examples/Data_views_update_runtime_field_request' schema: type: object properties: runtimeField: description: | The runtime field definition object. You can update following fields: - `type` - `script` type: object required: - runtimeField required: true responses: '200': description: Indicates a successful call. '400': content: application/json: schema: $ref: '#/components/schemas/Data_views_400_response' description: Bad request summary: Update a runtime field tags: - data views x-metaTags: - content: Kibana name: product_name description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/data_views/data_view/{viewId}/runtime_field/{fieldName}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. /api/data_views/default: get: operationId: getDefaultDataViewDefault responses: '200': content: application/json: examples: getDefaultDataViewResponse: $ref: '#/components/examples/Data_views_get_default_data_view_response' schema: type: object properties: data_view_id: type: string description: Indicates a successful call. '400': content: application/json: schema: $ref: '#/components/schemas/Data_views_400_response' description: Bad request summary: Get the default data view tags: - data views x-metaTags: - content: Kibana name: product_name description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/data_views/default
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. post: operationId: setDefaultDatailViewDefault parameters: - $ref: '#/components/parameters/Data_views_kbn_xsrf' requestBody: content: application/json: examples: setDefaultDataViewRequest: $ref: '#/components/examples/Data_views_set_default_data_view_request' schema: type: object properties: data_view_id: description: | The data view identifier. NOTE: The API does not validate whether it is a valid identifier. Use `null` to unset the default data view. nullable: true type: string force: default: false description: Update an existing default data view identifier. type: boolean required: - data_view_id required: true responses: '200': content: application/json: schema: type: object properties: acknowledged: type: boolean description: Indicates a successful call. '400': content: application/json: schema: $ref: '#/components/schemas/Data_views_400_response' description: Bad request summary: Set the default data view tags: - data views x-metaTags: - content: Kibana name: product_name description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/data_views/default
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. /api/data_views/swap_references: post: description: | **Spaces method and path for this operation:**
post /s/{space_id}/api/data_views/swap_references
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Changes saved object references from one data view identifier to another. WARNING: Misuse can break large numbers of saved objects! Practicing with a backup is recommended. operationId: swapDataViewsDefault parameters: - $ref: '#/components/parameters/Data_views_kbn_xsrf' requestBody: content: application/json: examples: swapDataViewRequest: $ref: '#/components/examples/Data_views_swap_data_view_request' schema: $ref: '#/components/schemas/Data_views_swap_data_view_request_object' required: true responses: '200': content: application/json: schema: type: object properties: deleteStatus: type: object properties: deletePerformed: type: boolean remainingRefs: type: integer result: items: type: object properties: id: description: A saved object identifier. type: string type: description: The saved object type. type: string type: array description: Indicates a successful call. summary: Swap saved object references tags: - data views x-metaTags: - content: Kibana name: product_name /api/data_views/swap_references/_preview: post: description: | **Spaces method and path for this operation:**
post /s/{space_id}/api/data_views/swap_references/_preview
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Preview the impact of swapping saved object references from one data view identifier to another. operationId: previewSwapDataViewsDefault parameters: - $ref: '#/components/parameters/Data_views_kbn_xsrf' requestBody: content: application/json: examples: previewSwapDataViewRequest: $ref: '#/components/examples/Data_views_preview_swap_data_view_request' schema: $ref: '#/components/schemas/Data_views_swap_data_view_request_object' required: true responses: '200': content: application/json: schema: type: object properties: result: items: type: object properties: id: description: A saved object identifier. type: string type: description: The saved object type. type: string type: array description: Indicates a successful call. summary: Preview a saved object reference swap tags: - data views x-metaTags: - content: Kibana name: product_name /api/detection_engine/index: delete: operationId: DeleteAlertsIndex responses: '200': content: application/json: schema: type: object properties: acknowledged: type: boolean required: - acknowledged description: Successful response '401': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Not enough permissions response '404': content: application/json: schema: type: string description: Index does not exist response '500': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Internal server error response summary: Delete an alerts index tags: - Security Detections API x-metaTags: - content: Kibana name: product_name description: |- **Spaces method and path for this operation:**
delete /s/{space_id}/api/detection_engine/index
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. get: operationId: ReadAlertsIndex responses: '200': content: application/json: examples: success: value: index_mapping_outdated: false name: .alerts-security.alerts-default schema: type: object properties: index_mapping_outdated: nullable: true type: boolean name: type: string required: - name - index_mapping_outdated description: Successful response '401': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Not enough permissions response '404': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Not found '500': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Internal server error response summary: Reads the alert index name if it exists tags: - Security Detections API x-metaTags: - content: Kibana name: product_name description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/detection_engine/index
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. post: description: | **Spaces method and path for this operation:**
post /s/{space_id}/api/detection_engine/index
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Creates an index for Elastic Security alerts. Calling this API is not required for the detection engine to function properly. You can create rules and alerts without calling this API. operationId: CreateAlertsIndex responses: '200': content: application/json: schema: type: object properties: acknowledged: type: boolean required: - acknowledged description: Successful response '401': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Not enough permissions response '404': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Not found '500': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Internal server error response summary: Create an alerts index tags: - Security Detections API x-metaTags: - content: Kibana name: product_name /api/detection_engine/privileges: get: description: | **Spaces method and path for this operation:**
get /s/{space_id}/api/detection_engine/privileges
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Retrieves whether or not the user is authenticated, and the user's Kibana space and index privileges, which determine if the user can create an index for the Elastic Security alerts generated by detection engine rules. operationId: ReadPrivileges responses: '200': content: application/json: examples: success: value: application: {} cluster: all: true manage: true manage_api_key: true manage_index_templates: true manage_ml: true manage_own_api_key: true manage_pipeline: true manage_security: true manage_transform: true monitor: true monitor_ml: true monitor_transform: true has_all_requested: true has_encryption_key: true index: .alerts-security.alerts-default: all: true create: true create_doc: true create_index: true delete: true delete_index: true index: true maintenance: true manage: true monitor: true read: true view_index_metadata: true write: true is_authenticated: true username: elastic schema: type: object properties: has_encryption_key: type: boolean is_authenticated: type: boolean required: - is_authenticated - has_encryption_key description: Successful response '401': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' description: Unsuccessful authentication response '500': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Internal server error response summary: Returns user privileges for the Kibana space tags: - Security Detections API x-metaTags: - content: Kibana name: product_name /api/detection_engine/rules: delete: description: | **Spaces method and path for this operation:**
delete /s/{space_id}/api/detection_engine/rules
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Delete a detection rule using the `rule_id` or `id` field. The URL query must include one of the following: * `id` - `DELETE /api/detection_engine/rules?id=` * `rule_id`- `DELETE /api/detection_engine/rules?rule_id=` The difference between the `id` and `rule_id` is that the `id` is a unique rule identifier that is randomly generated when a rule is created and cannot be set, whereas `rule_id` is a stable rule identifier that can be assigned during rule creation. operationId: DeleteRule parameters: - description: The rule's `id` value. in: query name: id required: false schema: $ref: '#/components/schemas/Security_Detections_API_UUID' - description: The rule's `rule_id` value. in: query name: rule_id required: false schema: $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_RuleResponse' description: Indicates a successful call. summary: Delete a detection rule tags: - Security Detections API x-codeSamples: - lang: cURL source: | curl \ --request DELETE https://localhost:5601/api/detection_engine/rules?rule_id=bfeaf89b-a2a7-48a3-817f-e41829dc61ee \ --header "Content-Type: application/json; Elastic-Api-Version=2023-10-31" x-metaTags: - content: Kibana name: product_name get: description: | **Spaces method and path for this operation:**
get /s/{space_id}/api/detection_engine/rules
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Retrieve a detection rule using the `rule_id` or `id` field. The URL query must include one of the following: * `id` - `GET /api/detection_engine/rules?id=` * `rule_id` - `GET /api/detection_engine/rules?rule_id=` The difference between the `id` and `rule_id` is that the `id` is a unique rule identifier that is randomly generated when a rule is created and cannot be set, whereas `rule_id` is a stable rule identifier that can be assigned during rule creation. operationId: ReadRule parameters: - description: The rule's `id` value. in: query name: id required: false schema: $ref: '#/components/schemas/Security_Detections_API_UUID' - description: The rule's `rule_id` value. in: query name: rule_id required: false schema: $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' responses: '200': content: application/json: examples: example1: summary: Example response for a retrieved rule value: created_at: '2020-02-03T11:19:04.259Z' created_by: elastic description: Process started by MS Office program in user folder enabled: false execution_summary: last_execution: date: '2022-03-23T16:06:12.787Z' message: This rule attempted to query data from Elasticsearch indices listed in the "Index pattern" section of the rule definition, but no matching index was found. metrics: execution_gap_duration_s: 0 total_indexing_duration_ms: 15 total_search_duration_ms: 135 status: partial failure status_order: 20 false_positives: [] filters: - query: match: event.action: query: 'Process Create (rule: ProcessCreate)' type: phrase from: now-4200s id: c41d170b-8ba6-4de6-b8ec-76440a35ace3 immutable: false interval: 1h language: kuery max_signals: 100 name: MS Office child process query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE references: [] related_integrations: - package: o365 version: ^2.3.2 required_fields: - ecs: true name: process.name type: keyword - ecs: true name: process.parent.name type: keyword risk_score: 21 rule_id: process_started_by_ms_office_user_folder setup: '' severity: low tags: - child process - ms office threat: - framework: MITRE ATT&CK tactic: id: TA0001 name: Initial Access reference: https://attack.mitre.org/tactics/TA0001 technique: - id: T1193 name: Spearphishing Attachment reference: https://attack.mitre.org/techniques/T1193 to: now-300s type: query updated_at: '2020-02-03T11:19:04.462Z' updated_by: elastic version: 1 schema: $ref: '#/components/schemas/Security_Detections_API_RuleResponse' description: | Indicates a successful call. > info > These fields are under development and their usage or schema may change: execution_summary. summary: Retrieve a detection rule tags: - Security Detections API x-codeSamples: - lang: cURL source: | curl \ --request GET https://localhost:5601/api/detection_engine/rules?rule_id=bfeaf89b-a2a7-48a3-817f-e41829dc61ee \ --header "Content-Type: application/json; Elastic-Api-Version=2023-10-31" x-metaTags: - content: Kibana name: product_name patch: description: | **Spaces method and path for this operation:**
patch /s/{space_id}/api/detection_engine/rules
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Update specific fields of an existing detection rule using the `rule_id` or `id` field. The difference between the `id` and `rule_id` is that the `id` is a unique rule identifier that is randomly generated when a rule is created and cannot be set, whereas `rule_id` is a stable rule identifier that can be assigned during rule creation. > warn > When used with [API key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running. > If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change. operationId: PatchRule requestBody: content: application/json: examples: example1: summary: Patch query rule value: id: 14b7b513-3d8d-4b22-b7da-a7ae632f7e76 name: New name example2: summary: Patch EQL rule value: rule_id: process_started_by_ms_office_program_possible_payload threat: - framework: MITRE ATT&CK tactic: id: TA0001 name: Initial Access reference: https://attack.mitre.org/tactics/TA0001 technique: - id: T1193 name: Spearphishing Attachment reference: https://attack.mitre.org/techniques/T1193 example3: summary: Patch threshold rule value: id: 005d2c4f-51ca-493d-a2bd-20ef076339b1 query: 'agent.version : * and agent.id : "243d9b4f-ca01-4311-8e5c-9abbee91afd8"' threshold: cardinality: [] field: [] value: 600 example4: summary: Patch new terms rule value: history_window_start: now-3d id: 569aac91-40dc-4807-a8ae-a2c8698089c4 new_terms_fields: - Endpoint.policy.applied.artifacts.global.identifiers.name example5: summary: Patch esql rule value: id: 0b15e8a2-49b6-47e0-a8e6-d63a6cc335bd query: | FROM logs-abc* | STATS count = COUNT(*), min_timestamp = MIN(@timestamp) | EVAL event_rate = count / DATE_DIFF("seconds", min_timestamp, NOW()) | KEEP event_rate example6: summary: Patch indicator match rule value: id: 462f1986-10fe-40a3-a22c-2b1c9c4c48fd threat_query: '@timestamp >= "now-30d/d" and event.module:(threatintel or ti_*) and threat.indicator.ip:* and not labels.is_ioc_transform_source:"false"' example7: summary: Patch machine learning rule value: anomaly_threshold: 50 id: 60b13926-289b-41b1-a537-197ef1fa5059 machine_learning_job_id: - auth_high_count_logon_events_ea schema: $ref: '#/components/schemas/Security_Detections_API_RulePatchProps' description: | > info > You cannot modify the `id` or `rule_id` values. required: true responses: '200': content: application/json: examples: example1: summary: Example response for an updated rule value: actions: [] created_at: '2020-04-07T14:51:09.755Z' created_by: elastic description: Updated description for the rule. enabled: false false_positives: [] filters: - query: null from: now-70m id: 6541b99a-dee9-4f6d-a86d-dbd1869d73b1 immutable: false interval: 1h language: kuery max_signals: 100 name: Updated Rule Name query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE references: [] related_integrations: - package: o365 required_fields: - name: process.parent.name risk_score: 50 rule_id: process_started_by_ms_office_program setup: '' severity: low tags: - child process - ms office threat: [] to: now type: query updated_at: '2020-04-07T14:51:09.970Z' updated_by: elastic version: 2 schema: $ref: '#/components/schemas/Security_Detections_API_RuleResponse' description: Indicates a successful call. summary: Patch a detection rule tags: - Security Detections API x-metaTags: - content: Kibana name: product_name post: description: | **Spaces method and path for this operation:**
post /s/{space_id}/api/detection_engine/rules
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Create a new detection rule. > warn > When used with [API key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running. > If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change. You can create the following types of rules: * **Custom query**: Searches the defined indices and creates an alert when a document matches the rule's KQL query. * **Event correlation**: Searches the defined indices and creates an alert when results match an [Event Query Language (EQL)](https://www.elastic.co/guide/en/elasticsearch/reference/current/eql.html) query. * **Threshold**: Searches the defined indices and creates an alert when the number of times the specified field's value meets the threshold during a single execution. When there are multiple values that meet the threshold, an alert is generated for each value. For example, if the threshold `field` is `source.ip` and its `value` is `10`, an alert is generated for every source IP address that appears in at least 10 of the rule's search results. If you're interested, see [Terms Aggregation](https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-bucket-terms-aggregation.html) for more information. * **Indicator match**: Creates an alert when fields match values defined in the specified [Elasticsearch index](https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-create-index.html). For example, you can create an index for IP addresses and use this index to create an alert whenever an event's `destination.ip` equals a value in the index. The index's field mappings should be [ECS-compliant](https://www.elastic.co/guide/en/ecs/current/ecs-reference.html). * **New terms**: Generates an alert for each new term detected in source documents within a specified time range. * **ES|QL**: Uses [Elasticsearch Query Language (ES|QL)](https://www.elastic.co/guide/en/elasticsearch/reference/current/esql.html) to find events and aggregate search results. * **Machine learning rules**: Creates an alert when a machine learning job discovers an anomaly above the defined threshold. > info > To create machine learning rules, you must have the [appropriate license](https://www.elastic.co/subscriptions) or use a [cloud deployment](https://cloud.elastic.co/registration). Additionally, for the machine learning rule to function correctly, the associated machine learning job must be running. To retrieve machine learning job IDs, which are required to create machine learning jobs, call the [Elasticsearch Get jobs API](https://www.elastic.co/guide/en/elasticsearch/reference/current/ml-get-job.html). Machine learning jobs that contain `siem` in the `groups` field can be used to create rules: ```json ... "job_id": "linux_anomalous_network_activity_ecs", "job_type": "anomaly_detector", "job_version": "7.7.0", "groups": [ "auditbeat", "process", "siem" ], ... ``` Additionally, you can set up notifications for when rules create alerts. The notifications use the [Alerting and Actions framework](https://www.elastic.co/docs/explore-analyze/alerting). Each action type requires a connector. Connectors store the information required to send notifications via external systems. The following connector types are supported for rule notifications: * Slack * Email * PagerDuty * Webhook * Microsoft Teams * IBM Resilient * Jira * ServiceNow ITSM > info > For more information on PagerDuty fields, see [Send a v2 Event](https://developer.pagerduty.com/docs/events-api-v2/trigger-events/). To retrieve connector IDs, which are required to configure rule notifications, call the [Find objects API](https://www.elastic.co/docs/api/doc/kibana/operation/operation-findsavedobjects) with `"type": "action"` in the request payload. For detailed information on Kibana actions and alerting, and additional API calls, see: * [Alerting API](https://www.elastic.co/docs/api/doc/kibana/group/endpoint-alerting) * [Alerting and Actions framework](https://www.elastic.co/docs/explore-analyze/alerting) * [Connectors API](https://www.elastic.co/docs/api/doc/kibana/group/endpoint-connectors) operationId: CreateRule requestBody: content: application/json: examples: example1: description: Query rule that searches for processes started by MS Office summary: Query rule value: description: Process started by MS Office program - possible payload enabled: false filters: - query: match: event.action: query: 'Process Create (rule: ProcessCreate)' type: phrase from: now-70m interval: 1h language: kuery name: MS Office child process query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE related_integrations: - package: o365 version: ^2.3.2 required_fields: - name: process.parent.name type: keyword risk_score: 50 rule_id: process_started_by_ms_office_program severity: low tags: - child process - ms office type: query example2: description: Threshold rule that detects multiple failed login attempts to a Windows host from the same external source IP address summary: Threshold rule value: description: Detects when there are 20 or more failed login attempts from the same IP address with a 2 minute time frame. enabled: true exceptions_list: - id: int-ips namespace_type: single type: detection from: now-180s index: - winlogbeat-* interval: 2m name: Windows server prml-19 query: host.name:prml-19 and event.category:authentication and event.outcome:failure required_fields: - name: source.ip type: ip risk_score: 30 rule_id: liv-win-ser-logins severity: low severity_mapping: - field: source.geo.city_name operator: equals severity: low value: Manchester - field: source.geo.city_name operator: equals severity: medium value: London - field: source.geo.city_name operator: equals severity: high value: Birmingham - field: source.geo.city_name operator: equals severity: critical value: Wallingford tags: - Brute force threshold: field: source.ip value: 20 type: threshold example3: description: Machine learning rule that creates alerts, and sends Slack notifications, when the linux_anomalous_network_activity_ecs machine learning job discovers anomalies with a threshold of 70 or above. summary: Machine learning rule value: actions: - action_type_id: .slack group: default id: 5ad22cd5-5e6e-4c6c-a81a-54b626a4cec5 params: message: 'Urgent: {{context.rule.description}}' anomaly_threshold: 70 description: Generates alerts when the job discovers anomalies over 70 enabled: true from: now-6m interval: 5m machine_learning_job_id: linux_anomalous_network_activity_ecs name: Anomalous Linux network activity note: Shut down the internet. risk_score: 70 rule_id: ml_linux_network_high_threshold setup: This rule requires data coming in from Elastic Defend. severity: high tags: - machine learning - Linux type: machine_learning example4: description: Event correlation rule that creates alerts when the Windows rundll32.exe process makes unusual network connections summary: EQL rule value: description: Unusual rundll32.exe network connection language: eql name: rundll32.exe network connection query: sequence by process.entity_id with maxspan=2h [process where event.type in ("start", "process_started") and (process.name == "rundll32.exe" or process.pe.original_file_name == "rundll32.exe") and ((process.args == "rundll32.exe" and process.args_count == 1) or (process.args != "rundll32.exe" and process.args_count == 0))] [network where event.type == "connection" and (process.name == "rundll32.exe" or process.pe.original_file_name == "rundll32.exe")] required_fields: - name: event.type type: keyword - name: process.args type: keyword - name: process.args_count type: long - name: process.entity_id type: keyword - name: process.name type: keyword - name: process.pe.original_file_name type: keyword risk_score: 21 rule_id: eql-outbound-rundll32-connections severity: low tags: - EQL - Windows - rundll32.exe type: eql example5: description: | Indicator match rule that creates an alert when one of the following is true: The event's destination IP address and port number matches destination IP and port values in the threat_index index; The event's source IP address matches a host IP address value in the threat_index index. summary: Indicator match rule value: actions: [] description: Checks for bad IP addresses listed in the ip-threat-list index index: - packetbeat-* name: Bad IP threat match query: destination.ip:* or host.ip:* required_fields: - name: destination.ip type: ip - name: destination.port type: long - name: host.ip type: ip risk_score: 50 severity: medium threat_index: - ip-threat-list threat_mapping: - entries: - field: destination.ip type: mapping value: destination.ip - field: destination.port type: mapping value: destination.port - entries: - field: source.ip type: mapping value: host.ip threat_query: '*:*' type: threat_match example6: description: New terms rule that creates alerts a new IP address is detected for a user summary: New terms rule value: description: Detects a user associated with a new IP address history_window_start: now-30d index: - auditbeat* language: kuery name: New User IP Detected new_terms_fields: - user.id - source.ip query: '*' required_fields: - name: user.id type: keyword - name: source.ip type: ip risk_score: 21 severity: medium type: new_terms example7: description: esql rule that creates alerts from events that match an Excel parent process summary: Esql rule value: description: Find Excel events enabled: false from: now-360s interval: 5m language: esql name: Find Excel events query: from auditbeat-8.10.2 METADATA _id, _version, _index | where process.parent.name == "EXCEL.EXE" required_fields: - name: process.parent.name type: keyword risk_score: 21 severity: low tags: [] to: now type: esql example8: description: Query rule that searches for processes started by MS Office and suppresses alerts by the process.parent.name field within a 5-hour time period summary: Query rule 2 value: alert_suppression: duration: unit: h value: 5 group_by: - process.parent.name missing_fields_strategy: suppress description: Process started by MS Office program - possible payload enabled: false filters: - query: match: event.action: query: 'Process Create (rule: ProcessCreate)' type: phrase from: now-70m interval: 1h language: kuery name: MS Office child process query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE risk_score: 50 rule_id: process_started_by_ms_office_program severity: low tags: - child process - ms office type: query schema: $ref: '#/components/schemas/Security_Detections_API_RuleCreateProps' required: true responses: '200': content: application/json: examples: example1: description: Example response for a query rule summary: Query rule response value: actions: [] created_at: '2020-04-07T14:51:09.755Z' created_by: elastic description: Process started by MS Office program - possible payload enabled: false false_positives: [] filters: - query: match: event.action: query: 'Process Create (rule: ProcessCreate)' type: phrase from: now-70m id: 6541b99a-dee9-4f6d-a86d-dbd1869d73b1 immutable: false interval: 1h language: kuery max_signals: 100 name: MS Office child process query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE references: [] related_integrations: - package: o365 version: ^2.3.2 - integration: graphactivitylogs package: azure version: ^1.11.4 required_fields: - ecs: true name: process.parent.name type: keyword risk_score: 50 rule_id: process_started_by_ms_office_program setup: '' severity: low tags: - child process - ms office threat: [] to: now type: query updated_at: '2020-04-07T14:51:09.970Z' updated_by: elastic version: 1 example2: description: Example response for a machine learning job rule summary: Machine learning response value: actions: - action_type_id: .slack frequency: notifyWhen: onActiveAlert summary: true throttle: null group: default id: 5ad22cd5-5e6e-4c6c-a81a-54b626a4cec5 params: message: 'Urgent: {{context.rule.description}}' anomaly_threshold: 70 created_at: '2020-04-07T14:45:15.679Z' created_by: elastic description: Generates alerts when the job discovers anomalies over 70 enabled: true false_positives: [] from: now-6m id: 83876f66-3a57-4a99-bf37-416494c80f3b immutable: false interval: 5m machine_learning_job_id: linux_anomalous_network_activity_ecs max_signals: 100 name: Anomalous Linux network activity note: Shut down the internet. references: [] related_integrations: [] required_fields: [] risk_score: 70 rule_id: ml_linux_network_high_threshold setup: '' severity: high status: going to run status_date: '2020-04-07T14:45:21.685Z' tags: - machine learning - Linux threat: [] to: now type: machine_learning updated_at: '2020-04-07T14:45:15.892Z' updated_by: elastic version: 1 example3: description: Example response for a threshold rule summary: Threshold rule response value: actions: [] author: [] created_at: '2020-07-22T10:27:23.486Z' created_by: elastic description: Detects when there are 20 or more failed login attempts from the same IP address with a 2 minute time frame. enabled: true exceptions_list: - id: int-ips namespace_type: single type: detection false_positives: [] from: now-180s id: 15dbde26-b627-4d74-bb1f-a5e0ed9e4993 immutable: false index: - winlogbeat-* interval: 2m language: kuery max_signals: 100 name: Windows server prml-19 query: host.name:prml-19 and event.category:authentication and event.outcome:failure references: [] related_integrations: - package: o365 version: ^2.3.2 required_fields: - ecs: true name: source.ip type: ip risk_score: 30 risk_score_mapping: [] rule_id: liv-win-ser-logins setup: '' severity: low severity_mapping: - field: source.geo.city_name operator: equals severity: low value: Manchester - field: source.geo.city_name operator: equals severity: medium value: London - field: source.geo.city_name operator: equals severity: high value: Birmingham - field: source.geo.city_name operator: equals severity: critical value: Wallingford tags: - Brute force threat: [] threshold: field: source.ip value: 20 to: now type: threshold updated_at: '2020-07-22T10:27:23.673Z' updated_by: elastic version: 1 example4: description: Example response for an EQL rule summary: EQL rule response value: author: [] created_at: '2020-10-05T09:06:16.392Z' created_by: elastic description: Unusual rundll32.exe network connection enabled: true exceptions_list: [] false_positives: [] from: now-6m id: 93808cae-b05b-4dc9-8479-73574b50f8b1 immutable: false interval: 5m language: eql max_signals: 100 name: rundll32.exe network connection query: sequence by process.entity_id with maxspan=2h [process where event.type in ("start", "process_started") and (process.name == "rundll32.exe" or process.pe.original_file_name == "rundll32.exe") and ((process.args == "rundll32.exe" and process.args_count == 1) or (process.args != "rundll32.exe" and process.args_count == 0))] [network where event.type == "connection" and (process.name == "rundll32.exe" or process.pe.original_file_name == "rundll32.exe")] references: [] related_integrations: - package: o365 version: ^2.3.2 required_fields: - ecs: true name: event.type type: keyword - ecs: true name: process.args type: keyword - ecs: true name: process.args_count type: long - ecs: true name: process.entity_id type: keyword - ecs: true name: process.name type: keyword - ecs: true name: process.pe.original_file_name type: keyword risk_score: 21 risk_score_mapping: [] rule_id: eql-outbound-rundll32-connections setup: '' severity: low severity_mapping: [] tags: - EQL - Windows - rundll32.exe threat: [] throttle: no_actions to: now type: eql updated_at: '2020-10-05T09:06:16.403Z' updated_by: elastic version: 1 example5: description: Example response for an indicator match rule summary: Indicator match rule response value: author: [] created_at: '2020-10-06T07:07:58.227Z' created_by: elastic description: Checks for bad IP addresses listed in the ip-threat-list index enabled: true exceptions_list: [] false_positives: [] from: now-6m id: d5daa13f-81fb-4b13-be2f-31011e1d9ae1 immutable: false index: - packetbeat-* interval: 5m language: kuery max_signals: 100 name: Bad IP threat match query: destination.ip:* or host.ip:* references: [] related_integrations: - package: o365 version: ^2.3.2 required_fields: - ecs: true name: destination.ip type: ip - ecs: true name: destination.port type: long - ecs: true name: host.ip type: ip risk_score: 50 risk_score_mapping: [] rule_id: 608501e4-c768-4f64-9326-cec55b5d439b setup: '' severity: medium severity_mapping: [] tags: [] threat: [] threat_index: - ip-threat-list threat_mapping: - entries: - field: destination.ip type: mapping value: destination.ip - field: destination.port type: mapping value: destination.port - entries: - field: source.ip type: mapping value: host.ip threat_query: '*:*' to: now type: threat_match updated_at: '2020-10-06T07:07:58.237Z' updated_by: elastic version: 1 example6: description: Example response for a new terms rule summary: New terms rule response value: author: [] created_at: '2020-10-06T07:07:58.227Z' created_by: elastic description: Detects a user associated with a new IP address enabled: true exceptions_list: [] false_positives: [] from: now-6m history_window_start: now-30d id: eb7225c0-566b-11ee-8b4f-bbf3afdeb9f4 immutable: false index: - auditbeat* interval: 5m language: kuery max_signals: 100 name: New User IP Detected new_terms_fields: - user.id - source.ip query: '*' references: [] related_integrations: - package: o365 version: ^2.3.2 required_fields: - ecs: true name: user.id type: keyword - ecs: true name: source.ip type: ip risk_score: 21 risk_score_mapping: [] rule_id: c6f5d0bc-7be9-47d4-b2f3-073d22641e30 setup: '' severity: medium severity_mapping: [] tags: [] threat: [] to: now type: new_terms updated_at: '2020-10-06T07:07:58.237Z' updated_by: elastic version: 1 example7: description: Example response for an Esql rule summary: Esql rule response value: actions: [] author: [] created_at: '2023-10-18T10:55:14.269Z' created_by: elastic description: Find Excel events enabled: false exceptions_list: [] false_positives: [] from: now-360s id: d0f20490-6da4-11ee-b85e-09e9b661f2e2 immutable: false interval: 5m language: esql max_signals: 100 name: Find Excel events output_index: '' query: from auditbeat-8.10.2 METADATA _id | where process.parent.name == "EXCEL.EXE" references: [] related_integrations: - package: o365 version: ^2.3.2 required_fields: - ecs: true name: process.parent.name type: keyword revision: 0 risk_score: 21 risk_score_mapping: [] rule_id: e4b53a89-debd-4a0d-a3e3-20606952e589 setup: '' severity: low severity_mapping: [] tags: [] threat: [] to: now type: esql updated_at: '2023-10-18T10:55:14.269Z' updated_by: elastic version: 1 schema: $ref: '#/components/schemas/Security_Detections_API_RuleResponse' description: Indicates a successful call. summary: Create a detection rule tags: - Security Detections API x-metaTags: - content: Kibana name: product_name put: description: | **Spaces method and path for this operation:**
put /s/{space_id}/api/detection_engine/rules
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Update a detection rule using the `rule_id` or `id` field. The original rule is replaced, and all unspecified fields are deleted. The difference between the `id` and `rule_id` is that the `id` is a unique rule identifier that is randomly generated when a rule is created and cannot be set, whereas `rule_id` is a stable rule identifier that can be assigned during rule creation. > warn > When used with [API key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running. > If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change. operationId: UpdateRule requestBody: content: application/json: examples: example1: summary: Update query rule value: description: A new description id: 14b7b513-3d8d-4b22-b7da-a7ae632f7e76 name: A new name for the rule risk_score: 22 severity: medium type: query example2: summary: Update EQL rule value: description: eql rule test id: 9b684efb-acf9-4323-9bff-8335b3867d14 index: - apm-*-transaction* language: eql name: New name for EQL rule query: process where process.name == "regsvr32.exe" risk_score: 21 severity: low type: eql example3: summary: Update threshold rule value: description: Description of threat rule test id: 005d2c4f-51ca-493d-a2bd-20ef076339b1 language: kuery name: New name for threat rule query: 'agent.version : * and agent.id : "243d9b4f-ca01-4311-8e5c-9abbee91afd8"' risk_score: 21 severity: low tags: - new_tag threshold: cardinality: [] field: [] value: 400 type: threshold example4: summary: Update new terms rule value: description: New description history_window_start: now-7d id: 569aac91-40dc-4807-a8ae-a2c8698089c4 interval: 5m name: New terms rule name new_terms_fields: - Endpoint.policy.applied.artifacts.global.identifiers.name query: 'agent.version : "9.1.0"' risk_score: 21 severity: low type: new_terms example5: summary: Update esql rule value: description: New description for esql rule id: 0b15e8a2-49b6-47e0-a8e6-d63a6cc335bd language: esql name: New name for esql rule query: | FROM logs* | STATS count = COUNT(*), min_timestamp = MIN(@timestamp) /* MIN(dateField) finds the earliest timestamp in the dataset. */ | EVAL event_rate = count / DATE_DIFF("seconds", min_timestamp, NOW()) /* Calculates the event rate by dividing the total count of events by the time difference (in seconds) between the earliest event and the current time. */ | KEEP event_rate risk_score: 21 severity: low type: esql example6: summary: Update indicator match rule value: description: New description id: 462f1986-10fe-40a3-a22c-2b1c9c4c48fd name: New name for Indicator Match rule query: source.ip:* or destination.ip:*\n risk_score: 99 severity: critical threat_index: - filebeat-* - logs-ti_* threat_mapping: - entries: - field: source.ip type: mapping value: threat.indicator.ip - entries: - field: destination.ip type: mapping value: threat.indicator.ip threat_query: '@timestamp >= "now-30d/d" and event.module:(threatintel or ti_*) and threat.indicator.ip:* and not labels.is_ioc_transform_source:"true"' type: threat_match example7: summary: Update machine learning rule value: anomaly_threshold: 50 description: New description of ml rule id: 60b13926-289b-41b1-a537-197ef1fa5059 machine_learning_job_id: - auth_high_count_logon_events_ea name: New name of ml rule risk_score: 21 severity: low type: machine_learning schema: $ref: '#/components/schemas/Security_Detections_API_RuleUpdateProps' description: | > info > All unspecified fields are deleted. You cannot modify the `id` or `rule_id` values. required: true responses: '200': content: application/json: examples: example1: summary: Example response for an updated rule value: actions: [] created_at: '2020-04-07T14:51:09.755Z' created_by: elastic description: Updated description for the rule. enabled: false false_positives: [] filters: - query: null from: now-70m id: 6541b99a-dee9-4f6d-a86d-dbd1869d73b1 immutable: false interval: 1h language: kuery max_signals: 100 name: Updated Rule Name query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE references: [] related_integrations: - package: o365 required_fields: - name: process.parent.name risk_score: 50 rule_id: process_started_by_ms_office_program setup: '' severity: low tags: - child process - ms office threat: [] to: now type: query updated_at: '2020-04-07T14:51:09.970Z' updated_by: elastic version: 2 schema: $ref: '#/components/schemas/Security_Detections_API_RuleResponse' description: Indicates a successful call. summary: Update a detection rule tags: - Security Detections API x-metaTags: - content: Kibana name: product_name /api/detection_engine/rules/_bulk_action: post: description: | **Spaces method and path for this operation:**
post /s/{space_id}/api/detection_engine/rules/_bulk_action
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Apply a bulk action, such as bulk edit, duplicate, or delete, to multiple detection rules. The bulk action is applied to all rules that match the query or to the rules listed by their IDs. The edit action allows you to add, delete, or set tags, index patterns, investigation fields, rule actions and schedules for multiple rules at once. The edit action is idempotent, meaning that if you add a tag to a rule that already has that tag, no changes are made. The same is true for other edit actions, for example removing an index pattern that is not specified in a rule will not result in any changes. The only exception is the `add_rule_actions` and `set_rule_actions` action, which is non-idempotent. This means that if you add or set a rule action to a rule that already has that action, a new action is created with a new unique ID. > warn > When used with [API key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running. > If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change. operationId: PerformRulesBulkAction parameters: - description: | Enables dry run mode for the request call. Enable dry run mode to verify that bulk actions can be applied to specified rules. Certain rules, such as prebuilt Elastic rules on a Basic subscription, can’t be edited and will return errors in the request response. Error details will contain an explanation, the rule name and/or ID, and additional troubleshooting information. To enable dry run mode on a request, add the query parameter `dry_run=true` to the end of the request URL. Rules specified in the request will be temporarily updated. These updates won’t be written to Elasticsearch. > info > Dry run mode is not supported for the `export` bulk action. A 400 error will be returned in the request response. in: query name: dry_run required: false schema: type: boolean requestBody: content: application/json: examples: example01: description: The following request activates all rules with the test tag. summary: Enable - Enable all rules with the test tag value: action: enable query: 'alert.attributes.tags: "test"' example02: description: The following request enables the rule with the specified ID. summary: Enable - Enable a specific rule by ID. value: action: enable ids: - 748694f0-6977-4ea5-8384-cd2e39730779 example03: description: The following request disables the rule with the specified ID. summary: Disable - Disable a specific rule by ID value: action: disable ids: - 748694f0-6977-4ea5-8384-cd2e39730779 example04: description: The following request duplicates rules with the specified IDs, including exceptions but not expired exceptions. summary: Duplicate - Duplicate rules with specific IDs value: action: duplicate duplicate: include_exceptions: true include_expired_exceptions: false ids: - 748694f0-6977-4ea5-8384-cd2e39730779 - 461a4c22-416e-4009-a9a7-cf79656454bf example05: description: The following request deletes the rule with the specified ID. summary: Delete - Delete a specific rule by ID value: action: delete ids: - cf4abfd1-7c37-4519-ab0f-5ea5c75fac60 example06: description: The following request runs the rule with the specified ID within the given date range. summary: Run - Run a specific rule by ID value: action: run ids: - 748694f0-6977-4ea5-8384-cd2e39730779 run: end_date: '2025-03-10T23:59:59.999Z' start_date: '2025-03-01T00:00:00.000Z' example07: description: The following request exports the rules with the specified IDs. summary: Export - Export specific rules by ID value: action: export ids: - 748694f0-6977-4ea5-8384-cd2e39730779 example08: description: The following request will validate that the add_index_patterns bulk action can be successfully applied to three rules. The dry_run parameter is specified in query parameters, e.g. POST api/detection_engine/rules/_bulk_action?dry_run=true summary: Edit - dry run - Validate add_index_patterns bulk action value: action: edit edit: - type: add_index_patterns value: - test-* ids: - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 - dc015d10-0831-11ed-ac8b-05a222bd8d4a - de8f5af0-0831-11ed-ac8b-05a222bd8d4a example09: description: The following request adds the tag "tag-1" to the rules with the specified IDs. If the tag already exists for a rule, no changes are made. summary: Edit - Add a tag to rules (idempotent) value: action: edit edit: - type: add_tags value: - tag-1 ids: - 8bc7dad0-9320-11ec-9265-8b772383a08d - 8e5c1a40-9320-11ec-9265-8b772383a08d example10: description: The following request adds two tags at the same time, tag-1 and tag-2, to the rules that have the IDs sent in the payload. If the tags already exist for a rule, no changes are made. summary: Edit - Add two tags to rules (idempotent) value: action: edit edit: - type: add_tags value: - tag-1 - tag-2 ids: - 8bc7dad0-9320-11ec-9265-8b772383a08d - 8e5c1a40-9320-11ec-9265-8b772383a08d example11: description: The following request removes the tag "tag-1" from the rules with the specified IDs. If the tag does not exist for a rule, no changes are made. summary: Edit - Delete a tag from rules (idempotent) value: action: edit edit: - type: delete_tags value: - tag-1 ids: - 8bc7dad0-9320-11ec-9265-8b772383a08d - 8e5c1a40-9320-11ec-9265-8b772383a08d example12: description: The following request sets the tags "tag-1" and "tag-2" for the rules with the specified IDs, overwriting any existing tags. If the set of tags is the same as the existing tags, no changes are made. summary: Edit - Set (overwrite existing) tags for rules (idempotent) value: action: edit edit: - type: set_tags value: - tag-1 - tag-2 ids: - 8bc7dad0-9320-11ec-9265-8b772383a08d - 8e5c1a40-9320-11ec-9265-8b772383a08d example13: description: The following request adds the index pattern "test-*" to the rules with the specified IDs. If the index pattern already exists for a rule, no changes are made. summary: Edit - Add index patterns to rules (idempotent) value: action: edit edit: - type: add_index_patterns value: - test-* ids: - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 - dc015d10-0831-11ed-ac8b-05a222bd8d4a example14: description: The following request removes the index pattern "test-*" from the rules with the specified IDs. If the index pattern does not exist for a rule, no changes are made. summary: Edit - Remove index patterns from rules (idempotent) value: action: edit edit: - type: delete_index_patterns value: - test-* ids: - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 - dc015d10-0831-11ed-ac8b-05a222bd8d4a example15: description: The following request sets the index patterns "test-*" and "prod-*" for the rules with the specified IDs, overwriting any existing index patterns. If the set of index patterns is the same as the existing index patterns, no changes are made. summary: Edit - Set (overwrite existing) index patterns for rules patterns (idempotent) value: action: edit edit: - type: set_index_patterns value: - test-* ids: - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 - dc015d10-0831-11ed-ac8b-05a222bd8d4a example16: description: The following request adds investigation field to the rules with the specified IDs. summary: Edit - Add investigation field to rules value: action: edit edit: - type: add_investigation_fields value: field_names: - alert.status ids: - 12345678-1234-1234-1234-1234567890ab - 87654321-4321-4321-4321-0987654321ba example17: description: The following request deletes investigation fields from the rules with the specified IDs. If the field does not exist for a rule, no changes are made. summary: Edit - Delete investigation fields from rules (idempotent) value: action: edit edit: - type: delete_investigation_fields ids: - 12345678-1234-1234-1234-1234567890ab - 87654321-4321-4321-4321-0987654321ba value: - field1 - field2 example18: description: The following request sets investigation fields for the rules with the specified IDs, overwriting any existing investigation fields. If the set of investigation fields is the same as the existing investigation fields, no changes are made. summary: Edit - Set (overwrite existing) investigation fields for rules (idempotent) value: action: edit edit: - type: set_investigation_fields value: - field1 - field2 ids: - 12345678-1234-1234-1234-1234567890ab - 87654321-4321-4321-4321-0987654321ba example19: description: The following request sets a timeline template for the rules with the specified IDs. If the same timeline template is already set for a rule, no changes are made. summary: Edit - Set (overwrite existing) timeline template for rules (idempotent) value: action: edit edit: - type: set_timeline value: timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd timeline_title: Alerts Involving a Single User Timeline ids: - eacdfc95-e007-41c9-986e-4b2cbdfdc71b example20: description: The following request sets a schedule for the rules with the specified IDs. If the same schedule is already set for a rule, no changes are made. summary: Edit - Set (overwrite existing) schedule for rules (idempotent) value: action: edit edit: - type: set_schedule value: interval: 1h lookback: 30m ids: - 99887766-5544-3322-1100-aabbccddeeff example21: description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. summary: Edit - Add rule actions to rules (non-idempotent) value: action: edit edit: - type: add_rule_actions value: actions: - group: default id: 20fbf986-a270-460e-80f3-7b83c08b430f params: body: The message body ids: - 9e946bfc-3118-4c77-bb25-67d781191928 example22: description: The following request sets rule actions for the rules with the specified IDs. Each action receives its own unique ID. summary: Edit - Set (overwrite existing) rule actions for rules (non-idempotent) value: action: edit edit: - type: set_rule_actions value: actions: - group: default id: 20fbf986-a270-460e-80f3-7b83c08b430f params: body: The message body ids: - 9e946bfc-3118-4c77-bb25-67d781191928 example23: description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. summary: Edit - Add rule actions to rules for a webhook connector value: action: edit edit: - type: add_rule_actions value: actions: - group: default3 id: 20fbf986-a270-460e-80f3-7b83c08b430f params: body: The message body ids: - 9e946bfc-3118-4c77-bb25-67d781191921 example24: description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. summary: Edit - Add rule actions to rules for an email connector value: action: edit edit: - type: add_rule_actions value: actions: - group: default3 id: 20fbf986-a270-460e-80f3-7b83c08b430f params: message: The message body subject: Subject to: address@domain.com ids: - 9e946bfc-3118-4c77-bb25-67d781191921 example25: description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. summary: Edit - Add rule actions to rules for a slack connector value: action: edit edit: - type: add_rule_actions value: actions: - group: default3 id: 20fbf986-a270-460e-80f3-7b83c08b430f params: message: The content of the message ids: - 9e946bfc-3118-4c77-bb25-67d781191921 example26: description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. summary: Edit - Add rule actions to rules for a PagerDuty connector value: action: edit edit: - type: add_rule_actions value: actions: - group: default3 id: 20fbf986-a270-460e-80f3-7b83c08b430f params: eventAction: trigger severity: critical summary: The message body timestamp: '2023-10-31T00:00:00.000Z' ids: - 9e946bfc-3118-4c77-bb25-67d781191921 example27: description: The following request set alert suppression to the rules with the specified IDs. summary: Edit - Set alert suppression to rules (idempotent) value: action: edit edit: - type: set_alert_suppression value: duration: unit: h value: 1 group_by: - source.ip missing_fields_strategy: suppress ids: - 12345678-1234-1234-1234-1234567890ab - 87654321-4321-4321-4321-0987654321ba example28: description: The following request set alert suppression to threshold rules with the specified IDs. summary: Edit - Set alert suppression to threshold rules (idempotent) value: action: edit edit: - type: set_alert_suppression_for_threshold value: duration: unit: h value: 1 ids: - 12345678-1234-1234-1234-1234567890ab - 87654321-4321-4321-4321-0987654321ba example29: description: The following request removes alert suppression from the rules with the specified IDs. If the rules do not have alert suppression, no changes are made. summary: Edit - Removes alert suppression from rules (idempotent) value: action: edit edit: - type: delete_alert_suppression ids: - 12345678-1234-1234-1234-1234567890ab - 87654321-4321-4321-4321-0987654321ba example30: description: The following request triggers the filling of gaps for the specified rule ids and time range summary: Fill Gaps - Manually trigger the filling of gaps for specified rules value: action: fill_gaps ids: - 748694f0-6977-4ea5-8384-cd2e39730779 - 164d0918-f720-4c9f-9f5c-c5122587cf19 run: end_date: '2025-03-10T23:59:59.999Z' start_date: '2025-03-01T00:00:00.000Z' schema: oneOf: - $ref: '#/components/schemas/Security_Detections_API_BulkDeleteRules' - $ref: '#/components/schemas/Security_Detections_API_BulkDisableRules' - $ref: '#/components/schemas/Security_Detections_API_BulkEnableRules' - $ref: '#/components/schemas/Security_Detections_API_BulkExportRules' - $ref: '#/components/schemas/Security_Detections_API_BulkDuplicateRules' - $ref: '#/components/schemas/Security_Detections_API_BulkManualRuleRun' - $ref: '#/components/schemas/Security_Detections_API_BulkManualRuleFillGaps' - $ref: '#/components/schemas/Security_Detections_API_BulkEditRules' responses: '200': content: application/json: examples: example01: description: In this response one rule was updated and one was skipped. Objects returned in attributes.results.skipped will only include rules' id, name, and skip_reason. summary: Successful response value: attributes: results: created: [] deleted: [] skipped: - id: 51658332-a15e-4c9e-912a-67214e2e2359 name: Skipped rule skip_reason: RULE_NOT_MODIFIED updated: - anomaly_threshold: 50 author: - Elastic created_at: '2022-02-21T14:14:13.801Z' created_by: elastic description: A machine learning job detected unusually large numbers of DNS queries for a single top-level DNS domain, which is often used for DNS tunneling. DNS tunneling can be used for command-and-control, persistence, or data exfiltration activity. For example, dnscat tends to generate many DNS questions for a top-level domain as it uses the DNS protocol to tunnel data. enabled: true exceptions_list: [] execution_summary: last_execution: date: '2022-03-23T16:06:12.787Z' message: This rule attempted to query data from Elasticsearch indices listed in the "Index pattern" section of the rule definition, but no matching index was found. metrics: execution_gap_duration_s: 0 total_indexing_duration_ms: 15 total_search_duration_ms: 135 status: partial failure status_order: 20 false_positives: - DNS domains that use large numbers of child domains, such as software or content distribution networks, can trigger this alert and such parent domains can be excluded. from: now-45m id: 8bc7dad0-9320-11ec-9265-8b772383a08d immutable: false interval: 15m license: Elastic License v2 machine_learning_job_id: - packetbeat_dns_tunneling_ea max_signals: 100 name: DNS Tunneling [Duplicate] references: - https://www.elastic.co/docs/reference/machine-learning/ootb-ml-jobs-siem related_integrations: [] required_fields: [] risk_score: 21 risk_score_mapping: [] rule_id: 7289bf08-4e91-4c70-bf01-e04c4c5d7756 setup: '' severity: low severity_mapping: [] tags: - Elastic - Network - Threat Detection - ML threat: [] to: now type: machine_learning updated_at: '2022-02-21T17:05:50.883Z' updated_by: elastic version: 6 summary: failed: 0 skipped: 1 succeeded: 1 total: 2 rules_count: 1 success: true example02: description: If processing of any rule fails, a partial error outputs the ID and/or name of the affected rule and the corresponding error, as well as successfully processed rules (in the same format as a successful 200 request). summary: Partial failure value: value: attributes: errors: - message: Index patterns can't be added. Machine learning rule doesn't have index patterns property rules: - id: 8bc7dad0-9320-11ec-9265-8b772383a08d name: DNS Tunneling [Duplicate] status_code: 500 results: created: [] deleted: [] skipped: [] updated: - actions: [] author: - Elastic created_at: '2022-02-21T14:14:17.883Z' created_by: elastic description: Generates a detection alert for each external alert written to the configured indices. Enabling this rule allows you to immediately begin investigating external alerts in the app. enabled: true exceptions_list: [] execution_summary: last_execution: date: '2022-03-23T16:06:12.787Z' message: This rule attempted to query data from Elasticsearch indices listed in the "Index pattern" section of the rule definition, but no matching index was found. metrics: execution_gap_duration_s: 0 total_indexing_duration_ms: 15 total_search_duration_ms: 135 status: partial failure status_order: 20 false_positives: [] from: now-6m id: 8e5c1a40-9320-11ec-9265-8b772383a08d immutable: false index: - apm-*-transaction* - traces-apm* - auditbeat-* - filebeat-* - logs-* - packetbeat-* - winlogbeat-* - added-by-id-* interval: 5m language: kuery license: Elastic License v2 max_signals: 10000 name: External Alerts [Duplicate] query: | event.kind:alert and not event.module:(endgame or endpoint) references: [] related_integrations: [] required_fields: [] risk_score: 47 risk_score_mapping: - field: event.risk_score operator: equals value: '' rule_id: 941faf98-0cdc-4569-b16d-4af962914d61 rule_name_override: message setup: '' severity: medium severity_mapping: - field: event.severity operator: equals severity: low value: '21' - field: event.severity operator: equals severity: medium value: '47' - field: event.severity operator: equals severity: high value: '73' - field: event.severity operator: equals severity: critical value: '99' tags: - Elastic - Network - Windows - APM - macOS - Linux threat: [] timestamp_override: event.ingested to: now type: query updated_at: '2022-02-21T16:56:22.818Z' updated_by: elastic version: 5 summary: failed: 1 skipped: 0 succeeded: 1 total: 2 message: Bulk edit partially failed rules_count: 2 status_code: 500 success: false example03: description: The attributes.errors section of the response shows that two rules failed to update and one succeeded. The same results would be returned if you ran the request without dry run mode enabled. Notice that there are no arrays in attributes.results. In dry run mode, rule updates are not applied and saved to Elasticsearch, so the endpoint wouldn’t return results for rules that have been updated, created, or deleted. summary: Dry run value: attributes: errors: - err_code: IMMUTABLE message: Elastic rule can't be edited rules: - id: 81aa0480-06af-11ed-94fb-dd1a0597d8d2 name: Unusual AWS Command for a User status_code: 500 - err_code: MACHINE_LEARNING_INDEX_PATTERN message: Machine learning rule doesn't have index patterns rules: - id: dc015d10-0831-11ed-ac8b-05a222bd8d4a name: Suspicious Powershell Script [Duplicate] status_code: 500 results: created: [] deleted: [] skipped: [] updated: [] summary: failed: 2 skipped: 0 succeeded: 1 total: 3 message: Bulk edit partially failed status_code: 500 example04: description: This example presents the successful setting of tags for 2 rules. There was a difference between the set of tags that were being added and the tags that were already set in the rules, that's why the rules were updated. summary: Set tags successsully for 2 rules value: attributes: results: created: [] deleted: [] skipped: [] updated: - actions: [] author: [] created_at: '2025-03-25T11:46:41.899Z' created_by: elastic description: test enabled: false exceptions_list: [] false_positives: [] filters: [] from: now-6m id: 738112cd-6cfa-414a-8457-2a658845d6ba immutable: false index: - apm-*-transaction* - auditbeat-* - endgame-* - filebeat-* - logs-* - packetbeat-* - traces-apm* - winlogbeat-* - '-*elastic-cloud-logs-*' interval: 5m language: kuery license: '' max_signals: 100 meta: kibana_siem_app_url: http://localhost:5601/kbn/app/security name: Rule 1 output_index: '' query: '*' references: [] related_integrations: [] required_fields: [] revision: 1 risk_score: 21 risk_score_mapping: [] rule_id: 6fb746a0-dfe5-40fa-b03f-5cbb84f3e32e rule_source: type: internal setup: '' severity: low severity_mapping: [] tags: - tag-1 - tag-2 threat: [] to: now type: query updated_at: '2025-03-25T11:47:11.350Z' updated_by: elastic version: 2 - actions: - action_type_id: .webhook frequency: notifyWhen: onActiveAlert summary: true throttle: null group: default id: 20fbf986-a270-460e-80f3-7b83c08b430f params: body: Hello uuid: 580e2e16-5e91-411c-999b-7b75a11ed441 author: [] created_at: '2025-03-25T09:49:08.343Z' created_by: elastic description: test enabled: false exceptions_list: [] false_positives: [] filters: [] from: now-360s id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b immutable: false index: - apm-*-transaction* - auditbeat-* - endgame-* - filebeat-* - logs-* - packetbeat-* - traces-apm* - winlogbeat-* - '-*elastic-cloud-logs-*' interval: 3m investigation_fields: field_names: - alert.status - Endpoint.policy.applied.artifacts.global.channel language: kuery license: '' max_signals: 100 meta: from: 3m kibana_siem_app_url: http://localhost:5601/kbn/app/security name: Rule 2 output_index: '' query: '*' references: [] related_integrations: [] required_fields: [] revision: 33 risk_score: 21 risk_score_mapping: [] rule_id: 43250a55-53a3-4ddd-96cb-82a1bd720180 rule_source: type: internal setup: '' severity: low severity_mapping: [] tags: - tag-1 - tag-2 threat: [] timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd timeline_title: Alerts Involving a Single User Timeline to: now type: query updated_at: '2025-03-25T11:47:11.357Z' updated_by: elastic version: 24 summary: failed: 0 skipped: 0 succeeded: 2 total: 2 rules_count: 2 success: true example05: description: This example presents the idempotent behavior of the edit action with set_tags request. Both rules already had exactly the same tags that were being added, so no changes were made in any of them. summary: Idempotent behavior of set_tags value: attributes: results: created: [] deleted: [] skipped: - id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b name: Rule 1 skip_reason: RULE_NOT_MODIFIED - id: 738112cd-6cfa-414a-8457-2a658845d6ba name: Rule 2 skip_reason: RULE_NOT_MODIFIED updated: [] summary: failed: 0 skipped: 2 succeeded: 0 total: 2 rules_count: 2 success: true example06: description: This example presents the idempotent behavior of the edit action with add_tags request. One rule was updated and one was skipped. The rule that was skipped already had all the tags that were being added. summary: Idempotent behavior of add_tags value: attributes: results: created: [] deleted: [] skipped: - id: 738112cd-6cfa-414a-8457-2a658845d6ba name: Test Rule 2 skip_reason: RULE_NOT_MODIFIED updated: - actions: - action_type_id: .webhook frequency: notifyWhen: onActiveAlert summary: true throttle: null group: default id: 20fbf986-a270-460e-80f3-7b83c08b430f params: body: Hello uuid: 580e2e16-5e91-411c-999b-7b75a11ed441 author: [] created_at: '2025-03-25T09:49:08.343Z' created_by: elastic description: test enabled: false exceptions_list: [] false_positives: [] filters: [] from: now-360s id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b immutable: false index: - apm-*-transaction* - auditbeat-* - endgame-* - filebeat-* - logs-* - packetbeat-* - traces-apm* - winlogbeat-* - '-*elastic-cloud-logs-*' interval: 3m investigation_fields: field_names: - alert.status - Endpoint.policy.applied.artifacts.global.channel language: kuery license: '' max_signals: 100 meta: from: 3m kibana_siem_app_url: http://localhost:5601/kbn/app/security name: Test rule output_index: '' query: '*' references: [] related_integrations: [] required_fields: [] revision: 34 risk_score: 21 risk_score_mapping: [] rule_id: 43250a55-53a3-4ddd-96cb-82a1bd720180 rule_source: type: internal setup: '' severity: low severity_mapping: [] tags: - tag-1 - tag-2 - tag-4 threat: [] timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd timeline_title: Alerts Involving a Single User Timeline to: now type: query updated_at: '2025-03-25T11:55:12.752Z' updated_by: elastic version: 25 summary: failed: 0 skipped: 1 succeeded: 1 total: 2 rules_count: 2 success: true example07: description: This example shows a non-idempotent nature of the set_rule_actions requests. Regardless if the actions are the same as the existing actions for a rule, the actions are always set in the rule and receive a new unique ID. summary: Non-idempotent behavior for set_rule_actions value: attributes: results: created: [] deleted: [] skipped: [] updated: - actions: - action_type_id: .webhook frequency: notifyWhen: onActiveAlert summary: true throttle: null group: default id: 20fbf986-a270-460e-80f3-7b83c08b430f params: body: Hello uuid: e48428e5-efac-4856-b8ad-b271c14eaa91 author: [] created_at: '2025-03-25T09:49:08.343Z' created_by: elastic description: test enabled: false exceptions_list: [] false_positives: [] filters: [] from: now-360s id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b immutable: false index: - apm-*-transaction* - auditbeat-* - endgame-* - filebeat-* - logs-* - packetbeat-* - traces-apm* - winlogbeat-* - '-*elastic-cloud-logs-*' interval: 3m investigation_fields: field_names: - alert.status - Endpoint.policy.applied.artifacts.global.channel language: kuery license: '' max_signals: 100 meta: from: 3m kibana_siem_app_url: http://localhost:5601/kbn/app/security name: Test rule output_index: '' query: '*' references: [] related_integrations: [] required_fields: [] revision: 39 risk_score: 21 risk_score_mapping: [] rule_id: 43250a55-53a3-4ddd-96cb-82a1bd720180 rule_source: type: internal setup: '' severity: low severity_mapping: [] tags: - tag-1 - tag-2 - tag-4 threat: [] timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd timeline_title: Alerts Involving a Single User Timeline to: now type: query updated_at: '2025-03-25T12:17:40.528Z' updated_by: elastic version: 30 summary: failed: 0 skipped: 0 succeeded: 1 total: 1 rules_count: 1 success: true example08: description: This example shows a non-idempotent nature of the add_rule_actions requests. Regardless if the added action is the same as another existing action for a rule, the new action is added to the rule and receives a new unique ID. summary: Non-idempotent behavior for add_rule_actions value: attributes: results: created: [] deleted: [] skipped: [] updated: - actions: - action_type_id: .webhook frequency: notifyWhen: onActiveAlert summary: true throttle: null group: default id: 76af173d-38d8-4a9a-b2cc-a3c695b845b4 params: body: Message body uuid: 0309347e-3954-429c-9168-5da2663389af - action_type_id: .webhook frequency: notifyWhen: onActiveAlert summary: true throttle: null group: default id: 76af173d-38d8-4a9a-b2cc-a3c695b845b4 params: body: Message body uuid: 49ddaa94-d63d-410e-90dc-8c1bad9552bd author: [] created_at: '2025-04-02T12:42:03.400Z' created_by: elastic description: test enabled: false exceptions_list: [] false_positives: [] filters: [] from: now-6m id: 0d3eb0cd-88c4-4651-ac87-6d9f0cb87217 immutable: false index: - apm-*-transaction* - auditbeat-* - endgame-* - filebeat-* - logs-* - packetbeat-* - traces-apm* - winlogbeat-* - '-*elastic-cloud-logs-*' interval: 5m language: kuery license: '' max_signals: 100 meta: kibana_siem_app_url: http://localhost:5601/kbn/app/security name: Jacek test rule output_index: '' query: '*' references: [] related_integrations: [] required_fields: [] revision: 2 risk_score: 21 risk_score_mapping: [] rule_id: 2684c020-1370-4719-ac27-eafe6428fe10 rule_source: type: internal setup: '' severity: low severity_mapping: [] tags: [] threat: [] to: now type: query updated_at: '2025-04-02T12:51:40.215Z' updated_by: elastic version: 2 summary: failed: 0 skipped: 0 succeeded: 1 total: 1 rules_count: 1 success: true schema: oneOf: - $ref: '#/components/schemas/Security_Detections_API_BulkEditActionResponse' - $ref: '#/components/schemas/Security_Detections_API_BulkExportActionResponse' description: OK summary: Apply a bulk action to detection rules tags: - Security Detections API x-metaTags: - content: Kibana name: product_name /api/detection_engine/rules/_export: post: description: | **Spaces method and path for this operation:**
post /s/{space_id}/api/detection_engine/rules/_export
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Export detection rules to an `.ndjson` file. The following configuration items are also included in the `.ndjson` file: - Actions - Exception lists > info > Rule actions and connectors are included in the exported file, but sensitive information about the connector (such as authentication credentials) is not included. You must re-add missing connector details after importing detection rules. > You can use Kibana’s [Saved Objects](https://www.elastic.co/docs/explore-analyze/find-and-organize/saved-objects) UI (Stack Management → Kibana → Saved Objects) or the Saved Objects APIs (experimental) to [export](https://www.elastic.co/docs/api/doc/kibana/operation/operation-exportsavedobjectsdefault) and [import](https://www.elastic.co/docs/api/doc/kibana/operation/operation-importsavedobjectsdefault) any necessary connectors before importing detection rules. > Similarly, any value lists used for rule exceptions are not included in rule exports or imports. Use the [Manage value lists](https://www.elastic.co/docs/solutions/security/detect-and-alert/create-manage-value-lists) UI (Rules → Detection rules (SIEM) → Manage value lists) to export and import value lists separately. operationId: ExportRules parameters: - description: Determines whether a summary of the exported rules is returned. in: query name: exclude_export_details required: false schema: default: false type: boolean - description: | File name for saving the exported rules. > info > When using cURL to export rules to a file, use the -O and -J options to save the rules to the file name specified in the URL. in: query name: file_name required: false schema: default: export.ndjson type: string requestBody: content: application/json: schema: nullable: true type: object properties: objects: description: Array of objects with a rule's `rule_id` field. Do not use rule's `id` here. Exports all rules when unspecified. items: type: object properties: rule_id: $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' required: - rule_id type: array required: - objects required: false responses: '200': content: application/ndjson: schema: description: | An `.ndjson` file containing the returned rules. Each line in the file represents an object (a rule, exception list parent container, or exception list item), and the last line includes a summary of what was exported. format: binary type: string description: Indicates a successful call. summary: Export detection rules tags: - Security Detections API x-codeSamples: - lang: cURL source: | curl -X POST "localhost:5601/api/detection_engine/rules/_export?exclude_export_details=true&file_name=exported_rules.ndjson" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' { "objects": [ { "rule_id":"343580b5-c811-447c-8d2d-2ccf052c6900" }, { "rule_id":"2938c9fa-53eb-4c04-b79c-33cbf041b18d" } ] } x-metaTags: - content: Kibana name: product_name /api/detection_engine/rules/_find: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/detection_engine/rules/_find
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Retrieve a paginated list of detection rules. By default, the first page is returned, with 20 results per page. operationId: FindRules parameters: - in: query name: fields required: false schema: items: type: string type: array - description: | Search query Filters the returned results according to the value of the specified field, using the alert.attributes.: syntax, where can be: - name - enabled - tags - createdBy - interval - updatedBy > info > Even though the JSON rule object uses created_by and updated_by fields, you must use createdBy and updatedBy fields in the filter. in: query name: filter required: false schema: type: string - description: Field to sort by in: query name: sort_field required: false schema: $ref: '#/components/schemas/Security_Detections_API_FindRulesSortField' - description: Sort order in: query name: sort_order required: false schema: $ref: '#/components/schemas/Security_Detections_API_SortOrder' - description: Page number in: query name: page required: false schema: default: 1 minimum: 1 type: integer - description: Rules per page in: query name: per_page required: false schema: default: 20 minimum: 0 type: integer - description: Gaps range start in: query name: gaps_range_start required: false schema: type: string - description: Gaps range end in: query name: gaps_range_end required: false schema: type: string - description: Gap fill statuses in: query name: gap_fill_statuses required: false schema: items: $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' type: array - description: Gap auto fill scheduler ID used to determine gap fill status for rules in: query name: gap_auto_fill_scheduler_id required: false schema: type: string responses: '200': content: application/json: examples: example1: value: data: - created_at: '2020-02-02T10:05:19.613Z' created_by: elastic description: Identifies a PowerShell process launched by either cscript.exe or wscript.exe. Observing Windows scripting processes executing a PowerShell script, may be indicative of malicious activity. enabled: false execution_summary: last_execution: date: '2022-03-23T16:06:12.787Z' message: This rule attempted to query data from Elasticsearch indices listed in the "Index pattern" section of the rule definition, but no matching index was found. metrics: execution_gap_duration_s: 0 total_indexing_duration_ms: 15 total_search_duration_ms: 135 status: partial failure status_order: 20 false_positives: [] from: now-6m id: 89761517-fdb0-4223-b67b-7621acc48f9e immutable: true index: - winlogbeat-* interval: 5m language: kuery max_signals: 33 name: Windows Script Executing PowerShell query: 'event.action:"Process Create (rule: ProcessCreate)" and process.parent.name:("wscript.exe" or "cscript.exe") and process.name:"powershell.exe"' references: [] related_integrations: - package: o365 version: ^2.3.2 required_fields: - ecs: true name: event.action type: keyword - ecs: true name: process.name type: keyword - ecs: true name: process.parent.name type: keyword risk_score: 21 rule_id: f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc setup: '' severity: low tags: - Elastic - Windows threat: - framework: MITRE ATT&CK tactic: id: TA0002 name: Execution reference: https://attack.mitre.org/tactics/TA0002/ technique: - id: T1193 name: Spearphishing Attachment reference: https://attack.mitre.org/techniques/T1193/ to: now type: query updated_at: '2020-02-02T10:05:19.830Z' updated_by: elastic page: 1 perPage: 5 total: 4 schema: type: object properties: data: items: $ref: '#/components/schemas/Security_Detections_API_RuleResponse' type: array page: type: integer perPage: type: integer total: type: integer warnings: items: $ref: '#/components/schemas/Security_Detections_API_WarningSchema' type: array required: - page - perPage - total - data description: | Successful response > info > These fields are under development and their usage or schema may change: execution_summary. summary: List all detection rules tags: - Security Detections API x-codeSamples: - lang: cURL source: | curl -X GET "localhost:5601/api/detection_engine/rules/_find?page=1&per_page=5&sort_field=enabled&sort_order=asc&filter=alert.attributes.name:windows" -H 'kbn-xsrf: true' x-metaTags: - content: Kibana name: product_name /api/detection_engine/rules/_import: post: description: | **Spaces method and path for this operation:**
post /s/{space_id}/api/detection_engine/rules/_import
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Import detection rules from an `.ndjson` file, including actions and exception lists. The request must include: - The `Content-Type: multipart/form-data` HTTP header. - A link to the `.ndjson` file containing the rules. > warn > When used with [API key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running. > If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change. > info > To import rules with actions, you need at least Read privileges for the Action and Connectors feature. To overwrite or add new connectors, you need All privileges for the Actions and Connectors feature. To import rules without actions, you don’t need Actions and Connectors privileges. Refer to [Enable and access detections](https://www.elastic.co/docs/solutions/security/detect-and-alert/detections-privileges) for more information. > info > Rule actions and connectors are included in the exported file, but sensitive information about the connector (such as authentication credentials) is not included. You must re-add missing connector details after importing detection rules. > You can use Kibana’s [Saved Objects](https://www.elastic.co/docs/explore-analyze/find-and-organize/saved-objects) UI (Stack Management → Kibana → Saved Objects) or the Saved Objects APIs (experimental) to [export](https://www.elastic.co/docs/api/doc/kibana/operation/operation-exportsavedobjectsdefault) and [import](https://www.elastic.co/docs/api/doc/kibana/operation/operation-importsavedobjectsdefault) any necessary connectors before importing detection rules. > Similarly, any value lists used for rule exceptions are not included in rule exports or imports. Use the [Manage value lists](https://www.elastic.co/docs/solutions/security/detect-and-alert/create-manage-value-lists) UI (Rules → Detection rules (SIEM) → Manage value lists) to export and import value lists separately. operationId: ImportRules parameters: - description: Determines whether existing rules with the same `rule_id` are overwritten. in: query name: overwrite required: false schema: default: false type: boolean - description: Determines whether existing exception lists with the same `list_id` are overwritten. Both the exception list container and its items are overwritten. in: query name: overwrite_exceptions required: false schema: default: false type: boolean - description: Determines whether existing actions with the same `kibana.alert.rule.actions.id` are overwritten. in: query name: overwrite_action_connectors required: false schema: default: false type: boolean - description: Generates a new list ID for each imported exception list. in: query name: as_new_list required: false schema: default: false type: boolean requestBody: content: multipart/form-data: schema: type: object properties: file: description: The `.ndjson` file containing the rules. format: binary type: string required: true responses: '200': content: application/json: examples: example1: summary: Import rules with success value: errors: [] exceptions_errors: [] exceptions_success: true exceptions_success_count: 0 rules_count: 1 success: true success_count: 1 schema: additionalProperties: false type: object properties: action_connectors_errors: items: $ref: '#/components/schemas/Security_Detections_API_ErrorSchema' type: array action_connectors_success: type: boolean action_connectors_success_count: minimum: 0 type: integer action_connectors_warnings: items: $ref: '#/components/schemas/Security_Detections_API_WarningSchema' type: array errors: items: $ref: '#/components/schemas/Security_Detections_API_ErrorSchema' type: array exceptions_errors: items: $ref: '#/components/schemas/Security_Detections_API_ErrorSchema' type: array exceptions_success: type: boolean exceptions_success_count: minimum: 0 type: integer rules_count: minimum: 0 type: integer success: type: boolean success_count: minimum: 0 type: integer required: - exceptions_success - exceptions_success_count - exceptions_errors - rules_count - success - success_count - errors - action_connectors_errors - action_connectors_warnings - action_connectors_success - action_connectors_success_count description: Indicates a successful call. summary: Import detection rules tags: - Security Detections API x-codeSamples: - lang: cURL source: | curl -X POST "/api/detection_engine/rules/_import" -u : -H 'kbn-xsrf: true' -H 'Content-Type: multipart/form-data' --form "file=@" x-metaTags: - content: Kibana name: product_name /api/detection_engine/rules/{id}/exceptions: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/detection_engine/rules/{id}/exceptions
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Create exception items that apply to a single detection rule. operationId: CreateRuleExceptionListItems parameters: - description: Detection rule's identifier examples: id: value: 330bdd28-eedf-40e1-bed0-f10176c7f9e0 in: path name: id required: true schema: $ref: '#/components/schemas/Security_Exceptions_API_UUID' requestBody: content: application/json: schema: example: items: - description: This is a sample detection type exception item. entries: - field: actingProcess.file.signer operator: excluded type: exists - field: host.name operator: included type: match_any value: - saturn - jupiter item_id: simple_list_item list_id: simple_list name: Sample Exception List Item namespace_type: single os_types: - linux tags: - malware type: simple type: object properties: items: items: $ref: '#/components/schemas/Security_Exceptions_API_CreateRuleExceptionListItemProps' type: array required: - items description: Rule exception items. required: true responses: '200': content: application/json: examples: ruleExceptionItems: value: - _version: WzQsMV0= comments: [] created_at: '2025-01-07T20:07:33.119Z' created_by: elastic description: This is a sample detection type exception item. entries: - field: actingProcess.file.signer operator: excluded type: exists - field: host.name operator: included type: match_any value: - saturn - jupiter id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 item_id: simple_list_item list_id: simple_list name: Sample Exception List Item namespace_type: single os_types: - linux tags: - malware tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c type: simple updated_at: '2025-01-07T20:07:33.119Z' updated_by: elastic schema: items: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' type: array description: Successful response '400': content: application/json: examples: badPayload: value: error: Bad Request message: Invalid request payload JSON format statusCode: 400 badRequest: value: error: Bad Request message: '[request params]: id: Invalid uuid' statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: message: Unable to create exception-list status_code: 403 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Not enough privileges response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Internal server error response summary: Create rule exception items tags: - Security Exceptions API x-metaTags: - content: Kibana name: product_name /api/detection_engine/rules/prepackaged: put: description: | **Spaces method and path for this operation:**
put /s/{space_id}/api/detection_engine/rules/prepackaged
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Install and update all Elastic prebuilt detection rules and Timelines. This endpoint allows you to install and update prebuilt detection rules and Timelines provided by Elastic. When you call this endpoint, it will: - Install any new prebuilt detection rules that are not currently installed in your system. - Update any existing prebuilt detection rules that have been modified or improved by Elastic. - Install any new prebuilt Timelines that are not currently installed in your system. - Update any existing prebuilt Timelines that have been modified or improved by Elastic. This ensures that your detection engine is always up-to-date with the latest rules and Timelines, providing you with the most current and effective threat detection capabilities. operationId: InstallPrebuiltRulesAndTimelines responses: '200': content: application/json: examples: example1: value: rules_installed: 112 rules_updated: 0 timelines_installed: 5 timelines_updated: 2 schema: additionalProperties: false type: object properties: rules_installed: description: The number of rules installed minimum: 0 type: integer rules_updated: description: The number of rules updated minimum: 0 type: integer timelines_installed: description: The number of timelines installed minimum: 0 type: integer timelines_updated: description: The number of timelines updated minimum: 0 type: integer required: - rules_installed - rules_updated - timelines_installed - timelines_updated description: Indicates a successful call summary: Install prebuilt detection rules and Timelines tags: - Security Detections API x-metaTags: - content: Kibana name: product_name /api/detection_engine/rules/prepackaged/_status: get: description: | **Spaces method and path for this operation:**
get /s/{space_id}/api/detection_engine/rules/prepackaged/_status
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Retrieve the status of all Elastic prebuilt detection rules and Timelines. This endpoint provides detailed information about the number of custom rules, installed prebuilt rules, available prebuilt rules that are not installed, outdated prebuilt rules, installed prebuilt timelines, available prebuilt timelines that are not installed, and outdated prebuilt timelines. operationId: ReadPrebuiltRulesAndTimelinesStatus responses: '200': content: application/json: examples: example1: value: rules_custom_installed: 0 rules_installed: 0 rules_not_installed: 112 rules_not_updated: 0 timelines_installed: 0 timelines_not_installed: 0 timelines_not_updated: 0 schema: additionalProperties: false type: object properties: rules_custom_installed: description: The total number of custom rules minimum: 0 type: integer rules_installed: description: The total number of installed prebuilt rules minimum: 0 type: integer rules_not_installed: description: The total number of available prebuilt rules that are not installed minimum: 0 type: integer rules_not_updated: description: The total number of outdated prebuilt rules minimum: 0 type: integer timelines_installed: description: The total number of installed prebuilt timelines minimum: 0 type: integer timelines_not_installed: description: The total number of available prebuilt timelines that are not installed minimum: 0 type: integer timelines_not_updated: description: The total number of outdated prebuilt timelines minimum: 0 type: integer required: - rules_custom_installed - rules_installed - rules_not_installed - rules_not_updated - timelines_installed - timelines_not_installed - timelines_not_updated description: Indicates a successful call summary: Retrieve the status of prebuilt detection rules and Timelines tags: - Security Detections API x-metaTags: - content: Kibana name: product_name /api/detection_engine/rules/preview: post: operationId: RulePreview parameters: - description: Enables logging and returning in response ES queries, performed during rule execution in: query name: enable_logged_requests required: false schema: type: boolean requestBody: content: application/json: schema: anyOf: - allOf: - $ref: '#/components/schemas/Security_Detections_API_EqlRuleCreateProps' - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams' - allOf: - $ref: '#/components/schemas/Security_Detections_API_QueryRuleCreateProps' - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams' - allOf: - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleCreateProps' - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams' - allOf: - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleCreateProps' - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams' - allOf: - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleCreateProps' - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams' - allOf: - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleCreateProps' - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams' - allOf: - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleCreateProps' - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams' - allOf: - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleCreateProps' - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams' discriminator: propertyName: type description: An object containing tags to add or remove and alert ids the changes will be applied required: true responses: '200': content: application/json: schema: type: object properties: isAborted: type: boolean logs: items: $ref: '#/components/schemas/Security_Detections_API_RulePreviewLogs' type: array previewId: $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' required: - logs description: Successful response '400': content: application/json: schema: oneOf: - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' description: Unsuccessful authentication response '500': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Internal server error response summary: Preview rule alerts generated on specified time range tags: - Security Detections API x-metaTags: - content: Kibana name: product_name description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/detection_engine/rules/preview
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. /api/detection_engine/signals/assignees: post: description: | **Spaces method and path for this operation:**
post /s/{space_id}/api/detection_engine/signals/assignees
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Assign users to detection alerts, and unassign them from alerts. > info > You cannot add and remove the same assignee in the same request. operationId: SetAlertAssignees requestBody: content: application/json: examples: add: $ref: '#/components/examples/Security_Detections_API_SetAlertAssigneesBodyAdd' remove: $ref: '#/components/examples/Security_Detections_API_SetAlertAssigneesBodyRemove' schema: $ref: '#/components/schemas/Security_Detections_API_SetAlertAssigneesBody' required: true responses: '200': content: application/ndjson: examples: add: value: batches: 1, deleted: 0, failures: [] noops: 0, requests_per_second: '-1,' retries: - bulk: 0, - search: 0 throttled_millis: 0, throttled_until_millis: 0, timed_out: false, took: 76, total: 1, updated: 1, version_conflicts: 0, description: Indicates a successful call. '400': description: Invalid request. summary: Assign and unassign users from detection alerts tags: - Security Detections API x-metaTags: - content: Kibana name: product_name /api/detection_engine/signals/finalize_migration: post: deprecated: true description: | **Spaces method and path for this operation:**
post /s/{space_id}/api/detection_engine/signals/finalize_migration
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Finalize successful migrations of detection alerts. This replaces the original index's alias with the successfully migrated index's alias. The endpoint is idempotent; therefore, it can safely be used to poll a given migration and, upon completion, finalize it. operationId: FinalizeAlertsMigration requestBody: content: application/json: schema: example: migration_ids: - 924f7c50-505f-11eb-ae0a-3fa2e626a51d type: object properties: migration_ids: description: Array of `migration_id`s to finalize. items: type: string minItems: 1 type: array required: - migration_ids description: Array of `migration_id`s to finalize required: true responses: '200': content: application/json: examples: success: value: migrations: - completed: true destinationIndex: .siem-signals-default-000002-r000016 id: 924f7c50-505f-11eb-ae0a-3fa2e626a51d sourceIndex: .siem-signals-default-000002 status: success updated: '2021-01-06T22:05:56.859Z' version: 16 schema: items: $ref: '#/components/schemas/Security_Detections_API_MigrationFinalizationResult' type: array description: Successful response '400': content: application/json: schema: oneOf: - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' description: Unsuccessful authentication response '500': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Internal server error response summary: Finalize detection alert migrations tags: - Security Detections API x-metaTags: - content: Kibana name: product_name /api/detection_engine/signals/migration: delete: deprecated: true description: | **Spaces method and path for this operation:**
delete /s/{space_id}/api/detection_engine/signals/migration
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Migrations favor data integrity over shard size. Consequently, unused or orphaned indices are artifacts of the migration process. A successful migration will result in both the old and new indices being present. As such, the old, orphaned index can (and likely should) be deleted. While you can delete these indices manually, the endpoint accomplishes this task by applying a deletion policy to the relevant index, causing it to be deleted after 30 days. It also deletes other artifacts specific to the migration implementation. operationId: AlertsMigrationCleanup requestBody: content: application/json: schema: example: migration_ids: - 924f7c50-505f-11eb-ae0a-3fa2e626a51d type: object properties: migration_ids: description: Array of `migration_id`s to cleanup. items: type: string minItems: 1 type: array required: - migration_ids description: Array of `migration_id`s to cleanup required: true responses: '200': content: application/json: examples: success: value: migrations: - destinationIndex: .siem-signals-default-000002-r000016 id: 924f7c50-505f-11eb-ae0a-3fa2e626a51d sourceIndex: .siem-signals-default-000002 status: success updated: '2021-01-06T22:05:56.859Z' version: 16 schema: items: $ref: '#/components/schemas/Security_Detections_API_MigrationCleanupResult' type: array description: Successful response '400': content: application/json: schema: oneOf: - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' description: Unsuccessful authentication response '500': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Internal server error response summary: Clean up detection alert migrations tags: - Security Detections API x-metaTags: - content: Kibana name: product_name post: deprecated: true description: | **Spaces method and path for this operation:**
post /s/{space_id}/api/detection_engine/signals/migration
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Initiate a migration of detection alerts. Migrations are initiated per index. While the process is neither destructive nor interferes with existing data, it may be resource-intensive. As such, it is recommended that you plan your migrations accordingly. operationId: CreateAlertsMigration requestBody: content: application/json: examples: singleIndex: value: index: - .siem-signals-default-000001 schema: allOf: - type: object properties: index: description: Array of index names to migrate. items: format: nonempty minLength: 1 type: string minItems: 1 type: array required: - index - $ref: '#/components/schemas/Security_Detections_API_AlertsReindexOptions' description: Alerts migration parameters required: true responses: '200': content: application/json: examples: success: value: indices: - index: .siem-signals-default-000001, migration_id: 923f7c50-505f-11eb-ae0a-3fa2e626a51d migration_index: .siem-signals-default-000001-r000016 schema: type: object properties: indices: items: oneOf: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndexMigrationSuccess' - $ref: '#/components/schemas/Security_Detections_API_AlertsIndexMigrationError' - $ref: '#/components/schemas/Security_Detections_API_SkippedAlertsIndexMigration' type: array required: - indices description: Successful response '400': content: application/json: schema: oneOf: - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' description: Unsuccessful authentication response '500': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Internal server error response summary: Initiate a detection alert migration tags: - Security Detections API x-metaTags: - content: Kibana name: product_name /api/detection_engine/signals/migration_status: get: deprecated: true description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/detection_engine/signals/migration_status
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Retrieve indices that contain detection alerts of a particular age, along with migration information for each of those indices. operationId: ReadAlertsMigrationStatus parameters: - description: Maximum age of qualifying detection alerts in: query name: from required: true schema: description: | Time from which data is analyzed. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time). example: now-30d format: date-math type: string responses: '200': content: application/json: examples: success: value: indices: - index: .siem-signals-default-000002 is_outdated: true migrations: - id: 924f7c50-505f-11eb-ae0a-3fa2e626a51d status: pending updated: '2021-01-06T20:41:37.173Z' version: 16 signal_versions: - count: 100 version: 15 - count: 87 version: 16 version: 15 - index: .siem-signals-default-000003 is_outdated: false migrations: [] signal_versions: - count: 54 version: 16 version: 16 schema: type: object properties: indices: items: $ref: '#/components/schemas/Security_Detections_API_IndexMigrationStatus' type: array required: - indices description: Successful response '400': content: application/json: schema: oneOf: - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' description: Unsuccessful authentication response '500': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Internal server error response summary: Retrieve the status of detection alert migrations tags: - Security Detections API x-metaTags: - content: Kibana name: product_name /api/detection_engine/signals/search: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/detection_engine/signals/search
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Find and/or aggregate detection alerts that match the given query. operationId: SearchAlerts requestBody: content: application/json: examples: query: value: aggs: alertsByGrouping: terms: field: host.name size: 10 missingFields: missing: field: host.name query: bool: filter: - bool: filter: - match_phrase: kibana.alert.workflow_status: open must: [] must_not: - exists: field: kibana.alert.building_block_type should: [] - range: '@timestamp': gte: '2025-01-17T08:00:00.000Z' lte: '2025-01-18T07:59:59.999Z' runtime_mappings: {} size: 0 schema: $ref: '#/components/schemas/Security_Detections_API_QueryAlertsBodyParams' description: Elasticsearch query and aggregation request description: Search and/or aggregation query required: true responses: '200': content: application/json: examples: success: value: _shards: failed: 0 skipped: 0 successful: 1 total: 1 aggregations: alertsByGrouping: buckets: - doc_count: 5 key: Host-f43kkddfyc doc_count_error_upper_bound: 0 sum_other_doc_count: 0 missingFields: doc_count: 0 hits: hits: [] max_score: null total: relation: eq value: 5 timed_out: false took: 0 schema: additionalProperties: true description: Elasticsearch search response type: object description: Successful response '400': content: application/json: schema: oneOf: - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' description: Unsuccessful authentication response '500': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Internal server error response summary: Find and/or aggregate detection alerts tags: - Security Detections API x-metaTags: - content: Kibana name: product_name /api/detection_engine/signals/status: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/detection_engine/signals/status
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Set the status of one or more detection alerts. operationId: SetAlertsStatus requestBody: content: application/json: examples: byId: value: signal_ids: - 80e1383f856e67c1b7f7a1634744fa6d66b6e2ef7aa26d226e57afb5a7b2b4a1 status: closed byQuery: value: conflicts: proceed query: bool: filter: - '@timestamp': format: strict_date_optional_time gte: '2024-10-23T07:00:00.000Z' lte: '2025-01-21T20:12:11.704Z' range: null - bool: filter: bool: filter: - match_phrase: kibana.alert.workflow_status: open - '@timestamp': format: strict_date_optional_time gte: '2024-10-23T07:00:00.000Z' lte: '2025-01-21T20:12:11.704Z' range: null must: [] must_not: - exists: field: kibana.alert.building_block_type should: [] must: [] must_not: [] should: [] status: closed schema: oneOf: - $ref: '#/components/schemas/Security_Detections_API_SetAlertsStatusByIds' - $ref: '#/components/schemas/Security_Detections_API_SetAlertsStatusByQuery' description: An object containing desired status and explicit alert ids or a query to select alerts required: true responses: '200': content: application/json: examples: byId: value: batches: 1 deleted: 0 failures: [] noops: 0 requests_per_second: -1 retries: bulk: 0 search: 0 throttled_millis: 0 throttled_until_millis: 0 timed_out: false took: 81 total: 1 updated: 1 version_conflicts: 0 byQuery: value: batches: 1 deleted: 0 failures: [] noops: 0 requests_per_second: -1 retries: bulk: 0 search: 0 throttled_millis: 0 throttled_until_millis: 0 timed_out: false took: 100 total: 17 updated: 17 version_conflicts: 0 schema: additionalProperties: true description: Elasticsearch update by query response type: object description: Successful response '400': content: application/json: schema: oneOf: - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' description: Unsuccessful authentication response '500': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Internal server error response summary: Set a detection alert status tags: - Security Detections API x-metaTags: - content: Kibana name: product_name /api/detection_engine/signals/tags: post: description: | **Spaces method and path for this operation:**
post /s/{space_id}/api/detection_engine/signals/tags
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. And tags to detection alerts, and remove them from alerts. > info > You cannot add and remove the same alert tag in the same request. operationId: SetAlertTags requestBody: content: application/json: examples: add: $ref: '#/components/examples/Security_Detections_API_SetAlertTagsBodyAdd' remove: $ref: '#/components/examples/Security_Detections_API_SetAlertTagsBodyRemove' schema: $ref: '#/components/schemas/Security_Detections_API_SetAlertTagsBody' description: An object containing tags to add or remove and alert ids the changes will be applied required: true responses: '200': content: application/json: examples: success: value: batches: 1, deleted: 0, failures: [] noops: 0, requests_per_second: '-1,' retries: bulk: 0, search: 0 throttled_millis: 0, throttled_until_millis: 0, timed_out: false, took: 68, total: 1, updated: 1, version_conflicts: 0, schema: additionalProperties: true description: Elasticsearch update by query response type: object description: Successful response '400': content: application/json: schema: oneOf: - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' description: Unsuccessful authentication response '500': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Internal server error response summary: Add and remove detection alert tags tags: - Security Detections API x-metaTags: - content: Kibana name: product_name /api/detection_engine/tags: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/detection_engine/tags
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. List all unique tags from all detection rules. operationId: ReadTags responses: '200': content: application/json: examples: example1: value: - zeek - suricata - windows - linux - network - initial access - remote access - phishing schema: $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' description: Indicates a successful call summary: List all detection rule tags tags: - Security Detections API x-metaTags: - content: Kibana name: product_name /api/encrypted_saved_objects/_rotate_key: post: description: | Superuser role required. If a saved object cannot be decrypted using the primary encryption key, then Kibana will attempt to decrypt it using the specified decryption-only keys. In most of the cases this overhead is negligible, but if you're dealing with a large number of saved objects and experiencing performance issues, you may want to rotate the encryption key. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. operationId: rotateEncryptionKey parameters: - description: | Specifies a maximum number of saved objects that Kibana can process in a single batch. Bulk key rotation is an iterative process since Kibana may not be able to fetch and process all required saved objects in one go and splits processing into consequent batches. By default, the batch size is 10000, which is also a maximum allowed value. in: query name: batch_size required: false schema: default: 10000 type: number - description: | Limits encryption key rotation only to the saved objects with the specified type. By default, Kibana tries to rotate the encryption key for all saved object types that may contain encrypted attributes. in: query name: type required: false schema: type: string responses: '200': content: application/json: examples: rotateEncryptionKeyResponse: $ref: '#/components/examples/Saved_objects_key_rotation_response' schema: type: object properties: failed: description: | Indicates the number of the saved objects that were still encrypted with one of the old encryption keys that Kibana failed to re-encrypt with the primary key. type: number successful: description: | Indicates the total number of all encrypted saved objects (optionally filtered by the requested `type`), regardless of the key Kibana used for encryption. NOTE: In most cases, `total` will be greater than `successful` even if `failed` is zero. The reason is that Kibana may not need or may not be able to rotate encryption keys for all encrypted saved objects. type: number total: description: | Indicates the total number of all encrypted saved objects (optionally filtered by the requested `type`), regardless of the key Kibana used for encryption. type: number description: Indicates a successful call. '400': content: application/json: schema: $ref: '#/components/schemas/Saved_objects_400_response' description: Bad request '429': content: application/json: schema: type: object description: Already in progress. summary: Rotate a key for encrypted saved objects tags: - saved objects x-metaTags: - content: Kibana name: product_name /api/endpoint_list: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/endpoint_list
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Create the exception list for Elastic Endpoint rule exceptions. When you create the exception list, it will have a `list_id` of `endpoint_list`. If the Elastic Endpoint exception list already exists, your request will return an empty response. operationId: CreateEndpointList responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_EndpointList' description: Successful response '400': content: application/json: schema: oneOf: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' description: Invalid input data '401': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' description: Unsuccessful authentication '403': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' description: Insufficient privileges '500': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' description: Internal server error summary: Create an Elastic Endpoint rule exception list tags: - Security Endpoint Exceptions API x-metaTags: - content: Kibana name: product_name /api/endpoint_list/items: delete: description: |- **Spaces method and path for this operation:**
delete /s/{space_id}/api/endpoint_list/items
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Delete an Elastic Endpoint exception list item, specified by the `id` or `item_id` field. operationId: DeleteEndpointListItem parameters: - description: Either `id` or `item_id` must be specified in: query name: id required: false schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId' - description: Either `id` or `item_id` must be specified in: query name: item_id required: false schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId' responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItem' description: Successful response '400': content: application/json: schema: oneOf: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' description: Invalid input data '401': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' description: Unsuccessful authentication '403': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' description: Insufficient privileges '404': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' description: Endpoint list item not found '500': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' description: Internal server error summary: Delete an Elastic Endpoint exception list item tags: - Security Endpoint Exceptions API x-metaTags: - content: Kibana name: product_name get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/endpoint_list/items
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get the details of an Elastic Endpoint exception list item, specified by the `id` or `item_id` field. operationId: ReadEndpointListItem parameters: - description: Either `id` or `item_id` must be specified in: query name: id required: false schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId' - description: Either `id` or `item_id` must be specified in: query name: item_id required: false schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId' responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItem' description: Successful response '400': content: application/json: schema: oneOf: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' description: Invalid input data '401': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' description: Unsuccessful authentication '403': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' description: Insufficient privileges '404': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' description: Endpoint list item not found '500': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' description: Internal server error summary: Get an Elastic Endpoint rule exception list item tags: - Security Endpoint Exceptions API x-metaTags: - content: Kibana name: product_name post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/endpoint_list/items
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Create an Elastic Endpoint exception list item, and associate it with the Elastic Endpoint exception list. operationId: CreateEndpointListItem requestBody: content: application/json: schema: type: object properties: comments: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray' default: [] description: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription' entries: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray' item_id: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId' meta: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta' name: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName' os_types: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray' default: [] tags: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags' default: [] type: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType' required: - type - name - description - entries description: Exception list item's properties required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItem' description: Successful response '400': content: application/json: schema: oneOf: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' description: Invalid input data '401': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' description: Unsuccessful authentication '403': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' description: Insufficient privileges '409': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' description: Endpoint list item already exists '500': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' description: Internal server error summary: Create an Elastic Endpoint rule exception list item tags: - Security Endpoint Exceptions API x-metaTags: - content: Kibana name: product_name put: description: |- **Spaces method and path for this operation:**
put /s/{space_id}/api/endpoint_list/items
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Update an Elastic Endpoint exception list item, specified by the `id` or `item_id` field. operationId: UpdateEndpointListItem requestBody: content: application/json: schema: type: object properties: _version: type: string comments: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray' default: [] description: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription' entries: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray' id: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId' description: Either `id` or `item_id` must be specified item_id: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId' description: Either `id` or `item_id` must be specified meta: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta' name: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName' os_types: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray' default: [] tags: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags' type: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType' required: - type - name - description - entries description: Exception list item's properties required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItem' description: Successful response '400': content: application/json: schema: oneOf: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' description: Invalid input data '401': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' description: Unsuccessful authentication '403': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' description: Insufficient privileges '404': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' description: Endpoint list item not found '500': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' description: Internal server error summary: Update an Elastic Endpoint rule exception list item tags: - Security Endpoint Exceptions API x-metaTags: - content: Kibana name: product_name /api/endpoint_list/items/_find: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/endpoint_list/items/_find
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get a list of all Elastic Endpoint exception list items. operationId: FindEndpointListItems parameters: - description: | Filters the returned results according to the value of the specified field, using the `:` syntax. in: query name: filter required: false schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' - description: The page number to return in: query name: page required: false schema: minimum: 0 type: integer - description: The number of exception list items to return per page in: query name: per_page required: false schema: minimum: 0 type: integer - description: Determines which field is used to sort the results in: query name: sort_field required: false schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' - description: Determines the sort order, which can be `desc` or `asc` in: query name: sort_order required: false schema: enum: - desc - asc type: string responses: '200': content: application/json: schema: type: object properties: data: items: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItem' type: array page: minimum: 0 type: integer per_page: minimum: 0 type: integer pit: type: string total: minimum: 0 type: integer required: - data - page - per_page - total description: Successful response '400': content: application/json: schema: oneOf: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' description: Invalid input data '401': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' description: Unsuccessful authentication '403': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' description: Insufficient privileges '404': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' description: Endpoint list not found '500': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' description: Internal server error summary: Get Elastic Endpoint exception list items tags: - Security Endpoint Exceptions API x-metaTags: - content: Kibana name: product_name /api/endpoint/action: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/endpoint/action
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get a list of all response actions. operationId: EndpointGetActionsList parameters: - in: query name: page required: false schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_Page' - in: query name: pageSize required: false schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_PageSize' - in: query name: commands required: false schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_Commands' - in: query name: agentIds required: false schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentIds' - in: query name: userIds required: false schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_UserIds' - in: query name: startDate required: false schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_StartDate' - in: query name: endDate required: false schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_EndDate' - in: query name: agentTypes required: false schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' - in: query name: withOutputs required: false schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_WithOutputs' - in: query name: types required: false schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_Types' responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_GetEndpointActionListResponse' description: OK summary: Get response actions tags: - Security Endpoint Management API x-metaTags: - content: Kibana name: product_name /api/endpoint/action_status: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/endpoint/action_status
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get the status of response actions for the specified agent IDs. operationId: EndpointGetActionsStatus parameters: - in: query name: query required: true schema: type: object properties: agent_ids: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentIds' responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_ActionStatusSuccessResponse' description: OK summary: Get response actions status tags: - Security Endpoint Management API x-metaTags: - content: Kibana name: product_name /api/endpoint/action/{action_id}: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/endpoint/action/{action_id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get the details of a response action using the action ID. operationId: EndpointGetActionsDetails parameters: - in: path name: action_id required: true schema: description: The ID of the action to retrieve. example: fr518850-681a-4y60-aa98-e22640cae2b8 type: string responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_ActionDetailsResponse' description: OK summary: Get action details tags: - Security Endpoint Management API x-metaTags: - content: Kibana name: product_name /api/endpoint/action/{action_id}/file/{file_id}: get: description: | **Spaces method and path for this operation:**
get /s/{space_id}/api/endpoint/action/{action_id}/file/{file_id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get information for the specified response action file download. operationId: EndpointFileInfo parameters: - in: path name: action_id required: true schema: type: string - description: | The file identifier is constructed in one of two ways: - For Elastic Defend agents (`agentType` of `endpoint`): combine the `action_id` and `agent_id` values using a dot (`.`) separator: `{file_id}` = `{action_id}.{agent_id}` - For all other agent types: the `file_id` is the `agent_id` for which the response action was sent to. in: path name: file_id required: true schema: type: string responses: '200': content: application/json: schema: properties: data: type: object properties: actionId: type: string agentId: type: string agentType: type: string created: format: date-time type: string id: type: string mimeType: type: string name: type: string size: type: number status: enum: - AWAITING_UPLOAD - UPLOADING - READY - UPLOAD_ERROR - DELETED type: string description: OK summary: Get file information tags: - Security Endpoint Management API x-metaTags: - content: Kibana name: product_name /api/endpoint/action/{action_id}/file/{file_id}/download: get: description: | **Spaces method and path for this operation:**
get /s/{space_id}/api/endpoint/action/{action_id}/file/{file_id}/download
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Download a file associated with a response action. Files are downloaded in a password-protected `.zip` archive to prevent the file from running. Use password `elastic` to open the `.zip` in a safe environment. > info > Files retrieved from third-party-protected hosts require a different password. Refer to [Third-party response actions](https://www.elastic.co/docs/solutions/security/endpoint-response-actions/third-party-response-actions) for your system's password. operationId: EndpointFileDownload parameters: - in: path name: action_id required: true schema: type: string - description: | The file identifier is constructed in one of two ways: - For Elastic Defend agents (`agentType` of `endpoint`): combine the `action_id` and `agent_id` values using a dot (`.`) separator: `{file_id}` = `{action_id}.{agent_id}` - For all other agent types: the `file_id` is the `agent_id` for which the response action was sent to. in: path name: file_id required: true schema: type: string responses: '200': content: application/octet-stream: schema: format: binary type: string description: OK summary: Download a file tags: - Security Endpoint Management API x-metaTags: - content: Kibana name: product_name /api/endpoint/action/cancel: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/endpoint/action/cancel
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Cancel a running or pending response action (Applies only to some agent types). operationId: CancelAction requestBody: content: application/json: examples: MicrosoftDefenderEndpoint: summary: Cancel a response action on a Microsoft Defender for Endpoint host value: agent_type: microsoft_defender_endpoint comment: Cancelling action due to change in requirements endpoint_ids: - ed518850-681a-4d60-bb98-e22640cae2a8 parameters: id: 7f8c9b2a-4d3e-4f5a-8b1c-2e3f4a5b6c7d schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_CancelRouteRequestBody' required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse' description: Successfully cancelled the response action summary: Cancel a response action tags: - Security Endpoint Management API x-metaTags: - content: Kibana name: product_name /api/endpoint/action/execute: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/endpoint/action/execute
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Run a shell command on an endpoint. operationId: EndpointExecuteAction requestBody: content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_ExecuteRouteRequestBody' required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_ExecuteRouteResponse' description: OK summary: Run a command tags: - Security Endpoint Management API x-metaTags: - content: Kibana name: product_name /api/endpoint/action/get_file: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/endpoint/action/get_file
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get a file from an endpoint. operationId: EndpointGetFileAction requestBody: content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_GetFileRouteRequestBody' required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_GetFileRouteResponse' description: OK summary: Get a file tags: - Security Endpoint Management API x-metaTags: - content: Kibana name: product_name /api/endpoint/action/isolate: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/endpoint/action/isolate
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Isolate an endpoint from the network. The endpoint remains isolated until it's released. operationId: EndpointIsolateAction requestBody: content: application/json: examples: multiple_endpoints: summary: Isolates several hosts; includes a comment value: comment: Locked down, pending further investigation endpoint_ids: - 9972d10e-4b9e-41aa-a534-a85e2a28ea42 - bc0e4f0c-3bca-4633-9fee-156c0b505d16 - fa89271b-b9d4-43f2-a684-307cffddeb5a single_endpoint: summary: Isolates a single host with an endpoint_id value of ed518850-681a-4d60-bb98-e22640cae2a8 value: endpoint_ids: - ed518850-681a-4d60-bb98-e22640cae2a8 with_case_id: summary: Isolates a single host with a case_id value of 1234 value: case_ids: - 4976be38-c134-4554-bd5e-0fd89ce63667 comment: Isolating as initial response endpoint_ids: - 1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0 - b30a11bf-1395-4707-b508-fbb45ef9793e schema: type: object properties: agent_type: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' alert_ids: description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. example: - alert-id-1 - alert-id-2 items: minLength: 1 type: string maxItems: 50 minItems: 1 type: array case_ids: description: The IDs of cases where the action taken will be logged. Max of 50. example: - case-id-1 - case-id-2 items: minLength: 1 type: string maxItems: 50 minItems: 1 type: array comment: $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' endpoint_ids: $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' parameters: $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: - endpoint_ids required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_IsolateRouteResponse' description: OK summary: Isolate an endpoint tags: - Security Endpoint Management API x-metaTags: - content: Kibana name: product_name /api/endpoint/action/kill_process: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/endpoint/action/kill_process
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Terminate a running process on an endpoint. operationId: EndpointKillProcessAction requestBody: content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_KillProcessRouteRequestBody' required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_KillProcessRouteResponse' description: OK summary: Terminate a process tags: - Security Endpoint Management API x-metaTags: - content: Kibana name: product_name /api/endpoint/action/memory_dump: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/endpoint/action/memory_dump
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Generates memory dumps on the targeted host. operationId: EndpointGenerateMemoryDump requestBody: content: application/json: examples: ProcessMemoryDump: summary: Generate a memory dump from the host machine value: agent_type: endpoint comment: Generating memory dump for investigation endpoint_ids: - ed518850-681a-4d60-bb98-e22640cae2a8 parameters: entity_id: abc123 type: process schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_MemoryDumpRouteRequestBody' required: true responses: '200': content: application/json: examples: MemoryDumpSuccessResponse: summary: Memory dump action successfully created value: data: agents: - ed518850-681a-4d60-bb98-e22640cae2a8 agentState: ed518850-681a-4d60-bb98-e22640cae2a8: isCompleted: false wasSuccessful: false agentType: endpoint command: memory-dump createdBy: elastic hosts: ed518850-681a-4d60-bb98-e22640cae2a8: name: gke-node-1235412 id: 233db9ea-6733-4849-9226-5a7039c7161d isCompleted: false isExpired: false outputs: {} parameters: entity_id: abc123 type: process startedAt: '2022-07-29T19:08:49.126Z' status: pending wasSuccessful: false schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse' description: Action request was successfully created summary: Generate a memory dump from the host machine tags: - Security Endpoint Management API x-metaTags: - content: Kibana name: product_name /api/endpoint/action/running_procs: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/endpoint/action/running_procs
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get a list of all processes running on an endpoint. operationId: EndpointGetProcessesAction requestBody: content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_GetProcessesRouteRequestBody' required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_GetProcessesRouteResponse' description: OK summary: Get running processes tags: - Security Endpoint Management API x-metaTags: - content: Kibana name: product_name /api/endpoint/action/runscript: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/endpoint/action/runscript
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Run a script on a host. Currently supported only for some agent types. operationId: RunScriptAction requestBody: content: application/json: examples: Elastic Defend: description: Endpoint runscript to collect logs summary: Run a script against an Elastic Defend agent value: agent_type: endpoint endpoint_ids: - ed518850-681a-4d60-bb98-e22640cae2a8 parameters: scriptId: 1111-2222-3333-4444-5555-6666-7777-8888 scriptInput: '--path= /usr/log/exec.log' MDE: description: Microsoft Defender Endpoint runscript summary: Run a script against a Microsoft Defender Endpoint agent value: agent_type: microsoft_defender_endpoint endpoint_ids: - ed518850-681a-4d60-bb98-e22640cae2a8 parameters: args: '-param1 value1 -param2 value2' scriptName: my-script.ps1 SentinelOne: description: SentinelOne runscript summary: Run a script against a SentinelOne agent value: agent_type: sentinel_one endpoint_ids: - ed518850-681a-4d60-bb98-e22640cae2a8 parameters: scriptId: 1111-2222-3333-4444-5555-6666-7777-8888 scriptInput: '--delete --paths-to-delete /tmp/temp_file.txt,/tmp/random_file.txt' schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_RunScriptRouteRequestBody' required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse' description: Action request was successfully created summary: Run a script tags: - Security Endpoint Management API x-metaTags: - content: Kibana name: product_name /api/endpoint/action/scan: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/endpoint/action/scan
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Scan a specific file or directory on an endpoint for malware. operationId: EndpointScanAction requestBody: content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_ScanRouteRequestBody' required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_ScanRouteResponse' description: OK summary: Scan a file or directory tags: - Security Endpoint Management API x-metaTags: - content: Kibana name: product_name /api/endpoint/action/state: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/endpoint/action/state
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get a response actions state, which reports whether encryption is enabled. operationId: EndpointGetActionsState responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_ActionStateSuccessResponse' description: OK summary: Get actions state tags: - Security Endpoint Management API x-metaTags: - content: Kibana name: product_name /api/endpoint/action/suspend_process: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/endpoint/action/suspend_process
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Suspend a running process on an endpoint. operationId: EndpointSuspendProcessAction requestBody: content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_SuspendProcessRouteRequestBody' required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_SuspendProcessRouteResponse' description: OK summary: Suspend a process tags: - Security Endpoint Management API x-metaTags: - content: Kibana name: product_name /api/endpoint/action/unisolate: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/endpoint/action/unisolate
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Release an isolated endpoint, allowing it to rejoin a network. operationId: EndpointUnisolateAction requestBody: content: application/json: examples: multipleHosts: summary: 'Releases several hosts; includes a comment:' value: comment: Benign process identified, releasing group endpoint_ids: - 9972d10e-4b9e-41aa-a534-a85e2a28ea42 - bc0e4f0c-3bca-4633-9fee-156c0b505d16 - fa89271b-b9d4-43f2-a684-307cffddeb5a singleHost: summary: Releases a single host with an endpoint_id value of ed518850-681a-4d60-bb98-e22640cae2a8 value: endpoint_ids: - ed518850-681a-4d60-bb98-e22640cae2a8 withCaseId: summary: Releases hosts with an associated case; includes a comment. value: case_ids: - 4976be38-c134-4554-bd5e-0fd89ce63667 comment: Remediation complete, restoring network endpoint_ids: - 1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0 - b30a11bf-1395-4707-b508-fbb45ef9793e schema: type: object properties: agent_type: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' alert_ids: description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. example: - alert-id-1 - alert-id-2 items: minLength: 1 type: string maxItems: 50 minItems: 1 type: array case_ids: description: The IDs of cases where the action taken will be logged. Max of 50. example: - case-id-1 - case-id-2 items: minLength: 1 type: string maxItems: 50 minItems: 1 type: array comment: $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' endpoint_ids: $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' parameters: $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: - endpoint_ids required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_UnisolateRouteResponse' description: OK summary: Release an isolated endpoint tags: - Security Endpoint Management API x-metaTags: - content: Kibana name: product_name /api/endpoint/action/upload: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/endpoint/action/upload
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Upload a file to an endpoint. operationId: EndpointUploadAction requestBody: content: multipart/form-data: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_UploadRouteRequestBody' required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_UploadRouteResponse' description: OK summary: Upload a file tags: - Security Endpoint Management API x-metaTags: - content: Kibana name: product_name /api/endpoint/metadata: get: operationId: GetEndpointMetadataList parameters: - in: query name: page required: false schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_Page' - in: query name: pageSize required: false schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_PageSize' - in: query name: kuery required: false schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_Kuery' - in: query name: hostStatuses required: true schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_HostStatuses' - in: query name: sortField required: false schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_SortField' - in: query name: sortDirection required: false schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_SortDirection' responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_MetadataListResponse' description: OK summary: Get a metadata list tags: - Security Endpoint Management API x-metaTags: - content: Kibana name: product_name description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/endpoint/metadata
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. /api/endpoint/metadata/{id}: get: operationId: GetEndpointMetadata parameters: - in: path name: id required: true schema: example: ed518850-681a-4d60-bb98-e22640cae2a8 type: string responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointMetadataResponse' description: OK summary: Get metadata tags: - Security Endpoint Management API x-metaTags: - content: Kibana name: product_name description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/endpoint/metadata/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. /api/endpoint/policy_response: get: operationId: GetPolicyResponse parameters: - in: query name: query required: true schema: type: object properties: agentId: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentId' responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse' description: OK summary: Get a policy response tags: - Security Endpoint Management API x-metaTags: - content: Kibana name: product_name description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/endpoint/policy_response
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. /api/endpoint/protection_updates_note/{package_policy_id}: get: operationId: GetProtectionUpdatesNote parameters: - in: path name: package_policy_id required: true schema: type: string responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_ProtectionUpdatesNoteResponse' description: OK summary: Get a protection updates note tags: - Security Endpoint Management API x-metaTags: - content: Kibana name: product_name description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/endpoint/protection_updates_note/{package_policy_id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. post: operationId: CreateUpdateProtectionUpdatesNote parameters: - in: path name: package_policy_id required: true schema: type: string requestBody: content: application/json: schema: type: object properties: note: type: string required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_ProtectionUpdatesNoteResponse' description: OK summary: Create or update a protection updates note tags: - Security Endpoint Management API x-metaTags: - content: Kibana name: product_name description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/endpoint/protection_updates_note/{package_policy_id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. /api/endpoint/scripts_library: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/endpoint/scripts_library
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Retrieve a list of scripts operationId: EndpointScriptLibraryListScripts parameters: - description: Page number of the results to return. Defaults to 1. in: query name: page required: false schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_Page' - description: Number of results to return per page. Defaults to 10. Max value is 1000. in: query name: pageSize required: false schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_ApiPageSize' - description: The field to sort the results by. Defaults to name. in: query name: sortField required: false schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_ApiSortField' - description: The direction to sort the results by. Defaults to asc (ascending). in: query name: sortDirection required: false schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_SortDirection' - description: | A KQL query string to filter the list of scripts. Nearly all fields in the script object are searchable. in: query name: kuery required: false schema: allOf: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Kuery' - example: platform:windows responses: '200': content: application/json: examples: response: summary: List of scripts response example value: data: [] page: 1 pageSize: 10 sortDirection: asc sortField: name total: 100 schema: type: object properties: data: items: $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointScript' type: array page: $ref: '#/components/schemas/Security_Endpoint_Management_API_Page' pageSize: $ref: '#/components/schemas/Security_Endpoint_Management_API_ApiPageSize' sortDirection: $ref: '#/components/schemas/Security_Endpoint_Management_API_SortDirection' sortField: $ref: '#/components/schemas/Security_Endpoint_Management_API_ApiSortField' total: description: The total number of scripts matching the query type: integer description: List of scripts response summary: Get a list of scripts tags: - Security Endpoint Management API x-metaTags: - content: Kibana name: product_name post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/endpoint/scripts_library
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Create a new script entry by uploading a script file operationId: EndpointScriptLibraryCreateScript requestBody: content: multipart/form-data: examples: CreateArchiveScriptEntry: summary: Create an archive script entry value: description: Collects host data for investigation example: ./collect_host_data.sh --help file: ./collect_host_data.zip fileType: archive instructions: Collects host data for investigation name: Collect host data pathToExecutable: ./bin/collect_host_data.sh platform: - linux - macos requiresInput: false CreateScriptEntry: summary: Create a script entry value: description: Collects host data for investigation example: ./collect_host_data.sh --help file: ./collect_host_data.sh fileType: script instructions: Collects host data for investigation name: Collect host data platform: - linux - macos requiresInput: false schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_CreateScriptRouteRequestBody' required: true responses: '200': content: application/json: examples: CreateScriptEntrySuccess: summary: Create a script entry value: data: description: Collects host data for investigation file: ./collect_host_data.sh fileType: script id: 1234567890 instructions: No arguments required name: Collect host data platform: - linux - macos schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_ScriptsApiResponse' description: Action request was successfully created summary: Create script tags: - Security Endpoint Management API x-metaTags: - content: Kibana name: product_name /api/endpoint/scripts_library/{script_id}: delete: description: |- **Spaces method and path for this operation:**
delete /s/{space_id}/api/endpoint/scripts_library/{script_id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Delete a script operationId: EndpointScriptLibraryDeleteScript parameters: - description: The ID of the script entry to be deleted. example: fr518850-681a-4y60-aa98-e22640cae2b8 in: path name: script_id required: true schema: description: The ID of the script entry to be deleted. example: fr518850-681a-4y60-aa98-e22640cae2b8 type: string responses: '200': content: application/json: examples: response: summary: Delete script response example. value: null schema: type: object description: Delete script response. summary: Delete a scripts tags: - Security Endpoint Management API x-metaTags: - content: Kibana name: product_name get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/endpoint/scripts_library/{script_id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get a script operationId: EndpointScriptLibraryGetOneScript parameters: - description: The ID of the script entry. example: fr518850-681a-4y60-aa98-e22640cae2b8 in: path name: script_id required: true schema: description: The ID of the script entry. example: fr518850-681a-4y60-aa98-e22640cae2b8 type: string responses: '200': content: application/json: examples: UpdateScriptEntrySuccess: summary: Get one script entry success value: data: description: Collects host data for investigation file: ./collect_host_data.sh fileType: script id: 1234567890 instructions: No arguments required name: Collect host data platform: - linux - macos schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_ScriptsApiResponse' description: Get script response summary: Get script tags: - Security Endpoint Management API x-metaTags: - content: Kibana name: product_name patch: description: |- **Spaces method and path for this operation:**
patch /s/{space_id}/api/endpoint/scripts_library/{script_id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Update (full or partial) a script entry operationId: EndpointScriptLibraryPatchUpdateScript parameters: - description: The ID of the script entry to be updated. example: fr518850-681a-4y60-aa98-e22640cae2b8 in: path name: script_id required: true schema: description: The ID of the script entry to be updated. example: fr518850-681a-4y60-aa98-e22640cae2b8 type: string requestBody: content: multipart/form-data: examples: PatchUpdateScriptEntry: summary: Update script entry instructions value: instructions: ./collect_host_data.sh --help PatchUpdateScriptEntryFromArchiveToScript: summary: Update script entry from an archive to a script value: fileType: script PatchUpdateScriptEntryToArchive: summary: Update script entry to be an archive value: fileType: archive pathToExecutable: ./bin/collect_host_data.sh schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_PatchUpdateScriptRouteRequestBody' required: true responses: '200': content: application/json: examples: UpdateScriptEntrySuccess: summary: Update script entry success value: data: description: Collects host data for investigation file: ./collect_host_data.sh fileType: script id: 1234567890 instructions: No arguments required name: Collect host data platform: - linux - macos schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_ScriptsApiResponse' description: Action request was successfully updated summary: Update script tags: - Security Endpoint Management API x-metaTags: - content: Kibana name: product_name /api/endpoint/scripts_library/{script_id}/download: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/endpoint/scripts_library/{script_id}/download
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Download a script file operationId: EndpointScriptLibraryDownloadScript parameters: - description: The ID of the script entry. example: fr518850-681a-4y60-aa98-e22640cae2b8 in: path name: script_id required: true schema: description: The ID of the script entry. example: fr518850-681a-4y60-aa98-e22640cae2b8 type: string responses: '200': content: application/octet-stream: examples: response: summary: Download script file response example. value: null schema: description: A download stream is returned. format: binary type: object description: Download script file response. summary: Download a script file tags: - Security Endpoint Management API x-metaTags: - content: Kibana name: product_name /api/entity_analytics/monitoring/engine/delete: delete: operationId: DeleteMonitoringEngine parameters: - description: Whether to delete all the privileged user data in: query name: data required: false schema: default: false type: boolean responses: '200': content: application/json: schema: type: object properties: deleted: type: boolean required: - deleted description: Successful response summary: Delete the Privilege Monitoring Engine tags: - Security Entity Analytics API x-metaTags: - content: Kibana name: product_name description: |- **Spaces method and path for this operation:**
delete /s/{space_id}/api/entity_analytics/monitoring/engine/delete
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. /api/entity_analytics/monitoring/engine/disable: post: operationId: DisableMonitoringEngine responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoringEngineDescriptor' description: Successful response summary: Disable the Privilege Monitoring Engine tags: - Security Entity Analytics API x-metaTags: - content: Kibana name: product_name description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/entity_analytics/monitoring/engine/disable
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. /api/entity_analytics/monitoring/engine/init: post: operationId: InitMonitoringEngine responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoringEngineDescriptor' description: Successful response '500': content: application/json: schema: $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoringEngineDescriptor' description: Internal Server Error summary: Initialize the Privilege Monitoring Engine tags: - Security Entity Analytics API x-metaTags: - content: Kibana name: product_name description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/entity_analytics/monitoring/engine/init
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. /api/entity_analytics/monitoring/engine/schedule_now: post: operationId: ScheduleMonitoringEngine responses: '200': content: application/json: schema: type: object properties: success: description: Indicates the scheduling was successful type: boolean description: Successful response '409': content: application/json: schema: type: object properties: message: description: Error message indicating the engine is already running type: string description: Conflict - Monitoring engine is already running summary: Schedule the Privilege Monitoring Engine tags: - Security Entity Analytics API x-metaTags: - content: Kibana name: product_name description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/entity_analytics/monitoring/engine/schedule_now
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. /api/entity_analytics/monitoring/privileges/health: get: operationId: PrivMonHealth responses: '200': content: application/json: schema: type: object properties: error: type: object properties: message: type: string required: - status status: $ref: '#/components/schemas/Security_Entity_Analytics_API_PrivilegeMonitoringEngineStatus' users: description: User statistics for privilege monitoring type: object properties: current_count: description: Current number of privileged users being monitored type: integer max_allowed: description: Maximum number of privileged users allowed to be monitored type: integer required: - current_count - max_allowed required: - status description: Successful response summary: Health check on Privilege Monitoring tags: - Security Entity Analytics API x-metaTags: - content: Kibana name: product_name description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/entity_analytics/monitoring/privileges/health
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. /api/entity_analytics/monitoring/privileges/privileges: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/entity_analytics/monitoring/privileges/privileges
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Check if the current user has all required permissions for Privilege Monitoring operationId: PrivMonPrivileges responses: '200': content: application/json: example: has_all_required: true privileges: elasticsearch: index: .entity_analytics.monitoring.user-default: read: true schema: $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityAnalyticsPrivileges' description: Successful response summary: Run a privileges check on Privilege Monitoring tags: - Security Entity Analytics API x-metaTags: - content: Kibana name: product_name /api/entity_analytics/monitoring/users: post: operationId: CreatePrivMonUser requestBody: content: application/json: schema: $ref: '#/components/schemas/Security_Entity_Analytics_API_UserName' required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoredUserDoc' description: User created successfully summary: Create a new monitored user tags: - Security Entity Analytics API x-metaTags: - content: Kibana name: product_name description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/entity_analytics/monitoring/users
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. /api/entity_analytics/monitoring/users/_csv: post: operationId: PrivmonBulkUploadUsersCSV requestBody: content: multipart/form-data: schema: type: object properties: file: description: The CSV file to upload. format: binary type: string required: - file responses: '200': content: application/json: schema: example: errors: - index: 1 message: Invalid monitored field username: john.doe stats: failedOperations: 1 successfulOperations: 1 totalOperations: 2 uploaded: 1 type: object properties: errors: items: $ref: '#/components/schemas/Security_Entity_Analytics_API_PrivmonUserCsvUploadErrorItem' type: array stats: $ref: '#/components/schemas/Security_Entity_Analytics_API_PrivmonUserCsvUploadStats' required: - errors - stats description: Bulk upload successful '413': description: File too large summary: Upsert multiple monitored users via CSV upload tags: - Security Entity Analytics API x-metaTags: - content: Kibana name: product_name description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/entity_analytics/monitoring/users/_csv
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. /api/entity_analytics/monitoring/users/{id}: delete: operationId: DeletePrivMonUser parameters: - in: path name: id required: true schema: type: string responses: '200': content: application/json: schema: type: object properties: acknowledged: description: Indicates if the deletion was successful type: boolean message: description: A message providing additional information about the deletion status type: string required: - success description: User deleted successfully summary: Delete a monitored user tags: - Security Entity Analytics API x-metaTags: - content: Kibana name: product_name description: |- **Spaces method and path for this operation:**
delete /s/{space_id}/api/entity_analytics/monitoring/users/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. put: operationId: UpdatePrivMonUser parameters: - in: path name: id required: true schema: type: string requestBody: content: application/json: schema: $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoredUserUpdateDoc' required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoredUserDoc' description: User updated successfully summary: Update a monitored user tags: - Security Entity Analytics API x-metaTags: - content: Kibana name: product_name description: |- **Spaces method and path for this operation:**
put /s/{space_id}/api/entity_analytics/monitoring/users/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. /api/entity_analytics/monitoring/users/list: get: operationId: ListPrivMonUsers parameters: - description: KQL query to filter the list of monitored users in: query name: kql required: false schema: type: string responses: '200': content: application/json: schema: items: $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoredUserDoc' type: array description: List of monitored users summary: List all monitored users tags: - Security Entity Analytics API x-metaTags: - content: Kibana name: product_name description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/entity_analytics/monitoring/users/list
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. /api/entity_analytics/privileged_user_monitoring/pad/install: post: operationId: InstallPrivilegedAccessDetectionPackage responses: '200': content: application/json: schema: type: object properties: message: type: string required: - message description: Successful response summary: Installs the privileged access detection package for the Entity Analytics privileged user monitoring experience tags: - Security Entity Analytics API x-metaTags: - content: Kibana name: product_name description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/entity_analytics/privileged_user_monitoring/pad/install
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. /api/entity_analytics/privileged_user_monitoring/pad/status: get: operationId: GetPrivilegedAccessDetectionPackageStatus responses: '200': content: application/json: schema: type: object properties: jobs: items: type: object properties: description: type: string job_id: type: string state: enum: - closing - closed - opened - failed - opening type: string required: - job_id - state type: array ml_module_setup_status: enum: - complete - incomplete type: string package_installation_status: enum: - complete - incomplete type: string required: - package_installation_status - ml_module_setup_status - jobs description: Privileged access detection status retrieved summary: Gets the status of the privileged access detection package for the Entity Analytics privileged user monitoring experience tags: - Security Entity Analytics API x-metaTags: - content: Kibana name: product_name description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/entity_analytics/privileged_user_monitoring/pad/status
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. /api/entity_analytics/watchlists: post: operationId: CreateWatchlist requestBody: content: application/json: examples: CreateWatchlistRequest: summary: Create watchlist request value: description: High risk vendor watchlist managed: false name: High Risk Vendors riskModifier: 1.5 CreateWatchlistWithSourcesRequest: summary: Create watchlist with entity sources value: description: High risk vendor watchlist entitySources: - enabled: true identifierField: user.name indexPattern: my-sync-index name: My User Index Source type: index managed: false name: High Risk Vendors riskModifier: 1.5 schema: type: object properties: description: description: Description of the watchlist type: string entitySources: description: Optional entity sources to create and link to the watchlist items: additionalProperties: false type: object properties: enabled: type: boolean filter: $ref: '#/components/schemas/Security_Entity_Analytics_API_Filter' identifierField: description: Field used to query the entity store for index-type sources type: string indexPattern: type: string integrationName: description: Required when type is entity_analytics_integration. One of entityanalytics_okta, entityanalytics_ad. type: string matchers: items: $ref: '#/components/schemas/Security_Entity_Analytics_API_Matcher' type: array name: type: string queryRule: description: KQL query used to filter data from the provided index patterns type: string range: $ref: '#/components/schemas/Security_Entity_Analytics_API_DateRange' type: $ref: '#/components/schemas/Security_Entity_Analytics_API_EntitySourceType' required: - type - name type: array managed: description: Indicates if the watchlist is managed by the system type: boolean name: description: Unique name for the watchlist type: string riskModifier: description: Risk score modifier associated with the watchlist maximum: 2 minimum: 0 type: number required: - name - riskModifier required: true responses: '200': content: application/json: examples: CreateWatchlistResponse: summary: Created watchlist value: createdAt: '2026-01-28T12:00:00.000Z' description: High risk vendor watchlist id: watchlist-123 managed: false name: High Risk Vendors riskModifier: 1.5 updatedAt: '2026-01-28T12:00:00.000Z' schema: allOf: - $ref: '#/components/schemas/Security_Entity_Analytics_API_WatchlistObject' - type: object properties: entitySources: items: $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoringEntitySource' type: array description: Watchlist created successfully summary: Create a new watchlist tags: - Security Entity Analytics API x-state: Technical Preview x-metaTags: - content: Kibana name: product_name description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/entity_analytics/watchlists
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. /api/entity_analytics/watchlists/{id}: get: operationId: GetWatchlist parameters: - description: Unique ID of the watchlist in: path name: id required: true schema: type: string responses: '200': content: application/json: examples: GetWatchlistResponse: summary: Watchlist details value: createdAt: '2026-01-28T12:00:00.000Z' description: High risk vendor watchlist id: watchlist-123 managed: false name: High Risk Vendors riskModifier: 1.5 updatedAt: '2026-02-18T12:00:00.000Z' schema: $ref: '#/components/schemas/Security_Entity_Analytics_API_WatchlistObject' description: Watchlist details summary: Get a watchlist by ID tags: - Security Entity Analytics API x-state: Technical Preview x-metaTags: - content: Kibana name: product_name description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/entity_analytics/watchlists/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. put: operationId: UpdateWatchlist parameters: - description: The ID of the watchlist to update in: path name: id required: true schema: type: string requestBody: content: application/json: examples: UpdateWatchlistRequest: summary: Update watchlist request value: description: High risk vendor watchlist managed: false name: High Risk Vendors riskModifier: 1.5 schema: type: object properties: description: description: Description of the watchlist type: string managed: description: Indicates if the watchlist is managed by the system type: boolean name: description: Unique name of the watchlist type: string riskModifier: description: Risk score modifier associated with the watchlist maximum: 2 minimum: 0 type: number required: - name - riskModifier required: true responses: '200': content: application/json: examples: UpdateWatchlistResponse: summary: Updated watchlist value: createdAt: '2026-01-28T12:00:00.000Z' description: High risk vendor watchlist id: watchlist-123 managed: false name: High Risk Vendors riskModifier: 1.5 updatedAt: '2026-02-18T12:00:00.000Z' schema: $ref: '#/components/schemas/Security_Entity_Analytics_API_WatchlistObject' description: Watchlist updated successfully summary: Update an existing watchlist tags: - Security Entity Analytics API x-state: Technical Preview x-metaTags: - content: Kibana name: product_name description: |- **Spaces method and path for this operation:**
put /s/{space_id}/api/entity_analytics/watchlists/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. /api/entity_analytics/watchlists/{watchlist_id}/csv_upload: post: description: | **Spaces method and path for this operation:**
post /s/{space_id}/api/entity_analytics/watchlists/{watchlist_id}/csv_upload
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Uploads a CSV file to add entities to a watchlist. The CSV must contain a header row with a "type" column (user, host, service, or generic) and one or more ECS identity fields (e.g. "user.name", "host.hostname") used to match entities in the entity store. Matched entities are added to the watchlist and their `entity.attributes.watchlists` field is updated in the entity store. Each row will match up to 10,000 entities. operationId: UploadWatchlistCsv parameters: - description: The ID of the watchlist to add entities to example: high-risk-vendors in: path name: watchlist_id required: true schema: type: string requestBody: content: multipart/form-data: examples: csvUpload: summary: CSV file with user entities value: file: | type,user.name user,john.doe user,jane.smith schema: type: object properties: file: description: The CSV file to upload. format: binary type: string required: - file required: true responses: '200': content: application/json: examples: CsvUploadResponse: summary: CSV upload response with mixed results value: failed: 1 items: - matchedEntities: 1 status: success - error: Invalid entity type matchedEntities: 0 status: failure - matchedEntities: 0 status: unmatched successful: 1 total: 3 unmatched: 1 schema: type: object properties: failed: description: Number of rows that failed to process example: 1 type: integer items: items: $ref: '#/components/schemas/Security_Entity_Analytics_API_WatchlistCsvUploadResponseItem' type: array successful: description: Number of rows that matched at least one entity example: 1 type: integer total: description: Total number of rows processed example: 3 type: integer unmatched: description: Number of rows that matched no entities example: 1 type: integer required: - successful - failed - total - unmatched - items description: Upload successful '413': description: File too large summary: Upload a CSV file to add entities to a watchlist tags: - Security Entity Analytics API x-state: Technical Preview x-metaTags: - content: Kibana name: product_name /api/entity_analytics/watchlists/{watchlist_id}/entities/assign: post: description: | **Spaces method and path for this operation:**
post /s/{space_id}/api/entity_analytics/watchlists/{watchlist_id}/entities/assign
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Assigns the provided entities to the specified watchlist using a "manual" source label. The entities must already exist in the entity store. If an entity is already on the watchlist, no new document is created — the "manual" label is added to its existing source labels instead. operationId: AssignWatchlistEntities parameters: - description: The ID of the watchlist to add entities to example: high-risk-vendors in: path name: watchlist_id required: true schema: type: string requestBody: content: application/json: examples: assignEntities: summary: Assign two entities to a watchlist value: euids: - user:john.doe - host:web-01 schema: type: object properties: euids: description: The EUIDs of the entities to assign example: - user:john.doe - host:web-01 items: type: string type: array required: - euids required: true responses: '200': content: application/json: examples: assignEntitiesResponse: summary: Successful assignment of two entities value: failed: 0 items: - euid: user:john.doe status: success - euid: host:web-01 status: not_found not_found: 1 successful: 1 total: 2 schema: type: object properties: failed: description: Number of entities that failed to process example: 0 type: integer items: items: $ref: '#/components/schemas/Security_Entity_Analytics_API_WatchlistEntityAssignResponseItem' type: array not_found: description: Number of entities not found in the entity store example: 1 type: integer successful: description: Number of entities successfully assigned example: 1 type: integer total: description: Total number of entities processed example: 2 type: integer required: - successful - failed - not_found - total - items description: Assignment successful summary: Manually assign entities to a watchlist tags: - Security Entity Analytics API x-state: Technical Preview; added in 9.4.0 x-metaTags: - content: Kibana name: product_name /api/entity_analytics/watchlists/{watchlist_id}/entities/unassign: post: description: | **Spaces method and path for this operation:**
post /s/{space_id}/api/entity_analytics/watchlists/{watchlist_id}/entities/unassign
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Unassigns the provided entities from the specified watchlist. This only removes the "manual" assignment. If the entity is also assigned via other sources (for example, index or integration), it will remain on the watchlist. operationId: UnassignWatchlistEntities parameters: - description: The ID of the watchlist to remove entities from example: high-risk-vendors in: path name: watchlist_id required: true schema: type: string requestBody: content: application/json: examples: unassignEntities: summary: Unassign two entities from a watchlist value: euids: - user:john.doe - host:web-01 schema: type: object properties: euids: description: The EUIDs of the entities to unassign example: - user:john.doe - host:web-01 items: type: string type: array required: - euids required: true responses: '200': content: application/json: examples: unassignEntitiesResponse: summary: Successful unassignment of two entities value: failed: 0 items: - euid: user:john.doe status: success - euid: host:web-01 status: not_found not_found: 1 successful: 1 total: 2 schema: type: object properties: failed: description: Number of entities that failed to process example: 0 type: integer items: items: $ref: '#/components/schemas/Security_Entity_Analytics_API_WatchlistEntityUnassignResponseItem' type: array not_found: description: Number of entities not found in the manual watchlist assignment example: 1 type: integer successful: description: Number of entities successfully unassigned example: 1 type: integer total: description: Total number of entities processed example: 2 type: integer required: - successful - failed - not_found - total - items description: Unassignment successful summary: Manually unassign entities from a watchlist tags: - Security Entity Analytics API x-state: Technical Preview; added in 9.4.0 x-metaTags: - content: Kibana name: product_name /api/entity_analytics/watchlists/list: get: operationId: ListWatchlists responses: '200': content: application/json: examples: ListWatchlistsResponse: summary: List of watchlists value: - createdAt: '2026-01-28T12:00:00.000Z' description: High risk vendor watchlist id: watchlist-123 managed: false name: High Risk Vendors riskModifier: 1.5 updatedAt: '2026-02-18T12:00:00.000Z' - createdAt: '2026-01-10T09:30:00.000Z' description: Privileged user monitoring watchlist id: watchlist-456 managed: true name: Privileged Accounts riskModifier: 2 updatedAt: '2026-02-01T15:45:00.000Z' schema: items: $ref: '#/components/schemas/Security_Entity_Analytics_API_WatchlistObject' type: array description: List of watchlists summary: List all watchlists tags: - Security Entity Analytics API x-state: Technical Preview x-metaTags: - content: Kibana name: product_name description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/entity_analytics/watchlists/list
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. /api/exception_lists: delete: description: |- **Spaces method and path for this operation:**
delete /s/{space_id}/api/exception_lists
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Delete an exception list using the `id` or `list_id` field. operationId: DeleteExceptionList parameters: - description: Exception list's identifier. Either `id` or `list_id` must be specified. in: query name: id required: false schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' - description: Human readable exception list string identifier, e.g. `trusted-linux-processes`. Either `id` or `list_id` must be specified. examples: autogeneratedId: value: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 list_id: value: simple_list in: query name: list_id required: false schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - examples: agnostic: value: agnostic single: value: single in: query name: namespace_type required: false schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' default: single responses: '200': content: application/json: examples: detectionExceptionList: value: _version: WzIsMV0= created_at: '2025-01-07T19:34:27.942Z' created_by: elastic description: This is a sample detection type exception list. id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 immutable: false list_id: simple_list name: Sample Detection Exception List namespace_type: single os_types: - linux tags: - malware tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 type: detection updated_at: '2025-01-07T19:34:27.942Z' updated_by: elastic version: 1 schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' description: Successful response '400': content: application/json: examples: badRequest: value: error: Bad Request message: '[request query]: namespace_type.0: Invalid enum value. Expected ''agnostic'' | ''single'', received ''blob''' statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: error: Forbidden message: API [DELETE /api/exception_lists?list_id=simple_list&namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] statusCode: 403 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Not enough privileges response '404': content: application/json: examples: notFound: value: message: 'exception list list_id: "foo" does not exist' status_code: 404 schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Exception list not found response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Internal server error response summary: Delete an exception list tags: - Security Exceptions API x-metaTags: - content: Kibana name: product_name get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/exception_lists
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get the details of an exception list using the `id` or `list_id` field. operationId: ReadExceptionList parameters: - description: Exception list's identifier. Either `id` or `list_id` must be specified. in: query name: id required: false schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' - description: Human readable exception list string identifier, e.g. `trusted-linux-processes`. Either `id` or `list_id` must be specified. in: query name: list_id required: false schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - examples: agnostic: value: agnostic single: value: single in: query name: namespace_type required: false schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' default: single responses: '200': content: application/json: examples: detectionType: value: _version: WzIsMV0= created_at: '2025-01-07T19:34:27.942Z' created_by: elastic description: This is a sample detection type exception list. id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 immutable: false list_id: simple_list name: Sample Detection Exception List namespace_type: single os_types: - linux tags: - malware tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 type: detection updated_at: '2025-01-07T19:34:27.942Z' updated_by: elastic version: 1 schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' description: Successful response '400': content: application/json: examples: badRequest: value: error: Bad Request message: '[request query]: namespace_type.0: Invalid enum value. Expected ''agnostic'' | ''single'', received ''blob''' statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: error: Forbidden message: API [GET /api/exception_lists?list_id=simple_list&namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] statusCode: 403 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Not enough privileges response '404': content: application/json: examples: notFound: value: message": 'exception list id: "foo" does not exist' status_code": 404 schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Exception list item not found response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Internal server error response summary: Get exception list details tags: - Security Exceptions API x-metaTags: - content: Kibana name: product_name post: description: | **Spaces method and path for this operation:**
post /s/{space_id}/api/exception_lists
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. An exception list groups exception items and can be associated with detection rules. You can assign exception lists to multiple detection rules. > info > All exception items added to the same list are evaluated using `OR` logic. That is, if any of the items in a list evaluate to `true`, the exception prevents the rule from generating an alert. Likewise, `OR` logic is used for evaluating exceptions when more than one exception list is assigned to a rule. To use the `AND` operator, you can define multiple clauses (`entries`) in a single exception item. operationId: CreateExceptionList requestBody: content: application/json: schema: example: description: This is a sample detection type exception list. list_id: simple_list name: Sample Detection Exception List namespace_type: single os_types: - linux tags: - malware type: detection type: object properties: description: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListDescription' list_id: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' meta: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListMeta' name: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListName' namespace_type: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' default: single os_types: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray' tags: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListTags' default: [] type: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListType' version: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListVersion' default: 1 required: - name - description - type description: Exception list's properties required: true responses: '200': content: application/json: examples: autogeneratedListId: value: _version: WzMsMV0= created_at: '2025-01-09T01:05:23.019Z' created_by: elastic description: This is a sample detection type exception with an autogenerated list_id. id: 28243c2f-624a-4443-823d-c0b894880931 immutable: false list_id: 8c1aae4c-1ef5-4bce-a2e3-16584b501783 name: Sample Detection Exception List namespace_type: single os_types: [] tags: - malware tie_breaker_id: ad94de31-39f7-4ad7-b8e4-988bfa95f338 type: detection updated_at: '2025-01-09T01:05:23.020Z' updated_by: elastic version: 1 namespaceAgnostic: value: _version: WzUsMV0= created_at: '2025-01-09T01:10:36.369Z' created_by: elastic description: This is a sample agnostic endpoint type exception. id: 1a744e77-22ca-4b6b-9085-54f55275ebe5 immutable: false list_id: b935eb55-7b21-4c1c-b235-faa1df23b3d6 name: Sample Agnostic Endpoint Exception List namespace_type: agnostic os_types: - linux tags: - malware tie_breaker_id: 49ea0adc-a2b8-4d83-a8f3-2fb98301dea3 type: endpoint updated_at: '2025-01-09T01:10:36.369Z' updated_by: elastic version: 1 typeDetection: value: _version: WzIsMV0= created_at: '2025-01-07T19:34:27.942Z' created_by: elastic description: This is a sample detection type exception list. id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 immutable: false list_id: simple_list name: Sample Detection Exception List namespace_type: single os_types: - linux tags: - malware tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 type: detection updated_at: '2025-01-07T19:34:27.942Z' updated_by: elastic version: 1 typeEndpoint: value: _version: WzQsMV0= created_at: '2025-01-09T01:07:49.658Z' created_by: elastic description: This is a sample endpoint type exception list. id: a79f4730-6e32-4278-abfc-349c0add7d54 immutable: false list_id: endpoint_list name: Sample Endpoint Exception List namespace_type: single os_types: - linux tags: - malware tie_breaker_id: 94a028af-8f47-427a-aca5-ffaf829e64ee type: endpoint updated_at: '2025-01-09T01:07:49.658Z' updated_by: elastic version: 1 schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' description: Successful response '400': content: application/json: examples: badRequest: value: error: Bad Request message: '[request body]: list_id: Expected string, received number' statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" statusCode: 401 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: error: Forbidden message: API [POST /api/exception_lists] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] statusCode: 403 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Not enough privileges response '409': content: application/json: examples: alreadyExists: value: message: 'exception list id: "simple_list" already exists' status_code: 409 schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Exception list already exists response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Internal server error response summary: Create an exception list tags: - Security Exceptions API x-metaTags: - content: Kibana name: product_name put: description: |- **Spaces method and path for this operation:**
put /s/{space_id}/api/exception_lists
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Update an exception list using the `id` or `list_id` field. operationId: UpdateExceptionList requestBody: content: application/json: schema: example: description: Different description list_id: simple_list name: Updated exception list name os_types: - linux tags: - draft malware type: detection type: object properties: _version: description: The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version. type: string description: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListDescription' id: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' list_id: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' meta: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListMeta' name: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListName' namespace_type: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' default: single os_types: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray' default: [] tags: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListTags' type: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListType' version: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListVersion' required: - name - description - type description: Exception list's properties required: true responses: '200': content: application/json: examples: simpleList: value: _version: WzExLDFd created_at: '2025-01-07T20:43:55.264Z' created_by: elastic description: Different description id: fa7f545f-191b-4d32-b1f0-c7cd62a79e55 immutable: false list_id: simple_list name: Updated exception list name namespace_type: single os_types: [] tags: - draft malware tie_breaker_id: 319fe983-acdd-4806-b6c4-3098eae9392f type: detection updated_at: '2025-01-07T21:32:03.726Z' updated_by: elastic version: 2 schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' description: Successful response '400': content: application/json: examples: badRequest: value: error: Bad Request message: '[request body]: list_id: Expected string, received number' statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: error: Forbidden message: API [PUT /api/exception_lists] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] statusCode: 403 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Not enough privileges response '404': content: application/json: examples: notFound: value: message": 'exception list id: "foo" does not exist' status_code": 404 schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Exception list not found response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Internal server error response summary: Update an exception list tags: - Security Exceptions API x-metaTags: - content: Kibana name: product_name /api/exception_lists/_duplicate: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/exception_lists/_duplicate
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Duplicate an existing exception list. operationId: DuplicateExceptionList parameters: - in: query name: list_id required: true schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - examples: agnostic: value: agnostic single: value: single in: query name: namespace_type required: true schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' - description: Determines whether to include expired exceptions in the duplicated list. Expiration date defined by `expire_time`. in: query name: include_expired_exceptions required: true schema: default: 'true' enum: - 'true' - 'false' example: true type: string responses: '200': content: application/json: examples: detectionExceptionList: value: _version: WzExNDY1LDFd created_at: '2025-01-09T16:19:50.280Z' created_by: elastic description: This is a sample detection type exception id: b2f4a715-6ab1-444c-8b1e-3fa1b1049429 immutable: false list_id: d6390d60-bce3-4a48-9002-52db600f329c name: Sample Detection Exception List [Duplicate] namespace_type: single os_types: [] tags: - malware tie_breaker_id: 6fa670bd-666d-4c9c-9f1e-d1dbc516e985 type: detection updated_at: '2025-01-09T16:19:50.280Z' updated_by: elastic version: 1 schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' description: Successful response '400': content: application/json: examples: badRequest: value: error: Bad Request message: '[request query]: namespace_type: Invalid enum value. Expected ''agnostic'' | ''single'', received ''foo''' statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: error: Forbidden message: API [POST /api/exception_lists/_duplicate] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] statusCode: 403 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Not enough privileges response '404': content: application/json: examples: notFound: value: message": 'exception list id: "foo" does not exist' status_code": 404 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Exception list not found '405': content: application/json: schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Exception list to duplicate not found response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Internal server error response summary: Duplicate an exception list tags: - Security Exceptions API x-metaTags: - content: Kibana name: product_name /api/exception_lists/_export: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/exception_lists/_export
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Export an exception list and its associated items to an NDJSON file. operationId: ExportExceptionList parameters: - in: query name: id required: true schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' - in: query name: list_id required: true schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - examples: agnostic: value: agnostic single: value: single in: query name: namespace_type required: true schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' - description: Determines whether to include expired exceptions in the exported list. Expiration date defined by `expire_time`. example: true in: query name: include_expired_exceptions required: true schema: default: 'true' enum: - 'true' - 'false' type: string responses: '200': content: application/ndjson: examples: exportSavedObjectsResponse: value: | {"_version":"WzExNDU5LDFd","created_at":"2025-01-09T16:18:17.757Z","created_by":"elastic","description":"This is a sample detection type exception","id":"c86c2da0-2ab6-4343-b81c-216ef27e8d75","immutable":false,"list_id":"simple_list","name":"Sample Detection Exception List","namespace_type":"single","os_types":[],"tags":["user added string for a tag","malware"],"tie_breaker_id":"cf4a7b92-732d-47f0-a0d5-49a35a1736bf","type":"detection","updated_at":"2025-01-09T16:18:17.757Z","updated_by":"elastic","version":1} {"_version":"WzExNDYxLDFd","comments":[],"created_at":"2025-01-09T16:18:42.308Z","created_by":"elastic","description":"This is a sample endpoint type exception","entries":[{"type":"exists","field":"actingProcess.file.signer","operator":"excluded"},{"type":"match_any","field":"host.name","value":["some host","another host"],"operator":"included"}],"id":"f37597ce-eaa7-4b64-9100-4301118f6806","item_id":"simple_list_item","list_id":"simple_list","name":"Sample Endpoint Exception List","namespace_type":"single","os_types":["linux"],"tags":["user added string for a tag","malware"],"tie_breaker_id":"4ca3ef3e-9721-42c0-8107-cf47e094d40f","type":"simple","updated_at":"2025-01-09T16:18:42.308Z","updated_by":"elastic"} {"exported_exception_list_count":1,"exported_exception_list_item_count":1,"missing_exception_list_item_count":0,"missing_exception_list_items":[],"missing_exception_lists":[],"missing_exception_lists_count":0} schema: description: A `.ndjson` file containing specified exception list and its items format: binary type: string description: Successful response '400': content: application/json: examples: badRequest: value: error: Bad Request message: '[request query]: list_id: Required, namespace_type: Required' statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: error: Forbidden message: API [POST /api/exception_lists/_export] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] statusCode: 403 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Not enough privileges response '404': content: application/json: examples: notFound: value: message": 'exception list id: "foo" does not exist' status_code": 404 schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Exception list not found response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Internal server error response summary: Export an exception list tags: - Security Exceptions API x-metaTags: - content: Kibana name: product_name /api/exception_lists/_find: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/exception_lists/_find
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get a list of all exception list containers. operationId: FindExceptionLists parameters: - description: | Filters the returned results according to the value of the specified field. Uses the `so type.field name:field` value syntax, where `so type` can be: - `exception-list`: Specify a space-aware exception list. - `exception-list-agnostic`: Specify an exception list that is shared across spaces. in: query name: filter required: false schema: $ref: '#/components/schemas/Security_Exceptions_API_FindExceptionListsFilter' - description: | Determines whether the returned containers are Kibana associated with a Kibana space or available in all spaces (`agnostic` or `single`) examples: agnostic: value: agnostic single: value: single in: query name: namespace_type required: false schema: default: - single items: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' type: array - description: The page number to return in: query name: page required: false schema: example: 1 minimum: 1 type: integer - description: The number of exception lists to return per page in: query name: per_page required: false schema: example: 20 minimum: 1 type: integer - description: Determines which field is used to sort the results. in: query name: sort_field required: false schema: example: name type: string - description: Determines the sort order, which can be `desc` or `asc`. in: query name: sort_order required: false schema: enum: - desc - asc example: desc type: string responses: '200': content: application/json: examples: simpleLists: value: data: - _version: WzIsMV0= created_at: '2025-01-07T19:34:27.942Z' created_by: elastic description: This is a sample detection type exception list. id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 immutable: false list_id: simple_list name: Detection Exception List namespace_type: single os_types: [] tags: - malware tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 type: detection updated_at: '2025-01-07T19:34:27.942Z' updated_by: elastic version: 1 page: 1 per_page: 20 total: 1 schema: type: object properties: data: items: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' type: array page: minimum: 1 type: integer per_page: minimum: 1 type: integer total: minimum: 0 type: integer required: - data - page - per_page - total description: Successful response '400': content: application/json: examples: badRequest: value: error: Bad Request message: '[request query]: namespace_type.0: Invalid enum value. Expected ''agnostic'' | ''single'', received ''blob''' statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: error: Forbidden message: API [GET /api/exception_lists/_find?namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] statusCode: 403 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Not enough privileges response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Internal server error response summary: Get exception lists tags: - Security Exceptions API x-metaTags: - content: Kibana name: product_name /api/exception_lists/_import: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/exception_lists/_import
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Import an exception list and its associated items from an NDJSON file. operationId: ImportExceptionList parameters: - description: | Determines whether existing exception lists with the same `list_id` are overwritten. If any exception items have the same `item_id`, those are also overwritten. in: query name: overwrite required: false schema: default: false example: false type: boolean - description: | Determines whether the list being imported will have a new `list_id` generated. Additional `item_id`'s are generated for each exception item. Both the exception list and its items are overwritten. in: query name: as_new_list required: false schema: default: false example: false type: boolean requestBody: content: multipart/form-data: schema: type: object properties: file: description: A `.ndjson` file containing the exception list example: | {"_version":"WzExNDU5LDFd","created_at":"2025-01-09T16:18:17.757Z","created_by":"elastic","description":"This is a sample detection type exception","id":"c86c2da0-2ab6-4343-b81c-216ef27e8d75","immutable":false,"list_id":"simple_list","name":"Sample Detection Exception List","namespace_type":"single","os_types":[],"tags":["user added string for a tag","malware"],"tie_breaker_id":"cf4a7b92-732d-47f0-a0d5-49a35a1736bf","type":"detection","updated_at":"2025-01-09T16:18:17.757Z","updated_by":"elastic","version":1} {"_version":"WzExNDYxLDFd","comments":[],"created_at":"2025-01-09T16:18:42.308Z","created_by":"elastic","description":"This is a sample endpoint type exception","entries":[{"type":"exists","field":"actingProcess.file.signer","operator":"excluded"},{"type":"match_any","field":"host.name","value":["some host","another host"],"operator":"included"}],"id":"f37597ce-eaa7-4b64-9100-4301118f6806","item_id":"simple_list_item","list_id":"simple_list","name":"Sample Endpoint Exception List","namespace_type":"single","os_types":["linux"],"tags":["user added string for a tag","malware"],"tie_breaker_id":"4ca3ef3e-9721-42c0-8107-cf47e094d40f","type":"simple","updated_at":"2025-01-09T16:18:42.308Z","updated_by":"elastic"} format: binary type: string required: true responses: '200': content: application/json: examples: withErrors: value: errors: - error: message: 'Error found importing exception list: Invalid value \"4\" supplied to \"list_id\"' status_code: 400 list_id: (unknown list_id) - error: message: 'Found that item_id: \"f7fd00bb-dba8-4c93-9d59-6cbd427b6330\" already exists. Import of item_id: \"f7fd00bb-dba8-4c93-9d59-6cbd427b6330\" skipped.' status_code: 409 item_id: f7fd00bb-dba8-4c93-9d59-6cbd427b6330 list_id: 7d7cccb8-db72-4667-b1f3-648efad7c1ee success: false, success_count: 0, success_count_exception_list_items: 0 success_count_exception_lists: 0, success_exception_list_items: false, success_exception_lists: false, withoutErrors: value: errors: [] success: true success_count: 2 success_count_exception_list_items: 1 success_count_exception_lists: 1 success_exception_list_items: true success_exception_lists: true, schema: type: object properties: errors: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListsImportBulkErrorArray' success: type: boolean success_count: minimum: 0 type: integer success_count_exception_list_items: minimum: 0 type: integer success_count_exception_lists: minimum: 0 type: integer success_exception_list_items: type: boolean success_exception_lists: type: boolean required: - errors - success - success_count - success_exception_lists - success_count_exception_lists - success_exception_list_items - success_count_exception_list_items description: Successful response '400': content: application/json: schema: oneOf: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: error: Forbidden message: API [POST /api/exception_lists/_import] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] statusCode: 403 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Not enough privileges response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Internal server error response summary: Import an exception list tags: - Security Exceptions API x-metaTags: - content: Kibana name: product_name /api/exception_lists/items: delete: description: |- **Spaces method and path for this operation:**
delete /s/{space_id}/api/exception_lists/items
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Delete an exception list item using the `id` or `item_id` field. operationId: DeleteExceptionListItem parameters: - description: Exception item's identifier. Either `id` or `item_id` must be specified in: query name: id required: false schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId' - description: Human readable exception item string identifier, e.g. `trusted-linux-processes`. Either `id` or `item_id` must be specified in: query name: item_id required: false schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId' - examples: agnostic: value: agnostic single: value: single in: query name: namespace_type required: false schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' default: single responses: '200': content: application/json: examples: simpleExceptionItem: value: _version: WzQsMV0= comments: [] created_at: '2025-01-07T20:07:33.119Z' created_by: elastic description: This is a sample detection type exception item. entries: - field: actingProcess.file.signer operator: excluded type: exists - field: host.name operator: included type: match_any value: - saturn - jupiter id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 item_id: simple_list_item list_id: simple_list name: Sample Exception List Item namespace_type: single os_types: - linux tags: - malware tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c type: simple updated_at: '2025-01-07T20:07:33.119Z' updated_by: elastic schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' description: Successful response '400': content: application/json: schema: example: error: Bad Request message: '[request query]: namespace_type.0: Invalid enum value. Expected ''agnostic'' | ''single'', received ''blob''' statusCode: 400 oneOf: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: error: Forbidden message: API [DELETE /api/exception_lists/items?item_id=simple_list&namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] statusCode: 403 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Not enough privileges response '404': content: application/json: examples: notFound: value: message: 'exception list item item_id: \"foo\" does not exist' status_code: 404 schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Exception list item not found response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Internal server error response summary: Delete an exception list item tags: - Security Exceptions API x-metaTags: - content: Kibana name: product_name get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/exception_lists/items
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get the details of an exception list item using the `id` or `item_id` field. operationId: ReadExceptionListItem parameters: - description: Exception list item's identifier. Either `id` or `item_id` must be specified. in: query name: id required: false schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId' - description: Human readable exception item string identifier, e.g. `trusted-linux-processes`. Either `id` or `item_id` must be specified. in: query name: item_id required: false schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId' - examples: agnostic: value: agnostic single: value: single in: query name: namespace_type required: false schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' default: single responses: '200': content: application/json: examples: simpleListItem: value: _version: WzQsMV0= comments: [] created_at: '2025-01-07T20:07:33.119Z' created_by: elastic description: This is a sample detection type exception item. entries: - field: actingProcess.file.signer operator: excluded type: exists - field: host.name operator: included type: match_any value: - saturn - jupiter id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 item_id: simple_list_item list_id: simple_list name: Sample Exception List Item namespace_type: single os_types: - linux tags: - malware tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c type: simple updated_at: '2025-01-07T20:07:33.119Z' updated_by: elastic schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' description: Successful response '400': content: application/json: examples: badRequest: value: error: Bad Request message: '[request query]: namespace_type.0: Invalid enum value. Expected ''agnostic'' | ''single'', received ''blob''' statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: error: Forbidden message: API [GET /api/exception_lists/items?item_id=&namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] statusCode: 403 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Not enough privileges response '404': content: application/json: examples: notFound: value: message: 'exception list item item_id: \"foo\" does not exist' status_code: 404 schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Exception list item not found response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Internal server error response summary: Get an exception list item tags: - Security Exceptions API x-metaTags: - content: Kibana name: product_name post: description: | **Spaces method and path for this operation:**
post /s/{space_id}/api/exception_lists/items
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Create an exception item and associate it with the specified exception list. > info > Before creating exception items, you must create an exception list. operationId: CreateExceptionListItem requestBody: content: application/json: schema: oneOf: - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemGeneric' - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemEndpointList' - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedAppsWindows' - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedAppsMac' - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedAppsLinux' - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedDevicesWindows' - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedDevicesMac' - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedDevicesWindowsMac' - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemEventFilters' - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemHostIsolation' - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBlocklistWindows' - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBlocklistLinux' - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBlocklistMac' description: Exception list item's properties required: true responses: '200': content: application/json: examples: autogeneratedItemId: value: _version: WzYsMV0= comments: [] created_at: '2025-01-09T01:16:23.322Z' created_by: elastic description: This is a sample exception that has no item_id so it is autogenerated. entries: - field: actingProcess.file.signer operator: excluded type: exists id: 323faa75-c657-4fa0-9084-8827612c207b item_id: 80e6edf7-4b13-4414-858f-2fa74aa52b37 list_id: 8c1aae4c-1ef5-4bce-a2e3-16584b501783 name: Sample Autogenerated Exception List Item ID namespace_type: single os_types: [] tags: - malware tie_breaker_id: d6799986-3a23-4213-bc6d-ed9463a32f23 type: simple updated_at: '2025-01-09T01:16:23.322Z' updated_by: elastic detectionExceptionListItem: value: _version: WzQsMV0= comments: [] created_at: '2025-01-07T20:07:33.119Z' created_by: elastic description: This is a sample detection type exception item. entries: - field: actingProcess.file.signer operator: excluded type: exists id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 item_id: simple_list_item list_id: simple_list name: Sample Exception List Item namespace_type: single os_types: - linux tags: - malware tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c type: simple updated_at: '2025-01-07T20:07:33.119Z' updated_by: elastic withExistEntry: value: _version: WzQsMV0= comments: [] created_at: '2025-01-07T20:07:33.119Z' created_by: elastic description: This is a sample detection type exception item. entries: - field: actingProcess.file.signer operator: excluded type: exists id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 item_id: simple_list_item list_id: simple_list name: Sample Exception List Item namespace_type: single os_types: - linux tags: - malware tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c type: simple updated_at: '2025-01-07T20:07:33.119Z' updated_by: elastic withMatchAnyEntry: value: _version: WzQsMV0= comments: [] created_at: '2025-01-07T20:07:33.119Z' created_by: elastic description: This is a sample detection type exception item. entries: - field: host.name operator: included type: match_any value: - saturn - jupiter id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 item_id: simple_list_item list_id: simple_list name: Sample Exception List Item namespace_type: single os_types: - linux tags: - malware tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c type: simple updated_at: '2025-01-07T20:07:33.119Z' updated_by: elastic withMatchEntry: value: _version: WzQsMV0= comments: [] created_at: '2025-01-07T20:07:33.119Z' created_by: elastic description: This is a sample detection type exception item. entries: - field: actingProcess.file.signer operator: included type: match value: Elastic N.V. id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 item_id: simple_list_item list_id: simple_list name: Sample Exception List Item namespace_type: single os_types: - linux tags: - malware tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c type: simple updated_at: '2025-01-07T20:07:33.119Z' updated_by: elastic withNestedEntry: value: _version: WzQsMV0= comments: [] created_at: '2025-01-07T20:07:33.119Z' created_by: elastic description: This is a sample detection type exception item. entries: - entries: - field: signer operator: included type: match value: Evil - field: trusted operator: included type: match value: true field: file.signature type: nested id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 item_id: simple_list_item list_id: simple_list name: Sample Exception List Item namespace_type: single os_types: - linux tags: - malware tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c type: simple updated_at: '2025-01-07T20:07:33.119Z' updated_by: elastic withValueListEntry: value: _version: WzcsMV0= comments: [] created_at: '2025-01-09T01:31:12.614Z' created_by: elastic description: Don't signal when agent.name is rock01 and source.ip is in the goodguys.txt list entries: - field: source.ip list: id: goodguys.txt type: ip operator: excluded type: list id: deb26876-297d-4677-8a1f-35467d2f1c4f item_id: 686b129e-9b8d-4c59-8d8d-c93a9ea82c71 list_id: 8c1aae4c-1ef5-4bce-a2e3-16584b501783 name: Filter out good guys ip and agent.name rock01 namespace_type: single os_types: [] tags: - malware tie_breaker_id: 5e0288ce-6657-4c18-9dcc-00ec9e8cc6c8 type: simple updated_at: '2025-01-09T01:31:12.614Z' updated_by: elastic schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' description: Successful response '400': content: application/json: examples: badRequest: value: error: Bad Request, message: '[request body]: list_id: Expected string, received number' statusCode: 400, schema: oneOf: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: error: Forbidden message: API [POST /api/exception_lists/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] statusCode: 403 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Not enough privileges response '409': content: application/json: examples: alreadyExists: value: message: 'exception list item id: \"simple_list_item\" already exists' status_code: 409 schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Exception list item already exists response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Internal server error response summary: Create an exception list item tags: - Security Exceptions API x-metaTags: - content: Kibana name: product_name put: description: |- **Spaces method and path for this operation:**
put /s/{space_id}/api/exception_lists/items
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Update an exception list item using the `id` or `item_id` field. operationId: UpdateExceptionListItem requestBody: content: application/json: schema: oneOf: - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemGeneric' - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemEndpointList' - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedAppsWindows' - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedAppsMac' - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedAppsLinux' - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesWindows' - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesMac' - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesWindowsMac' - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemEventFilters' - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemHostIsolation' - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBlocklistWindows' - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBlocklistLinux' - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBlocklistMac' description: Exception list item's properties required: true responses: '200': content: application/json: examples: simpleListItem: value: _version: WzEyLDFd comments: [] created_at: '2025-01-07T21:12:25.512Z' created_by: elastic description: Updated description entries: - field: host.name operator: included type: match value: rock01 id: 459c5e7e-f8b2-4f0b-b136-c1fc702f72da item_id: simple_list_item list_id: simple_list name: Updated name namespace_type: single os_types: [] tags: [] tie_breaker_id: ad0754ff-7b19-49ca-b73e-e6aff6bfa2d0 type: simple updated_at: '2025-01-07T21:34:50.233Z' updated_by: elastic schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' description: Successful response '400': content: application/json: examples: badRequest: value: error: Bad Request message: '[request body]: item_id: Expected string, received number' statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: error: Forbidden message: API [PUT /api/exception_lists/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] statusCode: 403 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Not enough privileges response '404': content: application/json: examples: notFound: value: message: 'exception list item item_id: \"foo\" does not exist' status_code: 404 schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Exception list item not found response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Internal server error response summary: Update an exception list item tags: - Security Exceptions API x-metaTags: - content: Kibana name: product_name /api/exception_lists/items/_find: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/exception_lists/items/_find
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get a list of all exception list items in the specified list. operationId: FindExceptionListItems parameters: - description: The `list_id`s of the items to fetch. in: query name: list_id required: true schema: items: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' type: array - description: | Filters the returned results according to the value of the specified field, using the `:` syntax. examples: singleFilter: value: - exception-list.attributes.name:%My%20item in: query name: filter required: false schema: default: [] items: $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' type: array - description: | Determines whether the returned containers are Kibana associated with a Kibana space or available in all spaces (`agnostic` or `single`) examples: single: value: - single in: query name: namespace_type required: false schema: default: - single items: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' type: array - in: query name: search required: false schema: example: host.name type: string - description: The page number to return in: query name: page required: false schema: example: 1 minimum: 0 type: integer - description: The number of exception list items to return per page in: query name: per_page required: false schema: example: 20 minimum: 0 type: integer - description: Determines which field is used to sort the results. example: name in: query name: sort_field required: false schema: $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - description: Determines the sort order, which can be `desc` or `asc`. in: query name: sort_order required: false schema: enum: - desc - asc example: desc type: string responses: '200': content: application/json: examples: simpleListItems: value: data: - _version: WzgsMV0= comments: [] created_at: '2025-01-07T21:12:25.512Z' created_by: elastic description: This is a sample exception item. entries: - field: actingProcess.file.signer operator: excluded type: exists - field: host.name operator: included type: match_any value: - jupiter - saturn id: 459c5e7e-f8b2-4f0b-b136-c1fc702f72da item_id: simple_list_item list_id: simple_list name: Sample Exception List Item namespace_type: single os_types: - linux tags: - malware tie_breaker_id: ad0754ff-7b19-49ca-b73e-e6aff6bfa2d0 type: simple updated_at: '2025-01-07T21:12:25.512Z' updated_by: elastic page: 1 per_page: 20 total: 1 schema: type: object properties: data: items: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' type: array page: minimum: 1 type: integer per_page: minimum: 1 type: integer pit: type: string total: minimum: 0 type: integer required: - data - page - per_page - total description: Successful response '400': content: application/json: examples: badRequest: value: error: Bad Request message: '[request query]: namespace_type.0: Invalid enum value. Expected ''agnostic'' | ''single'', received ''blob''' statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: error: Forbidden message: API [GET /api/exception_lists/items/_find?list_id=simple_list&namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] statusCode: 403 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Not enough privileges response '404': content: application/json: examples: notFound: value: message: 'exception list list_id: "foo" does not exist' status_code: 404 schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Exception list not found response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Internal server error response summary: Get exception list items tags: - Security Exceptions API x-metaTags: - content: Kibana name: product_name /api/exception_lists/summary: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/exception_lists/summary
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get a summary of the specified exception list. operationId: ReadExceptionListSummary parameters: - description: Exception list's identifier generated upon creation. in: query name: id required: false schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' - description: Exception list's human readable identifier. in: query name: list_id required: false schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - examples: agnostic: value: agnostic single: value: single in: query name: namespace_type required: false schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' default: single - description: Search filter clause in: query name: filter required: false schema: example: exception-list-agnostic.attributes.tags:"policy:policy-1" OR exception-list-agnostic.attributes.tags:"policy:all" type: string responses: '200': content: application/json: examples: summary: value: linux: 0 macos: 0 total: 0 windows: 0 schema: type: object properties: linux: minimum: 0 type: integer macos: minimum: 0 type: integer total: minimum: 0 type: integer windows: minimum: 0 type: integer description: Successful response '400': content: application/json: examples: badRequest: value: error: Bad Request message: '[request query]: namespace_type.0: Invalid enum value. Expected ''agnostic'' | ''single'', received ''blob''' statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: error: Forbidden message: API [GET /api/exception_lists/summary?list_id=simple_list&namespace_type=agnostic] is unauthorized for user, this action is granted by the Kibana privileges [lists-summary] statusCode: 403 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Not enough privileges response '404': content: application/json: examples: notFound: value: message": 'exception list id: "foo" does not exist' status_code": 404 schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Exception list not found response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Internal server error response summary: Get an exception list summary tags: - Security Exceptions API x-metaTags: - content: Kibana name: product_name /api/exceptions/shared: post: description: | **Spaces method and path for this operation:**
post /s/{space_id}/api/exceptions/shared
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. An exception list groups exception items and can be associated with detection rules. A shared exception list can apply to multiple detection rules. > info > All exception items added to the same list are evaluated using `OR` logic. That is, if any of the items in a list evaluate to `true`, the exception prevents the rule from generating an alert. Likewise, `OR` logic is used for evaluating exceptions when more than one exception list is assigned to a rule. To use the `AND` operator, you can define multiple clauses (`entries`) in a single exception item. operationId: CreateSharedExceptionList requestBody: content: application/json: schema: example: description: This is a sample detection type exception list. list_id: simple_list name: Sample Detection Exception List namespace_type: single os_types: - linux tags: - malware type: object properties: description: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListDescription' name: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListName' required: - name - description required: true responses: '200': content: application/json: examples: sharedList: value: _version: WzIsMV0= created_at: '2025-01-07T19:34:27.942Z' created_by: elastic description: This is a sample detection type exception list. id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 immutable: false list_id: simple_list name: Sample Detection Exception List namespace_type: single os_types: - linux tags: - malware tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 type: detection updated_at: '2025-01-07T19:34:27.942Z' updated_by: elastic version: 1 schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' description: Successful response '400': content: application/json: examples: badRequest: value: error: Bad Request message: '[request body]: list_id: Expected string, received number' statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" statusCode: 401 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: message: Unable to create exception-list status_code: 403 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Not enough privileges response '409': content: application/json: examples: alreadyExists: value: message: 'exception list id: "simple_list" already exists' status_code: 409 schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Exception list already exists response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Internal server error response summary: Create a shared exception list tags: - Security Exceptions API x-metaTags: - content: Kibana name: product_name /api/features: get: description: | Get information about all Kibana features. Features are used by spaces and security to refine and secure access to Kibana. operationId: get-features responses: '200': content: application/json: examples: getFeaturesExample: value: | { "features": [ { "name": "tasks", "description": "Manages task results" }, { "name": "security", "description": "Manages configuration for Security features, such as users and roles" }, { "name": "searchable_snapshots", "description": "Manages caches and configuration for searchable snapshots" }, { "name": "logstash_management", "description": "Enables Logstash Central Management pipeline storage" }, { "name": "transform", "description": "Manages configuration and state for transforms" }, { "name": "kibana", "description": "Manages Kibana configuration and reports" }, { "name": "synonyms", "description": "Manages synonyms" }, { "name": "async_search", "description": "Manages results of async searches" }, { "name": "ent_search", "description": "Manages configuration for Enterprise Search features" }, { "name": "machine_learning", "description": "Provides anomaly detection and forecasting functionality" }, { "name": "geoip", "description": "Manages data related to GeoIP database downloader" }, { "name": "watcher", "description": "Manages Watch definitions and state" }, { "name": "fleet", "description": "Manages configuration for Fleet" }, { "name": "enrich", "description": "Manages data related to Enrich policies" }, { "name": "inference_plugin", "description": "Inference plugin for managing inference services and inference" } ] } schema: type: object description: Indicates a successful call summary: Get features tags: - system x-state: Technical Preview x-metaTags: - content: Kibana name: product_name /api/fleet/agent_download_sources: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/fleet/agent_download_sources
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. List all agent binary download sources.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-settings-read. operationId: get-fleet-agent-download-sources parameters: [] responses: '200': content: application/json: examples: getDownloadSourcesExample: description: List of agent binary download sources value: items: - host: https://artifacts.elastic.co/downloads/ id: download-source-id-1 is_default: true name: Elastic Artifacts page: 1 perPage: 20 total: 1 schema: additionalProperties: false type: object properties: items: items: additionalProperties: false type: object properties: auth: additionalProperties: false nullable: true type: object properties: api_key: type: string headers: items: additionalProperties: false type: object properties: key: type: string value: type: string required: - key - value maxItems: 100 type: array password: type: string username: type: string host: format: uri type: string id: type: string is_default: default: false type: boolean name: type: string proxy_id: description: The ID of the proxy to use for this download source. See the proxies API for more information. nullable: true type: string secrets: additionalProperties: false type: object properties: auth: additionalProperties: false type: object properties: api_key: anyOf: - additionalProperties: false type: object properties: id: type: string required: - id - type: string password: anyOf: - additionalProperties: false type: object properties: id: type: string required: - id - type: string ssl: additionalProperties: false type: object properties: key: anyOf: - additionalProperties: false type: object properties: id: type: string required: - id - type: string ssl: additionalProperties: false type: object properties: certificate: type: string certificate_authorities: items: type: string maxItems: 10 type: array key: type: string required: - id - name - host maxItems: 10000 type: array page: type: number perPage: type: number total: type: number required: - items - total - page - perPage description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Get agent binary download sources tags: - Elastic Agent binary download sources x-metaTags: - content: Kibana name: product_name post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/fleet/agent_download_sources
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Create a new agent binary download source.

[Required authorization] Route required privileges: fleet-settings-all. operationId: post-fleet-agent-download-sources parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: examples: postDownloadSourceRequestExample: description: Create a new agent binary download source value: host: https://my-custom-host.example.com/downloads/ is_default: false name: My custom download source schema: additionalProperties: false type: object properties: auth: additionalProperties: false nullable: true type: object properties: api_key: type: string headers: items: additionalProperties: false type: object properties: key: type: string value: type: string required: - key - value maxItems: 100 type: array password: type: string username: type: string host: format: uri type: string id: type: string is_default: default: false type: boolean name: type: string proxy_id: description: The ID of the proxy to use for this download source. See the proxies API for more information. nullable: true type: string secrets: additionalProperties: false type: object properties: auth: additionalProperties: false type: object properties: api_key: anyOf: - additionalProperties: false type: object properties: id: type: string required: - id - type: string password: anyOf: - additionalProperties: false type: object properties: id: type: string required: - id - type: string ssl: additionalProperties: false type: object properties: key: anyOf: - additionalProperties: false type: object properties: id: type: string required: - id - type: string ssl: additionalProperties: false type: object properties: certificate: type: string certificate_authorities: items: type: string maxItems: 10 type: array key: type: string required: - name - host responses: '200': content: application/json: examples: postDownloadSourceExample: description: The created agent binary download source value: item: host: https://my-custom-host.example.com/downloads/ id: download-source-id-2 is_default: false name: My custom download source schema: additionalProperties: false type: object properties: item: additionalProperties: false type: object properties: auth: additionalProperties: false nullable: true type: object properties: api_key: type: string headers: items: additionalProperties: false type: object properties: key: type: string value: type: string required: - key - value maxItems: 100 type: array password: type: string username: type: string host: format: uri type: string id: type: string is_default: default: false type: boolean name: type: string proxy_id: description: The ID of the proxy to use for this download source. See the proxies API for more information. nullable: true type: string secrets: additionalProperties: false type: object properties: auth: additionalProperties: false type: object properties: api_key: anyOf: - additionalProperties: false type: object properties: id: type: string required: - id - type: string password: anyOf: - additionalProperties: false type: object properties: id: type: string required: - id - type: string ssl: additionalProperties: false type: object properties: key: anyOf: - additionalProperties: false type: object properties: id: type: string required: - id - type: string ssl: additionalProperties: false type: object properties: certificate: type: string certificate_authorities: items: type: string maxItems: 10 type: array key: type: string required: - id - name - host required: - item description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Create an agent binary download source tags: - Elastic Agent binary download sources x-metaTags: - content: Kibana name: product_name /api/fleet/agent_download_sources/{sourceId}: delete: description: |- **Spaces method and path for this operation:**
delete /s/{space_id}/api/fleet/agent_download_sources/{sourceId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Delete an agent binary download source by ID.

[Required authorization] Route required privileges: fleet-settings-all. operationId: delete-fleet-agent-download-sources-sourceid parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The ID of the download source in: path name: sourceId required: true schema: type: string responses: '200': content: application/json: examples: deleteDownloadSourceExample: description: The download source was successfully deleted value: id: download-source-id-1 schema: additionalProperties: false type: object properties: id: type: string required: - id description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request '404': content: application/json: examples: notFoundExample: description: No download source was found with the given ID value: error: Not Found message: Agent binary source download-source-id-1 not found statusCode: 404 description: Not Found summary: Delete an agent binary download source tags: - Elastic Agent binary download sources x-metaTags: - content: Kibana name: product_name get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/fleet/agent_download_sources/{sourceId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get an agent binary download source by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-settings-read. operationId: get-fleet-agent-download-sources-sourceid parameters: - description: The ID of the download source in: path name: sourceId required: true schema: type: string responses: '200': content: application/json: examples: getDownloadSourceExample: description: An agent binary download source value: item: host: https://artifacts.elastic.co/downloads/ id: download-source-id-1 is_default: true name: Elastic Artifacts schema: additionalProperties: false type: object properties: item: additionalProperties: false type: object properties: auth: additionalProperties: false nullable: true type: object properties: api_key: type: string headers: items: additionalProperties: false type: object properties: key: type: string value: type: string required: - key - value maxItems: 100 type: array password: type: string username: type: string host: format: uri type: string id: type: string is_default: default: false type: boolean name: type: string proxy_id: description: The ID of the proxy to use for this download source. See the proxies API for more information. nullable: true type: string secrets: additionalProperties: false type: object properties: auth: additionalProperties: false type: object properties: api_key: anyOf: - additionalProperties: false type: object properties: id: type: string required: - id - type: string password: anyOf: - additionalProperties: false type: object properties: id: type: string required: - id - type: string ssl: additionalProperties: false type: object properties: key: anyOf: - additionalProperties: false type: object properties: id: type: string required: - id - type: string ssl: additionalProperties: false type: object properties: certificate: type: string certificate_authorities: items: type: string maxItems: 10 type: array key: type: string required: - id - name - host required: - item description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request '404': content: application/json: examples: notFoundExample: description: No download source was found with the given ID value: error: Not Found message: Agent binary source download-source-id-1 not found statusCode: 404 description: Not Found summary: Get an agent binary download source tags: - Elastic Agent binary download sources x-metaTags: - content: Kibana name: product_name put: description: |- **Spaces method and path for this operation:**
put /s/{space_id}/api/fleet/agent_download_sources/{sourceId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Update an agent binary download source by ID.

[Required authorization] Route required privileges: fleet-settings-all. operationId: put-fleet-agent-download-sources-sourceid parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The ID of the download source in: path name: sourceId required: true schema: type: string requestBody: content: application/json: examples: putDownloadSourceRequestExample: description: Update an agent binary download source value: host: https://updated-host.example.com/downloads/ is_default: false name: Updated download source schema: additionalProperties: false type: object properties: auth: additionalProperties: false nullable: true type: object properties: api_key: type: string headers: items: additionalProperties: false type: object properties: key: type: string value: type: string required: - key - value maxItems: 100 type: array password: type: string username: type: string host: format: uri type: string id: type: string is_default: default: false type: boolean name: type: string proxy_id: description: The ID of the proxy to use for this download source. See the proxies API for more information. nullable: true type: string secrets: additionalProperties: false type: object properties: auth: additionalProperties: false type: object properties: api_key: anyOf: - additionalProperties: false type: object properties: id: type: string required: - id - type: string password: anyOf: - additionalProperties: false type: object properties: id: type: string required: - id - type: string ssl: additionalProperties: false type: object properties: key: anyOf: - additionalProperties: false type: object properties: id: type: string required: - id - type: string ssl: additionalProperties: false type: object properties: certificate: type: string certificate_authorities: items: type: string maxItems: 10 type: array key: type: string required: - name - host responses: '200': content: application/json: examples: putDownloadSourceExample: description: The updated agent binary download source value: item: host: https://updated-host.example.com/downloads/ id: download-source-id-1 is_default: false name: Updated download source schema: additionalProperties: false type: object properties: item: additionalProperties: false type: object properties: auth: additionalProperties: false nullable: true type: object properties: api_key: type: string headers: items: additionalProperties: false type: object properties: key: type: string value: type: string required: - key - value maxItems: 100 type: array password: type: string username: type: string host: format: uri type: string id: type: string is_default: default: false type: boolean name: type: string proxy_id: description: The ID of the proxy to use for this download source. See the proxies API for more information. nullable: true type: string secrets: additionalProperties: false type: object properties: auth: additionalProperties: false type: object properties: api_key: anyOf: - additionalProperties: false type: object properties: id: type: string required: - id - type: string password: anyOf: - additionalProperties: false type: object properties: id: type: string required: - id - type: string ssl: additionalProperties: false type: object properties: key: anyOf: - additionalProperties: false type: object properties: id: type: string required: - id - type: string ssl: additionalProperties: false type: object properties: certificate: type: string certificate_authorities: items: type: string maxItems: 10 type: array key: type: string required: - id - name - host required: - item description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request '404': content: application/json: examples: notFoundExample: description: No download source was found with the given ID value: error: Not Found message: Download source download-source-id-1 not found statusCode: 404 description: Not Found summary: Update an agent binary download source tags: - Elastic Agent binary download sources x-metaTags: - content: Kibana name: product_name /api/fleet/agent_policies: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/fleet/agent_policies
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. List all agent policies.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-agents-read OR fleet-setup. operationId: get-fleet-agent-policies parameters: - description: Page number in: query name: page required: false schema: type: number - description: Number of results per page in: query name: perPage required: false schema: type: number - description: Field to sort results by in: query name: sortField required: false schema: type: string - description: Sort order, ascending or descending in: query name: sortOrder required: false schema: enum: - desc - asc type: string - description: When true, only show policies with upgradeable agents in: query name: showUpgradeable required: false schema: type: boolean - description: A KQL query string to filter results in: query name: kuery required: false schema: type: string - description: use withAgentCount instead in: query name: noAgentCount required: false schema: deprecated: true type: boolean - description: get policies with agent count in: query name: withAgentCount required: false schema: type: boolean - description: get full policies with package policies populated in: query name: full required: false schema: type: boolean - description: 'Format for the response: simplified or legacy' in: query name: format required: false schema: enum: - simplified - legacy type: string responses: '200': content: application/json: examples: getAgentPoliciesExample: description: List of agent policies value: items: - description: A sample agent policy id: agent-policy-id-1 is_managed: false is_protected: false name: My agent policy namespace: default revision: 1 status: active updated_at: '2024-01-15T10:00:00.000Z' updated_by: user1 page: 1 perPage: 20 total: 1 schema: additionalProperties: false type: object properties: items: items: additionalProperties: false type: object properties: advanced_settings: additionalProperties: false type: object properties: agent_download_target_directory: nullable: true agent_download_timeout: nullable: true agent_features_disable_policy_change_acks_enabled: nullable: true agent_internal: nullable: true agent_limits_go_max_procs: nullable: true agent_logging_files_interval: nullable: true agent_logging_files_keepfiles: nullable: true agent_logging_files_rotateeverybytes: nullable: true agent_logging_level: nullable: true agent_logging_metrics_period: nullable: true agent_logging_to_files: nullable: true agent_monitoring_runtime_experimental: nullable: true agent_features: items: additionalProperties: false type: object properties: enabled: type: boolean name: type: string required: - name - enabled maxItems: 100 type: array agentless: additionalProperties: false type: object properties: cloud_connectors: additionalProperties: false type: object properties: enabled: type: boolean target_csp: enum: - aws - azure - gcp type: string required: - enabled resources: additionalProperties: false type: object properties: requests: additionalProperties: false type: object properties: cpu: type: string memory: type: string agents: type: number agents_per_version: items: additionalProperties: false type: object properties: count: type: number version: type: string required: - version - count maxItems: 1000 type: array created_at: type: string data_output_id: nullable: true type: string description: type: string download_source_id: nullable: true type: string fips_agents: type: number fleet_server_host_id: nullable: true type: string global_data_tags: description: User defined data tags that are added to all of the inputs. The values can be strings or numbers. items: additionalProperties: false type: object properties: name: type: string value: anyOf: - type: string - type: number required: - name - value maxItems: 100 type: array has_agent_version_conditions: type: boolean has_fleet_server: type: boolean id: type: string inactivity_timeout: default: 1209600 minimum: 0 type: number is_default: type: boolean is_default_fleet_server: type: boolean is_managed: type: boolean is_preconfigured: type: boolean is_protected: description: Indicates whether the agent policy has tamper protection enabled. Default false. type: boolean is_verifier: description: Indicates this is a short-lived verifier policy used for OTel permission verification. type: boolean keep_monitoring_alive: default: false description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled nullable: true type: boolean min_agent_version: nullable: true type: string monitoring_diagnostics: additionalProperties: false type: object properties: limit: additionalProperties: false type: object properties: burst: type: number interval: type: string uploader: additionalProperties: false type: object properties: init_dur: type: string max_dur: type: string max_retries: type: number monitoring_enabled: items: enum: - logs - metrics - traces type: string maxItems: 3 type: array monitoring_http: additionalProperties: false type: object properties: buffer: additionalProperties: false type: object properties: enabled: default: false type: boolean enabled: type: boolean host: type: string port: maximum: 65353 minimum: 0 type: number monitoring_output_id: nullable: true type: string monitoring_pprof_enabled: type: boolean name: minLength: 1 type: string namespace: minLength: 1 type: string overrides: additionalProperties: {} description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure. nullable: true type: object package_agent_version_conditions: items: additionalProperties: false type: object properties: name: type: string title: type: string version_condition: type: string required: - name - title - version_condition maxItems: 1000 nullable: true type: array package_policies: anyOf: - items: type: string maxItems: 10000 type: array - description: This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter items: additionalProperties: false type: object properties: additional_datastreams_permissions: description: Additional datastream permissions, that will be added to the agent policy. items: type: string maxItems: 1000 nullable: true type: array agents: type: number cloud_connector_id: description: ID of the cloud connector associated with this package policy. nullable: true type: string cloud_connector_name: description: Transient field for cloud connector name during creation. maxLength: 255 minLength: 1 nullable: true type: string created_at: type: string created_by: type: string description: description: Package policy description type: string elasticsearch: additionalProperties: true type: object properties: privileges: additionalProperties: true type: object properties: cluster: items: type: string maxItems: 100 type: array enabled: type: boolean global_data_tags: items: additionalProperties: false type: object properties: name: description: The name of the custom field. Cannot contain spaces. type: string value: anyOf: - type: string - type: number description: The value of the custom field. required: - name - value maxItems: 100 nullable: true type: array id: description: Package policy unique identifier. type: string inputs: anyOf: - items: additionalProperties: false type: object properties: compiled_input: {} config: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object deprecated: additionalProperties: false type: object properties: description: type: string replaced_by: additionalProperties: type: string type: object since: type: string required: - description enabled: type: boolean id: type: string keep_enabled: type: boolean migrate_from: type: string name: type: string policy_template: type: string streams: items: additionalProperties: false type: object properties: compiled_stream: {} config: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object data_stream: additionalProperties: false type: object properties: dataset: type: string elasticsearch: additionalProperties: false type: object properties: dynamic_dataset: type: boolean dynamic_namespace: type: boolean privileges: additionalProperties: false type: object properties: indices: items: type: string maxItems: 100 type: array type: type: string required: - dataset deprecated: additionalProperties: false type: object properties: description: type: string replaced_by: additionalProperties: type: string type: object since: type: string required: - description enabled: type: boolean id: type: string keep_enabled: type: boolean migrate_from: type: string release: enum: - ga - beta - experimental type: string var_group_selections: additionalProperties: type: string description: Variable group selections. Maps var_group name to the selected option name within that group. type: object vars: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object required: - enabled - data_stream - compiled_stream maxItems: 1000 type: array type: type: string var_group_selections: additionalProperties: type: string description: Variable group selections. Maps var_group name to the selected option name within that group. type: object vars: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object required: - type - enabled - streams - compiled_input maxItems: 100 type: array - additionalProperties: additionalProperties: false type: object properties: deprecated: additionalProperties: false type: object properties: description: type: string replaced_by: additionalProperties: type: string type: object since: type: string required: - description enabled: description: Enable or disable that input. Defaults to `true` (enabled). type: boolean streams: additionalProperties: additionalProperties: false type: object properties: deprecated: additionalProperties: false type: object properties: description: type: string replaced_by: additionalProperties: type: string type: object since: type: string required: - description enabled: description: Enable or disable that stream. Defaults to `true` (enabled). type: boolean var_group_selections: additionalProperties: type: string description: Variable group selections. Maps var_group name to the selected option name within that group. type: object vars: additionalProperties: anyOf: - type: string - type: number - type: boolean - items: type: string maxItems: 100 type: array - items: type: number maxItems: 100 type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable. Refer to the integration documentation for more information. type: object description: Input streams. Refer to the integration documentation to know which streams are available. type: object vars: additionalProperties: anyOf: - type: string - type: number - type: boolean - items: type: string maxItems: 100 type: array - items: type: number maxItems: 100 type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable. Refer to the integration documentation for more information. type: object description: Package policy inputs. Refer to the integration documentation to know which inputs are available. type: object x-oas-optional: true description: Package policy inputs. is_managed: type: boolean name: description: Unique name for the package policy. type: string namespace: description: The package policy namespace. Leave blank to inherit the agent policy's namespace. type: string output_id: nullable: true type: string overrides: additionalProperties: false description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. nullable: true type: object properties: inputs: additionalProperties: {} type: object package: additionalProperties: false type: object properties: experimental_data_stream_features: items: additionalProperties: false type: object properties: data_stream: type: string features: additionalProperties: false type: object properties: doc_value_only_numeric: type: boolean doc_value_only_other: type: boolean synthetic_source: type: boolean tsdb: type: boolean required: - data_stream - features maxItems: 100 type: array fips_compatible: type: boolean name: description: Package name type: string requires_root: type: boolean title: type: string version: description: Package version type: string required: - name - version package_agent_version_condition: type: string policy_id: deprecated: true description: ID of the agent policy which the package policy will be added to. nullable: true type: string policy_ids: items: description: IDs of the agent policies which that package policy will be added to. type: string maxItems: 1000 type: array revision: description: Package policy revision. type: number secret_references: items: additionalProperties: false type: object properties: id: type: string required: - id maxItems: 1000 type: array spaceIds: items: type: string maxItems: 100 type: array supports_agentless: default: false description: Indicates whether the package policy belongs to an agentless agent policy. nullable: true type: boolean supports_cloud_connector: default: false description: Indicates whether the package policy supports cloud connectors. nullable: true type: boolean updated_at: type: string updated_by: type: string var_group_selections: additionalProperties: type: string description: Variable group selections. Maps var_group name to the selected option name within that group. type: object vars: anyOf: - additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object - additionalProperties: anyOf: - type: string - type: number - type: boolean - items: type: string maxItems: 100 type: array - items: type: number maxItems: 100 type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable. Refer to the integration documentation for more information. type: object x-oas-optional: true description: Package level variable. version: description: Package policy ES version. type: string required: - name - enabled - inputs - id - revision - updated_at - updated_by - created_at - created_by maxItems: 10000 type: array required_versions: items: additionalProperties: false type: object properties: percentage: description: Target percentage of agents to auto upgrade maximum: 100 minimum: 0 type: number version: description: Target version for automatic agent upgrade type: string required: - version - percentage maxItems: 100 nullable: true type: array revision: type: number schema_version: type: string space_ids: items: type: string maxItems: 100 type: array status: enum: - active - inactive type: string supports_agentless: default: false description: Indicates whether the agent policy supports agentless integrations. nullable: true type: boolean unenroll_timeout: minimum: 0 type: number unprivileged_agents: type: number updated_at: type: string updated_by: type: string version: type: string required: - id - name - namespace - is_protected - status - updated_at - updated_by - revision maxItems: 10000 type: array page: type: number perPage: type: number total: type: number required: - items - total - page - perPage description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Get agent policies tags: - Elastic Agent policies x-metaTags: - content: Kibana name: product_name post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/fleet/agent_policies
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Create a new agent policy.

[Required authorization] Route required privileges: fleet-agent-policies-all. operationId: post-fleet-agent-policies parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: Whether to add the system integration to the new agent policy in: query name: sys_monitoring required: false schema: type: boolean requestBody: content: application/json: examples: postAgentPolicyRequestExample: description: Create a new agent policy value: description: A sample agent policy monitoring_enabled: - logs - metrics name: My agent policy namespace: default schema: additionalProperties: false type: object properties: advanced_settings: additionalProperties: false type: object properties: agent_download_target_directory: nullable: true agent_download_timeout: nullable: true agent_features_disable_policy_change_acks_enabled: nullable: true agent_internal: nullable: true agent_limits_go_max_procs: nullable: true agent_logging_files_interval: nullable: true agent_logging_files_keepfiles: nullable: true agent_logging_files_rotateeverybytes: nullable: true agent_logging_level: nullable: true agent_logging_metrics_period: nullable: true agent_logging_to_files: nullable: true agent_monitoring_runtime_experimental: nullable: true agent_features: items: additionalProperties: false type: object properties: enabled: type: boolean name: type: string required: - name - enabled maxItems: 100 type: array agentless: additionalProperties: false type: object properties: cloud_connectors: additionalProperties: false type: object properties: enabled: type: boolean target_csp: enum: - aws - azure - gcp type: string required: - enabled resources: additionalProperties: false type: object properties: requests: additionalProperties: false type: object properties: cpu: type: string memory: type: string data_output_id: nullable: true type: string description: type: string download_source_id: nullable: true type: string fleet_server_host_id: nullable: true type: string force: type: boolean global_data_tags: description: User defined data tags that are added to all of the inputs. The values can be strings or numbers. items: additionalProperties: false type: object properties: name: type: string value: anyOf: - type: string - type: number required: - name - value maxItems: 100 type: array has_agent_version_conditions: type: boolean has_fleet_server: type: boolean id: type: string inactivity_timeout: default: 1209600 minimum: 0 type: number is_default: type: boolean is_default_fleet_server: type: boolean is_managed: type: boolean is_protected: type: boolean is_verifier: description: Indicates this is a short-lived verifier policy used for OTel permission verification. type: boolean keep_monitoring_alive: default: false description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled nullable: true type: boolean monitoring_diagnostics: additionalProperties: false type: object properties: limit: additionalProperties: false type: object properties: burst: type: number interval: type: string uploader: additionalProperties: false type: object properties: init_dur: type: string max_dur: type: string max_retries: type: number monitoring_enabled: items: enum: - logs - metrics - traces type: string maxItems: 3 type: array monitoring_http: additionalProperties: false type: object properties: buffer: additionalProperties: false type: object properties: enabled: default: false type: boolean enabled: type: boolean host: type: string port: maximum: 65353 minimum: 0 type: number monitoring_output_id: nullable: true type: string monitoring_pprof_enabled: type: boolean name: minLength: 1 type: string namespace: minLength: 1 type: string overrides: additionalProperties: {} description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure. nullable: true type: object required_versions: items: additionalProperties: false type: object properties: percentage: description: Target percentage of agents to auto upgrade maximum: 100 minimum: 0 type: number version: description: Target version for automatic agent upgrade type: string required: - version - percentage maxItems: 100 nullable: true type: array space_ids: items: type: string maxItems: 100 type: array supports_agentless: default: false deprecated: true description: Indicates whether the agent policy supports agentless integrations. Deprecated in favor of the Fleet agentless policies API. nullable: true type: boolean unenroll_timeout: minimum: 0 type: number required: - name - namespace responses: '200': content: application/json: examples: postAgentPolicyExample: description: The created agent policy value: item: description: A sample agent policy id: agent-policy-id-2 is_managed: false is_protected: false name: My agent policy namespace: default revision: 1 status: active updated_at: '2024-01-15T10:00:00.000Z' updated_by: user1 schema: additionalProperties: false type: object properties: item: additionalProperties: false type: object properties: advanced_settings: additionalProperties: false type: object properties: agent_download_target_directory: nullable: true agent_download_timeout: nullable: true agent_features_disable_policy_change_acks_enabled: nullable: true agent_internal: nullable: true agent_limits_go_max_procs: nullable: true agent_logging_files_interval: nullable: true agent_logging_files_keepfiles: nullable: true agent_logging_files_rotateeverybytes: nullable: true agent_logging_level: nullable: true agent_logging_metrics_period: nullable: true agent_logging_to_files: nullable: true agent_monitoring_runtime_experimental: nullable: true agent_features: items: additionalProperties: false type: object properties: enabled: type: boolean name: type: string required: - name - enabled maxItems: 100 type: array agentless: additionalProperties: false type: object properties: cloud_connectors: additionalProperties: false type: object properties: enabled: type: boolean target_csp: enum: - aws - azure - gcp type: string required: - enabled resources: additionalProperties: false type: object properties: requests: additionalProperties: false type: object properties: cpu: type: string memory: type: string agents: type: number agents_per_version: items: additionalProperties: false type: object properties: count: type: number version: type: string required: - version - count maxItems: 1000 type: array created_at: type: string data_output_id: nullable: true type: string description: type: string download_source_id: nullable: true type: string fips_agents: type: number fleet_server_host_id: nullable: true type: string global_data_tags: description: User defined data tags that are added to all of the inputs. The values can be strings or numbers. items: additionalProperties: false type: object properties: name: type: string value: anyOf: - type: string - type: number required: - name - value maxItems: 100 type: array has_agent_version_conditions: type: boolean has_fleet_server: type: boolean id: type: string inactivity_timeout: default: 1209600 minimum: 0 type: number is_default: type: boolean is_default_fleet_server: type: boolean is_managed: type: boolean is_preconfigured: type: boolean is_protected: description: Indicates whether the agent policy has tamper protection enabled. Default false. type: boolean is_verifier: description: Indicates this is a short-lived verifier policy used for OTel permission verification. type: boolean keep_monitoring_alive: default: false description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled nullable: true type: boolean min_agent_version: nullable: true type: string monitoring_diagnostics: additionalProperties: false type: object properties: limit: additionalProperties: false type: object properties: burst: type: number interval: type: string uploader: additionalProperties: false type: object properties: init_dur: type: string max_dur: type: string max_retries: type: number monitoring_enabled: items: enum: - logs - metrics - traces type: string maxItems: 3 type: array monitoring_http: additionalProperties: false type: object properties: buffer: additionalProperties: false type: object properties: enabled: default: false type: boolean enabled: type: boolean host: type: string port: maximum: 65353 minimum: 0 type: number monitoring_output_id: nullable: true type: string monitoring_pprof_enabled: type: boolean name: minLength: 1 type: string namespace: minLength: 1 type: string overrides: additionalProperties: {} description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure. nullable: true type: object package_agent_version_conditions: items: additionalProperties: false type: object properties: name: type: string title: type: string version_condition: type: string required: - name - title - version_condition maxItems: 1000 nullable: true type: array package_policies: anyOf: - items: type: string maxItems: 10000 type: array - description: This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter items: additionalProperties: false type: object properties: additional_datastreams_permissions: description: Additional datastream permissions, that will be added to the agent policy. items: type: string maxItems: 1000 nullable: true type: array agents: type: number cloud_connector_id: description: ID of the cloud connector associated with this package policy. nullable: true type: string cloud_connector_name: description: Transient field for cloud connector name during creation. maxLength: 255 minLength: 1 nullable: true type: string created_at: type: string created_by: type: string description: description: Package policy description type: string elasticsearch: additionalProperties: true type: object properties: privileges: additionalProperties: true type: object properties: cluster: items: type: string maxItems: 100 type: array enabled: type: boolean global_data_tags: items: additionalProperties: false type: object properties: name: description: The name of the custom field. Cannot contain spaces. type: string value: anyOf: - type: string - type: number description: The value of the custom field. required: - name - value maxItems: 100 nullable: true type: array id: description: Package policy unique identifier. type: string inputs: anyOf: - items: additionalProperties: false type: object properties: compiled_input: {} config: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object deprecated: additionalProperties: false type: object properties: description: type: string replaced_by: additionalProperties: type: string type: object since: type: string required: - description enabled: type: boolean id: type: string keep_enabled: type: boolean migrate_from: type: string name: type: string policy_template: type: string streams: items: additionalProperties: false type: object properties: compiled_stream: {} config: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object data_stream: additionalProperties: false type: object properties: dataset: type: string elasticsearch: additionalProperties: false type: object properties: dynamic_dataset: type: boolean dynamic_namespace: type: boolean privileges: additionalProperties: false type: object properties: indices: items: type: string maxItems: 100 type: array type: type: string required: - dataset deprecated: additionalProperties: false type: object properties: description: type: string replaced_by: additionalProperties: type: string type: object since: type: string required: - description enabled: type: boolean id: type: string keep_enabled: type: boolean migrate_from: type: string release: enum: - ga - beta - experimental type: string var_group_selections: additionalProperties: type: string description: Variable group selections. Maps var_group name to the selected option name within that group. type: object vars: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object required: - enabled - data_stream - compiled_stream maxItems: 1000 type: array type: type: string var_group_selections: additionalProperties: type: string description: Variable group selections. Maps var_group name to the selected option name within that group. type: object vars: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object required: - type - enabled - streams - compiled_input maxItems: 100 type: array - additionalProperties: additionalProperties: false type: object properties: deprecated: additionalProperties: false type: object properties: description: type: string replaced_by: additionalProperties: type: string type: object since: type: string required: - description enabled: description: Enable or disable that input. Defaults to `true` (enabled). type: boolean streams: additionalProperties: additionalProperties: false type: object properties: deprecated: additionalProperties: false type: object properties: description: type: string replaced_by: additionalProperties: type: string type: object since: type: string required: - description enabled: description: Enable or disable that stream. Defaults to `true` (enabled). type: boolean var_group_selections: additionalProperties: type: string description: Variable group selections. Maps var_group name to the selected option name within that group. type: object vars: additionalProperties: anyOf: - type: string - type: number - type: boolean - items: type: string maxItems: 100 type: array - items: type: number maxItems: 100 type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable. Refer to the integration documentation for more information. type: object description: Input streams. Refer to the integration documentation to know which streams are available. type: object vars: additionalProperties: anyOf: - type: string - type: number - type: boolean - items: type: string maxItems: 100 type: array - items: type: number maxItems: 100 type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable. Refer to the integration documentation for more information. type: object description: Package policy inputs. Refer to the integration documentation to know which inputs are available. type: object x-oas-optional: true description: Package policy inputs. is_managed: type: boolean name: description: Unique name for the package policy. type: string namespace: description: The package policy namespace. Leave blank to inherit the agent policy's namespace. type: string output_id: nullable: true type: string overrides: additionalProperties: false description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. nullable: true type: object properties: inputs: additionalProperties: {} type: object package: additionalProperties: false type: object properties: experimental_data_stream_features: items: additionalProperties: false type: object properties: data_stream: type: string features: additionalProperties: false type: object properties: doc_value_only_numeric: type: boolean doc_value_only_other: type: boolean synthetic_source: type: boolean tsdb: type: boolean required: - data_stream - features maxItems: 100 type: array fips_compatible: type: boolean name: description: Package name type: string requires_root: type: boolean title: type: string version: description: Package version type: string required: - name - version package_agent_version_condition: type: string policy_id: deprecated: true description: ID of the agent policy which the package policy will be added to. nullable: true type: string policy_ids: items: description: IDs of the agent policies which that package policy will be added to. type: string maxItems: 1000 type: array revision: description: Package policy revision. type: number secret_references: items: additionalProperties: false type: object properties: id: type: string required: - id maxItems: 1000 type: array spaceIds: items: type: string maxItems: 100 type: array supports_agentless: default: false description: Indicates whether the package policy belongs to an agentless agent policy. nullable: true type: boolean supports_cloud_connector: default: false description: Indicates whether the package policy supports cloud connectors. nullable: true type: boolean updated_at: type: string updated_by: type: string var_group_selections: additionalProperties: type: string description: Variable group selections. Maps var_group name to the selected option name within that group. type: object vars: anyOf: - additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object - additionalProperties: anyOf: - type: string - type: number - type: boolean - items: type: string maxItems: 100 type: array - items: type: number maxItems: 100 type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable. Refer to the integration documentation for more information. type: object x-oas-optional: true description: Package level variable. version: description: Package policy ES version. type: string required: - name - enabled - inputs - id - revision - updated_at - updated_by - created_at - created_by maxItems: 10000 type: array required_versions: items: additionalProperties: false type: object properties: percentage: description: Target percentage of agents to auto upgrade maximum: 100 minimum: 0 type: number version: description: Target version for automatic agent upgrade type: string required: - version - percentage maxItems: 100 nullable: true type: array revision: type: number schema_version: type: string space_ids: items: type: string maxItems: 100 type: array status: enum: - active - inactive type: string supports_agentless: default: false description: Indicates whether the agent policy supports agentless integrations. nullable: true type: boolean unenroll_timeout: minimum: 0 type: number unprivileged_agents: type: number updated_at: type: string updated_by: type: string version: type: string required: - id - name - namespace - is_protected - status - updated_at - updated_by - revision required: - item description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Create an agent policy tags: - Elastic Agent policies x-metaTags: - content: Kibana name: product_name /api/fleet/agent_policies/_bulk_get: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/fleet/agent_policies/_bulk_get
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get multiple agent policies by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-agents-read OR fleet-setup. operationId: post-fleet-agent-policies-bulk-get parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: 'Format for the response: simplified or legacy' in: query name: format required: false schema: enum: - simplified - legacy type: string requestBody: content: application/json: examples: postBulkGetAgentPoliciesRequestExample: description: Retrieve multiple agent policies by ID value: ids: - agent-policy-id-1 - agent-policy-id-2 schema: additionalProperties: false type: object properties: full: description: get full policies with package policies populated type: boolean ids: description: list of package policy ids items: type: string maxItems: 1000 type: array ignoreMissing: type: boolean required: - ids responses: '200': content: application/json: examples: postBulkGetAgentPoliciesExample: description: The requested agent policies value: items: - id: agent-policy-id-1 is_managed: false is_protected: false name: My agent policy namespace: default revision: 1 status: active updated_at: '2024-01-15T10:00:00.000Z' updated_by: user1 schema: additionalProperties: false type: object properties: items: items: additionalProperties: false type: object properties: advanced_settings: additionalProperties: false type: object properties: agent_download_target_directory: nullable: true agent_download_timeout: nullable: true agent_features_disable_policy_change_acks_enabled: nullable: true agent_internal: nullable: true agent_limits_go_max_procs: nullable: true agent_logging_files_interval: nullable: true agent_logging_files_keepfiles: nullable: true agent_logging_files_rotateeverybytes: nullable: true agent_logging_level: nullable: true agent_logging_metrics_period: nullable: true agent_logging_to_files: nullable: true agent_monitoring_runtime_experimental: nullable: true agent_features: items: additionalProperties: false type: object properties: enabled: type: boolean name: type: string required: - name - enabled maxItems: 100 type: array agentless: additionalProperties: false type: object properties: cloud_connectors: additionalProperties: false type: object properties: enabled: type: boolean target_csp: enum: - aws - azure - gcp type: string required: - enabled resources: additionalProperties: false type: object properties: requests: additionalProperties: false type: object properties: cpu: type: string memory: type: string agents: type: number agents_per_version: items: additionalProperties: false type: object properties: count: type: number version: type: string required: - version - count maxItems: 1000 type: array created_at: type: string data_output_id: nullable: true type: string description: type: string download_source_id: nullable: true type: string fips_agents: type: number fleet_server_host_id: nullable: true type: string global_data_tags: description: User defined data tags that are added to all of the inputs. The values can be strings or numbers. items: additionalProperties: false type: object properties: name: type: string value: anyOf: - type: string - type: number required: - name - value maxItems: 100 type: array has_agent_version_conditions: type: boolean has_fleet_server: type: boolean id: type: string inactivity_timeout: default: 1209600 minimum: 0 type: number is_default: type: boolean is_default_fleet_server: type: boolean is_managed: type: boolean is_preconfigured: type: boolean is_protected: description: Indicates whether the agent policy has tamper protection enabled. Default false. type: boolean is_verifier: description: Indicates this is a short-lived verifier policy used for OTel permission verification. type: boolean keep_monitoring_alive: default: false description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled nullable: true type: boolean min_agent_version: nullable: true type: string monitoring_diagnostics: additionalProperties: false type: object properties: limit: additionalProperties: false type: object properties: burst: type: number interval: type: string uploader: additionalProperties: false type: object properties: init_dur: type: string max_dur: type: string max_retries: type: number monitoring_enabled: items: enum: - logs - metrics - traces type: string maxItems: 3 type: array monitoring_http: additionalProperties: false type: object properties: buffer: additionalProperties: false type: object properties: enabled: default: false type: boolean enabled: type: boolean host: type: string port: maximum: 65353 minimum: 0 type: number monitoring_output_id: nullable: true type: string monitoring_pprof_enabled: type: boolean name: minLength: 1 type: string namespace: minLength: 1 type: string overrides: additionalProperties: {} description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure. nullable: true type: object package_agent_version_conditions: items: additionalProperties: false type: object properties: name: type: string title: type: string version_condition: type: string required: - name - title - version_condition maxItems: 1000 nullable: true type: array package_policies: anyOf: - items: type: string maxItems: 10000 type: array - description: This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter items: additionalProperties: false type: object properties: additional_datastreams_permissions: description: Additional datastream permissions, that will be added to the agent policy. items: type: string maxItems: 1000 nullable: true type: array agents: type: number cloud_connector_id: description: ID of the cloud connector associated with this package policy. nullable: true type: string cloud_connector_name: description: Transient field for cloud connector name during creation. maxLength: 255 minLength: 1 nullable: true type: string created_at: type: string created_by: type: string description: description: Package policy description type: string elasticsearch: additionalProperties: true type: object properties: privileges: additionalProperties: true type: object properties: cluster: items: type: string maxItems: 100 type: array enabled: type: boolean global_data_tags: items: additionalProperties: false type: object properties: name: description: The name of the custom field. Cannot contain spaces. type: string value: anyOf: - type: string - type: number description: The value of the custom field. required: - name - value maxItems: 100 nullable: true type: array id: description: Package policy unique identifier. type: string inputs: anyOf: - items: additionalProperties: false type: object properties: compiled_input: {} config: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object deprecated: additionalProperties: false type: object properties: description: type: string replaced_by: additionalProperties: type: string type: object since: type: string required: - description enabled: type: boolean id: type: string keep_enabled: type: boolean migrate_from: type: string name: type: string policy_template: type: string streams: items: additionalProperties: false type: object properties: compiled_stream: {} config: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object data_stream: additionalProperties: false type: object properties: dataset: type: string elasticsearch: additionalProperties: false type: object properties: dynamic_dataset: type: boolean dynamic_namespace: type: boolean privileges: additionalProperties: false type: object properties: indices: items: type: string maxItems: 100 type: array type: type: string required: - dataset deprecated: additionalProperties: false type: object properties: description: type: string replaced_by: additionalProperties: type: string type: object since: type: string required: - description enabled: type: boolean id: type: string keep_enabled: type: boolean migrate_from: type: string release: enum: - ga - beta - experimental type: string var_group_selections: additionalProperties: type: string description: Variable group selections. Maps var_group name to the selected option name within that group. type: object vars: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object required: - enabled - data_stream - compiled_stream maxItems: 1000 type: array type: type: string var_group_selections: additionalProperties: type: string description: Variable group selections. Maps var_group name to the selected option name within that group. type: object vars: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object required: - type - enabled - streams - compiled_input maxItems: 100 type: array - additionalProperties: additionalProperties: false type: object properties: deprecated: additionalProperties: false type: object properties: description: type: string replaced_by: additionalProperties: type: string type: object since: type: string required: - description enabled: description: Enable or disable that input. Defaults to `true` (enabled). type: boolean streams: additionalProperties: additionalProperties: false type: object properties: deprecated: additionalProperties: false type: object properties: description: type: string replaced_by: additionalProperties: type: string type: object since: type: string required: - description enabled: description: Enable or disable that stream. Defaults to `true` (enabled). type: boolean var_group_selections: additionalProperties: type: string description: Variable group selections. Maps var_group name to the selected option name within that group. type: object vars: additionalProperties: anyOf: - type: string - type: number - type: boolean - items: type: string maxItems: 100 type: array - items: type: number maxItems: 100 type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable. Refer to the integration documentation for more information. type: object description: Input streams. Refer to the integration documentation to know which streams are available. type: object vars: additionalProperties: anyOf: - type: string - type: number - type: boolean - items: type: string maxItems: 100 type: array - items: type: number maxItems: 100 type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable. Refer to the integration documentation for more information. type: object description: Package policy inputs. Refer to the integration documentation to know which inputs are available. type: object x-oas-optional: true description: Package policy inputs. is_managed: type: boolean name: description: Unique name for the package policy. type: string namespace: description: The package policy namespace. Leave blank to inherit the agent policy's namespace. type: string output_id: nullable: true type: string overrides: additionalProperties: false description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. nullable: true type: object properties: inputs: additionalProperties: {} type: object package: additionalProperties: false type: object properties: experimental_data_stream_features: items: additionalProperties: false type: object properties: data_stream: type: string features: additionalProperties: false type: object properties: doc_value_only_numeric: type: boolean doc_value_only_other: type: boolean synthetic_source: type: boolean tsdb: type: boolean required: - data_stream - features maxItems: 100 type: array fips_compatible: type: boolean name: description: Package name type: string requires_root: type: boolean title: type: string version: description: Package version type: string required: - name - version package_agent_version_condition: type: string policy_id: deprecated: true description: ID of the agent policy which the package policy will be added to. nullable: true type: string policy_ids: items: description: IDs of the agent policies which that package policy will be added to. type: string maxItems: 1000 type: array revision: description: Package policy revision. type: number secret_references: items: additionalProperties: false type: object properties: id: type: string required: - id maxItems: 1000 type: array spaceIds: items: type: string maxItems: 100 type: array supports_agentless: default: false description: Indicates whether the package policy belongs to an agentless agent policy. nullable: true type: boolean supports_cloud_connector: default: false description: Indicates whether the package policy supports cloud connectors. nullable: true type: boolean updated_at: type: string updated_by: type: string var_group_selections: additionalProperties: type: string description: Variable group selections. Maps var_group name to the selected option name within that group. type: object vars: anyOf: - additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object - additionalProperties: anyOf: - type: string - type: number - type: boolean - items: type: string maxItems: 100 type: array - items: type: number maxItems: 100 type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable. Refer to the integration documentation for more information. type: object x-oas-optional: true description: Package level variable. version: description: Package policy ES version. type: string required: - name - enabled - inputs - id - revision - updated_at - updated_by - created_at - created_by maxItems: 10000 type: array required_versions: items: additionalProperties: false type: object properties: percentage: description: Target percentage of agents to auto upgrade maximum: 100 minimum: 0 type: number version: description: Target version for automatic agent upgrade type: string required: - version - percentage maxItems: 100 nullable: true type: array revision: type: number schema_version: type: string space_ids: items: type: string maxItems: 100 type: array status: enum: - active - inactive type: string supports_agentless: default: false description: Indicates whether the agent policy supports agentless integrations. nullable: true type: boolean unenroll_timeout: minimum: 0 type: number unprivileged_agents: type: number updated_at: type: string updated_by: type: string version: type: string required: - id - name - namespace - is_protected - status - updated_at - updated_by - revision maxItems: 10000 type: array required: - items description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request '404': content: application/json: examples: notFoundExample: description: One or more agent policies were not found value: error: Not Found message: An error message describing what went wrong statusCode: 404 description: Not Found summary: Bulk get agent policies tags: - Elastic Agent policies x-metaTags: - content: Kibana name: product_name /api/fleet/agent_policies/{agentPolicyId}: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-agents-read OR fleet-setup. operationId: get-fleet-agent-policies-agentpolicyid parameters: - description: The ID of the agent policy in: path name: agentPolicyId required: true schema: type: string - description: 'Format for the response: simplified or legacy' in: query name: format required: false schema: enum: - simplified - legacy type: string responses: '200': content: application/json: examples: getAgentPolicyExample: description: An agent policy value: item: description: A sample agent policy id: agent-policy-id-1 is_managed: false is_protected: false name: My agent policy namespace: default revision: 1 status: active updated_at: '2024-01-15T10:00:00.000Z' updated_by: user1 schema: additionalProperties: false type: object properties: item: additionalProperties: false type: object properties: advanced_settings: additionalProperties: false type: object properties: agent_download_target_directory: nullable: true agent_download_timeout: nullable: true agent_features_disable_policy_change_acks_enabled: nullable: true agent_internal: nullable: true agent_limits_go_max_procs: nullable: true agent_logging_files_interval: nullable: true agent_logging_files_keepfiles: nullable: true agent_logging_files_rotateeverybytes: nullable: true agent_logging_level: nullable: true agent_logging_metrics_period: nullable: true agent_logging_to_files: nullable: true agent_monitoring_runtime_experimental: nullable: true agent_features: items: additionalProperties: false type: object properties: enabled: type: boolean name: type: string required: - name - enabled maxItems: 100 type: array agentless: additionalProperties: false type: object properties: cloud_connectors: additionalProperties: false type: object properties: enabled: type: boolean target_csp: enum: - aws - azure - gcp type: string required: - enabled resources: additionalProperties: false type: object properties: requests: additionalProperties: false type: object properties: cpu: type: string memory: type: string agents: type: number agents_per_version: items: additionalProperties: false type: object properties: count: type: number version: type: string required: - version - count maxItems: 1000 type: array created_at: type: string data_output_id: nullable: true type: string description: type: string download_source_id: nullable: true type: string fips_agents: type: number fleet_server_host_id: nullable: true type: string global_data_tags: description: User defined data tags that are added to all of the inputs. The values can be strings or numbers. items: additionalProperties: false type: object properties: name: type: string value: anyOf: - type: string - type: number required: - name - value maxItems: 100 type: array has_agent_version_conditions: type: boolean has_fleet_server: type: boolean id: type: string inactivity_timeout: default: 1209600 minimum: 0 type: number is_default: type: boolean is_default_fleet_server: type: boolean is_managed: type: boolean is_preconfigured: type: boolean is_protected: description: Indicates whether the agent policy has tamper protection enabled. Default false. type: boolean is_verifier: description: Indicates this is a short-lived verifier policy used for OTel permission verification. type: boolean keep_monitoring_alive: default: false description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled nullable: true type: boolean min_agent_version: nullable: true type: string monitoring_diagnostics: additionalProperties: false type: object properties: limit: additionalProperties: false type: object properties: burst: type: number interval: type: string uploader: additionalProperties: false type: object properties: init_dur: type: string max_dur: type: string max_retries: type: number monitoring_enabled: items: enum: - logs - metrics - traces type: string maxItems: 3 type: array monitoring_http: additionalProperties: false type: object properties: buffer: additionalProperties: false type: object properties: enabled: default: false type: boolean enabled: type: boolean host: type: string port: maximum: 65353 minimum: 0 type: number monitoring_output_id: nullable: true type: string monitoring_pprof_enabled: type: boolean name: minLength: 1 type: string namespace: minLength: 1 type: string overrides: additionalProperties: {} description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure. nullable: true type: object package_agent_version_conditions: items: additionalProperties: false type: object properties: name: type: string title: type: string version_condition: type: string required: - name - title - version_condition maxItems: 1000 nullable: true type: array package_policies: anyOf: - items: type: string maxItems: 10000 type: array - description: This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter items: additionalProperties: false type: object properties: additional_datastreams_permissions: description: Additional datastream permissions, that will be added to the agent policy. items: type: string maxItems: 1000 nullable: true type: array agents: type: number cloud_connector_id: description: ID of the cloud connector associated with this package policy. nullable: true type: string cloud_connector_name: description: Transient field for cloud connector name during creation. maxLength: 255 minLength: 1 nullable: true type: string created_at: type: string created_by: type: string description: description: Package policy description type: string elasticsearch: additionalProperties: true type: object properties: privileges: additionalProperties: true type: object properties: cluster: items: type: string maxItems: 100 type: array enabled: type: boolean global_data_tags: items: additionalProperties: false type: object properties: name: description: The name of the custom field. Cannot contain spaces. type: string value: anyOf: - type: string - type: number description: The value of the custom field. required: - name - value maxItems: 100 nullable: true type: array id: description: Package policy unique identifier. type: string inputs: anyOf: - items: additionalProperties: false type: object properties: compiled_input: {} config: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object deprecated: additionalProperties: false type: object properties: description: type: string replaced_by: additionalProperties: type: string type: object since: type: string required: - description enabled: type: boolean id: type: string keep_enabled: type: boolean migrate_from: type: string name: type: string policy_template: type: string streams: items: additionalProperties: false type: object properties: compiled_stream: {} config: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object data_stream: additionalProperties: false type: object properties: dataset: type: string elasticsearch: additionalProperties: false type: object properties: dynamic_dataset: type: boolean dynamic_namespace: type: boolean privileges: additionalProperties: false type: object properties: indices: items: type: string maxItems: 100 type: array type: type: string required: - dataset deprecated: additionalProperties: false type: object properties: description: type: string replaced_by: additionalProperties: type: string type: object since: type: string required: - description enabled: type: boolean id: type: string keep_enabled: type: boolean migrate_from: type: string release: enum: - ga - beta - experimental type: string var_group_selections: additionalProperties: type: string description: Variable group selections. Maps var_group name to the selected option name within that group. type: object vars: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object required: - enabled - data_stream - compiled_stream maxItems: 1000 type: array type: type: string var_group_selections: additionalProperties: type: string description: Variable group selections. Maps var_group name to the selected option name within that group. type: object vars: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object required: - type - enabled - streams - compiled_input maxItems: 100 type: array - additionalProperties: additionalProperties: false type: object properties: deprecated: additionalProperties: false type: object properties: description: type: string replaced_by: additionalProperties: type: string type: object since: type: string required: - description enabled: description: Enable or disable that input. Defaults to `true` (enabled). type: boolean streams: additionalProperties: additionalProperties: false type: object properties: deprecated: additionalProperties: false type: object properties: description: type: string replaced_by: additionalProperties: type: string type: object since: type: string required: - description enabled: description: Enable or disable that stream. Defaults to `true` (enabled). type: boolean var_group_selections: additionalProperties: type: string description: Variable group selections. Maps var_group name to the selected option name within that group. type: object vars: additionalProperties: anyOf: - type: string - type: number - type: boolean - items: type: string maxItems: 100 type: array - items: type: number maxItems: 100 type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable. Refer to the integration documentation for more information. type: object description: Input streams. Refer to the integration documentation to know which streams are available. type: object vars: additionalProperties: anyOf: - type: string - type: number - type: boolean - items: type: string maxItems: 100 type: array - items: type: number maxItems: 100 type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable. Refer to the integration documentation for more information. type: object description: Package policy inputs. Refer to the integration documentation to know which inputs are available. type: object x-oas-optional: true description: Package policy inputs. is_managed: type: boolean name: description: Unique name for the package policy. type: string namespace: description: The package policy namespace. Leave blank to inherit the agent policy's namespace. type: string output_id: nullable: true type: string overrides: additionalProperties: false description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. nullable: true type: object properties: inputs: additionalProperties: {} type: object package: additionalProperties: false type: object properties: experimental_data_stream_features: items: additionalProperties: false type: object properties: data_stream: type: string features: additionalProperties: false type: object properties: doc_value_only_numeric: type: boolean doc_value_only_other: type: boolean synthetic_source: type: boolean tsdb: type: boolean required: - data_stream - features maxItems: 100 type: array fips_compatible: type: boolean name: description: Package name type: string requires_root: type: boolean title: type: string version: description: Package version type: string required: - name - version package_agent_version_condition: type: string policy_id: deprecated: true description: ID of the agent policy which the package policy will be added to. nullable: true type: string policy_ids: items: description: IDs of the agent policies which that package policy will be added to. type: string maxItems: 1000 type: array revision: description: Package policy revision. type: number secret_references: items: additionalProperties: false type: object properties: id: type: string required: - id maxItems: 1000 type: array spaceIds: items: type: string maxItems: 100 type: array supports_agentless: default: false description: Indicates whether the package policy belongs to an agentless agent policy. nullable: true type: boolean supports_cloud_connector: default: false description: Indicates whether the package policy supports cloud connectors. nullable: true type: boolean updated_at: type: string updated_by: type: string var_group_selections: additionalProperties: type: string description: Variable group selections. Maps var_group name to the selected option name within that group. type: object vars: anyOf: - additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object - additionalProperties: anyOf: - type: string - type: number - type: boolean - items: type: string maxItems: 100 type: array - items: type: number maxItems: 100 type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable. Refer to the integration documentation for more information. type: object x-oas-optional: true description: Package level variable. version: description: Package policy ES version. type: string required: - name - enabled - inputs - id - revision - updated_at - updated_by - created_at - created_by maxItems: 10000 type: array required_versions: items: additionalProperties: false type: object properties: percentage: description: Target percentage of agents to auto upgrade maximum: 100 minimum: 0 type: number version: description: Target version for automatic agent upgrade type: string required: - version - percentage maxItems: 100 nullable: true type: array revision: type: number schema_version: type: string space_ids: items: type: string maxItems: 100 type: array status: enum: - active - inactive type: string supports_agentless: default: false description: Indicates whether the agent policy supports agentless integrations. nullable: true type: boolean unenroll_timeout: minimum: 0 type: number unprivileged_agents: type: number updated_at: type: string updated_by: type: string version: type: string required: - id - name - namespace - is_protected - status - updated_at - updated_by - revision required: - item description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request '404': content: application/json: examples: notFoundExample: description: No agent policy was found with the given ID value: error: Not Found message: Agent policy not found statusCode: 404 description: Not Found summary: Get an agent policy tags: - Elastic Agent policies x-metaTags: - content: Kibana name: product_name put: description: |- **Spaces method and path for this operation:**
put /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Update an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all. operationId: put-fleet-agent-policies-agentpolicyid parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The ID of the agent policy in: path name: agentPolicyId required: true schema: type: string - description: 'Format for the response: simplified or legacy' in: query name: format required: false schema: enum: - simplified - legacy type: string requestBody: content: application/json: examples: putAgentPolicyRequestExample: description: Update an agent policy value: description: An updated agent policy description monitoring_enabled: - logs name: Updated agent policy namespace: default schema: additionalProperties: false type: object properties: advanced_settings: additionalProperties: false type: object properties: agent_download_target_directory: nullable: true agent_download_timeout: nullable: true agent_features_disable_policy_change_acks_enabled: nullable: true agent_internal: nullable: true agent_limits_go_max_procs: nullable: true agent_logging_files_interval: nullable: true agent_logging_files_keepfiles: nullable: true agent_logging_files_rotateeverybytes: nullable: true agent_logging_level: nullable: true agent_logging_metrics_period: nullable: true agent_logging_to_files: nullable: true agent_monitoring_runtime_experimental: nullable: true agent_features: items: additionalProperties: false type: object properties: enabled: type: boolean name: type: string required: - name - enabled maxItems: 100 type: array agentless: additionalProperties: false type: object properties: cloud_connectors: additionalProperties: false type: object properties: enabled: type: boolean target_csp: enum: - aws - azure - gcp type: string required: - enabled resources: additionalProperties: false type: object properties: requests: additionalProperties: false type: object properties: cpu: type: string memory: type: string bumpRevision: type: boolean data_output_id: nullable: true type: string description: type: string download_source_id: nullable: true type: string fleet_server_host_id: nullable: true type: string force: type: boolean global_data_tags: description: User defined data tags that are added to all of the inputs. The values can be strings or numbers. items: additionalProperties: false type: object properties: name: type: string value: anyOf: - type: string - type: number required: - name - value maxItems: 100 type: array has_agent_version_conditions: type: boolean has_fleet_server: type: boolean id: type: string inactivity_timeout: default: 1209600 minimum: 0 type: number is_default: type: boolean is_default_fleet_server: type: boolean is_managed: type: boolean is_protected: type: boolean is_verifier: description: Indicates this is a short-lived verifier policy used for OTel permission verification. type: boolean keep_monitoring_alive: default: false description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled nullable: true type: boolean monitoring_diagnostics: additionalProperties: false type: object properties: limit: additionalProperties: false type: object properties: burst: type: number interval: type: string uploader: additionalProperties: false type: object properties: init_dur: type: string max_dur: type: string max_retries: type: number monitoring_enabled: items: enum: - logs - metrics - traces type: string maxItems: 3 type: array monitoring_http: additionalProperties: false type: object properties: buffer: additionalProperties: false type: object properties: enabled: default: false type: boolean enabled: type: boolean host: type: string port: maximum: 65353 minimum: 0 type: number monitoring_output_id: nullable: true type: string monitoring_pprof_enabled: type: boolean name: minLength: 1 type: string namespace: minLength: 1 type: string overrides: additionalProperties: {} description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure. nullable: true type: object required_versions: items: additionalProperties: false type: object properties: percentage: description: Target percentage of agents to auto upgrade maximum: 100 minimum: 0 type: number version: description: Target version for automatic agent upgrade type: string required: - version - percentage maxItems: 100 nullable: true type: array space_ids: items: type: string maxItems: 100 type: array supports_agentless: default: false deprecated: true description: Indicates whether the agent policy supports agentless integrations. Deprecated in favor of the Fleet agentless policies API. nullable: true type: boolean unenroll_timeout: minimum: 0 type: number required: - name - namespace responses: '200': content: application/json: examples: putAgentPolicyExample: description: The updated agent policy value: item: description: An updated agent policy description id: agent-policy-id-1 is_managed: false is_protected: false name: Updated agent policy namespace: default revision: 2 status: active updated_at: '2024-01-15T11:00:00.000Z' updated_by: user1 schema: additionalProperties: false type: object properties: item: additionalProperties: false type: object properties: advanced_settings: additionalProperties: false type: object properties: agent_download_target_directory: nullable: true agent_download_timeout: nullable: true agent_features_disable_policy_change_acks_enabled: nullable: true agent_internal: nullable: true agent_limits_go_max_procs: nullable: true agent_logging_files_interval: nullable: true agent_logging_files_keepfiles: nullable: true agent_logging_files_rotateeverybytes: nullable: true agent_logging_level: nullable: true agent_logging_metrics_period: nullable: true agent_logging_to_files: nullable: true agent_monitoring_runtime_experimental: nullable: true agent_features: items: additionalProperties: false type: object properties: enabled: type: boolean name: type: string required: - name - enabled maxItems: 100 type: array agentless: additionalProperties: false type: object properties: cloud_connectors: additionalProperties: false type: object properties: enabled: type: boolean target_csp: enum: - aws - azure - gcp type: string required: - enabled resources: additionalProperties: false type: object properties: requests: additionalProperties: false type: object properties: cpu: type: string memory: type: string agents: type: number agents_per_version: items: additionalProperties: false type: object properties: count: type: number version: type: string required: - version - count maxItems: 1000 type: array created_at: type: string data_output_id: nullable: true type: string description: type: string download_source_id: nullable: true type: string fips_agents: type: number fleet_server_host_id: nullable: true type: string global_data_tags: description: User defined data tags that are added to all of the inputs. The values can be strings or numbers. items: additionalProperties: false type: object properties: name: type: string value: anyOf: - type: string - type: number required: - name - value maxItems: 100 type: array has_agent_version_conditions: type: boolean has_fleet_server: type: boolean id: type: string inactivity_timeout: default: 1209600 minimum: 0 type: number is_default: type: boolean is_default_fleet_server: type: boolean is_managed: type: boolean is_preconfigured: type: boolean is_protected: description: Indicates whether the agent policy has tamper protection enabled. Default false. type: boolean is_verifier: description: Indicates this is a short-lived verifier policy used for OTel permission verification. type: boolean keep_monitoring_alive: default: false description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled nullable: true type: boolean min_agent_version: nullable: true type: string monitoring_diagnostics: additionalProperties: false type: object properties: limit: additionalProperties: false type: object properties: burst: type: number interval: type: string uploader: additionalProperties: false type: object properties: init_dur: type: string max_dur: type: string max_retries: type: number monitoring_enabled: items: enum: - logs - metrics - traces type: string maxItems: 3 type: array monitoring_http: additionalProperties: false type: object properties: buffer: additionalProperties: false type: object properties: enabled: default: false type: boolean enabled: type: boolean host: type: string port: maximum: 65353 minimum: 0 type: number monitoring_output_id: nullable: true type: string monitoring_pprof_enabled: type: boolean name: minLength: 1 type: string namespace: minLength: 1 type: string overrides: additionalProperties: {} description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure. nullable: true type: object package_agent_version_conditions: items: additionalProperties: false type: object properties: name: type: string title: type: string version_condition: type: string required: - name - title - version_condition maxItems: 1000 nullable: true type: array package_policies: anyOf: - items: type: string maxItems: 10000 type: array - description: This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter items: additionalProperties: false type: object properties: additional_datastreams_permissions: description: Additional datastream permissions, that will be added to the agent policy. items: type: string maxItems: 1000 nullable: true type: array agents: type: number cloud_connector_id: description: ID of the cloud connector associated with this package policy. nullable: true type: string cloud_connector_name: description: Transient field for cloud connector name during creation. maxLength: 255 minLength: 1 nullable: true type: string created_at: type: string created_by: type: string description: description: Package policy description type: string elasticsearch: additionalProperties: true type: object properties: privileges: additionalProperties: true type: object properties: cluster: items: type: string maxItems: 100 type: array enabled: type: boolean global_data_tags: items: additionalProperties: false type: object properties: name: description: The name of the custom field. Cannot contain spaces. type: string value: anyOf: - type: string - type: number description: The value of the custom field. required: - name - value maxItems: 100 nullable: true type: array id: description: Package policy unique identifier. type: string inputs: anyOf: - items: additionalProperties: false type: object properties: compiled_input: {} config: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object deprecated: additionalProperties: false type: object properties: description: type: string replaced_by: additionalProperties: type: string type: object since: type: string required: - description enabled: type: boolean id: type: string keep_enabled: type: boolean migrate_from: type: string name: type: string policy_template: type: string streams: items: additionalProperties: false type: object properties: compiled_stream: {} config: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object data_stream: additionalProperties: false type: object properties: dataset: type: string elasticsearch: additionalProperties: false type: object properties: dynamic_dataset: type: boolean dynamic_namespace: type: boolean privileges: additionalProperties: false type: object properties: indices: items: type: string maxItems: 100 type: array type: type: string required: - dataset deprecated: additionalProperties: false type: object properties: description: type: string replaced_by: additionalProperties: type: string type: object since: type: string required: - description enabled: type: boolean id: type: string keep_enabled: type: boolean migrate_from: type: string release: enum: - ga - beta - experimental type: string var_group_selections: additionalProperties: type: string description: Variable group selections. Maps var_group name to the selected option name within that group. type: object vars: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object required: - enabled - data_stream - compiled_stream maxItems: 1000 type: array type: type: string var_group_selections: additionalProperties: type: string description: Variable group selections. Maps var_group name to the selected option name within that group. type: object vars: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object required: - type - enabled - streams - compiled_input maxItems: 100 type: array - additionalProperties: additionalProperties: false type: object properties: deprecated: additionalProperties: false type: object properties: description: type: string replaced_by: additionalProperties: type: string type: object since: type: string required: - description enabled: description: Enable or disable that input. Defaults to `true` (enabled). type: boolean streams: additionalProperties: additionalProperties: false type: object properties: deprecated: additionalProperties: false type: object properties: description: type: string replaced_by: additionalProperties: type: string type: object since: type: string required: - description enabled: description: Enable or disable that stream. Defaults to `true` (enabled). type: boolean var_group_selections: additionalProperties: type: string description: Variable group selections. Maps var_group name to the selected option name within that group. type: object vars: additionalProperties: anyOf: - type: string - type: number - type: boolean - items: type: string maxItems: 100 type: array - items: type: number maxItems: 100 type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable. Refer to the integration documentation for more information. type: object description: Input streams. Refer to the integration documentation to know which streams are available. type: object vars: additionalProperties: anyOf: - type: string - type: number - type: boolean - items: type: string maxItems: 100 type: array - items: type: number maxItems: 100 type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable. Refer to the integration documentation for more information. type: object description: Package policy inputs. Refer to the integration documentation to know which inputs are available. type: object x-oas-optional: true description: Package policy inputs. is_managed: type: boolean name: description: Unique name for the package policy. type: string namespace: description: The package policy namespace. Leave blank to inherit the agent policy's namespace. type: string output_id: nullable: true type: string overrides: additionalProperties: false description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. nullable: true type: object properties: inputs: additionalProperties: {} type: object package: additionalProperties: false type: object properties: experimental_data_stream_features: items: additionalProperties: false type: object properties: data_stream: type: string features: additionalProperties: false type: object properties: doc_value_only_numeric: type: boolean doc_value_only_other: type: boolean synthetic_source: type: boolean tsdb: type: boolean required: - data_stream - features maxItems: 100 type: array fips_compatible: type: boolean name: description: Package name type: string requires_root: type: boolean title: type: string version: description: Package version type: string required: - name - version package_agent_version_condition: type: string policy_id: deprecated: true description: ID of the agent policy which the package policy will be added to. nullable: true type: string policy_ids: items: description: IDs of the agent policies which that package policy will be added to. type: string maxItems: 1000 type: array revision: description: Package policy revision. type: number secret_references: items: additionalProperties: false type: object properties: id: type: string required: - id maxItems: 1000 type: array spaceIds: items: type: string maxItems: 100 type: array supports_agentless: default: false description: Indicates whether the package policy belongs to an agentless agent policy. nullable: true type: boolean supports_cloud_connector: default: false description: Indicates whether the package policy supports cloud connectors. nullable: true type: boolean updated_at: type: string updated_by: type: string var_group_selections: additionalProperties: type: string description: Variable group selections. Maps var_group name to the selected option name within that group. type: object vars: anyOf: - additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object - additionalProperties: anyOf: - type: string - type: number - type: boolean - items: type: string maxItems: 100 type: array - items: type: number maxItems: 100 type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable. Refer to the integration documentation for more information. type: object x-oas-optional: true description: Package level variable. version: description: Package policy ES version. type: string required: - name - enabled - inputs - id - revision - updated_at - updated_by - created_at - created_by maxItems: 10000 type: array required_versions: items: additionalProperties: false type: object properties: percentage: description: Target percentage of agents to auto upgrade maximum: 100 minimum: 0 type: number version: description: Target version for automatic agent upgrade type: string required: - version - percentage maxItems: 100 nullable: true type: array revision: type: number schema_version: type: string space_ids: items: type: string maxItems: 100 type: array status: enum: - active - inactive type: string supports_agentless: default: false description: Indicates whether the agent policy supports agentless integrations. nullable: true type: boolean unenroll_timeout: minimum: 0 type: number unprivileged_agents: type: number updated_at: type: string updated_by: type: string version: type: string required: - id - name - namespace - is_protected - status - updated_at - updated_by - revision required: - item description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Update an agent policy tags: - Elastic Agent policies x-metaTags: - content: Kibana name: product_name /api/fleet/agent_policies/{agentPolicyId}/auto_upgrade_agents_status: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}/auto_upgrade_agents_status
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get the auto-upgrade status for agents assigned to an agent policy.

[Required authorization] Route required privileges: fleet-agents-read. operationId: get-fleet-agent-policies-agentpolicyid-auto-upgrade-agents-status parameters: - description: The ID of the agent policy in: path name: agentPolicyId required: true schema: type: string responses: '200': content: application/json: examples: getAutoUpgradeAgentsStatusExample: description: Auto-upgrade status for agents in the policy value: agentsCount: 5 currentVersion: 8.16.0 failedAgentsCount: 0 upgradedAgentsCount: 3 upgradingAgentsCount: 1 schema: additionalProperties: false type: object properties: currentVersions: items: additionalProperties: false type: object properties: agents: description: Number of agents that upgraded to this version type: number failedUpgradeActionIds: description: List of action IDs related to failed upgrades items: type: string maxItems: 1000 type: array failedUpgradeAgents: description: Number of agents that failed to upgrade to this version type: number inProgressUpgradeActionIds: description: List of action IDs related to in-progress upgrades items: type: string maxItems: 1000 type: array inProgressUpgradeAgents: description: Number of agents that are upgrading to this version type: number version: description: Agent version type: string required: - version - agents - failedUpgradeAgents - inProgressUpgradeAgents maxItems: 10000 type: array totalAgents: type: number required: - currentVersions - totalAgents description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Get auto upgrade agent status tags: - Elastic Agent policies x-metaTags: - content: Kibana name: product_name /api/fleet/agent_policies/{agentPolicyId}/copy: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}/copy
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Copy an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all. operationId: post-fleet-agent-policies-agentpolicyid-copy parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The ID of the agent policy in: path name: agentPolicyId required: true schema: type: string - description: 'Format for the response: simplified or legacy' in: query name: format required: false schema: enum: - simplified - legacy type: string requestBody: content: application/json: examples: postCopyAgentPolicyRequestExample: description: Copy an agent policy with a new name value: description: A copy of the original agent policy name: Copy of my agent policy schema: additionalProperties: false type: object properties: description: type: string name: minLength: 1 type: string required: - name responses: '200': content: application/json: examples: postCopyAgentPolicyExample: description: The copied agent policy value: item: description: A copy of the original agent policy id: agent-policy-id-copy-1 is_managed: false is_protected: false name: Copy of my agent policy namespace: default revision: 1 status: active updated_at: '2024-01-15T11:00:00.000Z' updated_by: user1 schema: additionalProperties: false type: object properties: item: additionalProperties: false type: object properties: advanced_settings: additionalProperties: false type: object properties: agent_download_target_directory: nullable: true agent_download_timeout: nullable: true agent_features_disable_policy_change_acks_enabled: nullable: true agent_internal: nullable: true agent_limits_go_max_procs: nullable: true agent_logging_files_interval: nullable: true agent_logging_files_keepfiles: nullable: true agent_logging_files_rotateeverybytes: nullable: true agent_logging_level: nullable: true agent_logging_metrics_period: nullable: true agent_logging_to_files: nullable: true agent_monitoring_runtime_experimental: nullable: true agent_features: items: additionalProperties: false type: object properties: enabled: type: boolean name: type: string required: - name - enabled maxItems: 100 type: array agentless: additionalProperties: false type: object properties: cloud_connectors: additionalProperties: false type: object properties: enabled: type: boolean target_csp: enum: - aws - azure - gcp type: string required: - enabled resources: additionalProperties: false type: object properties: requests: additionalProperties: false type: object properties: cpu: type: string memory: type: string agents: type: number agents_per_version: items: additionalProperties: false type: object properties: count: type: number version: type: string required: - version - count maxItems: 1000 type: array created_at: type: string data_output_id: nullable: true type: string description: type: string download_source_id: nullable: true type: string fips_agents: type: number fleet_server_host_id: nullable: true type: string global_data_tags: description: User defined data tags that are added to all of the inputs. The values can be strings or numbers. items: additionalProperties: false type: object properties: name: type: string value: anyOf: - type: string - type: number required: - name - value maxItems: 100 type: array has_agent_version_conditions: type: boolean has_fleet_server: type: boolean id: type: string inactivity_timeout: default: 1209600 minimum: 0 type: number is_default: type: boolean is_default_fleet_server: type: boolean is_managed: type: boolean is_preconfigured: type: boolean is_protected: description: Indicates whether the agent policy has tamper protection enabled. Default false. type: boolean is_verifier: description: Indicates this is a short-lived verifier policy used for OTel permission verification. type: boolean keep_monitoring_alive: default: false description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled nullable: true type: boolean min_agent_version: nullable: true type: string monitoring_diagnostics: additionalProperties: false type: object properties: limit: additionalProperties: false type: object properties: burst: type: number interval: type: string uploader: additionalProperties: false type: object properties: init_dur: type: string max_dur: type: string max_retries: type: number monitoring_enabled: items: enum: - logs - metrics - traces type: string maxItems: 3 type: array monitoring_http: additionalProperties: false type: object properties: buffer: additionalProperties: false type: object properties: enabled: default: false type: boolean enabled: type: boolean host: type: string port: maximum: 65353 minimum: 0 type: number monitoring_output_id: nullable: true type: string monitoring_pprof_enabled: type: boolean name: minLength: 1 type: string namespace: minLength: 1 type: string overrides: additionalProperties: {} description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure. nullable: true type: object package_agent_version_conditions: items: additionalProperties: false type: object properties: name: type: string title: type: string version_condition: type: string required: - name - title - version_condition maxItems: 1000 nullable: true type: array package_policies: anyOf: - items: type: string maxItems: 10000 type: array - description: This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter items: additionalProperties: false type: object properties: additional_datastreams_permissions: description: Additional datastream permissions, that will be added to the agent policy. items: type: string maxItems: 1000 nullable: true type: array agents: type: number cloud_connector_id: description: ID of the cloud connector associated with this package policy. nullable: true type: string cloud_connector_name: description: Transient field for cloud connector name during creation. maxLength: 255 minLength: 1 nullable: true type: string created_at: type: string created_by: type: string description: description: Package policy description type: string elasticsearch: additionalProperties: true type: object properties: privileges: additionalProperties: true type: object properties: cluster: items: type: string maxItems: 100 type: array enabled: type: boolean global_data_tags: items: additionalProperties: false type: object properties: name: description: The name of the custom field. Cannot contain spaces. type: string value: anyOf: - type: string - type: number description: The value of the custom field. required: - name - value maxItems: 100 nullable: true type: array id: description: Package policy unique identifier. type: string inputs: anyOf: - items: additionalProperties: false type: object properties: compiled_input: {} config: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object deprecated: additionalProperties: false type: object properties: description: type: string replaced_by: additionalProperties: type: string type: object since: type: string required: - description enabled: type: boolean id: type: string keep_enabled: type: boolean migrate_from: type: string name: type: string policy_template: type: string streams: items: additionalProperties: false type: object properties: compiled_stream: {} config: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object data_stream: additionalProperties: false type: object properties: dataset: type: string elasticsearch: additionalProperties: false type: object properties: dynamic_dataset: type: boolean dynamic_namespace: type: boolean privileges: additionalProperties: false type: object properties: indices: items: type: string maxItems: 100 type: array type: type: string required: - dataset deprecated: additionalProperties: false type: object properties: description: type: string replaced_by: additionalProperties: type: string type: object since: type: string required: - description enabled: type: boolean id: type: string keep_enabled: type: boolean migrate_from: type: string release: enum: - ga - beta - experimental type: string var_group_selections: additionalProperties: type: string description: Variable group selections. Maps var_group name to the selected option name within that group. type: object vars: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object required: - enabled - data_stream - compiled_stream maxItems: 1000 type: array type: type: string var_group_selections: additionalProperties: type: string description: Variable group selections. Maps var_group name to the selected option name within that group. type: object vars: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object required: - type - enabled - streams - compiled_input maxItems: 100 type: array - additionalProperties: additionalProperties: false type: object properties: deprecated: additionalProperties: false type: object properties: description: type: string replaced_by: additionalProperties: type: string type: object since: type: string required: - description enabled: description: Enable or disable that input. Defaults to `true` (enabled). type: boolean streams: additionalProperties: additionalProperties: false type: object properties: deprecated: additionalProperties: false type: object properties: description: type: string replaced_by: additionalProperties: type: string type: object since: type: string required: - description enabled: description: Enable or disable that stream. Defaults to `true` (enabled). type: boolean var_group_selections: additionalProperties: type: string description: Variable group selections. Maps var_group name to the selected option name within that group. type: object vars: additionalProperties: anyOf: - type: string - type: number - type: boolean - items: type: string maxItems: 100 type: array - items: type: number maxItems: 100 type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable. Refer to the integration documentation for more information. type: object description: Input streams. Refer to the integration documentation to know which streams are available. type: object vars: additionalProperties: anyOf: - type: string - type: number - type: boolean - items: type: string maxItems: 100 type: array - items: type: number maxItems: 100 type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable. Refer to the integration documentation for more information. type: object description: Package policy inputs. Refer to the integration documentation to know which inputs are available. type: object x-oas-optional: true description: Package policy inputs. is_managed: type: boolean name: description: Unique name for the package policy. type: string namespace: description: The package policy namespace. Leave blank to inherit the agent policy's namespace. type: string output_id: nullable: true type: string overrides: additionalProperties: false description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. nullable: true type: object properties: inputs: additionalProperties: {} type: object package: additionalProperties: false type: object properties: experimental_data_stream_features: items: additionalProperties: false type: object properties: data_stream: type: string features: additionalProperties: false type: object properties: doc_value_only_numeric: type: boolean doc_value_only_other: type: boolean synthetic_source: type: boolean tsdb: type: boolean required: - data_stream - features maxItems: 100 type: array fips_compatible: type: boolean name: description: Package name type: string requires_root: type: boolean title: type: string version: description: Package version type: string required: - name - version package_agent_version_condition: type: string policy_id: deprecated: true description: ID of the agent policy which the package policy will be added to. nullable: true type: string policy_ids: items: description: IDs of the agent policies which that package policy will be added to. type: string maxItems: 1000 type: array revision: description: Package policy revision. type: number secret_references: items: additionalProperties: false type: object properties: id: type: string required: - id maxItems: 1000 type: array spaceIds: items: type: string maxItems: 100 type: array supports_agentless: default: false description: Indicates whether the package policy belongs to an agentless agent policy. nullable: true type: boolean supports_cloud_connector: default: false description: Indicates whether the package policy supports cloud connectors. nullable: true type: boolean updated_at: type: string updated_by: type: string var_group_selections: additionalProperties: type: string description: Variable group selections. Maps var_group name to the selected option name within that group. type: object vars: anyOf: - additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object - additionalProperties: anyOf: - type: string - type: number - type: boolean - items: type: string maxItems: 100 type: array - items: type: number maxItems: 100 type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable. Refer to the integration documentation for more information. type: object x-oas-optional: true description: Package level variable. version: description: Package policy ES version. type: string required: - name - enabled - inputs - id - revision - updated_at - updated_by - created_at - created_by maxItems: 10000 type: array required_versions: items: additionalProperties: false type: object properties: percentage: description: Target percentage of agents to auto upgrade maximum: 100 minimum: 0 type: number version: description: Target version for automatic agent upgrade type: string required: - version - percentage maxItems: 100 nullable: true type: array revision: type: number schema_version: type: string space_ids: items: type: string maxItems: 100 type: array status: enum: - active - inactive type: string supports_agentless: default: false description: Indicates whether the agent policy supports agentless integrations. nullable: true type: boolean unenroll_timeout: minimum: 0 type: number unprivileged_agents: type: number updated_at: type: string updated_by: type: string version: type: string required: - id - name - namespace - is_protected - status - updated_at - updated_by - revision required: - item description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Copy an agent policy tags: - Elastic Agent policies x-metaTags: - content: Kibana name: product_name /api/fleet/agent_policies/{agentPolicyId}/download: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}/download
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Download an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-setup. operationId: get-fleet-agent-policies-agentpolicyid-download parameters: - description: The ID of the agent policy in: path name: agentPolicyId required: true schema: type: string - description: If true, returns the policy as a downloadable file in: query name: download required: false schema: type: boolean - description: If true, returns the policy formatted for standalone agents in: query name: standalone required: false schema: type: boolean - description: If true, returns the policy formatted for Kubernetes deployment in: query name: kubernetes required: false schema: type: boolean - description: If provided, returns the policy at the specified revision. Cannot be used with standalone or kubernetes flags. in: query name: revision required: false schema: type: number responses: '200': content: application/json: examples: getDownloadAgentPolicyExample: description: The agent policy download response value: item: 'id: agent-policy-id-1\nrevision: 1\noutputs:\n default:\n type: elasticsearch\n hosts:\n - https://elasticsearch.example.com:9200\n' schema: type: string description: Successful response — returns the agent policy as a YAML file download '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request '404': content: application/json: examples: notFoundExample: description: No agent policy was found with the given ID value: error: Not Found message: Agent policy not found statusCode: 404 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Not Found summary: Download an agent policy tags: - Elastic Agent policies x-metaTags: - content: Kibana name: product_name /api/fleet/agent_policies/{agentPolicyId}/full: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}/full
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get a full agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read. operationId: get-fleet-agent-policies-agentpolicyid-full parameters: - description: The ID of the agent policy in: path name: agentPolicyId required: true schema: type: string - description: If true, returns the policy as a downloadable file in: query name: download required: false schema: type: boolean - description: If true, returns the policy formatted for standalone agents in: query name: standalone required: false schema: type: boolean - description: If true, returns the policy formatted for Kubernetes deployment in: query name: kubernetes required: false schema: type: boolean - description: If provided, returns the policy at the specified revision. Cannot be used with standalone or kubernetes flags. in: query name: revision required: false schema: type: number responses: '200': content: application/json: examples: getFullAgentPolicyExample: description: The full agent policy configuration value: item: agent: monitoring: logs: true metrics: true id: agent-policy-id-1 inputs: [] outputs: default: hosts: - https://elasticsearch.example.com:9200 type: elasticsearch revision: 1 schema: additionalProperties: false type: object properties: item: anyOf: - type: string - additionalProperties: false type: object properties: agent: additionalProperties: false type: object properties: download: additionalProperties: false type: object properties: auth: additionalProperties: false type: object properties: api_key: type: string headers: items: additionalProperties: false type: object properties: key: type: string value: type: string required: - key - value maxItems: 100 type: array password: type: string username: type: string proxy_headers: additionalProperties: anyOf: - type: string - type: boolean - type: number nullable: true type: object proxy_url: type: string secrets: additionalProperties: true type: object properties: ssl: additionalProperties: true type: object properties: key: additionalProperties: true type: object properties: id: type: string required: - key sourceURI: type: string ssl: additionalProperties: false type: object properties: certificate: type: string certificate_authorities: items: type: string maxItems: 10 type: array key: type: string renegotiation: type: string verification_mode: type: string target_directory: type: string timeout: type: string required: - sourceURI features: additionalProperties: additionalProperties: false type: object properties: enabled: type: boolean required: - enabled type: object internal: {} limits: additionalProperties: false type: object properties: go_max_procs: type: number logging: additionalProperties: false type: object properties: files: additionalProperties: false type: object properties: interval: type: string keepfiles: type: number rotateeverybytes: type: number level: type: string metrics: additionalProperties: false type: object properties: period: type: string to_files: type: boolean monitoring: additionalProperties: false type: object properties: _runtime_experimental: type: string apm: {} diagnostics: additionalProperties: false type: object properties: limit: additionalProperties: false type: object properties: burst: type: number interval: type: string uploader: additionalProperties: false type: object properties: init_dur: type: string max_dur: type: string max_retries: type: number enabled: type: boolean http: additionalProperties: false type: object properties: enabled: type: boolean host: type: string port: type: number logs: type: boolean metrics: type: boolean namespace: type: string pprof: additionalProperties: false type: object properties: enabled: type: boolean required: - enabled traces: type: boolean use_output: type: string required: - enabled - metrics - logs - traces - apm protection: additionalProperties: false type: object properties: enabled: type: boolean signing_key: type: string uninstall_token_hash: type: string required: - enabled - uninstall_token_hash - signing_key required: - monitoring - download - features - internal connectors: additionalProperties: {} type: object exporters: additionalProperties: {} type: object extensions: additionalProperties: {} type: object fleet: anyOf: - additionalProperties: false type: object properties: hosts: items: type: string maxItems: 100 type: array proxy_headers: additionalProperties: anyOf: - type: string - type: boolean - type: number nullable: true type: object proxy_url: type: string secrets: additionalProperties: true type: object properties: ssl: additionalProperties: true type: object properties: key: additionalProperties: true type: object properties: id: type: string required: - key ssl: additionalProperties: false type: object properties: certificate: type: string certificate_authorities: items: type: string maxItems: 10 type: array key: type: string renegotiation: type: string verification_mode: type: string required: - hosts - additionalProperties: false type: object properties: kibana: additionalProperties: false type: object properties: hosts: items: type: string maxItems: 100 type: array path: type: string protocol: type: string required: - hosts - protocol required: - kibana id: type: string inputs: items: additionalProperties: true type: object properties: data_stream: additionalProperties: true type: object properties: namespace: type: string required: - namespace id: type: string meta: additionalProperties: true type: object properties: package: additionalProperties: true type: object properties: name: type: string version: type: string required: - name - version name: type: string package_policy_id: type: string processors: items: additionalProperties: true type: object properties: add_fields: additionalProperties: true type: object properties: fields: additionalProperties: anyOf: - type: string - type: number type: object target: type: string required: - target - fields required: - add_fields maxItems: 10000 type: array revision: type: number streams: items: additionalProperties: true type: object properties: data_stream: additionalProperties: true type: object properties: dataset: type: string type: type: string required: - dataset id: type: string required: - id - data_stream maxItems: 10000 type: array type: type: string use_output: type: string required: - id - name - revision - type - data_stream - use_output - package_policy_id maxItems: 10000 type: array namespaces: items: type: string maxItems: 100 type: array output_permissions: additionalProperties: additionalProperties: {} type: object type: object outputs: additionalProperties: additionalProperties: true type: object properties: ca_sha256: nullable: true type: string hosts: items: type: string maxItems: 100 type: array proxy_headers: additionalProperties: anyOf: - type: string - type: boolean - type: number nullable: true type: object proxy_url: type: string type: type: string required: - type type: object processors: additionalProperties: {} type: object receivers: additionalProperties: {} type: object revision: type: number secret_references: items: additionalProperties: false type: object properties: id: type: string required: - id maxItems: 10000 type: array service: additionalProperties: false type: object properties: extensions: items: type: string maxItems: 1000 type: array pipelines: additionalProperties: additionalProperties: false type: object properties: exporters: items: type: string maxItems: 1000 type: array processors: items: type: string maxItems: 1000 type: array receivers: items: type: string maxItems: 1000 type: array x-oas-optional: true type: object signed: additionalProperties: false type: object properties: data: type: string signature: type: string required: - data - signature required: - id - outputs - inputs required: - item description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request '404': content: application/json: examples: notFoundExample: description: No agent policy was found with the given ID value: error: Not Found message: Agent policy not found statusCode: 404 description: Not Found summary: Get a full agent policy tags: - Elastic Agent policies x-metaTags: - content: Kibana name: product_name /api/fleet/agent_policies/{agentPolicyId}/outputs: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}/outputs
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get a list of outputs associated with agent policy by policy id.

[Required authorization] Route required privileges: fleet-agent-policies-read AND fleet-settings-read. operationId: get-fleet-agent-policies-agentpolicyid-outputs parameters: - description: The ID of the agent policy in: path name: agentPolicyId required: true schema: type: string responses: '200': content: application/json: examples: getAgentPolicyOutputsExample: description: Outputs associated with the agent policy value: item: data_output: id: output-id-1 name: Default output type: elasticsearch monitoring_output: id: output-id-1 name: Default output type: elasticsearch schema: additionalProperties: false type: object properties: item: additionalProperties: false type: object properties: agentPolicyId: type: string data: additionalProperties: false type: object properties: integrations: items: additionalProperties: false type: object properties: id: type: string integrationPolicyName: type: string name: type: string pkgName: type: string maxItems: 1000 type: array output: additionalProperties: false type: object properties: id: type: string name: type: string required: - id - name required: - output monitoring: additionalProperties: false type: object properties: output: additionalProperties: false type: object properties: id: type: string name: type: string required: - id - name required: - output required: - monitoring - data required: - item description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request '404': content: application/json: examples: notFoundExample: description: No agent policy was found with the given ID value: error: Not Found message: Agent policy not found statusCode: 404 description: Not Found summary: Get outputs for an agent policy tags: - Elastic Agent policies x-metaTags: - content: Kibana name: product_name /api/fleet/agent_policies/delete: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/fleet/agent_policies/delete
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Delete an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all. operationId: post-fleet-agent-policies-delete parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: examples: postDeleteAgentPolicyRequestExample: description: Delete an agent policy by ID value: agentPolicyId: agent-policy-id-1 schema: additionalProperties: false type: object properties: agentPolicyId: description: The ID of the agent policy type: string force: description: bypass validation checks that can prevent agent policy deletion type: boolean required: - agentPolicyId responses: '200': content: application/json: examples: postDeleteAgentPolicyExample: description: The agent policy was successfully deleted value: id: agent-policy-id-1 name: My agent policy schema: additionalProperties: false type: object properties: id: type: string name: type: string required: - id - name description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Delete an agent policy tags: - Elastic Agent policies x-metaTags: - content: Kibana name: product_name /api/fleet/agent_policies/outputs: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/fleet/agent_policies/outputs
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get a list of outputs associated with agent policies.

[Required authorization] Route required privileges: fleet-agent-policies-read AND fleet-settings-read. operationId: post-fleet-agent-policies-outputs parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: examples: postListAgentPolicyOutputsRequestExample: description: Get outputs for multiple agent policies value: ids: - agent-policy-id-1 - agent-policy-id-2 schema: additionalProperties: false type: object properties: ids: description: list of package policy ids items: type: string maxItems: 1000 type: array required: - ids responses: '200': content: application/json: examples: postListAgentPolicyOutputsExample: description: Outputs associated with the requested agent policies value: items: - agent_policy_id: agent-policy-id-1 data_output: id: output-id-1 name: Default output type: elasticsearch monitoring_output: id: output-id-1 name: Default output type: elasticsearch schema: additionalProperties: false type: object properties: items: items: additionalProperties: false type: object properties: agentPolicyId: type: string data: additionalProperties: false type: object properties: integrations: items: additionalProperties: false type: object properties: id: type: string integrationPolicyName: type: string name: type: string pkgName: type: string maxItems: 1000 type: array output: additionalProperties: false type: object properties: id: type: string name: type: string required: - id - name required: - output monitoring: additionalProperties: false type: object properties: output: additionalProperties: false type: object properties: id: type: string name: type: string required: - id - name required: - output required: - monitoring - data maxItems: 10000 type: array required: - items description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Get outputs for agent policies tags: - Elastic Agent policies x-metaTags: - content: Kibana name: product_name /api/fleet/agent_status: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/fleet/agent_status
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get a summary of agent statuses for a given agent policy. operationId: get-fleet-agent-status parameters: - description: Filter by agent policy ID in: query name: policyId required: false schema: type: string - description: Filter by one or more agent policy IDs in: query name: policyIds required: false schema: items: type: string maxItems: 1000 type: array - description: A KQL query string to filter results in: query name: kuery required: false schema: type: string responses: '200': content: application/json: examples: getAgentStatusExample: description: Agent status summary for an agent policy value: results: error: 1 offline: 2 online: 5 other: 0 updating: 0 totalInactive: 0 schema: additionalProperties: false type: object properties: results: additionalProperties: false type: object properties: active: type: number all: type: number error: type: number events: type: number inactive: type: number offline: type: number online: type: number orphaned: type: number other: type: number unenrolled: type: number uninstalled: type: number updating: type: number required: - events - online - error - offline - other - updating - inactive - unenrolled - all - active required: - results description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Get an agent status summary tags: - Elastic Agent status x-metaTags: - content: Kibana name: product_name /api/fleet/agent_status/data: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/fleet/agent_status/data
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get the data streams that an agent is actively sending data to.

[Required authorization] Route required privileges: fleet-agents-read. operationId: get-fleet-agent-status-data parameters: - description: Agent IDs to check data for, as an array or comma-separated string in: query name: agentsIds required: true schema: items: type: string maxItems: 10000 type: array - description: Filter by integration package name in: query name: pkgName required: false schema: type: string - description: Filter by integration package version in: query name: pkgVersion required: false schema: type: string - description: When true, return a preview of the ingested data in: query name: previewData required: false schema: default: false type: boolean responses: '200': content: application/json: examples: getAgentDataExample: description: Data streams the agent is actively sending data to value: items: - data: logs-nginx.access-default: - id: agent-id-1 name: my-host total: 1 totalMonitoring: 0 schema: additionalProperties: false type: object properties: dataPreview: items: {} maxItems: 10000 type: array items: items: additionalProperties: additionalProperties: false type: object properties: data: type: boolean required: - data type: object maxItems: 10000 type: array required: - items - dataPreview description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Get incoming agent data tags: - Elastic Agents x-metaTags: - content: Kibana name: product_name /api/fleet/agentless_policies: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/fleet/agentless_policies
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Create an agentless policy operationId: post-fleet-agentless-policies parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The format of the response package policy. in: query name: format required: false schema: default: simplified enum: - legacy - simplified type: string requestBody: content: application/json: examples: createAgentlessPoliciesRequestExample: description: Example request to create agentless policies value: description: test inputs: ESS Billing-cel: enabled: true streams: ess_billing.billing: enabled: true vars: hide_sensitive: true http_client_timeout: 30s lookbehind: 365 tags: - forwarded - billing ess_billing.credits: enabled: false vars: api_key: organization_id: '1234' name: ess_billing-1 namespace: default package: name: ess_billing version: 1.6.0 createAgentlessPoliciesReuseAWSCloudConnectorExample: description: Example request to create agentless policy reusing an existing AWS cloud connector value: cloud_connector: cloud_connector_id: existing-aws-connector-id target_csp: aws description: CSPM integration for AWS reusing existing cloud connector inputs: cspm-cloudbeat/cis_aws: enabled: true streams: cloud_security_posture.findings: enabled: true vars: aws.account_type: organization-account aws.credentials.type: cloud_connector aws.supports_cloud_connectors: true external_id: id: ABCDEFGHIJKLMNOPQRST isSecretRef: true role_arn: arn:aws:iam::123456789012:role/TestRole vars: cloud_formation_template: https://console.aws.amazon.com/cloudformation/home#/stacks/quickcreate?templateURL=https://elastic-cspm-cft.s3.eu-central-1.amazonaws.com/cloudformation-cspm-ACCOUNT_TYPE-9.2.0.yml cspm-cloudbeat/cis_azure: enabled: false cspm-cloudbeat/cis_gcp: enabled: false name: cspm-aws-reuse-policy namespace: default package: name: cloud_security_posture version: 3.1.1 vars: deployment: aws posture: cspm createAgentlessPoliciesWithAWSCloudConnectorExample: description: Example request to create agentless policy with AWS cloud connector value: cloud_connector: target_csp: aws description: CSPM integration for AWS with cloud connector inputs: cspm-cloudbeat/cis_aws: enabled: true streams: cloud_security_posture.findings: enabled: true vars: aws.account_type: organization-account aws.credentials.type: cloud_connector aws.supports_cloud_connectors: true external_id: id: ABCDEFGHIJKLMNOPQRST isSecretRef: true role_arn: arn:aws:iam::123456789012:role/TestRole vars: cloud_formation_template: https://console.aws.amazon.com/cloudformation/home#/stacks/quickcreate?templateURL=https://elastic-cspm-cft.s3.eu-central-1.amazonaws.com/cloudformation-cspm-ACCOUNT_TYPE-9.2.0.yml cspm-cloudbeat/cis_azure: enabled: false cspm-cloudbeat/cis_gcp: enabled: false name: cspm-aws-policy namespace: default package: name: cloud_security_posture version: 3.1.1 vars: deployment: aws posture: cspm createAgentlessPoliciesWithAzureCloudConnectorExample: description: Example request to create agentless policy with Azure cloud connector value: cloud_connector: target_csp: azure description: CSPM integration for Azure with cloud connector inputs: cspm-cloudbeat/cis_aws: enabled: false cspm-cloudbeat/cis_azure: enabled: true streams: cloud_security_posture.findings: enabled: true vars: azure_credentials_cloud_connector_id: type: text value: existing-azure-credentials-connector-id azure.account_type: organization-account client_id: id: client-secret-id isSecretRef: true tenant_id: id: tenant-secret-id isSecretRef: true cspm-cloudbeat/cis_gcp: enabled: false name: cspm-azure-policy namespace: default package: name: cloud_security_posture version: 3.1.1 vars: deployment: azure posture: cspm schema: additionalProperties: false type: object properties: additional_datastreams_permissions: description: Additional datastream permissions, that will be added to the agent policy. items: type: string maxItems: 100 nullable: true type: array cloud_connector: additionalProperties: false type: object properties: cloud_connector_id: description: ID of an existing cloud connector to reuse. If not provided, a new connector will be created. type: string enabled: default: false description: Whether cloud connectors are enabled for this policy. type: boolean name: description: Optional name for the cloud connector. If not provided, will be auto-generated from credentials. maxLength: 255 minLength: 1 type: string target_csp: description: Target cloud service provider. If not provided, will be auto-detected from inputs. enum: - aws - azure - gcp type: string description: description: Policy description. type: string force: description: Force package policy creation even if the package is not verified, or if the agent policy is managed. type: boolean global_data_tags: items: additionalProperties: false type: object properties: name: description: The name of the custom field. Cannot contain spaces. type: string value: anyOf: - type: string - type: number description: The value of the custom field. required: - name - value maxItems: 100 type: array id: description: Policy unique identifier. type: string inputs: additionalProperties: additionalProperties: false type: object properties: deprecated: additionalProperties: false type: object properties: description: type: string replaced_by: additionalProperties: type: string type: object since: type: string required: - description enabled: description: Enable or disable that input. Defaults to `true` (enabled). type: boolean streams: additionalProperties: additionalProperties: false type: object properties: deprecated: additionalProperties: false type: object properties: description: type: string replaced_by: additionalProperties: type: string type: object since: type: string required: - description enabled: description: Enable or disable that stream. Defaults to `true` (enabled). type: boolean var_group_selections: additionalProperties: type: string description: Variable group selections. Maps var_group name to the selected option name within that group. type: object vars: additionalProperties: anyOf: - type: string - type: number - type: boolean - items: type: string maxItems: 100 type: array - items: type: number maxItems: 100 type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable. Refer to the integration documentation for more information. type: object description: Input streams. Refer to the integration documentation to know which streams are available. type: object vars: additionalProperties: anyOf: - type: string - type: number - type: boolean - items: type: string maxItems: 100 type: array - items: type: number maxItems: 100 type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable. Refer to the integration documentation for more information. type: object description: Package policy inputs. Refer to the integration documentation to know which inputs are available. type: object name: description: Unique name for the policy. type: string namespace: description: Policy namespace. When not specified, it inherits the agent policy namespace. type: string package: additionalProperties: false type: object properties: experimental_data_stream_features: items: additionalProperties: false type: object properties: data_stream: type: string features: additionalProperties: false type: object properties: doc_value_only_numeric: type: boolean doc_value_only_other: type: boolean synthetic_source: type: boolean tsdb: type: boolean required: - data_stream - features maxItems: 100 type: array fips_compatible: type: boolean name: description: Package name type: string requires_root: type: boolean title: type: string version: description: Package version type: string required: - name - version policy_template: description: The policy template to use for the agentless package policy. If not provided, the default policy template will be used. type: string var_group_selections: additionalProperties: type: string description: Variable group selections. Maps var_group name to the selected option name within that group. type: object vars: additionalProperties: anyOf: - type: string - type: number - type: boolean - items: type: string maxItems: 100 type: array - items: type: number maxItems: 100 type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable. Refer to the integration documentation for more information. type: object required: - name - package responses: '200': content: application/json: examples: createAgentlessPoliciesResponseExample: description: Example response showing the successful result of communication initialisation over MCP protocol value: item: created_at: '2025-11-06T18:27:43.541Z' created_by: test_user description: test enabled: true id: d52a7812-5736-4fdc-aed8-72152afa1ffa inputs: ESS Billing-cel: enabled: true streams: ess_billing.billing: enabled: true vars: hide_sensitive: true http_client_timeout: 30s lookbehind: 365 tags: - forwarded - billing ess_billing.credits: enabled: false vars: api_key: id: QY1sWpoBbWcMW-edr0Ee isSecretRef: true organization_id: '1234' url: https://billing.elastic-cloud.com name: ess_billing-1 namespace: default package: name: ess_billing title: Elasticsearch Service Billing version: 1.6.0 revision: 1 secret_references: - id: QY1sWpoBbWcMW-edr0Ee supports_agentless: true updated_at: '2025-11-06T18:27:43.541Z' updated_by: test_user version: WzE0OTgsMV0= createAgentlessPoliciesWithAWSCloudConnectorResponseExample: description: Example response for AWS cloud connector integration value: item: cloud_connector_id: aws-connector-67890 created_at: '2025-11-06T18:27:43.541Z' created_by: test_user description: CSPM integration for AWS with cloud connector enabled: true id: aws-policy-12345 inputs: cspm-cloudbeat/cis_aws: enabled: true streams: cloud_security_posture.findings: enabled: true vars: aws.account_type: organization-account aws.credentials.type: cloud_connector external_id: id: secret-external-id-123 isSecretRef: true role_arn: arn:aws:iam::123456789012:role/TestRole vars: cloud_formation_template: https://console.aws.amazon.com/cloudformation/home#/stacks/quickcreate?templateURL=https://elastic-cspm-cft.s3.eu-central-1.amazonaws.com/cloudformation-cspm-ACCOUNT_TYPE-9.2.0.yml cspm-cloudbeat/cis_azure: enabled: false cspm-cloudbeat/cis_gcp: enabled: false name: cspm-aws-policy namespace: default package: name: cloud_security_posture title: Cloud Security Posture Management version: 3.1.1 revision: 1 secret_references: - id: secret-external-id-123 supports_agentless: true supports_cloud_connector: true updated_at: '2025-11-06T18:27:43.541Z' updated_by: test_user vars: deployment: aws posture: cspm version: WzE0OTgsMV0= createAgentlessPoliciesWithAzureCloudConnectorResponseExample: description: Example response for Azure cloud connector integration value: item: cloud_connector_id: azure-connector-67890 created_at: '2025-11-06T18:27:43.541Z' created_by: test_user description: CSPM integration for Azure with cloud connector enabled: true id: azure-policy-12345 inputs: cspm-cloudbeat/cis_aws: enabled: false cspm-cloudbeat/cis_azure: enabled: true streams: cloud_security_posture.findings: enabled: true vars: azure_credentials_cloud_connector_id: type: text value: existing-azure-credentials-connector-id azure.account_type: organization-account client_id: id: client-secret-id-456 isSecretRef: true tenant_id: id: tenant-secret-id-123 isSecretRef: true cspm-cloudbeat/cis_gcp: enabled: false name: cspm-azure-policy namespace: default package: name: cloud_security_posture title: Cloud Security Posture Management version: 3.1.1 revision: 1 secret_references: - id: tenant-secret-id-123 - id: client-secret-id-456 supports_agentless: true supports_cloud_connector: true updated_at: '2025-11-06T18:27:43.541Z' updated_by: test_user vars: deployment: azure posture: cspm version: WzE0OTgsMV0= schema: additionalProperties: false type: object properties: item: additionalProperties: false description: The created agentless package policy. type: object properties: additional_datastreams_permissions: description: Additional datastream permissions, that will be added to the agent policy. items: type: string maxItems: 1000 nullable: true type: array agents: type: number cloud_connector_id: description: ID of the cloud connector associated with this package policy. nullable: true type: string cloud_connector_name: description: Transient field for cloud connector name during creation. maxLength: 255 minLength: 1 nullable: true type: string created_at: type: string created_by: type: string description: description: Package policy description type: string elasticsearch: additionalProperties: true type: object properties: privileges: additionalProperties: true type: object properties: cluster: items: type: string maxItems: 100 type: array enabled: type: boolean global_data_tags: items: additionalProperties: false type: object properties: name: description: The name of the custom field. Cannot contain spaces. type: string value: anyOf: - type: string - type: number description: The value of the custom field. required: - name - value maxItems: 100 nullable: true type: array id: description: Package policy unique identifier. type: string inputs: anyOf: - items: additionalProperties: false type: object properties: compiled_input: {} config: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object deprecated: additionalProperties: false type: object properties: description: type: string replaced_by: additionalProperties: type: string type: object since: type: string required: - description enabled: type: boolean id: type: string keep_enabled: type: boolean migrate_from: type: string name: type: string policy_template: type: string streams: items: additionalProperties: false type: object properties: compiled_stream: {} config: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object data_stream: additionalProperties: false type: object properties: dataset: type: string elasticsearch: additionalProperties: false type: object properties: dynamic_dataset: type: boolean dynamic_namespace: type: boolean privileges: additionalProperties: false type: object properties: indices: items: type: string maxItems: 100 type: array type: type: string required: - dataset deprecated: additionalProperties: false type: object properties: description: type: string replaced_by: additionalProperties: type: string type: object since: type: string required: - description enabled: type: boolean id: type: string keep_enabled: type: boolean migrate_from: type: string release: enum: - ga - beta - experimental type: string var_group_selections: additionalProperties: type: string description: Variable group selections. Maps var_group name to the selected option name within that group. type: object vars: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object required: - enabled - data_stream - compiled_stream maxItems: 1000 type: array type: type: string var_group_selections: additionalProperties: type: string description: Variable group selections. Maps var_group name to the selected option name within that group. type: object vars: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object required: - type - enabled - streams - compiled_input maxItems: 100 type: array - additionalProperties: additionalProperties: false type: object properties: deprecated: additionalProperties: false type: object properties: description: type: string replaced_by: additionalProperties: type: string type: object since: type: string required: - description enabled: description: Enable or disable that input. Defaults to `true` (enabled). type: boolean streams: additionalProperties: additionalProperties: false type: object properties: deprecated: additionalProperties: false type: object properties: description: type: string replaced_by: additionalProperties: type: string type: object since: type: string required: - description enabled: description: Enable or disable that stream. Defaults to `true` (enabled). type: boolean var_group_selections: additionalProperties: type: string description: Variable group selections. Maps var_group name to the selected option name within that group. type: object vars: additionalProperties: anyOf: - type: string - type: number - type: boolean - items: type: string maxItems: 100 type: array - items: type: number maxItems: 100 type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable. Refer to the integration documentation for more information. type: object description: Input streams. Refer to the integration documentation to know which streams are available. type: object vars: additionalProperties: anyOf: - type: string - type: number - type: boolean - items: type: string maxItems: 100 type: array - items: type: number maxItems: 100 type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable. Refer to the integration documentation for more information. type: object description: Package policy inputs. Refer to the integration documentation to know which inputs are available. type: object x-oas-optional: true description: Package policy inputs. is_managed: type: boolean name: description: Unique name for the package policy. type: string namespace: description: The package policy namespace. Leave blank to inherit the agent policy's namespace. type: string output_id: nullable: true type: string overrides: additionalProperties: false description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. nullable: true type: object properties: inputs: additionalProperties: {} type: object package: additionalProperties: false type: object properties: experimental_data_stream_features: items: additionalProperties: false type: object properties: data_stream: type: string features: additionalProperties: false type: object properties: doc_value_only_numeric: type: boolean doc_value_only_other: type: boolean synthetic_source: type: boolean tsdb: type: boolean required: - data_stream - features maxItems: 100 type: array fips_compatible: type: boolean name: description: Package name type: string requires_root: type: boolean title: type: string version: description: Package version type: string required: - name - version package_agent_version_condition: type: string policy_id: deprecated: true description: ID of the agent policy which the package policy will be added to. nullable: true type: string policy_ids: items: description: IDs of the agent policies which that package policy will be added to. type: string maxItems: 1000 type: array revision: description: Package policy revision. type: number secret_references: items: additionalProperties: false type: object properties: id: type: string required: - id maxItems: 1000 type: array spaceIds: items: type: string maxItems: 100 type: array supports_agentless: default: false description: Indicates whether the package policy belongs to an agentless agent policy. nullable: true type: boolean supports_cloud_connector: default: false description: Indicates whether the package policy supports cloud connectors. nullable: true type: boolean updated_at: type: string updated_by: type: string var_group_selections: additionalProperties: type: string description: Variable group selections. Maps var_group name to the selected option name within that group. type: object vars: anyOf: - additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object - additionalProperties: anyOf: - type: string - type: number - type: boolean - items: type: string maxItems: 100 type: array - items: type: number maxItems: 100 type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable. Refer to the integration documentation for more information. type: object x-oas-optional: true description: Package level variable. version: description: Package policy ES version. type: string required: - name - enabled - inputs - id - revision - updated_at - updated_by - created_at - created_by required: - item description: Indicates a successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request '409': content: application/json: examples: conflictErrorResponseExample: description: Example of a conflict error response value: error: Conflict message: An error message describing what went wrong statusCode: 409 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Conflict summary: Create an agentless policy tags: - Fleet agentless policies x-state: Technical Preview; added in 9.3.0 x-metaTags: - content: Kibana name: product_name /api/fleet/agentless_policies/{policyId}: delete: description: |- **Spaces method and path for this operation:**
delete /s/{space_id}/api/fleet/agentless_policies/{policyId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Delete an agentless policy operationId: delete-fleet-agentless-policies-policyid parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The ID of the policy to delete. in: path name: policyId required: true schema: type: string - description: Force delete the policy even if the policy is managed. in: query name: force required: false schema: type: boolean responses: '200': content: application/json: examples: createAgentlessPoliciesResponseExample: description: Example response showing the successful result of communication initialisation over MCP protocol value: item: id: d52a7812-5736-4fdc-aed8-72152afa1ffa schema: additionalProperties: false description: Response for deleting an agentless package policy. type: object properties: id: description: The ID of the deleted agentless package policy. type: string required: - id description: Indicates a successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request '409': content: application/json: examples: conflictErrorResponseExample: description: Example of a conflict error response value: error: Conflict message: An error message describing what went wrong statusCode: 409 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Conflict summary: Delete an agentless policy tags: - Fleet agentless policies x-state: Technical Preview; added in 9.3.0 x-metaTags: - content: Kibana name: product_name /api/fleet/agents: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/fleet/agents
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. List agents, with optional filtering and pagination.

[Required authorization] Route required privileges: fleet-agents-read. operationId: get-fleet-agents parameters: - description: Page number in: query name: page required: false schema: type: number - description: Number of results per page in: query name: perPage required: false schema: default: 20 type: number - description: A KQL query string to filter results in: query name: kuery required: false schema: type: string - description: When true, include agentless agents in the results in: query name: showAgentless required: false schema: default: true type: boolean - description: When true, include inactive agents in the results in: query name: showInactive required: false schema: default: false type: boolean - description: When true, include CPU and memory metrics in the response in: query name: withMetrics required: false schema: default: false type: boolean - description: When true, only return agents that are upgradeable in: query name: showUpgradeable required: false schema: default: false type: boolean - description: When true, return a summary of agent statuses in the response in: query name: getStatusSummary required: false schema: default: false type: boolean - description: Field to sort results by in: query name: sortField required: false schema: type: string - description: Sort order, ascending or descending in: query name: sortOrder required: false schema: enum: - asc - desc type: string - description: JSON-encoded array of sort values for `search_after` pagination in: query name: searchAfter required: false schema: type: string - description: When true, opens a new point-in-time for pagination in: query name: openPit required: false schema: type: boolean - description: Point-in-time ID for pagination in: query name: pitId required: false schema: type: string - description: Duration to keep the point-in-time alive, for example, `1m` in: query name: pitKeepAlive required: false schema: type: string responses: '200': content: application/json: examples: getAgentsExample: description: List of agents value: items: - active: true enrolled_at: '2024-01-01T00:00:00.000Z' id: agent-id-1 policy_id: agent-policy-id-1 policy_revision: 1 status: online type: PERMANENT updated_at: '2024-01-01T00:00:00.000Z' page: 1 perPage: 20 total: 1 schema: additionalProperties: false type: object properties: items: items: additionalProperties: false type: object properties: access_api_key: type: string access_api_key_id: type: string active: type: boolean agent: additionalProperties: true type: object properties: id: type: string type: type: string version: type: string required: - id - version audit_unenrolled_reason: type: string capabilities: items: type: string maxItems: 100 type: array components: items: additionalProperties: false type: object properties: id: type: string message: type: string status: enum: - STARTING - CONFIGURING - HEALTHY - DEGRADED - FAILED - STOPPING - STOPPED type: string type: type: string units: items: additionalProperties: false type: object properties: id: type: string message: type: string payload: additionalProperties: {} type: object status: enum: - STARTING - CONFIGURING - HEALTHY - DEGRADED - FAILED - STOPPING - STOPPED type: string type: enum: - input - output - '' type: string required: - id - type - status - message maxItems: 10000 type: array required: - id - type - status - message maxItems: 10000 type: array default_api_key: type: string default_api_key_history: items: additionalProperties: false deprecated: true type: object properties: id: type: string retired_at: type: string required: - id - retired_at maxItems: 100 type: array default_api_key_id: type: string effective_config: {} enrolled_at: type: string health: additionalProperties: {} type: object id: type: string identifying_attributes: additionalProperties: type: string type: object last_checkin: type: string last_checkin_message: type: string last_checkin_status: enum: - error - online - degraded - updating - starting - disconnected type: string last_known_status: enum: - offline - error - online - inactive - enrolling - unenrolling - unenrolled - updating - degraded - uninstalled - orphaned type: string local_metadata: additionalProperties: {} type: object metrics: additionalProperties: false type: object properties: cpu_avg: type: number memory_size_byte_avg: type: number namespaces: items: type: string maxItems: 100 type: array non_identifying_attributes: additionalProperties: type: string type: object outputs: additionalProperties: additionalProperties: false type: object properties: api_key_id: type: string to_retire_api_key_ids: items: additionalProperties: false type: object properties: id: type: string retired_at: type: string required: - id - retired_at maxItems: 100 type: array type: type: string type: object packages: items: type: string maxItems: 10000 type: array policy_id: type: string policy_revision: nullable: true type: number sequence_num: type: number sort: items: {} maxItems: 10 type: array status: enum: - offline - error - online - inactive - enrolling - unenrolling - unenrolled - updating - degraded - uninstalled - orphaned type: string tags: items: type: string maxItems: 100 type: array type: enum: - PERMANENT - EPHEMERAL - TEMPORARY - OPAMP type: string unenrolled_at: type: string unenrollment_started_at: type: string unhealthy_reason: items: enum: - input - output - other type: string maxItems: 3 nullable: true type: array upgrade: additionalProperties: false type: object properties: rollbacks: items: additionalProperties: false type: object properties: valid_until: type: string version: type: string required: - valid_until - version maxItems: 100 type: array upgrade_attempts: items: type: string maxItems: 10000 nullable: true type: array upgrade_details: additionalProperties: false nullable: true type: object properties: action_id: type: string metadata: additionalProperties: false type: object properties: download_percent: type: number download_rate: type: number error_msg: type: string failed_state: enum: - UPG_REQUESTED - UPG_SCHEDULED - UPG_DOWNLOADING - UPG_EXTRACTING - UPG_REPLACING - UPG_RESTARTING - UPG_FAILED - UPG_WATCHING - UPG_ROLLBACK type: string reason: type: string retry_error_msg: type: string retry_until: type: string scheduled_at: type: string state: enum: - UPG_REQUESTED - UPG_SCHEDULED - UPG_DOWNLOADING - UPG_EXTRACTING - UPG_REPLACING - UPG_RESTARTING - UPG_FAILED - UPG_WATCHING - UPG_ROLLBACK type: string target_version: type: string required: - target_version - action_id - state upgrade_started_at: nullable: true type: string upgraded_at: nullable: true type: string user_provided_metadata: additionalProperties: {} type: object required: - id - packages - type - active - enrolled_at - local_metadata - effective_config maxItems: 10000 type: array nextSearchAfter: type: string page: type: number perPage: type: number pit: type: string statusSummary: additionalProperties: type: number type: object total: type: number required: - items - total - page - perPage description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Get agents tags: - Elastic Agents x-metaTags: - content: Kibana name: product_name post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/fleet/agents
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Retrieve agents associated with specific action IDs.

[Required authorization] Route required privileges: fleet-agents-read. operationId: post-fleet-agents parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: examples: postGetAgentsByActionsRequestExample: description: Retrieve agents associated with specific action IDs value: actionIds: - action-id-1 - action-id-2 schema: additionalProperties: false type: object properties: actionIds: items: type: string maxItems: 1000 type: array required: - actionIds responses: '200': content: application/json: examples: postGetAgentsByActionsExample: description: Agents associated with the given actions value: items: - active: true id: agent-id-1 policy_id: agent-policy-id-1 status: online total: 1 schema: additionalProperties: false type: object properties: items: items: type: string maxItems: 10000 type: array required: - items description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Get agents by action ids tags: - Elastic Agents x-metaTags: - content: Kibana name: product_name /api/fleet/agents/{agentId}: delete: description: |- **Spaces method and path for this operation:**
delete /s/{space_id}/api/fleet/agents/{agentId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Delete an agent by ID.

[Required authorization] Route required privileges: fleet-agents-all. operationId: delete-fleet-agents-agentid parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The agent ID in: path name: agentId required: true schema: type: string responses: '200': content: application/json: examples: deleteAgentExample: description: Agent successfully deleted value: id: agent-id-1 success: true schema: additionalProperties: false type: object properties: action: enum: - deleted type: string required: - action description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request '404': content: application/json: examples: notFoundExample: description: No agent was found with the given ID value: error: Not Found message: Agent agent-id-1 not found statusCode: 404 description: Not Found summary: Delete an agent tags: - Elastic Agents x-metaTags: - content: Kibana name: product_name get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/fleet/agents/{agentId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get an agent by ID.

[Required authorization] Route required privileges: fleet-agents-read. operationId: get-fleet-agents-agentid parameters: - description: The agent ID in: path name: agentId required: true schema: type: string - description: When true, include CPU and memory metrics in the response in: query name: withMetrics required: false schema: default: false type: boolean responses: '200': content: application/json: examples: getAgentExample: description: Agent details value: item: active: true agent_id: agent-id-1 enrolled_at: '2024-01-01T00:00:00.000Z' id: agent-id-1 local_metadata: elastic: agent: version: 8.17.0 host: hostname: my-host os: name: linux policy_id: agent-policy-id-1 policy_revision: 1 status: online type: PERMANENT updated_at: '2024-01-01T00:00:00.000Z' schema: additionalProperties: false type: object properties: item: additionalProperties: false type: object properties: access_api_key: type: string access_api_key_id: type: string active: type: boolean agent: additionalProperties: true type: object properties: id: type: string type: type: string version: type: string required: - id - version audit_unenrolled_reason: type: string capabilities: items: type: string maxItems: 100 type: array components: items: additionalProperties: false type: object properties: id: type: string message: type: string status: enum: - STARTING - CONFIGURING - HEALTHY - DEGRADED - FAILED - STOPPING - STOPPED type: string type: type: string units: items: additionalProperties: false type: object properties: id: type: string message: type: string payload: additionalProperties: {} type: object status: enum: - STARTING - CONFIGURING - HEALTHY - DEGRADED - FAILED - STOPPING - STOPPED type: string type: enum: - input - output - '' type: string required: - id - type - status - message maxItems: 10000 type: array required: - id - type - status - message maxItems: 10000 type: array default_api_key: type: string default_api_key_history: items: additionalProperties: false deprecated: true type: object properties: id: type: string retired_at: type: string required: - id - retired_at maxItems: 100 type: array default_api_key_id: type: string effective_config: {} enrolled_at: type: string health: additionalProperties: {} type: object id: type: string identifying_attributes: additionalProperties: type: string type: object last_checkin: type: string last_checkin_message: type: string last_checkin_status: enum: - error - online - degraded - updating - starting - disconnected type: string last_known_status: enum: - offline - error - online - inactive - enrolling - unenrolling - unenrolled - updating - degraded - uninstalled - orphaned type: string local_metadata: additionalProperties: {} type: object metrics: additionalProperties: false type: object properties: cpu_avg: type: number memory_size_byte_avg: type: number namespaces: items: type: string maxItems: 100 type: array non_identifying_attributes: additionalProperties: type: string type: object outputs: additionalProperties: additionalProperties: false type: object properties: api_key_id: type: string to_retire_api_key_ids: items: additionalProperties: false type: object properties: id: type: string retired_at: type: string required: - id - retired_at maxItems: 100 type: array type: type: string type: object packages: items: type: string maxItems: 10000 type: array policy_id: type: string policy_revision: nullable: true type: number sequence_num: type: number sort: items: {} maxItems: 10 type: array status: enum: - offline - error - online - inactive - enrolling - unenrolling - unenrolled - updating - degraded - uninstalled - orphaned type: string tags: items: type: string maxItems: 100 type: array type: enum: - PERMANENT - EPHEMERAL - TEMPORARY - OPAMP type: string unenrolled_at: type: string unenrollment_started_at: type: string unhealthy_reason: items: enum: - input - output - other type: string maxItems: 3 nullable: true type: array upgrade: additionalProperties: false type: object properties: rollbacks: items: additionalProperties: false type: object properties: valid_until: type: string version: type: string required: - valid_until - version maxItems: 100 type: array upgrade_attempts: items: type: string maxItems: 10000 nullable: true type: array upgrade_details: additionalProperties: false nullable: true type: object properties: action_id: type: string metadata: additionalProperties: false type: object properties: download_percent: type: number download_rate: type: number error_msg: type: string failed_state: enum: - UPG_REQUESTED - UPG_SCHEDULED - UPG_DOWNLOADING - UPG_EXTRACTING - UPG_REPLACING - UPG_RESTARTING - UPG_FAILED - UPG_WATCHING - UPG_ROLLBACK type: string reason: type: string retry_error_msg: type: string retry_until: type: string scheduled_at: type: string state: enum: - UPG_REQUESTED - UPG_SCHEDULED - UPG_DOWNLOADING - UPG_EXTRACTING - UPG_REPLACING - UPG_RESTARTING - UPG_FAILED - UPG_WATCHING - UPG_ROLLBACK type: string target_version: type: string required: - target_version - action_id - state upgrade_started_at: nullable: true type: string upgraded_at: nullable: true type: string user_provided_metadata: additionalProperties: {} type: object required: - id - packages - type - active - enrolled_at - local_metadata - effective_config required: - item description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request '404': content: application/json: examples: notFoundExample: description: No agent was found with the given ID value: error: Not Found message: Agent agent-id-1 not found statusCode: 404 description: Not Found summary: Get an agent tags: - Elastic Agents x-metaTags: - content: Kibana name: product_name put: description: |- **Spaces method and path for this operation:**
put /s/{space_id}/api/fleet/agents/{agentId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Update an agent by ID.

[Required authorization] Route required privileges: fleet-agents-all. operationId: put-fleet-agents-agentid parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The agent ID in: path name: agentId required: true schema: type: string requestBody: content: application/json: examples: putAgentRequestExample: description: Update agent tags value: tags: - production - linux schema: additionalProperties: false type: object properties: tags: items: type: string maxItems: 10 type: array user_provided_metadata: additionalProperties: {} type: object responses: '200': content: application/json: examples: putAgentExample: description: Updated agent details value: item: active: true enrolled_at: '2024-01-01T00:00:00.000Z' id: agent-id-1 policy_id: agent-policy-id-1 policy_revision: 1 status: online tags: - production - linux type: PERMANENT updated_at: '2024-01-01T00:00:00.000Z' schema: additionalProperties: false type: object properties: item: additionalProperties: false type: object properties: access_api_key: type: string access_api_key_id: type: string active: type: boolean agent: additionalProperties: true type: object properties: id: type: string type: type: string version: type: string required: - id - version audit_unenrolled_reason: type: string capabilities: items: type: string maxItems: 100 type: array components: items: additionalProperties: false type: object properties: id: type: string message: type: string status: enum: - STARTING - CONFIGURING - HEALTHY - DEGRADED - FAILED - STOPPING - STOPPED type: string type: type: string units: items: additionalProperties: false type: object properties: id: type: string message: type: string payload: additionalProperties: {} type: object status: enum: - STARTING - CONFIGURING - HEALTHY - DEGRADED - FAILED - STOPPING - STOPPED type: string type: enum: - input - output - '' type: string required: - id - type - status - message maxItems: 10000 type: array required: - id - type - status - message maxItems: 10000 type: array default_api_key: type: string default_api_key_history: items: additionalProperties: false deprecated: true type: object properties: id: type: string retired_at: type: string required: - id - retired_at maxItems: 100 type: array default_api_key_id: type: string effective_config: {} enrolled_at: type: string health: additionalProperties: {} type: object id: type: string identifying_attributes: additionalProperties: type: string type: object last_checkin: type: string last_checkin_message: type: string last_checkin_status: enum: - error - online - degraded - updating - starting - disconnected type: string last_known_status: enum: - offline - error - online - inactive - enrolling - unenrolling - unenrolled - updating - degraded - uninstalled - orphaned type: string local_metadata: additionalProperties: {} type: object metrics: additionalProperties: false type: object properties: cpu_avg: type: number memory_size_byte_avg: type: number namespaces: items: type: string maxItems: 100 type: array non_identifying_attributes: additionalProperties: type: string type: object outputs: additionalProperties: additionalProperties: false type: object properties: api_key_id: type: string to_retire_api_key_ids: items: additionalProperties: false type: object properties: id: type: string retired_at: type: string required: - id - retired_at maxItems: 100 type: array type: type: string type: object packages: items: type: string maxItems: 10000 type: array policy_id: type: string policy_revision: nullable: true type: number sequence_num: type: number sort: items: {} maxItems: 10 type: array status: enum: - offline - error - online - inactive - enrolling - unenrolling - unenrolled - updating - degraded - uninstalled - orphaned type: string tags: items: type: string maxItems: 100 type: array type: enum: - PERMANENT - EPHEMERAL - TEMPORARY - OPAMP type: string unenrolled_at: type: string unenrollment_started_at: type: string unhealthy_reason: items: enum: - input - output - other type: string maxItems: 3 nullable: true type: array upgrade: additionalProperties: false type: object properties: rollbacks: items: additionalProperties: false type: object properties: valid_until: type: string version: type: string required: - valid_until - version maxItems: 100 type: array upgrade_attempts: items: type: string maxItems: 10000 nullable: true type: array upgrade_details: additionalProperties: false nullable: true type: object properties: action_id: type: string metadata: additionalProperties: false type: object properties: download_percent: type: number download_rate: type: number error_msg: type: string failed_state: enum: - UPG_REQUESTED - UPG_SCHEDULED - UPG_DOWNLOADING - UPG_EXTRACTING - UPG_REPLACING - UPG_RESTARTING - UPG_FAILED - UPG_WATCHING - UPG_ROLLBACK type: string reason: type: string retry_error_msg: type: string retry_until: type: string scheduled_at: type: string state: enum: - UPG_REQUESTED - UPG_SCHEDULED - UPG_DOWNLOADING - UPG_EXTRACTING - UPG_REPLACING - UPG_RESTARTING - UPG_FAILED - UPG_WATCHING - UPG_ROLLBACK type: string target_version: type: string required: - target_version - action_id - state upgrade_started_at: nullable: true type: string upgraded_at: nullable: true type: string user_provided_metadata: additionalProperties: {} type: object required: - id - packages - type - active - enrolled_at - local_metadata - effective_config required: - item description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request '404': content: application/json: examples: notFoundExample: description: No agent was found with the given ID value: error: Not Found message: Agent agent-id-1 not found statusCode: 404 description: Not Found summary: Update an agent by ID tags: - Elastic Agents x-metaTags: - content: Kibana name: product_name /api/fleet/agents/{agentId}/actions: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/fleet/agents/{agentId}/actions
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Create a new action for a specific agent.

[Required authorization] Route required privileges: fleet-agents-all. operationId: post-fleet-agents-agentid-actions parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The agent ID in: path name: agentId required: true schema: type: string requestBody: content: application/json: examples: postAgentActionRequestExample: description: Create a UNENROLL action for an agent value: action: type: UNENROLL schema: additionalProperties: false type: object properties: action: anyOf: - additionalProperties: false type: object properties: ack_data: {} data: {} type: enum: - UNENROLL - UPGRADE - POLICY_REASSIGN type: string required: - type - data - ack_data - additionalProperties: false type: object properties: data: additionalProperties: false type: object properties: log_level: enum: - debug - info - warning - error nullable: true type: string required: - log_level type: enum: - SETTINGS type: string required: - type - data required: - action responses: '200': content: application/json: examples: postAgentActionExample: description: Created agent action value: item: agents: - agent-id-1 created_at: '2024-01-01T00:00:00.000Z' id: action-id-1 type: UNENROLL schema: additionalProperties: false type: object properties: item: additionalProperties: false type: object properties: ack_data: {} agents: items: type: string maxItems: 10000 type: array created_at: type: string data: {} expiration: type: string id: type: string minimum_execution_duration: type: number namespaces: items: type: string maxItems: 100 type: array rollout_duration_seconds: type: number sent_at: type: string source_uri: type: string start_time: type: string total: type: number type: type: string required: - id - type - data - created_at - ack_data required: - item description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Create an agent action tags: - Elastic Agent actions x-metaTags: - content: Kibana name: product_name /api/fleet/agents/{agentId}/effective_config: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/fleet/agents/{agentId}/effective_config
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get an agent's effective config by ID.

[Required authorization] Route required privileges: fleet-agents-read. operationId: get-fleet-agents-agentid-effective-config parameters: - description: The agent ID to get effective config of in: path name: agentId required: true schema: type: string responses: '200': content: application/json: examples: successResponse: value: effective_config: {} schema: additionalProperties: false type: object properties: effective_config: {} required: - effective_config description: 'OK: A successful request.' '400': content: application/json: examples: badRequestResponse: value: message: Bad Request schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: A bad request. summary: Get an agent's effective config tags: - Elastic Agents x-metaTags: - content: Kibana name: product_name /api/fleet/agents/{agentId}/migrate: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/fleet/agents/{agentId}/migrate
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Migrate a single agent to another cluster.

[Required authorization] Route required privileges: fleet-agents-all. operationId: post-fleet-agents-agentid-migrate parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The agent ID in: path name: agentId required: true schema: type: string requestBody: content: application/json: examples: postMigrateAgentRequestExample: description: Migrate a single agent to another cluster value: enrollment_token: enrollment-token-value settings: retry_max: 5 uri: https://fleet-server.example.com:8220 schema: additionalProperties: false type: object properties: enrollment_token: type: string settings: additionalProperties: false type: object properties: ca_sha256: type: string certificate_authorities: type: string elastic_agent_cert: type: string elastic_agent_cert_key: type: string elastic_agent_cert_key_passphrase: type: string headers: additionalProperties: type: string type: object insecure: type: boolean proxy_disabled: type: boolean proxy_headers: additionalProperties: type: string type: object proxy_url: type: string replace_token: type: string staging: type: string tags: items: type: string maxItems: 10 type: array uri: format: uri type: string required: - uri - enrollment_token responses: '200': content: application/json: examples: postMigrateAgentExample: description: Agent migration initiated value: actionId: action-id-1 schema: additionalProperties: false type: object properties: actionId: type: string required: - actionId description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Migrate a single agent tags: - Elastic Agents x-metaTags: - content: Kibana name: product_name /api/fleet/agents/{agentId}/privilege_level_change: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/fleet/agents/{agentId}/privilege_level_change
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Change the privilege level of a single agent to unprivileged.

[Required authorization] Route required privileges: fleet-agents-all. operationId: post-fleet-agents-agentid-privilege-level-change parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The agent ID to change privilege level for in: path name: agentId required: true schema: type: string requestBody: content: application/json: examples: changeAgentPrivilegeLevelRequest: value: user_info: groupname: groupname password: password username: username schema: additionalProperties: false nullable: true type: object properties: user_info: additionalProperties: false type: object properties: groupname: type: string password: type: string username: type: string responses: '200': content: application/json: examples: successResponse: value: actionId: actionId schema: anyOf: - additionalProperties: false type: object properties: actionId: type: string required: - actionId - additionalProperties: false type: object properties: message: type: string required: - message description: 'OK: A successful request.' '400': content: application/json: examples: badRequestResponse: value: message: Bad Request schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: A bad request. summary: Change agent privilege level tags: - Elastic Agents x-state: Technical Preview; added in 9.3.0 x-metaTags: - content: Kibana name: product_name /api/fleet/agents/{agentId}/reassign: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/fleet/agents/{agentId}/reassign
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Reassign an agent to a different agent policy.

[Required authorization] Route required privileges: fleet-agents-all. operationId: post-fleet-agents-agentid-reassign parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The agent ID in: path name: agentId required: true schema: type: string requestBody: content: application/json: examples: postReassignAgentRequestExample: description: Reassign an agent to a different policy value: policy_id: agent-policy-id-2 schema: additionalProperties: false type: object properties: policy_id: type: string required: - policy_id responses: '200': content: application/json: examples: postReassignAgentExample: description: Agent successfully reassigned value: {} schema: additionalProperties: false type: object properties: {} description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Reassign an agent tags: - Elastic Agent actions x-metaTags: - content: Kibana name: product_name /api/fleet/agents/{agentId}/request_diagnostics: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/fleet/agents/{agentId}/request_diagnostics
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Request a diagnostics bundle from a specific agent.

[Required authorization] Route required privileges: fleet-agents-read. operationId: post-fleet-agents-agentid-request-diagnostics parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The agent ID in: path name: agentId required: true schema: type: string requestBody: content: application/json: examples: postRequestDiagnosticsRequestExample: description: Request a diagnostics bundle from an agent value: additional_metrics: - CPU schema: additionalProperties: false nullable: true type: object properties: additional_metrics: items: enum: - CPU type: string maxItems: 1 type: array responses: '200': content: application/json: examples: postRequestDiagnosticsExample: description: Diagnostics action result value: actionId: action-id-1 schema: additionalProperties: false type: object properties: actionId: type: string required: - actionId description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: Agent agent-id-1 does not support request diagnostics action. statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Request agent diagnostics tags: - Elastic Agent actions x-metaTags: - content: Kibana name: product_name /api/fleet/agents/{agentId}/rollback: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/fleet/agents/{agentId}/rollback
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Rollback an agent to the previous version.

[Required authorization] Route required privileges: fleet-agents-all. operationId: post-fleet-agents-agentid-rollback parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The agent ID to rollback in: path name: agentId required: true schema: type: string responses: '200': content: application/json: examples: successResponse: value: actionId: actionId schema: anyOf: - additionalProperties: false type: object properties: actionId: type: string required: - actionId - additionalProperties: false type: object properties: message: type: string required: - message description: 'OK: A successful request.' '400': content: application/json: examples: badRequestResponse: value: message: Bad Request schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: A bad request. summary: Rollback an agent tags: - Elastic Agent actions x-state: Technical Preview; added in 9.4.0 x-metaTags: - content: Kibana name: product_name /api/fleet/agents/{agentId}/unenroll: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/fleet/agents/{agentId}/unenroll
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Unenroll a specific agent, optionally revoking its enrollment API key.

[Required authorization] Route required privileges: fleet-agents-all. operationId: post-fleet-agents-agentid-unenroll parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The agent ID in: path name: agentId required: true schema: type: string requestBody: content: application/json: examples: postUnenrollAgentRequestExample: description: Unenroll an agent, optionally revoking the enrollment API key value: revoke: false schema: additionalProperties: false nullable: true type: object properties: force: type: boolean revoke: type: boolean responses: '200': content: application/json: examples: postUnenrollAgentExample: description: Agent successfully unenrolled value: {} description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 description: Bad Request summary: Unenroll an agent tags: - Elastic Agent actions x-metaTags: - content: Kibana name: product_name /api/fleet/agents/{agentId}/upgrade: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/fleet/agents/{agentId}/upgrade
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Upgrade a specific agent to a newer version.

[Required authorization] Route required privileges: fleet-agents-all. operationId: post-fleet-agents-agentid-upgrade parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The agent ID in: path name: agentId required: true schema: type: string requestBody: content: application/json: examples: postUpgradeAgentRequestExample: description: Upgrade an agent to a specific version value: version: 8.17.0 schema: additionalProperties: false type: object properties: force: type: boolean skipRateLimitCheck: type: boolean source_uri: type: string version: type: string required: - version responses: '200': content: application/json: examples: postUpgradeAgentExample: description: Agent upgrade initiated value: {} schema: additionalProperties: false type: object properties: {} description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Upgrade an agent tags: - Elastic Agent actions x-metaTags: - content: Kibana name: product_name /api/fleet/agents/{agentId}/uploads: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/fleet/agents/{agentId}/uploads
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get a list of files uploaded by a specific agent.

[Required authorization] Route required privileges: fleet-agents-read. operationId: get-fleet-agents-agentid-uploads parameters: - description: The agent ID in: path name: agentId required: true schema: type: string responses: '200': content: application/json: examples: getAgentUploadsExample: description: List of files uploaded by the agent value: items: - actionId: action-id-1 createTime: '2024-01-01T00:00:00.000Z' filePath: /tmp/diagnostics-2024-01-01.zip id: file-id-1 name: diagnostics-2024-01-01.zip status: READY schema: additionalProperties: false type: object properties: items: items: additionalProperties: false type: object properties: actionId: type: string createTime: type: string error: type: string filePath: type: string id: type: string name: type: string status: enum: - READY - AWAITING_UPLOAD - DELETED - EXPIRED - IN_PROGRESS - FAILED type: string required: - id - name - filePath - createTime - status - actionId maxItems: 10000 type: array required: - items description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Get agent uploads tags: - Elastic Agents x-metaTags: - content: Kibana name: product_name /api/fleet/agents/action_status: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/fleet/agents/action_status
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get the current status of recent agent actions.

[Required authorization] Route required privileges: fleet-agents-read. operationId: get-fleet-agents-action-status parameters: - description: Page number in: query name: page required: false schema: default: 0 type: number - description: Number of results per page in: query name: perPage required: false schema: default: 20 type: number - description: Return actions created before this date in: query name: date required: false schema: type: string - description: Return only the latest N actions in: query name: latest required: false schema: type: number - description: Number of error details to include per action in: query name: errorSize required: false schema: default: 5 type: number responses: '200': content: application/json: examples: getActionStatusExample: description: Status of recent agent actions value: items: - actionId: action-id-1 completionTime: '2024-01-01T00:05:00.000Z' creationTime: '2024-01-01T00:00:00.000Z' nbAgentsAck: 2 nbAgentsActioned: 2 nbAgentsFailed: 0 status: COMPLETE type: UPGRADE schema: additionalProperties: false type: object properties: items: items: additionalProperties: false type: object properties: actionId: type: string cancellationTime: type: string completionTime: type: string creationTime: description: creation time of action type: string expiration: type: string hasRolloutPeriod: type: boolean is_automatic: type: boolean latestErrors: items: additionalProperties: false description: latest errors that happened when the agents executed the action type: object properties: agentId: type: string error: type: string hostname: type: string timestamp: type: string required: - agentId - error - timestamp maxItems: 10 type: array nbAgentsAck: description: number of agents that acknowledged the action type: number nbAgentsActionCreated: description: number of agents included in action from kibana type: number nbAgentsActioned: description: number of agents actioned type: number nbAgentsFailed: description: number of agents that failed to execute the action type: number newPolicyId: description: new policy id (POLICY_REASSIGN action) type: string policyId: description: policy id (POLICY_CHANGE action) type: string revision: description: new policy revision (POLICY_CHANGE action) type: number startTime: description: start time of action (scheduled actions) type: string status: enum: - COMPLETE - EXPIRED - CANCELLED - FAILED - IN_PROGRESS - ROLLOUT_PASSED type: string type: enum: - UPGRADE - UNENROLL - SETTINGS - POLICY_REASSIGN - CANCEL - FORCE_UNENROLL - REQUEST_DIAGNOSTICS - UPDATE_TAGS - POLICY_CHANGE - INPUT_ACTION - MIGRATE - PRIVILEGE_LEVEL_CHANGE - ROLLBACK type: string version: description: agent version number (UPGRADE action) type: string required: - actionId - nbAgentsActionCreated - nbAgentsAck - nbAgentsFailed - type - nbAgentsActioned - status - creationTime maxItems: 10000 type: array required: - items description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Get an agent action status tags: - Elastic Agent actions x-metaTags: - content: Kibana name: product_name /api/fleet/agents/actions/{actionId}/cancel: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/fleet/agents/actions/{actionId}/cancel
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Cancel a pending action for a specific agent.

[Required authorization] Route required privileges: fleet-agents-all. operationId: post-fleet-agents-actions-actionid-cancel parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The ID of the action to cancel in: path name: actionId required: true schema: type: string requestBody: content: application/json: examples: postCancelActionRequestExample: description: Cancel an agent action value: {} responses: '200': content: application/json: examples: postCancelActionExample: description: Cancellation action created value: item: agents: - agent-id-1 created_at: '2024-01-01T00:00:00.000Z' id: cancel-action-id-1 type: CANCEL schema: additionalProperties: false type: object properties: item: additionalProperties: false type: object properties: ack_data: {} agents: items: type: string maxItems: 10000 type: array created_at: type: string data: {} expiration: type: string id: type: string minimum_execution_duration: type: number namespaces: items: type: string maxItems: 100 type: array rollout_duration_seconds: type: number sent_at: type: string source_uri: type: string start_time: type: string total: type: number type: type: string required: - id - type - data - created_at - ack_data required: - item description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Cancel an agent action tags: - Elastic Agent actions x-metaTags: - content: Kibana name: product_name /api/fleet/agents/available_versions: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/fleet/agents/available_versions
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get a list of Elastic Agent versions available for upgrade.

[Required authorization] Route required privileges: fleet-agents-read. operationId: get-fleet-agents-available-versions parameters: [] responses: '200': content: application/json: examples: getAvailableVersionsExample: description: List of available agent versions for upgrade value: items: - 8.17.0 - 8.16.3 - 8.16.2 schema: additionalProperties: false type: object properties: items: items: type: string maxItems: 10000 type: array required: - items description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Get available agent versions tags: - Elastic Agents x-metaTags: - content: Kibana name: product_name /api/fleet/agents/bulk_migrate: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/fleet/agents/bulk_migrate
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Bulk migrate agents to another cluster.

[Required authorization] Route required privileges: fleet-agents-all. operationId: post-fleet-agents-bulk-migrate parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: examples: postBulkMigrateAgentsRequestExample: description: Migrate multiple agents to another cluster value: agents: - agent-id-1 - agent-id-2 enrollment_token: enrollment-token-value settings: retry_max: 5 uri: https://fleet-server.example.com:8220 schema: additionalProperties: false type: object properties: agents: anyOf: - items: type: string maxItems: 10000 type: array - type: string batchSize: type: number enrollment_token: type: string settings: additionalProperties: false type: object properties: ca_sha256: type: string certificate_authorities: type: string elastic_agent_cert: type: string elastic_agent_cert_key: type: string elastic_agent_cert_key_passphrase: type: string headers: additionalProperties: type: string type: object insecure: type: boolean proxy_disabled: type: boolean proxy_headers: additionalProperties: type: string type: object proxy_url: type: string staging: type: string tags: items: type: string maxItems: 10 type: array uri: format: uri type: string required: - agents - uri - enrollment_token responses: '200': content: application/json: examples: postBulkMigrateAgentsExample: description: Bulk agent migration initiated value: actionId: action-id-1 schema: additionalProperties: false type: object properties: actionId: type: string required: - actionId description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Migrate multiple agents tags: - Elastic Agents x-metaTags: - content: Kibana name: product_name /api/fleet/agents/bulk_privilege_level_change: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/fleet/agents/bulk_privilege_level_change
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Change multiple agents' privilege level to unprivileged.

[Required authorization] Route required privileges: fleet-agents-all. operationId: post-fleet-agents-bulk-privilege-level-change parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: examples: bulkChangeAgentPrivilegeLevelRequest: value: agents: agent user_info: groupname: groupname password: password username: username schema: additionalProperties: false type: object properties: agents: anyOf: - items: type: string maxItems: 10000 type: array - type: string batchSize: type: number user_info: additionalProperties: false type: object properties: groupname: type: string password: type: string username: type: string required: - agents responses: '200': content: application/json: examples: successResponse: value: actionId: actionId schema: additionalProperties: false type: object properties: actionId: type: string required: - actionId description: 'OK: A successful request.' '400': content: application/json: examples: badRequestResponse: value: message: Bad Request schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: A bad request. summary: Bulk change agent privilege level tags: - Elastic Agents x-state: Technical Preview; added in 9.3.0 x-metaTags: - content: Kibana name: product_name /api/fleet/agents/bulk_reassign: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/fleet/agents/bulk_reassign
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Reassign multiple agents to a different agent policy.

[Required authorization] Route required privileges: fleet-agents-all. operationId: post-fleet-agents-bulk-reassign parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: examples: postBulkReassignAgentsRequestExample: description: Reassign multiple agents to a different policy value: agents: - agent-id-1 - agent-id-2 policy_id: agent-policy-id-2 schema: additionalProperties: false type: object properties: agents: anyOf: - items: type: string maxItems: 10000 type: array - type: string batchSize: type: number includeInactive: default: false type: boolean policy_id: type: string required: - policy_id - agents responses: '200': content: application/json: examples: postBulkReassignAgentsExample: description: Bulk reassign action result value: actionId: action-id-1 schema: additionalProperties: false type: object properties: actionId: type: string required: - actionId description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Bulk reassign agents tags: - Elastic Agent actions x-metaTags: - content: Kibana name: product_name /api/fleet/agents/bulk_request_diagnostics: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/fleet/agents/bulk_request_diagnostics
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Request diagnostics bundles from multiple agents.

[Required authorization] Route required privileges: fleet-agents-read. operationId: post-fleet-agents-bulk-request-diagnostics parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: examples: postBulkRequestDiagnosticsRequestExample: description: Request diagnostics bundles from multiple agents value: additional_metrics: - CPU agents: - agent-id-1 - agent-id-2 schema: additionalProperties: false type: object properties: additional_metrics: items: enum: - CPU type: string maxItems: 1 type: array agents: anyOf: - items: type: string maxItems: 10000 type: array - type: string batchSize: type: number required: - agents responses: '200': content: application/json: examples: postBulkRequestDiagnosticsExample: description: Bulk diagnostics action result value: actionId: action-id-1 schema: additionalProperties: false type: object properties: actionId: type: string required: - actionId description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Bulk request diagnostics from agents tags: - Elastic Agent actions x-metaTags: - content: Kibana name: product_name /api/fleet/agents/bulk_rollback: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/fleet/agents/bulk_rollback
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Rollback multiple agents to the previous version.

[Required authorization] Route required privileges: fleet-agents-all. operationId: post-fleet-agents-bulk-rollback parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: examples: bulkRollbackAgentsRequest: value: agents: - agent-1 - agent-2 batchSize: 100 includeInactive: false schema: additionalProperties: false type: object properties: agents: anyOf: - items: type: string maxItems: 10000 type: array - type: string batchSize: type: number includeInactive: default: false type: boolean required: - agents responses: '200': content: application/json: examples: successResponse: value: actionIds: - actionId1 - actionId2 schema: additionalProperties: false type: object properties: actionIds: items: type: string maxItems: 10000 type: array required: - actionIds description: 'OK: A successful request.' '400': content: application/json: examples: badRequestResponse: value: message: Bad Request schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: A bad request. summary: Bulk rollback agents tags: - Elastic Agent actions x-state: Technical Preview; added in 9.4.0 x-metaTags: - content: Kibana name: product_name /api/fleet/agents/bulk_unenroll: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/fleet/agents/bulk_unenroll
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Unenroll multiple agents, optionally revoking their enrollment API keys.

[Required authorization] Route required privileges: fleet-agents-all. operationId: post-fleet-agents-bulk-unenroll parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: examples: postBulkUnenrollAgentsRequestExample: description: Unenroll multiple agents value: agents: - agent-id-1 - agent-id-2 revoke: false schema: additionalProperties: false type: object properties: agents: anyOf: - items: description: list of agent IDs type: string maxItems: 10000 type: array - description: KQL query string, leave empty to action all agents type: string batchSize: type: number force: description: Unenrolls hosted agents too type: boolean includeInactive: description: When passing agents by KQL query, unenrolls inactive agents too type: boolean revoke: description: Revokes API keys of agents type: boolean required: - agents responses: '200': content: application/json: examples: postBulkUnenrollAgentsExample: description: Bulk unenroll action result value: actionId: action-id-1 schema: additionalProperties: false type: object properties: actionId: type: string required: - actionId description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Bulk unenroll agents tags: - Elastic Agent actions x-metaTags: - content: Kibana name: product_name /api/fleet/agents/bulk_update_agent_tags: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/fleet/agents/bulk_update_agent_tags
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Add or remove tags across multiple agents.

[Required authorization] Route required privileges: fleet-agents-all. operationId: post-fleet-agents-bulk-update-agent-tags parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: examples: postBulkUpdateAgentTagsRequestExample: description: Add and remove tags across multiple agents value: agents: - agent-id-1 - agent-id-2 tagsToAdd: - production tagsToRemove: - staging schema: additionalProperties: false type: object properties: agents: anyOf: - items: type: string maxItems: 10000 type: array - type: string batchSize: type: number includeInactive: default: false type: boolean tagsToAdd: items: type: string maxItems: 10 type: array tagsToRemove: items: type: string maxItems: 10 type: array required: - agents responses: '200': content: application/json: examples: postBulkUpdateAgentTagsExample: description: Bulk action result value: actionId: action-id-1 schema: additionalProperties: false type: object properties: actionId: type: string required: - actionId description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Bulk update agent tags tags: - Elastic Agent actions x-metaTags: - content: Kibana name: product_name /api/fleet/agents/bulk_upgrade: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/fleet/agents/bulk_upgrade
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Upgrade multiple agents to a newer version, with optional rollout controls.

[Required authorization] Route required privileges: fleet-agents-all. operationId: post-fleet-agents-bulk-upgrade parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: examples: postBulkUpgradeAgentsRequestExample: description: Upgrade multiple agents to a specific version value: agents: - agent-id-1 - agent-id-2 rollout_duration_seconds: 3600 version: 8.17.0 schema: additionalProperties: false type: object properties: agents: anyOf: - items: type: string maxItems: 10000 type: array - type: string batchSize: type: number force: type: boolean includeInactive: default: false type: boolean rollout_duration_seconds: minimum: 600 type: number skipRateLimitCheck: type: boolean source_uri: type: string start_time: type: string version: type: string required: - agents - version responses: '200': content: application/json: examples: postBulkUpgradeAgentsExample: description: Bulk upgrade action result value: actionId: action-id-1 schema: additionalProperties: false type: object properties: actionId: type: string required: - actionId description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Bulk upgrade agents tags: - Elastic Agent actions x-metaTags: - content: Kibana name: product_name /api/fleet/agents/files/{fileId}: delete: description: |- **Spaces method and path for this operation:**
delete /s/{space_id}/api/fleet/agents/files/{fileId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Delete a file uploaded by an agent.

[Required authorization] Route required privileges: fleet-agents-all. operationId: delete-fleet-agents-files-fileid parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The ID of the uploaded file in: path name: fileId required: true schema: type: string responses: '200': content: application/json: examples: deleteAgentUploadFileExample: description: Uploaded file successfully deleted value: deleted: true id: file-id-1 schema: additionalProperties: false type: object properties: deleted: type: boolean id: type: string required: - id - deleted description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Delete an uploaded file tags: - Elastic Agents x-metaTags: - content: Kibana name: product_name /api/fleet/agents/files/{fileId}/{fileName}: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/fleet/agents/files/{fileId}/{fileName}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get a file uploaded by an agent.

[Required authorization] Route required privileges: fleet-agents-read. operationId: get-fleet-agents-files-fileid-filename parameters: - description: The ID of the uploaded file in: path name: fileId required: true schema: type: string - description: The name of the uploaded file in: path name: fileName required: true schema: type: string responses: '200': content: application/json: examples: getAgentUploadFileExample: description: The uploaded file content as a stream value: schema: type: object description: Successful response — returns the uploaded file content '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Get an uploaded file tags: - Elastic Agents x-metaTags: - content: Kibana name: product_name /api/fleet/agents/setup: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/fleet/agents/setup
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get the current Fleet setup status, including whether Fleet is ready to enroll agents and which requirements or optional features are missing.

[Required authorization] Route required privileges: fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup. operationId: get-fleet-agents-setup parameters: [] responses: '200': content: application/json: examples: agentsSetupNotReadyExample: description: Fleet is not ready — a Fleet Server and API keys are required value: is_action_secrets_storage_enabled: false is_secrets_storage_enabled: false is_space_awareness_enabled: false is_ssl_secrets_storage_enabled: false isReady: false missing_optional_features: - encrypted_saved_object_encryption_key_required missing_requirements: - fleet_server - api_keys agentsSetupReadyExample: description: Fleet is ready to enroll agents — all requirements are met value: is_action_secrets_storage_enabled: true is_secrets_storage_enabled: true is_space_awareness_enabled: false is_ssl_secrets_storage_enabled: false isReady: true missing_optional_features: [] missing_requirements: [] package_verification_key_id: D88DB4CC schema: additionalProperties: false description: A summary of the agent setup status. `isReady` indicates whether the setup is ready. If the setup is not ready, `missing_requirements` lists which requirements are missing. type: object properties: is_action_secrets_storage_enabled: type: boolean is_secrets_storage_enabled: type: boolean is_space_awareness_enabled: type: boolean is_ssl_secrets_storage_enabled: type: boolean isReady: type: boolean missing_optional_features: items: enum: - encrypted_saved_object_encryption_key_required type: string maxItems: 1 type: array missing_requirements: items: enum: - security_required - tls_required - api_keys - fleet_admin_user - fleet_server type: string maxItems: 5 type: array package_verification_key_id: type: string required: - isReady - missing_requirements - missing_optional_features description: Fleet setup status '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Get agent setup info tags: - Elastic Agents x-metaTags: - content: Kibana name: product_name post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/fleet/agents/setup
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Initialize Fleet. This endpoint is used by Elastic Agents to trigger Fleet setup. Safe to call multiple times; subsequent calls are idempotent.

[Required authorization] Route required privileges: fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup. operationId: post-fleet-agents-setup parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string responses: '200': content: application/json: examples: agentsSetupSuccessExample: description: Fleet setup initialized successfully with no non-fatal errors value: isInitialized: true nonFatalErrors: [] schema: additionalProperties: false description: A summary of the result of Fleet's `setup` lifecycle. If `isInitialized` is true, Fleet is ready to accept agent enrollment. `nonFatalErrors` may include useful insight into non-blocking issues with Fleet setup. type: object properties: isInitialized: type: boolean nonFatalErrors: items: additionalProperties: false type: object properties: message: type: string name: type: string required: - name - message maxItems: 10000 type: array required: - isInitialized - nonFatalErrors description: Fleet setup completed '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Initiate Fleet setup tags: - Elastic Agents x-metaTags: - content: Kibana name: product_name /api/fleet/agents/tags: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/fleet/agents/tags
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get a list of all tags used across enrolled agents.

[Required authorization] Route required privileges: fleet-agents-read. operationId: get-fleet-agents-tags parameters: - description: A KQL query string to filter results in: query name: kuery required: false schema: type: string - description: When true, include tags from inactive agents in: query name: showInactive required: false schema: default: false type: boolean responses: '200': content: application/json: examples: getAgentTagsExample: description: List of tags used across agents value: items: - production - linux - datacenter-1 schema: additionalProperties: false type: object properties: items: items: type: string maxItems: 10000 type: array required: - items description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Get agent tags tags: - Elastic Agents x-metaTags: - content: Kibana name: product_name /api/fleet/check-permissions: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/fleet/check-permissions
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Check whether the current user has the required permissions to use Fleet. Optionally verifies Fleet Server setup privileges. operationId: get-fleet-check-permissions parameters: - description: When true, check Fleet Server setup privileges in addition to standard Fleet privileges in: query name: fleetServerSetup required: false schema: type: boolean responses: '200': content: application/json: examples: checkPermissionsMissingPrivilegesExample: description: The current user is missing Fleet privileges value: error: MISSING_PRIVILEGES success: false checkPermissionsSuccessExample: description: The current user has all required Fleet permissions value: success: true schema: additionalProperties: false type: object properties: error: enum: - MISSING_SECURITY - MISSING_PRIVILEGES - MISSING_FLEET_SERVER_SETUP_PRIVILEGES type: string success: type: boolean required: - success description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Check permissions tags: - Fleet internals x-metaTags: - content: Kibana name: product_name /api/fleet/cloud_connectors: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/fleet/cloud_connectors
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. List all Fleet cloud connectors.

[Required authorization] Route required privileges: fleet-agent-policies-read OR integrations-read. operationId: get-fleet-cloud-connectors parameters: - description: The page number for pagination. in: query name: page required: false schema: type: string - description: The number of items per page. in: query name: perPage required: false schema: type: string - description: KQL query to filter cloud connectors. in: query name: kuery required: false schema: type: string responses: '200': content: application/json: examples: getCloudConnectorsExample: description: List of Fleet cloud connectors value: items: - accountType: single-account cloudProvider: aws created_at: '2024-01-15T10:00:00.000Z' id: cloud-connector-id-1 name: My AWS connector packagePolicyCount: 2 updated_at: '2024-01-15T10:00:00.000Z' vars: {} schema: additionalProperties: false type: object properties: items: items: additionalProperties: false type: object properties: accountType: type: string cloudProvider: type: string created_at: type: string id: type: string name: type: string namespace: type: string packagePolicyCount: type: number updated_at: type: string vars: additionalProperties: {} type: object verification_failed_at: type: string verification_started_at: type: string verification_status: type: string required: - id - name - cloudProvider - vars - packagePolicyCount - created_at - updated_at maxItems: 10000 type: array required: - items description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Get cloud connectors tags: - Fleet cloud connectors x-state: Technical Preview; added in 9.2.0 x-metaTags: - content: Kibana name: product_name post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/fleet/cloud_connectors
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Create a new Fleet cloud connector.

[Required authorization] Route required privileges: fleet-agent-policies-all OR integrations-all. operationId: post-fleet-cloud-connectors parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: examples: postCloudConnectorRequestExample: description: Create a new AWS cloud connector value: accountType: single-account cloudProvider: aws name: My AWS connector vars: {} schema: additionalProperties: false type: object properties: accountType: description: 'The account type: single-account (single account/subscription) or organization-account (organization-wide).' enum: - single-account - organization-account type: string cloudProvider: description: 'The cloud provider type: aws, azure, or gcp.' enum: - aws - azure - gcp type: string name: description: The name of the cloud connector. maxLength: 255 minLength: 1 type: string vars: additionalProperties: anyOf: - maxLength: 1000 type: string - type: number - type: boolean - additionalProperties: false type: object properties: frozen: type: boolean type: maxLength: 50 type: string value: anyOf: - maxLength: 1000 type: string - additionalProperties: false type: object properties: id: maxLength: 255 type: string isSecretRef: type: boolean required: - isSecretRef - id required: - type - value type: object required: - name - cloudProvider - vars responses: '200': content: application/json: examples: postCloudConnectorExample: description: The created Fleet cloud connector value: item: accountType: single-account cloudProvider: aws created_at: '2024-01-15T10:00:00.000Z' id: cloud-connector-id-2 name: My AWS connector packagePolicyCount: 0 updated_at: '2024-01-15T10:00:00.000Z' vars: {} schema: additionalProperties: false type: object properties: item: additionalProperties: false type: object properties: accountType: type: string cloudProvider: type: string created_at: type: string id: type: string name: type: string namespace: type: string packagePolicyCount: type: number updated_at: type: string vars: additionalProperties: {} type: object verification_failed_at: type: string verification_started_at: type: string verification_status: type: string required: - id - name - cloudProvider - vars - packagePolicyCount - created_at - updated_at required: - item description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Create cloud connector tags: - Fleet cloud connectors x-state: Technical Preview; added in 9.2.0 x-metaTags: - content: Kibana name: product_name /api/fleet/cloud_connectors/{cloudConnectorId}: delete: description: |- **Spaces method and path for this operation:**
delete /s/{space_id}/api/fleet/cloud_connectors/{cloudConnectorId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Delete a cloud connector by ID. Use the `force` query parameter to delete even if package policies are still using it.

[Required authorization] Route required privileges: fleet-agent-policies-all OR integrations-all. operationId: delete-fleet-cloud-connectors-cloudconnectorid parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The unique identifier of the cloud connector to delete. in: path name: cloudConnectorId required: true schema: type: string - description: If true, forces deletion even if the cloud connector is in use. in: query name: force required: false schema: type: boolean responses: '200': content: application/json: examples: deleteCloudConnectorExample: description: The cloud connector was successfully deleted value: id: cloud-connector-id-1 schema: additionalProperties: false type: object properties: id: type: string required: - id description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Delete cloud connector (supports force deletion) tags: - Fleet cloud connectors x-state: Technical Preview; added in 9.2.0 x-metaTags: - content: Kibana name: product_name get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/fleet/cloud_connectors/{cloudConnectorId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get a cloud connector by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read OR integrations-read. operationId: get-fleet-cloud-connectors-cloudconnectorid parameters: - description: The unique identifier of the cloud connector. in: path name: cloudConnectorId required: true schema: type: string responses: '200': content: application/json: examples: getCloudConnectorExample: description: A Fleet cloud connector value: item: accountType: single-account cloudProvider: aws created_at: '2024-01-15T10:00:00.000Z' id: cloud-connector-id-1 name: My AWS connector packagePolicyCount: 2 updated_at: '2024-01-15T10:00:00.000Z' vars: {} schema: additionalProperties: false type: object properties: item: additionalProperties: false type: object properties: accountType: type: string cloudProvider: type: string created_at: type: string id: type: string name: type: string namespace: type: string packagePolicyCount: type: number updated_at: type: string vars: additionalProperties: {} type: object verification_failed_at: type: string verification_started_at: type: string verification_status: type: string required: - id - name - cloudProvider - vars - packagePolicyCount - created_at - updated_at required: - item description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Get cloud connector tags: - Fleet cloud connectors x-state: Technical Preview; added in 9.2.0 x-metaTags: - content: Kibana name: product_name put: description: |- **Spaces method and path for this operation:**
put /s/{space_id}/api/fleet/cloud_connectors/{cloudConnectorId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Update a cloud connector by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all OR integrations-all. operationId: put-fleet-cloud-connectors-cloudconnectorid parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The unique identifier of the cloud connector to update. in: path name: cloudConnectorId required: true schema: type: string requestBody: content: application/json: examples: putCloudConnectorRequestExample: description: Update a Fleet cloud connector value: name: Updated AWS connector vars: {} schema: additionalProperties: false type: object properties: accountType: description: 'The account type: single-account (single account/subscription) or organization-account (organization-wide).' enum: - single-account - organization-account type: string name: description: The name of the cloud connector. maxLength: 255 minLength: 1 type: string vars: additionalProperties: anyOf: - maxLength: 1000 type: string - type: number - type: boolean - additionalProperties: false type: object properties: frozen: type: boolean type: maxLength: 50 type: string value: anyOf: - maxLength: 1000 type: string - additionalProperties: false type: object properties: id: maxLength: 255 type: string isSecretRef: type: boolean required: - isSecretRef - id required: - type - value type: object responses: '200': content: application/json: examples: putCloudConnectorExample: description: The updated Fleet cloud connector value: item: accountType: single-account cloudProvider: aws created_at: '2024-01-15T10:00:00.000Z' id: cloud-connector-id-1 name: Updated AWS connector packagePolicyCount: 2 updated_at: '2024-01-15T11:00:00.000Z' vars: {} schema: additionalProperties: false type: object properties: item: additionalProperties: false type: object properties: accountType: type: string cloudProvider: type: string created_at: type: string id: type: string name: type: string namespace: type: string packagePolicyCount: type: number updated_at: type: string vars: additionalProperties: {} type: object verification_failed_at: type: string verification_started_at: type: string verification_status: type: string required: - id - name - cloudProvider - vars - packagePolicyCount - created_at - updated_at required: - item description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Update cloud connector tags: - Fleet cloud connectors x-state: Technical Preview; added in 9.2.0 x-metaTags: - content: Kibana name: product_name /api/fleet/cloud_connectors/{cloudConnectorId}/usage: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/fleet/cloud_connectors/{cloudConnectorId}/usage
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get a list of package policies that are using a given cloud connector.

[Required authorization] Route required privileges: fleet-agent-policies-read OR integrations-read. operationId: get-fleet-cloud-connectors-cloudconnectorid-usage parameters: - description: The unique identifier of the cloud connector. in: path name: cloudConnectorId required: true schema: type: string - description: The page number for pagination. in: query name: page required: false schema: minimum: 1 type: number - description: The number of items per page. in: query name: perPage required: false schema: minimum: 1 type: number responses: '200': content: application/json: examples: getCloudConnectorUsageResponseExample: description: Example response showing package policies using the cloud connector value: items: - created_at: '2025-01-16T09:00:00.000Z' id: package-policy-1 name: CSPM AWS Policy package: name: cloud_security_posture title: Cloud Security Posture Management version: 3.1.1 policy_ids: - policy-id-123 - policy-id-456 updated_at: '2025-01-16T09:00:00.000Z' page: 1 perPage: 20 total: 2 schema: additionalProperties: false type: object properties: items: items: additionalProperties: false type: object properties: created_at: type: string id: type: string name: type: string package: additionalProperties: false type: object properties: name: type: string title: type: string version: type: string required: - name - title - version policy_ids: items: type: string maxItems: 10000 type: array updated_at: type: string required: - id - name - policy_ids - created_at - updated_at maxItems: 10000 type: array page: type: number perPage: type: number total: type: number required: - items - total - page - perPage description: 'OK: A successful request.' '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: Cloud connector not found statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: A bad request. summary: Get cloud connector usage (package policies using the connector) tags: - Fleet cloud connectors x-state: Technical Preview; added in 9.2.0 x-metaTags: - content: Kibana name: product_name /api/fleet/data_streams: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/fleet/data_streams
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. List all Fleet-managed data streams with metadata including package, namespace, size, and last activity.

[Required authorization] Route required privileges: fleet-agents-all AND fleet-agent-policies-all AND fleet-settings-all. operationId: get-fleet-data-streams parameters: [] responses: '200': content: application/json: examples: getDataStreamsExample: description: List of Fleet-managed data streams value: data_streams: - dashboards: - id: nginx-overview title: Nginx Overview dataset: nginx.access index: logs-nginx.access-default last_activity_ms: 1700000000000 namespace: default package: nginx package_version: 1.20.0 serviceDetails: null size_in_bytes: 1048576 size_in_bytes_formatted: 1mb type: logs - dashboards: [] dataset: system.cpu index: metrics-system.cpu-default last_activity_ms: 1699999000000 namespace: default package: system package_version: 1.38.0 serviceDetails: null size_in_bytes: 524288 size_in_bytes_formatted: 512kb type: metrics schema: additionalProperties: false type: object properties: data_streams: items: additionalProperties: false type: object properties: dashboards: items: additionalProperties: false type: object properties: id: type: string title: type: string required: - id - title maxItems: 10000 type: array dataset: type: string index: type: string last_activity_ms: type: number namespace: type: string package: type: string package_version: type: string serviceDetails: additionalProperties: false nullable: true type: object properties: environment: type: string serviceName: type: string required: - environment - serviceName size_in_bytes: type: number size_in_bytes_formatted: anyOf: - type: number - type: string type: type: string required: - index - dataset - namespace - type - package - package_version - last_activity_ms - size_in_bytes - size_in_bytes_formatted - dashboards - serviceDetails maxItems: 10000 type: array required: - data_streams description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Get data streams tags: - Data streams x-metaTags: - content: Kibana name: product_name /api/fleet/enrollment_api_keys: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/fleet/enrollment_api_keys
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. List all enrollment API keys.

[Required authorization] Route required privileges: fleet-agents-all OR fleet-setup. operationId: get-fleet-enrollment-api-keys parameters: - description: Page number in: query name: page required: false schema: default: 1 type: number - description: Number of results per page in: query name: perPage required: false schema: default: 20 type: number - description: A KQL query string to filter results in: query name: kuery required: false schema: type: string responses: '200': content: application/json: examples: getEnrollmentApiKeysExample: description: List of enrollment API keys value: items: - active: true api_key: api-key-value-1 api_key_id: api-key-id-1 created_at: '2024-01-01T00:00:00.000Z' id: key-id-1 name: Default policy enrollment key policy_id: policy-id-1 list: - active: true api_key: api-key-value-1 api_key_id: api-key-id-1 created_at: '2024-01-01T00:00:00.000Z' id: key-id-1 name: Default policy enrollment key policy_id: policy-id-1 page: 1 perPage: 20 total: 1 schema: additionalProperties: false type: object properties: items: items: additionalProperties: false type: object properties: active: description: When false, the enrollment API key is revoked and cannot be used for enrolling Elastic Agents. type: boolean api_key: description: The enrollment API key (token) used for enrolling Elastic Agents. type: string api_key_id: description: The ID of the API key in the Security API. type: string created_at: type: string hidden: type: boolean id: type: string name: description: The name of the enrollment API key. type: string policy_id: description: The ID of the agent policy the Elastic Agent will be enrolled in. type: string required: - id - api_key_id - api_key - active - created_at maxItems: 10000 type: array list: deprecated: true items: additionalProperties: false type: object properties: active: description: When false, the enrollment API key is revoked and cannot be used for enrolling Elastic Agents. type: boolean api_key: description: The enrollment API key (token) used for enrolling Elastic Agents. type: string api_key_id: description: The ID of the API key in the Security API. type: string created_at: type: string hidden: type: boolean id: type: string name: description: The name of the enrollment API key. type: string policy_id: description: The ID of the agent policy the Elastic Agent will be enrolled in. type: string required: - id - api_key_id - api_key - active - created_at maxItems: 10000 type: array page: type: number perPage: type: number total: type: number required: - items - total - page - perPage - list description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Get enrollment API keys tags: - Fleet enrollment API keys x-metaTags: - content: Kibana name: product_name post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/fleet/enrollment_api_keys
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Create an enrollment API key for a given agent policy.

[Required authorization] Route required privileges: fleet-agents-all. operationId: post-fleet-enrollment-api-keys parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: examples: postEnrollmentApiKeyRequestExample: description: Create an enrollment API key for an agent policy value: expiration: '2025-01-01T00:00:00.000Z' name: My enrollment key policy_id: policy-id-1 schema: additionalProperties: false type: object properties: expiration: type: string name: type: string policy_id: type: string required: - policy_id responses: '200': content: application/json: examples: postEnrollmentApiKeyExample: description: The created enrollment API key value: action: created item: active: true api_key: api-key-value-1 api_key_id: api-key-id-1 created_at: '2024-01-01T00:00:00.000Z' id: key-id-1 name: My enrollment key policy_id: policy-id-1 schema: additionalProperties: false type: object properties: action: enum: - created type: string item: additionalProperties: false type: object properties: active: description: When false, the enrollment API key is revoked and cannot be used for enrolling Elastic Agents. type: boolean api_key: description: The enrollment API key (token) used for enrolling Elastic Agents. type: string api_key_id: description: The ID of the API key in the Security API. type: string created_at: type: string hidden: type: boolean id: type: string name: description: The name of the enrollment API key. type: string policy_id: description: The ID of the agent policy the Elastic Agent will be enrolled in. type: string required: - id - api_key_id - api_key - active - created_at required: - item - action description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Create an enrollment API key tags: - Fleet enrollment API keys x-metaTags: - content: Kibana name: product_name /api/fleet/enrollment_api_keys/{keyId}: delete: description: |- **Spaces method and path for this operation:**
delete /s/{space_id}/api/fleet/enrollment_api_keys/{keyId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Revoke an enrollment API key by ID by marking it as inactive.

[Required authorization] Route required privileges: fleet-agents-all. operationId: delete-fleet-enrollment-api-keys-keyid parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The ID of the enrollment API key in: path name: keyId required: true schema: type: string responses: '200': content: application/json: examples: deleteEnrollmentApiKeyExample: description: The enrollment API key was successfully revoked value: action: deleted schema: additionalProperties: false type: object properties: action: enum: - deleted type: string required: - action description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request '404': content: application/json: examples: notFoundExample: description: No enrollment API key was found with the given ID value: error: Not Found message: EnrollmentAPIKey key-id-1 not found statusCode: 404 description: Not Found summary: Revoke an enrollment API key tags: - Fleet enrollment API keys x-metaTags: - content: Kibana name: product_name get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/fleet/enrollment_api_keys/{keyId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get an enrollment API key by ID.

[Required authorization] Route required privileges: fleet-agents-all OR fleet-setup. operationId: get-fleet-enrollment-api-keys-keyid parameters: - description: The ID of the enrollment API key in: path name: keyId required: true schema: type: string responses: '200': content: application/json: examples: getEnrollmentApiKeyExample: description: An enrollment API key value: item: active: true api_key: api-key-value-1 api_key_id: api-key-id-1 created_at: '2024-01-01T00:00:00.000Z' id: key-id-1 name: Default policy enrollment key policy_id: policy-id-1 schema: additionalProperties: false type: object properties: item: additionalProperties: false type: object properties: active: description: When false, the enrollment API key is revoked and cannot be used for enrolling Elastic Agents. type: boolean api_key: description: The enrollment API key (token) used for enrolling Elastic Agents. type: string api_key_id: description: The ID of the API key in the Security API. type: string created_at: type: string hidden: type: boolean id: type: string name: description: The name of the enrollment API key. type: string policy_id: description: The ID of the agent policy the Elastic Agent will be enrolled in. type: string required: - id - api_key_id - api_key - active - created_at required: - item description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request '404': content: application/json: examples: notFoundExample: description: No enrollment API key was found with the given ID value: error: Not Found message: EnrollmentAPIKey key-id-1 not found statusCode: 404 description: Not Found summary: Get an enrollment API key tags: - Fleet enrollment API keys x-metaTags: - content: Kibana name: product_name /api/fleet/epm/bulk_assets: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/fleet/epm/bulk_assets
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Retrieve multiple Kibana saved object assets by their IDs and types.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. operationId: post-fleet-epm-bulk-assets parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: examples: postBulkGetAssetsRequestExample: description: Retrieve multiple assets by their IDs and types value: assetIds: - id: dashboard-id-1 type: dashboard - id: index-pattern-id-1 type: index_pattern schema: additionalProperties: false type: object properties: assetIds: items: additionalProperties: false type: object properties: id: type: string type: type: string required: - id - type maxItems: 10000 type: array required: - assetIds responses: '200': content: application/json: examples: postBulkGetAssetsExample: description: Requested assets value: items: - appLink: /app/dashboards#/view/dashboard-id-1 attributes: title: My Dashboard id: dashboard-id-1 type: dashboard schema: additionalProperties: false type: object properties: items: items: additionalProperties: false type: object properties: appLink: type: string attributes: additionalProperties: false type: object properties: description: type: string service: type: string title: type: string id: type: string type: type: string updatedAt: type: string required: - id - type - attributes maxItems: 10000 type: array required: - items description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Bulk get assets tags: - Elastic Package Manager (EPM) x-metaTags: - content: Kibana name: product_name /api/fleet/epm/categories: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/fleet/epm/categories
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get a list of integration categories.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. operationId: get-fleet-epm-categories parameters: - description: When true, include prerelease packages in the results in: query name: prerelease required: false schema: type: boolean - description: When true, include categories that only contain policy templates in: query name: include_policy_templates required: false schema: type: boolean responses: '200': content: application/json: examples: getCategoriesExample: description: List of integration categories value: items: - count: 42 id: security title: Security - count: 38 id: observability title: Observability schema: additionalProperties: false type: object properties: items: items: additionalProperties: false type: object properties: count: type: number id: type: string parent_id: type: string parent_title: type: string title: type: string required: - id - title - count maxItems: 10000 type: array required: - items description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Get package categories tags: - Elastic Package Manager (EPM) x-metaTags: - content: Kibana name: product_name /api/fleet/epm/custom_integrations: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/fleet/epm/custom_integrations
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Create a new custom integration package with user-defined data streams.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. operationId: post-fleet-epm-custom-integrations parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: examples: postCreateCustomIntegrationRequestExample: description: Create a new custom integration value: datasets: - name: my_custom_logs.access type: logs integrationName: my_custom_logs schema: additionalProperties: false type: object properties: datasets: items: additionalProperties: false type: object properties: name: type: string type: enum: - logs - metrics - traces - synthetics - profiling type: string required: - name - type maxItems: 10 type: array force: type: boolean integrationName: type: string required: - integrationName - datasets responses: '200': content: application/json: examples: postCreateCustomIntegrationExample: description: Custom integration successfully created value: _meta: install_source: custom items: - id: my_custom_logs-logs-my_custom_logs.access type: index_template schema: additionalProperties: false type: object properties: _meta: additionalProperties: false type: object properties: install_source: type: string name: type: string required: - install_source - name items: items: anyOf: - additionalProperties: false type: object properties: deferred: type: boolean id: type: string originId: type: string type: anyOf: - enum: - dashboard - lens - visualization - search - index-pattern - map - ml-module - security-rule - csp-rule-template - osquery-pack-asset - osquery-saved-query - tag type: string - type: string required: - id - type - additionalProperties: false type: object properties: deferred: type: boolean id: type: string type: enum: - index - index_template - component_template - ingest_pipeline - ilm_policy - data_stream_ilm_policy - transform - ml_model - knowledge_base - esql_view type: string version: type: string required: - id - type maxItems: 10000 type: array required: - items - _meta description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Create a custom integration tags: - Elastic Package Manager (EPM) x-metaTags: - content: Kibana name: product_name /api/fleet/epm/custom_integrations/{pkgName}: put: description: |- **Spaces method and path for this operation:**
put /s/{space_id}/api/fleet/epm/custom_integrations/{pkgName}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Update the datasets of an existing custom integration package.

[Required authorization] Route required privileges: fleet-settings-all AND integrations-all. operationId: put-fleet-epm-custom-integrations-pkgname parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: Package name in: path name: pkgName required: true schema: type: string requestBody: content: application/json: examples: putUpdateCustomIntegrationRequestExample: description: Update a custom integration value: datasets: - name: my_custom_logs.access type: logs integrationName: my_custom_logs schema: additionalProperties: false type: object properties: categories: items: type: string maxItems: 10 type: array readMeData: type: string required: - readMeData responses: '200': content: application/json: examples: putUpdateCustomIntegrationExample: description: Custom integration successfully updated value: {} description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Update a custom integration tags: - Elastic Package Manager (EPM) x-metaTags: - content: Kibana name: product_name /api/fleet/epm/data_streams: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/fleet/epm/data_streams
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get a list of data streams created by installed integration packages.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. operationId: get-fleet-epm-data-streams parameters: - description: Filter by data stream type in: query name: type required: false schema: enum: - logs - metrics - traces - synthetics - profiling type: string - description: Filter data streams by dataset name in: query name: datasetQuery required: false schema: type: string - description: Sort order, ascending or descending in: query name: sortOrder required: false schema: default: asc enum: - asc - desc type: string - description: When true, only return data streams that are not associated with a package in: query name: uncategorisedOnly required: false schema: default: false type: boolean responses: '200': content: application/json: examples: getDataStreamsExample: description: List of data streams from installed packages value: data_streams: - ilm_policy: logs-default index_template: logs-system.syslog name: logs-system.syslog-default package: system package_version: 1.55.0 title: System syslog logs schema: additionalProperties: false type: object properties: items: items: additionalProperties: false type: object properties: name: type: string required: - name maxItems: 10000 type: array required: - items description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Get data streams tags: - Data streams x-metaTags: - content: Kibana name: product_name /api/fleet/epm/packages: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/fleet/epm/packages
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get a list of integration packages available in the registry.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. operationId: get-fleet-epm-packages parameters: - description: Filter packages by category in: query name: category required: false schema: type: string - description: When true, include prerelease packages in the results in: query name: prerelease required: false schema: type: boolean - description: When true, exclude the install status from the response in: query name: excludeInstallStatus required: false schema: type: boolean - description: When true, include the number of package policies per package in: query name: withPackagePoliciesCount required: false schema: type: boolean responses: '200': content: application/json: examples: getPackagesExample: description: List of available integration packages value: items: - categories: - cloud description: Collect logs and metrics from Amazon Web Services id: aws name: aws status: not_installed title: AWS version: 2.10.0 searchExcluded: 0 total: 1 schema: additionalProperties: false type: object properties: items: items: additionalProperties: true type: object properties: categories: items: type: string maxItems: 100 type: array conditions: additionalProperties: true type: object properties: deprecated: additionalProperties: true type: object properties: description: type: string replaced_by: additionalProperties: type: string type: object since: type: string required: - description elastic: additionalProperties: true type: object properties: capabilities: items: type: string maxItems: 10 type: array subscription: type: string kibana: additionalProperties: true type: object properties: version: type: string data_streams: items: additionalProperties: {} type: object maxItems: 1000 type: array deprecated: additionalProperties: true type: object properties: description: type: string replaced_by: additionalProperties: type: string type: object since: type: string required: - description description: type: string discovery: additionalProperties: true type: object properties: datasets: items: additionalProperties: true type: object properties: name: type: string required: - name maxItems: 100 type: array fields: items: additionalProperties: true type: object properties: name: type: string required: - name maxItems: 100 type: array download: type: string format_version: type: string icons: items: additionalProperties: true type: object properties: dark_mode: type: boolean path: type: string size: type: string src: type: string title: type: string type: type: string required: - src maxItems: 100 type: array id: type: string installationInfo: additionalProperties: true type: object properties: additional_spaces_installed_kibana: additionalProperties: items: additionalProperties: true type: object properties: deferred: type: boolean id: type: string originId: type: string type: anyOf: - enum: - dashboard - lens - visualization - search - index-pattern - map - ml-module - security-rule - csp-rule-template - osquery-pack-asset - osquery-saved-query - tag type: string - type: string required: - id - type maxItems: 100 type: array type: object created_at: type: string experimental_data_stream_features: items: additionalProperties: true type: object properties: data_stream: type: string features: additionalProperties: true type: object properties: doc_value_only_numeric: type: boolean doc_value_only_other: type: boolean synthetic_source: type: boolean tsdb: type: boolean required: - data_stream - features maxItems: 100 type: array install_format_schema_version: type: string install_source: enum: - registry - upload - bundled - custom type: string install_status: enum: - installed - installing - install_failed type: string installed_es: items: additionalProperties: true type: object properties: deferred: type: boolean id: type: string type: enum: - index - index_template - component_template - ingest_pipeline - ilm_policy - data_stream_ilm_policy - transform - ml_model - knowledge_base - esql_view type: string version: type: string required: - id - type maxItems: 10000 type: array installed_kibana: items: additionalProperties: true type: object properties: deferred: type: boolean id: type: string originId: type: string type: anyOf: - enum: - dashboard - lens - visualization - search - index-pattern - map - ml-module - security-rule - csp-rule-template - osquery-pack-asset - osquery-saved-query - tag type: string - type: string required: - id - type maxItems: 10000 type: array installed_kibana_space_id: type: string is_rollback_ttl_expired: type: boolean latest_executed_state: additionalProperties: true type: object properties: error: type: string name: type: string started_at: type: string latest_install_failed_attempts: items: additionalProperties: true type: object properties: created_at: type: string error: additionalProperties: true type: object properties: message: type: string name: type: string stack: type: string required: - name - message target_version: type: string required: - created_at - target_version - error maxItems: 10 type: array name: type: string namespaces: items: type: string maxItems: 100 type: array previous_version: nullable: true type: string rolled_back: type: boolean type: type: string updated_at: type: string verification_key_id: nullable: true type: string verification_status: enum: - unverified - verified - unknown type: string version: type: string required: - type - installed_kibana - installed_es - name - version - install_status - install_source - verification_status integration: type: string internal: type: boolean latestVersion: type: string name: type: string owner: additionalProperties: true type: object properties: github: type: string type: enum: - elastic - partner - community type: string path: type: string policy_templates: items: additionalProperties: {} type: object maxItems: 1000 type: array readme: type: string release: enum: - ga - beta - experimental type: string signature_path: type: string source: additionalProperties: true type: object properties: license: type: string required: - license status: type: string title: type: string type: anyOf: - enum: - integration type: string - enum: - input type: string - enum: - content type: string - type: string var_groups: items: additionalProperties: true type: object properties: description: type: string name: type: string options: items: additionalProperties: true type: object properties: description: type: string hide_in_deployment_modes: items: enum: - default - agentless type: string maxItems: 2 type: array name: type: string title: type: string vars: items: type: string maxItems: 100 type: array required: - name - title - vars maxItems: 100 type: array selector_title: type: string title: type: string required: - name - title - selector_title - options maxItems: 100 type: array vars: items: additionalProperties: {} type: object maxItems: 1000 type: array version: type: string required: - name - version - title - id maxItems: 10000 type: array required: - items description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Get packages tags: - Elastic Package Manager (EPM) x-metaTags: - content: Kibana name: product_name post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/fleet/epm/packages
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Install a package by uploading a .zip or .tar.gz archive (max 100MB). Only available to superusers.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. operationId: post-fleet-epm-packages parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: When true, ignore mapping update errors during installation in: query name: ignoreMappingUpdateErrors required: false schema: default: false type: boolean - description: When true, skip data stream rollover after installation in: query name: skipDataStreamRollover required: false schema: default: false type: boolean requestBody: content: application/gzip: examples: postInstallByUploadRequestExample: description: Upload a .zip or .tar.gz package archive (max 100MB) value: application/gzip; application/zip: examples: postInstallByUploadRequestExample: description: Upload a .zip or .tar.gz package archive (max 100MB) value: schema: format: binary type: string responses: '200': content: application/gzip; application/zip: examples: postInstallByUploadExample: description: Package successfully installed from upload value: _meta: install_source: upload items: - id: my-custom-package-logs-default type: index_template schema: additionalProperties: false type: object properties: _meta: additionalProperties: false type: object properties: install_source: type: string name: type: string required: - install_source - name items: items: anyOf: - additionalProperties: false type: object properties: deferred: type: boolean id: type: string originId: type: string type: anyOf: - enum: - dashboard - lens - visualization - search - index-pattern - map - ml-module - security-rule - csp-rule-template - osquery-pack-asset - osquery-saved-query - tag type: string - type: string required: - id - type - additionalProperties: false type: object properties: deferred: type: boolean id: type: string type: enum: - index - index_template - component_template - ingest_pipeline - ilm_policy - data_stream_ilm_policy - transform - ml_model - knowledge_base - esql_view type: string version: type: string required: - id - type maxItems: 10000 type: array required: - items - _meta application/json: examples: postInstallByUploadExample: description: Package successfully installed from upload value: _meta: install_source: upload items: - id: my-custom-package-logs-default type: index_template description: Successful response '400': content: application/gzip; application/zip: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 description: Bad Request summary: Install a package by upload tags: - Elastic Package Manager (EPM) x-metaTags: - content: Kibana name: product_name /api/fleet/epm/packages/_bulk: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/fleet/epm/packages/_bulk
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Install multiple packages from the Elastic Package Registry in a single request.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. operationId: post-fleet-epm-packages-bulk parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: When true, allow installing prerelease versions in: query name: prerelease required: false schema: type: boolean requestBody: content: application/json: examples: postBulkInstallPackagesRequestExample: description: Install multiple packages from the registry value: packages: - system - aws schema: additionalProperties: false type: object properties: force: default: false type: boolean packages: items: anyOf: - type: string - additionalProperties: false type: object properties: name: type: string prerelease: type: boolean version: type: string required: - name - version maxItems: 1000 minItems: 1 type: array required: - packages responses: '200': content: application/json: examples: postBulkInstallPackagesExample: description: Bulk install results value: items: - name: system result: assets: [] status: installed - name: aws result: assets: [] status: installed schema: additionalProperties: false type: object properties: items: items: anyOf: - additionalProperties: false type: object properties: name: type: string result: additionalProperties: false type: object properties: assets: items: anyOf: - additionalProperties: false type: object properties: deferred: type: boolean id: type: string originId: type: string type: anyOf: - enum: - dashboard - lens - visualization - search - index-pattern - map - ml-module - security-rule - csp-rule-template - osquery-pack-asset - osquery-saved-query - tag type: string - type: string required: - id - type - additionalProperties: false type: object properties: deferred: type: boolean id: type: string type: enum: - index - index_template - component_template - ingest_pipeline - ilm_policy - data_stream_ilm_policy - transform - ml_model - knowledge_base - esql_view type: string version: type: string required: - id - type maxItems: 10000 type: array error: {} installSource: type: string installType: type: string status: enum: - installed - already_installed type: string required: - error - installType version: type: string required: - name - version - result - additionalProperties: false type: object properties: error: anyOf: - type: string - {} name: type: string statusCode: type: number required: - name - statusCode - error maxItems: 10000 type: array required: - items description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Bulk install packages tags: - Elastic Package Manager (EPM) x-metaTags: - content: Kibana name: product_name /api/fleet/epm/packages/_bulk_rollback: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/fleet/epm/packages/_bulk_rollback
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Rollback multiple packages to their previous versions.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. operationId: post-fleet-epm-packages-bulk-rollback parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: examples: bulkRollbackRequest: value: packages: - name: system schema: additionalProperties: false type: object properties: packages: items: additionalProperties: false type: object properties: name: description: Package name to rollback type: string required: - name maxItems: 1000 minItems: 1 type: array required: - packages responses: '200': content: application/json: examples: successResponse: value: taskId: taskId schema: additionalProperties: false type: object properties: taskId: type: string required: - taskId description: 'OK: A successful request.' '400': content: application/json: examples: badRequestResponse: value: message: Bad Request schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: A bad request. summary: Bulk rollback packages tags: - Elastic Package Manager (EPM) x-metaTags: - content: Kibana name: product_name /api/fleet/epm/packages/_bulk_rollback/{taskId}: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/fleet/epm/packages/_bulk_rollback/{taskId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get the status and results of a bulk package rollback operation.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. operationId: get-fleet-epm-packages-bulk-rollback-taskid parameters: - description: Task ID of the bulk operation in: path name: taskId required: true schema: type: string responses: '200': content: application/json: examples: successResponse: value: status: success schema: additionalProperties: false type: object properties: error: additionalProperties: false type: object properties: message: type: string required: - message results: items: additionalProperties: false type: object properties: error: additionalProperties: false type: object properties: message: type: string required: - message name: type: string success: type: boolean required: - name - success maxItems: 10000 type: array status: type: string required: - status description: 'OK: A successful request.' '400': content: application/json: examples: badRequestResponse: value: message: Bad Request schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: A bad request. summary: Get Bulk rollback packages details tags: - Elastic Package Manager (EPM) x-metaTags: - content: Kibana name: product_name /api/fleet/epm/packages/_bulk_uninstall: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/fleet/epm/packages/_bulk_uninstall
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Uninstall multiple packages in a single operation.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. operationId: post-fleet-epm-packages-bulk-uninstall parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: examples: postBulkUninstallPackagesRequestExample: description: Uninstall multiple packages value: packages: - name: aws - name: gcp schema: additionalProperties: false type: object properties: force: default: false type: boolean packages: items: additionalProperties: false type: object properties: name: type: string version: type: string required: - name - version maxItems: 1000 minItems: 1 type: array required: - packages responses: '200': content: application/json: examples: postBulkUninstallPackagesExample: description: Bulk uninstall task initiated value: taskId: task-id-1 schema: additionalProperties: false type: object properties: taskId: type: string required: - taskId description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Bulk uninstall packages tags: - Elastic Package Manager (EPM) x-metaTags: - content: Kibana name: product_name /api/fleet/epm/packages/_bulk_uninstall/{taskId}: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/fleet/epm/packages/_bulk_uninstall/{taskId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get the status and results of a bulk package uninstall operation.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. operationId: get-fleet-epm-packages-bulk-uninstall-taskid parameters: - description: Task ID of the bulk operation in: path name: taskId required: true schema: type: string responses: '200': content: application/json: examples: getBulkOperationDetailsExample: description: Details of the bulk operation task value: packages: - name: system result: installed - name: elastic_agent result: installed status: success schema: additionalProperties: false type: object properties: error: additionalProperties: false type: object properties: message: type: string required: - message results: items: additionalProperties: false type: object properties: error: additionalProperties: false type: object properties: message: type: string required: - message name: type: string success: type: boolean required: - name - success maxItems: 10000 type: array status: type: string required: - status description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Get Bulk uninstall packages details tags: - Elastic Package Manager (EPM) x-metaTags: - content: Kibana name: product_name /api/fleet/epm/packages/_bulk_upgrade: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/fleet/epm/packages/_bulk_upgrade
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Upgrade multiple packages to their latest versions.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. operationId: post-fleet-epm-packages-bulk-upgrade parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: examples: postBulkUpgradePackagesRequestExample: description: Upgrade multiple packages to their latest versions value: packages: - name: system - name: elastic_agent schema: additionalProperties: false type: object properties: force: default: false type: boolean packages: items: additionalProperties: false type: object properties: name: type: string version: type: string required: - name maxItems: 1000 minItems: 1 type: array prerelease: type: boolean upgrade_package_policies: default: false type: boolean required: - packages responses: '200': content: application/json: examples: postBulkUpgradePackagesExample: description: Bulk upgrade task initiated value: taskId: task-id-1 schema: additionalProperties: false type: object properties: taskId: type: string required: - taskId description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Bulk upgrade packages tags: - Elastic Package Manager (EPM) x-metaTags: - content: Kibana name: product_name /api/fleet/epm/packages/_bulk_upgrade/{taskId}: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/fleet/epm/packages/_bulk_upgrade/{taskId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get the status and results of a bulk package upgrade operation.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. operationId: get-fleet-epm-packages-bulk-upgrade-taskid parameters: - description: Task ID of the bulk operation in: path name: taskId required: true schema: type: string responses: '200': content: application/json: examples: getBulkOperationDetailsExample: description: Details of the bulk operation task value: packages: - name: system result: installed - name: elastic_agent result: installed status: success schema: additionalProperties: false type: object properties: error: additionalProperties: false type: object properties: message: type: string required: - message results: items: additionalProperties: false type: object properties: error: additionalProperties: false type: object properties: message: type: string required: - message name: type: string success: type: boolean required: - name - success maxItems: 10000 type: array status: type: string required: - status description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Get Bulk upgrade packages details tags: - Elastic Package Manager (EPM) x-metaTags: - content: Kibana name: product_name /api/fleet/epm/packages/{pkgName}: delete: description: |- **Spaces method and path for this operation:**
delete /s/{space_id}/api/fleet/epm/packages/{pkgName}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Uninstall a package and remove all its assets.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. operationId: delete-fleet-epm-packages-pkgname parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: Package name in: path name: pkgName required: true schema: type: string - description: When true, delete the package even if it has active package policies in: query name: force required: false schema: type: boolean responses: '200': content: application/json: examples: deletePackageExample: description: Package successfully deleted value: items: - id: aws-logs-aws.cloudwatch_logs-default type: index_template schema: additionalProperties: false type: object properties: items: items: anyOf: - additionalProperties: false type: object properties: deferred: type: boolean id: type: string originId: type: string type: anyOf: - enum: - dashboard - lens - visualization - search - index-pattern - map - ml-module - security-rule - csp-rule-template - osquery-pack-asset - osquery-saved-query - tag type: string - type: string required: - id - type - additionalProperties: false type: object properties: deferred: type: boolean id: type: string type: enum: - index - index_template - component_template - ingest_pipeline - ilm_policy - data_stream_ilm_policy - transform - ml_model - knowledge_base - esql_view type: string version: type: string required: - id - type maxItems: 10000 type: array required: - items description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Delete a package tags: - Elastic Package Manager (EPM) x-metaTags: - content: Kibana name: product_name get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/fleet/epm/packages/{pkgName}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get information about a package by name, returning the latest installed or available version. operationId: get-fleet-epm-packages-pkgname parameters: - description: Package name in: path name: pkgName required: true schema: type: string - description: When true, returns the package even if the signature cannot be verified in: query name: ignoreUnverified required: false schema: type: boolean - description: When true, include prerelease versions in: query name: prerelease required: false schema: type: boolean - description: When true, return the full package info including assets in: query name: full required: false schema: type: boolean - description: When true, include package metadata such as whether it has package policies in: query name: withMetadata required: false schema: default: false type: boolean responses: '200': content: application/json: examples: getPackageInfoExample: description: Package details and installation status value: item: assets: kibana: dashboard: [] index_pattern: [] categories: - cloud description: Collect logs and metrics from Amazon Web Services name: aws status: installed title: AWS version: 2.10.0 schema: additionalProperties: false type: object properties: item: additionalProperties: true type: object properties: agent: additionalProperties: false type: object properties: privileges: additionalProperties: false type: object properties: root: type: boolean asset_tags: items: additionalProperties: false type: object properties: asset_ids: items: type: string maxItems: 1000 type: array asset_types: items: type: string maxItems: 100 type: array text: type: string required: - text maxItems: 1000 type: array assets: additionalProperties: {} type: object categories: items: type: string maxItems: 100 type: array conditions: additionalProperties: true type: object properties: deprecated: additionalProperties: true type: object properties: description: type: string replaced_by: additionalProperties: type: string type: object since: type: string required: - description elastic: additionalProperties: true type: object properties: capabilities: items: type: string maxItems: 10 type: array subscription: type: string kibana: additionalProperties: true type: object properties: version: type: string data_streams: items: additionalProperties: {} type: object maxItems: 1000 type: array deprecated: additionalProperties: true type: object properties: description: type: string replaced_by: additionalProperties: type: string type: object since: type: string required: - description description: type: string discovery: additionalProperties: true type: object properties: datasets: items: additionalProperties: true type: object properties: name: type: string required: - name maxItems: 100 type: array fields: items: additionalProperties: true type: object properties: name: type: string required: - name maxItems: 100 type: array download: type: string elasticsearch: additionalProperties: {} type: object format_version: type: string icons: items: additionalProperties: true type: object properties: dark_mode: type: boolean path: type: string size: type: string src: type: string title: type: string type: type: string required: - src maxItems: 100 type: array installationInfo: additionalProperties: true type: object properties: additional_spaces_installed_kibana: additionalProperties: items: additionalProperties: true type: object properties: deferred: type: boolean id: type: string originId: type: string type: anyOf: - enum: - dashboard - lens - visualization - search - index-pattern - map - ml-module - security-rule - csp-rule-template - osquery-pack-asset - osquery-saved-query - tag type: string - type: string required: - id - type maxItems: 100 type: array type: object created_at: type: string experimental_data_stream_features: items: additionalProperties: true type: object properties: data_stream: type: string features: additionalProperties: true type: object properties: doc_value_only_numeric: type: boolean doc_value_only_other: type: boolean synthetic_source: type: boolean tsdb: type: boolean required: - data_stream - features maxItems: 100 type: array install_format_schema_version: type: string install_source: enum: - registry - upload - bundled - custom type: string install_status: enum: - installed - installing - install_failed type: string installed_es: items: additionalProperties: true type: object properties: deferred: type: boolean id: type: string type: enum: - index - index_template - component_template - ingest_pipeline - ilm_policy - data_stream_ilm_policy - transform - ml_model - knowledge_base - esql_view type: string version: type: string required: - id - type maxItems: 10000 type: array installed_kibana: items: additionalProperties: true type: object properties: deferred: type: boolean id: type: string originId: type: string type: anyOf: - enum: - dashboard - lens - visualization - search - index-pattern - map - ml-module - security-rule - csp-rule-template - osquery-pack-asset - osquery-saved-query - tag type: string - type: string required: - id - type maxItems: 10000 type: array installed_kibana_space_id: type: string is_rollback_ttl_expired: type: boolean latest_executed_state: additionalProperties: true type: object properties: error: type: string name: type: string started_at: type: string latest_install_failed_attempts: items: additionalProperties: true type: object properties: created_at: type: string error: additionalProperties: true type: object properties: message: type: string name: type: string stack: type: string required: - name - message target_version: type: string required: - created_at - target_version - error maxItems: 10 type: array name: type: string namespaces: items: type: string maxItems: 100 type: array previous_version: nullable: true type: string rolled_back: type: boolean type: type: string updated_at: type: string verification_key_id: nullable: true type: string verification_status: enum: - unverified - verified - unknown type: string version: type: string required: - type - installed_kibana - installed_es - name - version - install_status - install_source - verification_status internal: type: boolean keepPoliciesUpToDate: type: boolean latestVersion: type: string license: type: string licensePath: type: string name: type: string notice: type: string owner: additionalProperties: true type: object properties: github: type: string type: enum: - elastic - partner - community type: string path: type: string policy_templates: items: additionalProperties: {} type: object maxItems: 1000 type: array readme: type: string release: enum: - ga - beta - experimental type: string screenshots: items: additionalProperties: false type: object properties: dark_mode: type: boolean path: type: string size: type: string src: type: string title: type: string type: type: string required: - src maxItems: 100 type: array signature_path: type: string source: additionalProperties: true type: object properties: license: type: string required: - license status: type: string title: type: string type: anyOf: - enum: - integration type: string - enum: - input type: string - enum: - content type: string - type: string var_groups: items: additionalProperties: true type: object properties: description: type: string name: type: string options: items: additionalProperties: true type: object properties: description: type: string hide_in_deployment_modes: items: enum: - default - agentless type: string maxItems: 2 type: array name: type: string title: type: string vars: items: type: string maxItems: 100 type: array required: - name - title - vars maxItems: 100 type: array selector_title: type: string title: type: string required: - name - title - selector_title - options maxItems: 100 type: array vars: items: additionalProperties: {} type: object maxItems: 1000 type: array version: type: string required: - name - version - title - assets metadata: additionalProperties: false type: object properties: has_policies: type: boolean required: - has_policies required: - item description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Get a package tags: - Elastic Package Manager (EPM) x-metaTags: - content: Kibana name: product_name post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/fleet/epm/packages/{pkgName}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Install the latest version of a package from the Elastic Package Registry.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. operationId: post-fleet-epm-packages-pkgname parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: Package name in: path name: pkgName required: true schema: type: string - description: When true, allow installing prerelease versions in: query name: prerelease required: false schema: type: boolean - description: When true, ignore mapping update errors during installation in: query name: ignoreMappingUpdateErrors required: false schema: default: false type: boolean - description: When true, skip data stream rollover after installation in: query name: skipDataStreamRollover required: false schema: default: false type: boolean - description: Skip dependency validation when installing a package with dependencies in: query name: skipDependencyCheck required: false schema: default: false type: boolean requestBody: content: application/json: examples: postInstallPackageRequestExample: description: Install a package, optionally ignoring constraints value: ignore_constraints: false schema: additionalProperties: false nullable: true type: object properties: force: default: false type: boolean ignore_constraints: default: false type: boolean responses: '200': content: application/json: examples: postInstallPackageExample: description: Package successfully installed value: _meta: install_source: registry items: - id: aws-logs-aws.cloudwatch_logs-default type: index_template schema: additionalProperties: false type: object properties: _meta: additionalProperties: false type: object properties: install_source: type: string name: type: string required: - install_source - name items: items: anyOf: - additionalProperties: false type: object properties: deferred: type: boolean id: type: string originId: type: string type: anyOf: - enum: - dashboard - lens - visualization - search - index-pattern - map - ml-module - security-rule - csp-rule-template - osquery-pack-asset - osquery-saved-query - tag type: string - type: string required: - id - type - additionalProperties: false type: object properties: deferred: type: boolean id: type: string type: enum: - index - index_template - component_template - ingest_pipeline - ilm_policy - data_stream_ilm_policy - transform - ml_model - knowledge_base - esql_view type: string version: type: string required: - id - type maxItems: 10000 type: array required: - items - _meta description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Install a package from the registry tags: - Elastic Package Manager (EPM) x-metaTags: - content: Kibana name: product_name put: description: |- **Spaces method and path for this operation:**
put /s/{space_id}/api/fleet/epm/packages/{pkgName}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Update settings for a package, such as whether policies are kept up to date automatically.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. operationId: put-fleet-epm-packages-pkgname parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: Package name in: path name: pkgName required: true schema: type: string requestBody: content: application/json: examples: putUpdatePackageRequestExample: description: Update keep_policies_up_to_date setting for a package value: keepPoliciesUpToDate: true schema: additionalProperties: false type: object properties: keepPoliciesUpToDate: type: boolean required: - keepPoliciesUpToDate responses: '200': content: application/json: examples: putUpdatePackageExample: description: Updated package settings value: item: keepPoliciesUpToDate: true name: aws version: 2.10.0 schema: additionalProperties: false type: object properties: item: additionalProperties: true type: object properties: agent: additionalProperties: false type: object properties: privileges: additionalProperties: false type: object properties: root: type: boolean asset_tags: items: additionalProperties: false type: object properties: asset_ids: items: type: string maxItems: 1000 type: array asset_types: items: type: string maxItems: 100 type: array text: type: string required: - text maxItems: 1000 type: array assets: additionalProperties: {} type: object categories: items: type: string maxItems: 100 type: array conditions: additionalProperties: true type: object properties: deprecated: additionalProperties: true type: object properties: description: type: string replaced_by: additionalProperties: type: string type: object since: type: string required: - description elastic: additionalProperties: true type: object properties: capabilities: items: type: string maxItems: 10 type: array subscription: type: string kibana: additionalProperties: true type: object properties: version: type: string data_streams: items: additionalProperties: {} type: object maxItems: 1000 type: array deprecated: additionalProperties: true type: object properties: description: type: string replaced_by: additionalProperties: type: string type: object since: type: string required: - description description: type: string discovery: additionalProperties: true type: object properties: datasets: items: additionalProperties: true type: object properties: name: type: string required: - name maxItems: 100 type: array fields: items: additionalProperties: true type: object properties: name: type: string required: - name maxItems: 100 type: array download: type: string elasticsearch: additionalProperties: {} type: object format_version: type: string icons: items: additionalProperties: true type: object properties: dark_mode: type: boolean path: type: string size: type: string src: type: string title: type: string type: type: string required: - src maxItems: 100 type: array installationInfo: additionalProperties: true type: object properties: additional_spaces_installed_kibana: additionalProperties: items: additionalProperties: true type: object properties: deferred: type: boolean id: type: string originId: type: string type: anyOf: - enum: - dashboard - lens - visualization - search - index-pattern - map - ml-module - security-rule - csp-rule-template - osquery-pack-asset - osquery-saved-query - tag type: string - type: string required: - id - type maxItems: 100 type: array type: object created_at: type: string experimental_data_stream_features: items: additionalProperties: true type: object properties: data_stream: type: string features: additionalProperties: true type: object properties: doc_value_only_numeric: type: boolean doc_value_only_other: type: boolean synthetic_source: type: boolean tsdb: type: boolean required: - data_stream - features maxItems: 100 type: array install_format_schema_version: type: string install_source: enum: - registry - upload - bundled - custom type: string install_status: enum: - installed - installing - install_failed type: string installed_es: items: additionalProperties: true type: object properties: deferred: type: boolean id: type: string type: enum: - index - index_template - component_template - ingest_pipeline - ilm_policy - data_stream_ilm_policy - transform - ml_model - knowledge_base - esql_view type: string version: type: string required: - id - type maxItems: 10000 type: array installed_kibana: items: additionalProperties: true type: object properties: deferred: type: boolean id: type: string originId: type: string type: anyOf: - enum: - dashboard - lens - visualization - search - index-pattern - map - ml-module - security-rule - csp-rule-template - osquery-pack-asset - osquery-saved-query - tag type: string - type: string required: - id - type maxItems: 10000 type: array installed_kibana_space_id: type: string is_rollback_ttl_expired: type: boolean latest_executed_state: additionalProperties: true type: object properties: error: type: string name: type: string started_at: type: string latest_install_failed_attempts: items: additionalProperties: true type: object properties: created_at: type: string error: additionalProperties: true type: object properties: message: type: string name: type: string stack: type: string required: - name - message target_version: type: string required: - created_at - target_version - error maxItems: 10 type: array name: type: string namespaces: items: type: string maxItems: 100 type: array previous_version: nullable: true type: string rolled_back: type: boolean type: type: string updated_at: type: string verification_key_id: nullable: true type: string verification_status: enum: - unverified - verified - unknown type: string version: type: string required: - type - installed_kibana - installed_es - name - version - install_status - install_source - verification_status internal: type: boolean keepPoliciesUpToDate: type: boolean latestVersion: type: string license: type: string licensePath: type: string name: type: string notice: type: string owner: additionalProperties: true type: object properties: github: type: string type: enum: - elastic - partner - community type: string path: type: string policy_templates: items: additionalProperties: {} type: object maxItems: 1000 type: array readme: type: string release: enum: - ga - beta - experimental type: string screenshots: items: additionalProperties: false type: object properties: dark_mode: type: boolean path: type: string size: type: string src: type: string title: type: string type: type: string required: - src maxItems: 100 type: array signature_path: type: string source: additionalProperties: true type: object properties: license: type: string required: - license status: type: string title: type: string type: anyOf: - enum: - integration type: string - enum: - input type: string - enum: - content type: string - type: string var_groups: items: additionalProperties: true type: object properties: description: type: string name: type: string options: items: additionalProperties: true type: object properties: description: type: string hide_in_deployment_modes: items: enum: - default - agentless type: string maxItems: 2 type: array name: type: string title: type: string vars: items: type: string maxItems: 100 type: array required: - name - title - vars maxItems: 100 type: array selector_title: type: string title: type: string required: - name - title - selector_title - options maxItems: 100 type: array vars: items: additionalProperties: {} type: object maxItems: 1000 type: array version: type: string required: - name - version - title - assets required: - item description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Update package settings tags: - Elastic Package Manager (EPM) x-metaTags: - content: Kibana name: product_name /api/fleet/epm/packages/{pkgName}/{pkgVersion}: delete: description: |- **Spaces method and path for this operation:**
delete /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Uninstall a specific version of a package and remove all its assets.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. operationId: delete-fleet-epm-packages-pkgname-pkgversion parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: Package name in: path name: pkgName required: true schema: type: string - description: Package version in: path name: pkgVersion required: true schema: type: string - description: When true, delete the package even if it has active package policies in: query name: force required: false schema: type: boolean responses: '200': content: application/json: examples: deletePackageExample: description: Package successfully deleted value: items: - id: aws-logs-aws.cloudwatch_logs-default type: index_template schema: additionalProperties: false type: object properties: items: items: anyOf: - additionalProperties: false type: object properties: deferred: type: boolean id: type: string originId: type: string type: anyOf: - enum: - dashboard - lens - visualization - search - index-pattern - map - ml-module - security-rule - csp-rule-template - osquery-pack-asset - osquery-saved-query - tag type: string - type: string required: - id - type - additionalProperties: false type: object properties: deferred: type: boolean id: type: string type: enum: - index - index_template - component_template - ingest_pipeline - ilm_policy - data_stream_ilm_policy - transform - ml_model - knowledge_base - esql_view type: string version: type: string required: - id - type maxItems: 10000 type: array required: - items description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Delete a package tags: - Elastic Package Manager (EPM) x-metaTags: - content: Kibana name: product_name get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get information about a specific version of a package. operationId: get-fleet-epm-packages-pkgname-pkgversion parameters: - description: Package name in: path name: pkgName required: true schema: type: string - description: Package version in: path name: pkgVersion required: true schema: type: string - description: When true, returns the package even if the signature cannot be verified in: query name: ignoreUnverified required: false schema: type: boolean - description: When true, include prerelease versions in: query name: prerelease required: false schema: type: boolean - description: When true, return the full package info including assets in: query name: full required: false schema: type: boolean - description: When true, include package metadata such as whether it has package policies in: query name: withMetadata required: false schema: default: false type: boolean responses: '200': content: application/json: examples: getPackageInfoExample: description: Package details and installation status value: item: assets: kibana: dashboard: [] index_pattern: [] categories: - cloud description: Collect logs and metrics from Amazon Web Services name: aws status: installed title: AWS version: 2.10.0 schema: additionalProperties: false type: object properties: item: additionalProperties: true type: object properties: agent: additionalProperties: false type: object properties: privileges: additionalProperties: false type: object properties: root: type: boolean asset_tags: items: additionalProperties: false type: object properties: asset_ids: items: type: string maxItems: 1000 type: array asset_types: items: type: string maxItems: 100 type: array text: type: string required: - text maxItems: 1000 type: array assets: additionalProperties: {} type: object categories: items: type: string maxItems: 100 type: array conditions: additionalProperties: true type: object properties: deprecated: additionalProperties: true type: object properties: description: type: string replaced_by: additionalProperties: type: string type: object since: type: string required: - description elastic: additionalProperties: true type: object properties: capabilities: items: type: string maxItems: 10 type: array subscription: type: string kibana: additionalProperties: true type: object properties: version: type: string data_streams: items: additionalProperties: {} type: object maxItems: 1000 type: array deprecated: additionalProperties: true type: object properties: description: type: string replaced_by: additionalProperties: type: string type: object since: type: string required: - description description: type: string discovery: additionalProperties: true type: object properties: datasets: items: additionalProperties: true type: object properties: name: type: string required: - name maxItems: 100 type: array fields: items: additionalProperties: true type: object properties: name: type: string required: - name maxItems: 100 type: array download: type: string elasticsearch: additionalProperties: {} type: object format_version: type: string icons: items: additionalProperties: true type: object properties: dark_mode: type: boolean path: type: string size: type: string src: type: string title: type: string type: type: string required: - src maxItems: 100 type: array installationInfo: additionalProperties: true type: object properties: additional_spaces_installed_kibana: additionalProperties: items: additionalProperties: true type: object properties: deferred: type: boolean id: type: string originId: type: string type: anyOf: - enum: - dashboard - lens - visualization - search - index-pattern - map - ml-module - security-rule - csp-rule-template - osquery-pack-asset - osquery-saved-query - tag type: string - type: string required: - id - type maxItems: 100 type: array type: object created_at: type: string experimental_data_stream_features: items: additionalProperties: true type: object properties: data_stream: type: string features: additionalProperties: true type: object properties: doc_value_only_numeric: type: boolean doc_value_only_other: type: boolean synthetic_source: type: boolean tsdb: type: boolean required: - data_stream - features maxItems: 100 type: array install_format_schema_version: type: string install_source: enum: - registry - upload - bundled - custom type: string install_status: enum: - installed - installing - install_failed type: string installed_es: items: additionalProperties: true type: object properties: deferred: type: boolean id: type: string type: enum: - index - index_template - component_template - ingest_pipeline - ilm_policy - data_stream_ilm_policy - transform - ml_model - knowledge_base - esql_view type: string version: type: string required: - id - type maxItems: 10000 type: array installed_kibana: items: additionalProperties: true type: object properties: deferred: type: boolean id: type: string originId: type: string type: anyOf: - enum: - dashboard - lens - visualization - search - index-pattern - map - ml-module - security-rule - csp-rule-template - osquery-pack-asset - osquery-saved-query - tag type: string - type: string required: - id - type maxItems: 10000 type: array installed_kibana_space_id: type: string is_rollback_ttl_expired: type: boolean latest_executed_state: additionalProperties: true type: object properties: error: type: string name: type: string started_at: type: string latest_install_failed_attempts: items: additionalProperties: true type: object properties: created_at: type: string error: additionalProperties: true type: object properties: message: type: string name: type: string stack: type: string required: - name - message target_version: type: string required: - created_at - target_version - error maxItems: 10 type: array name: type: string namespaces: items: type: string maxItems: 100 type: array previous_version: nullable: true type: string rolled_back: type: boolean type: type: string updated_at: type: string verification_key_id: nullable: true type: string verification_status: enum: - unverified - verified - unknown type: string version: type: string required: - type - installed_kibana - installed_es - name - version - install_status - install_source - verification_status internal: type: boolean keepPoliciesUpToDate: type: boolean latestVersion: type: string license: type: string licensePath: type: string name: type: string notice: type: string owner: additionalProperties: true type: object properties: github: type: string type: enum: - elastic - partner - community type: string path: type: string policy_templates: items: additionalProperties: {} type: object maxItems: 1000 type: array readme: type: string release: enum: - ga - beta - experimental type: string screenshots: items: additionalProperties: false type: object properties: dark_mode: type: boolean path: type: string size: type: string src: type: string title: type: string type: type: string required: - src maxItems: 100 type: array signature_path: type: string source: additionalProperties: true type: object properties: license: type: string required: - license status: type: string title: type: string type: anyOf: - enum: - integration type: string - enum: - input type: string - enum: - content type: string - type: string var_groups: items: additionalProperties: true type: object properties: description: type: string name: type: string options: items: additionalProperties: true type: object properties: description: type: string hide_in_deployment_modes: items: enum: - default - agentless type: string maxItems: 2 type: array name: type: string title: type: string vars: items: type: string maxItems: 100 type: array required: - name - title - vars maxItems: 100 type: array selector_title: type: string title: type: string required: - name - title - selector_title - options maxItems: 100 type: array vars: items: additionalProperties: {} type: object maxItems: 1000 type: array version: type: string required: - name - version - title - assets metadata: additionalProperties: false type: object properties: has_policies: type: boolean required: - has_policies required: - item description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Get a package tags: - Elastic Package Manager (EPM) x-metaTags: - content: Kibana name: product_name post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Install a specific version of a package from the Elastic Package Registry.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. operationId: post-fleet-epm-packages-pkgname-pkgversion parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: Package name in: path name: pkgName required: true schema: type: string - description: Package version in: path name: pkgVersion required: true schema: type: string - description: When true, allow installing prerelease versions in: query name: prerelease required: false schema: type: boolean - description: When true, ignore mapping update errors during installation in: query name: ignoreMappingUpdateErrors required: false schema: default: false type: boolean - description: When true, skip data stream rollover after installation in: query name: skipDataStreamRollover required: false schema: default: false type: boolean - description: Skip dependency validation when installing a package with dependencies in: query name: skipDependencyCheck required: false schema: default: false type: boolean requestBody: content: application/json: examples: postInstallPackageRequestExample: description: Install a package, optionally ignoring constraints value: ignore_constraints: false schema: additionalProperties: false nullable: true type: object properties: force: default: false type: boolean ignore_constraints: default: false type: boolean responses: '200': content: application/json: examples: postInstallPackageExample: description: Package successfully installed value: _meta: install_source: registry items: - id: aws-logs-aws.cloudwatch_logs-default type: index_template schema: additionalProperties: false type: object properties: _meta: additionalProperties: false type: object properties: install_source: type: string name: type: string required: - install_source - name items: items: anyOf: - additionalProperties: false type: object properties: deferred: type: boolean id: type: string originId: type: string type: anyOf: - enum: - dashboard - lens - visualization - search - index-pattern - map - ml-module - security-rule - csp-rule-template - osquery-pack-asset - osquery-saved-query - tag type: string - type: string required: - id - type - additionalProperties: false type: object properties: deferred: type: boolean id: type: string type: enum: - index - index_template - component_template - ingest_pipeline - ilm_policy - data_stream_ilm_policy - transform - ml_model - knowledge_base - esql_view type: string version: type: string required: - id - type maxItems: 10000 type: array required: - items - _meta description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Install a package from the registry tags: - Elastic Package Manager (EPM) x-metaTags: - content: Kibana name: product_name put: description: |- **Spaces method and path for this operation:**
put /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Update settings for a specific version of a package.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. operationId: put-fleet-epm-packages-pkgname-pkgversion parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: Package name in: path name: pkgName required: true schema: type: string - description: Package version in: path name: pkgVersion required: true schema: type: string requestBody: content: application/json: examples: putUpdatePackageRequestExample: description: Update keep_policies_up_to_date setting for a package value: keepPoliciesUpToDate: true schema: additionalProperties: false type: object properties: keepPoliciesUpToDate: type: boolean required: - keepPoliciesUpToDate responses: '200': content: application/json: examples: putUpdatePackageExample: description: Updated package settings value: item: keepPoliciesUpToDate: true name: aws version: 2.10.0 schema: additionalProperties: false type: object properties: item: additionalProperties: true type: object properties: agent: additionalProperties: false type: object properties: privileges: additionalProperties: false type: object properties: root: type: boolean asset_tags: items: additionalProperties: false type: object properties: asset_ids: items: type: string maxItems: 1000 type: array asset_types: items: type: string maxItems: 100 type: array text: type: string required: - text maxItems: 1000 type: array assets: additionalProperties: {} type: object categories: items: type: string maxItems: 100 type: array conditions: additionalProperties: true type: object properties: deprecated: additionalProperties: true type: object properties: description: type: string replaced_by: additionalProperties: type: string type: object since: type: string required: - description elastic: additionalProperties: true type: object properties: capabilities: items: type: string maxItems: 10 type: array subscription: type: string kibana: additionalProperties: true type: object properties: version: type: string data_streams: items: additionalProperties: {} type: object maxItems: 1000 type: array deprecated: additionalProperties: true type: object properties: description: type: string replaced_by: additionalProperties: type: string type: object since: type: string required: - description description: type: string discovery: additionalProperties: true type: object properties: datasets: items: additionalProperties: true type: object properties: name: type: string required: - name maxItems: 100 type: array fields: items: additionalProperties: true type: object properties: name: type: string required: - name maxItems: 100 type: array download: type: string elasticsearch: additionalProperties: {} type: object format_version: type: string icons: items: additionalProperties: true type: object properties: dark_mode: type: boolean path: type: string size: type: string src: type: string title: type: string type: type: string required: - src maxItems: 100 type: array installationInfo: additionalProperties: true type: object properties: additional_spaces_installed_kibana: additionalProperties: items: additionalProperties: true type: object properties: deferred: type: boolean id: type: string originId: type: string type: anyOf: - enum: - dashboard - lens - visualization - search - index-pattern - map - ml-module - security-rule - csp-rule-template - osquery-pack-asset - osquery-saved-query - tag type: string - type: string required: - id - type maxItems: 100 type: array type: object created_at: type: string experimental_data_stream_features: items: additionalProperties: true type: object properties: data_stream: type: string features: additionalProperties: true type: object properties: doc_value_only_numeric: type: boolean doc_value_only_other: type: boolean synthetic_source: type: boolean tsdb: type: boolean required: - data_stream - features maxItems: 100 type: array install_format_schema_version: type: string install_source: enum: - registry - upload - bundled - custom type: string install_status: enum: - installed - installing - install_failed type: string installed_es: items: additionalProperties: true type: object properties: deferred: type: boolean id: type: string type: enum: - index - index_template - component_template - ingest_pipeline - ilm_policy - data_stream_ilm_policy - transform - ml_model - knowledge_base - esql_view type: string version: type: string required: - id - type maxItems: 10000 type: array installed_kibana: items: additionalProperties: true type: object properties: deferred: type: boolean id: type: string originId: type: string type: anyOf: - enum: - dashboard - lens - visualization - search - index-pattern - map - ml-module - security-rule - csp-rule-template - osquery-pack-asset - osquery-saved-query - tag type: string - type: string required: - id - type maxItems: 10000 type: array installed_kibana_space_id: type: string is_rollback_ttl_expired: type: boolean latest_executed_state: additionalProperties: true type: object properties: error: type: string name: type: string started_at: type: string latest_install_failed_attempts: items: additionalProperties: true type: object properties: created_at: type: string error: additionalProperties: true type: object properties: message: type: string name: type: string stack: type: string required: - name - message target_version: type: string required: - created_at - target_version - error maxItems: 10 type: array name: type: string namespaces: items: type: string maxItems: 100 type: array previous_version: nullable: true type: string rolled_back: type: boolean type: type: string updated_at: type: string verification_key_id: nullable: true type: string verification_status: enum: - unverified - verified - unknown type: string version: type: string required: - type - installed_kibana - installed_es - name - version - install_status - install_source - verification_status internal: type: boolean keepPoliciesUpToDate: type: boolean latestVersion: type: string license: type: string licensePath: type: string name: type: string notice: type: string owner: additionalProperties: true type: object properties: github: type: string type: enum: - elastic - partner - community type: string path: type: string policy_templates: items: additionalProperties: {} type: object maxItems: 1000 type: array readme: type: string release: enum: - ga - beta - experimental type: string screenshots: items: additionalProperties: false type: object properties: dark_mode: type: boolean path: type: string size: type: string src: type: string title: type: string type: type: string required: - src maxItems: 100 type: array signature_path: type: string source: additionalProperties: true type: object properties: license: type: string required: - license status: type: string title: type: string type: anyOf: - enum: - integration type: string - enum: - input type: string - enum: - content type: string - type: string var_groups: items: additionalProperties: true type: object properties: description: type: string name: type: string options: items: additionalProperties: true type: object properties: description: type: string hide_in_deployment_modes: items: enum: - default - agentless type: string maxItems: 2 type: array name: type: string title: type: string vars: items: type: string maxItems: 100 type: array required: - name - title - vars maxItems: 100 type: array selector_title: type: string title: type: string required: - name - title - selector_title - options maxItems: 100 type: array vars: items: additionalProperties: {} type: object maxItems: 1000 type: array version: type: string required: - name - version - title - assets required: - item description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Update package settings tags: - Elastic Package Manager (EPM) x-metaTags: - content: Kibana name: product_name /api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get the contents of a specific file from a package.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. operationId: get-fleet-epm-packages-pkgname-pkgversion-filepath parameters: - description: Package name in: path name: pkgName required: true schema: type: string - description: Package version in: path name: pkgVersion required: true schema: type: string - description: File path within the package in: path name: filePath required: true schema: type: string responses: '200': content: application/json: examples: getPackageFileExample: description: The content of the requested package file value: schema: {} description: Successful response — returns the file content '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Get a package file tags: - Elastic Package Manager (EPM) x-metaTags: - content: Kibana name: product_name /api/fleet/epm/packages/{pkgName}/{pkgVersion}/datastream_assets: delete: description: |- **Spaces method and path for this operation:**
delete /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/datastream_assets
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Delete datastream assets for a specific input package, by data stream name.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. operationId: delete-fleet-epm-packages-pkgname-pkgversion-datastream-assets parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: Package name in: path name: pkgName required: true schema: type: string - description: Package version in: path name: pkgVersion required: true schema: type: string - description: The ID of the package policy in: query name: packagePolicyId required: true schema: type: string responses: '200': content: application/json: examples: deletePackageDatastreamAssetsExample: description: Package datastream assets successfully deleted value: items: - id: logs-my_package.access-default type: index_template schema: additionalProperties: false type: object properties: success: type: boolean required: - success description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Delete assets for an input package tags: - Elastic Package Manager (EPM) x-metaTags: - content: Kibana name: product_name /api/fleet/epm/packages/{pkgName}/{pkgVersion}/dependencies: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/dependencies
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get the list of packages that a specific package depends on.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. operationId: get-fleet-epm-packages-pkgname-pkgversion-dependencies parameters: - description: Package name in: path name: pkgName required: true schema: type: string - description: Package version in: path name: pkgVersion required: true schema: type: string responses: '200': content: application/json: examples: dependenciesResponse: value: items: - name: aws title: AWS version: ^2.0.0 - name: system title: System version: ^1.0.0 noDependenciesResponse: value: items: [] schema: additionalProperties: false type: object properties: items: items: additionalProperties: false type: object properties: name: type: string title: type: string version: type: string required: - name - version - title maxItems: 1000 type: array required: - items description: 'OK: A successful request.' '400': content: application/json: examples: packageNotFoundResponse: value: message: '[my-package-1.0.0] package not found in registry' schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: A bad request. summary: Get package dependencies tags: - Elastic Package Manager (EPM) x-state: Generally available; added in 9.4.0 x-metaTags: - content: Kibana name: product_name /api/fleet/epm/packages/{pkgName}/{pkgVersion}/kibana_assets: delete: description: |- **Spaces method and path for this operation:**
delete /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/kibana_assets
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Delete Kibana assets (dashboards, visualizations, etc.) for a specific package version.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. operationId: delete-fleet-epm-packages-pkgname-pkgversion-kibana-assets parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: Package name in: path name: pkgName required: true schema: type: string - description: Package version in: path name: pkgVersion required: true schema: type: string responses: '200': content: application/json: examples: deleteKibanaAssetsExample: description: Kibana assets successfully deleted value: items: - id: dashboard-id-1 type: dashboard schema: additionalProperties: false type: object properties: success: type: boolean required: - success description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Delete Kibana assets for a package tags: - Elastic Package Manager (EPM) x-metaTags: - content: Kibana name: product_name post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/kibana_assets
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Install Kibana assets (dashboards, visualizations, etc.) for a specific package version.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. operationId: post-fleet-epm-packages-pkgname-pkgversion-kibana-assets parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: Package name in: path name: pkgName required: true schema: type: string - description: Package version in: path name: pkgVersion required: true schema: type: string requestBody: content: application/json: examples: postInstallKibanaAssetsRequestExample: description: Install Kibana assets for a specific package version value: {} schema: additionalProperties: false nullable: true type: object properties: force: type: boolean space_ids: description: When provided install assets in the specified spaces instead of the current space. items: type: string maxItems: 100 minItems: 1 type: array responses: '200': content: application/json: examples: postInstallKibanaAssetsExample: description: Kibana assets successfully installed value: items: - id: dashboard-id-1 type: dashboard schema: additionalProperties: false type: object properties: success: type: boolean required: - success description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Install Kibana assets for a package tags: - Elastic Package Manager (EPM) x-metaTags: - content: Kibana name: product_name /api/fleet/epm/packages/{pkgName}/{pkgVersion}/rule_assets: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/rule_assets
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Install Kibana alert rule assets for a specific package version.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. operationId: post-fleet-epm-packages-pkgname-pkgversion-rule-assets parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: Package name in: path name: pkgName required: true schema: type: string - description: Package version in: path name: pkgVersion required: true schema: type: string requestBody: content: application/json: examples: postInstallRuleAssetsRequestExample: description: Install alert rule assets for a specific package version value: {} schema: additionalProperties: false nullable: true type: object properties: force: type: boolean responses: '200': content: application/json: examples: postInstallRuleAssetsExample: description: Rule assets successfully installed value: items: - id: rule-asset-id-1 type: security_rule schema: additionalProperties: false type: object properties: success: type: boolean required: - success description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Install Kibana alert rule for a package tags: - Elastic Package Manager (EPM) x-metaTags: - content: Kibana name: product_name /api/fleet/epm/packages/{pkgName}/{pkgVersion}/transforms/authorize: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/transforms/authorize
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Reauthorize Elasticsearch transforms installed by a package with secondary authorization headers. operationId: post-fleet-epm-packages-pkgname-pkgversion-transforms-authorize parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: Package name in: path name: pkgName required: true schema: type: string - description: Package version in: path name: pkgVersion required: true schema: type: string - description: When true, allow prerelease versions in: query name: prerelease required: false schema: type: boolean requestBody: content: application/json: examples: postReauthorizeTransformsRequestExample: description: Reauthorize transforms for a package value: transforms: - destinations: - index: logs-transform-dest transformId: logs-transform-1 schema: additionalProperties: false type: object properties: transforms: items: additionalProperties: false type: object properties: transformId: type: string required: - transformId maxItems: 1000 type: array required: - transforms responses: '200': content: application/json: examples: postReauthorizeTransformsExample: description: Transforms successfully reauthorized value: - success: true transformId: logs-transform-1 schema: items: additionalProperties: false type: object properties: error: nullable: true success: type: boolean transformId: type: string required: - transformId - success - error maxItems: 10000 type: array description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Authorize transforms tags: - Elastic Package Manager (EPM) x-metaTags: - content: Kibana name: product_name /api/fleet/epm/packages/{pkgName}/review_upgrade: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/fleet/epm/packages/{pkgName}/review_upgrade
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Review and accept or reject a pending policy upgrade for a package that contains deprecations.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. operationId: post-fleet-epm-packages-pkgname-review-upgrade parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: Package name to review upgrade for in: path name: pkgName required: true schema: type: string requestBody: content: application/json: examples: acceptUpgrade: value: action: accept target_version: 2.0.0 schema: additionalProperties: false type: object properties: action: enum: - accept - decline - pending type: string target_version: type: string required: - action - target_version responses: '200': content: application/json: examples: successResponse: value: success: true schema: additionalProperties: false type: object properties: success: type: boolean required: - success description: 'OK: A successful request.' '400': content: application/json: examples: badRequestResponse: value: message: Bad Request schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: A bad request. summary: Review a pending policy upgrade for a package with deprecations tags: - Elastic Package Manager (EPM) x-state: Generally available; added in 9.4.0 x-metaTags: - content: Kibana name: product_name /api/fleet/epm/packages/{pkgName}/rollback: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/fleet/epm/packages/{pkgName}/rollback
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Rollback a package to its previously installed version.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. operationId: post-fleet-epm-packages-pkgname-rollback parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: Package name to roll back in: path name: pkgName required: true schema: type: string responses: '200': content: application/json: examples: successResponse: value: success: true version: 1.0.0 schema: additionalProperties: false type: object properties: success: type: boolean version: type: string required: - version - success description: 'OK: A successful request.' '400': content: application/json: examples: badRequestResponse: value: message: Bad Request schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: A bad request. summary: Rollback a package to previous version tags: - Elastic Package Manager (EPM) x-state: Technical Preview; added in 9.1.0 x-metaTags: - content: Kibana name: product_name /api/fleet/epm/packages/{pkgName}/stats: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/fleet/epm/packages/{pkgName}/stats
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get usage statistics for a specific package, such as the number of agent policies using it.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. operationId: get-fleet-epm-packages-pkgname-stats parameters: - description: Package name in: path name: pkgName required: true schema: type: string responses: '200': content: application/json: examples: getPackageStatsExample: description: Usage stats for a specific package value: response: agent_policy_count: 3 schema: additionalProperties: false type: object properties: response: additionalProperties: false type: object properties: agent_policy_count: type: number package_policy_count: type: number required: - agent_policy_count - package_policy_count required: - response description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Get package stats tags: - Elastic Package Manager (EPM) x-metaTags: - content: Kibana name: product_name /api/fleet/epm/packages/installed: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/fleet/epm/packages/installed
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get a list of all currently installed integration packages.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. operationId: get-fleet-epm-packages-installed parameters: - description: Filter by data stream type in: query name: dataStreamType required: false schema: enum: - logs - metrics - traces - synthetics - profiling type: string - description: When true, only return packages with active data streams in: query name: showOnlyActiveDataStreams required: false schema: type: boolean - description: Filter packages by name in: query name: nameQuery required: false schema: type: string - description: Sort values from the previous page for `search_after` pagination in: query name: searchAfter required: false schema: items: anyOf: - type: string - type: number maxItems: 10 type: array - description: Number of results per page in: query name: perPage required: false schema: default: 15 type: number - description: Sort order, ascending or descending in: query name: sortOrder required: false schema: default: asc enum: - asc - desc type: string responses: '200': content: application/json: examples: getInstalledPackagesExample: description: List of installed integration packages value: items: - name: system status: installed title: System version: 1.55.0 - name: elastic_agent status: installed title: Elastic Agent version: 1.15.0 searchExcluded: 0 total: 2 schema: additionalProperties: false type: object properties: items: items: additionalProperties: false type: object properties: dataStreams: items: additionalProperties: false type: object properties: name: type: string title: type: string required: - name - title maxItems: 10000 type: array description: type: string icons: items: additionalProperties: false type: object properties: dark_mode: type: boolean path: type: string size: type: string src: type: string title: type: string type: type: string required: - src maxItems: 100 type: array name: type: string status: type: string title: type: string version: type: string required: - name - version - status - dataStreams maxItems: 10000 type: array searchAfter: items: anyOf: - type: string - type: number - type: boolean - enum: - null - {} maxItems: 2 type: array total: type: number required: - items - total description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Get installed packages tags: - Elastic Package Manager (EPM) x-metaTags: - content: Kibana name: product_name /api/fleet/epm/packages/limited: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/fleet/epm/packages/limited
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get the list of packages that cannot be uninstalled (e.g. elastic_agent, fleet_server).

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. operationId: get-fleet-epm-packages-limited parameters: [] responses: '200': content: application/json: examples: getLimitedPackagesExample: description: List of packages that cannot be uninstalled value: items: - elastic_agent - fleet_server schema: additionalProperties: false type: object properties: items: items: type: string maxItems: 10000 type: array required: - items description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Get a limited package list tags: - Elastic Package Manager (EPM) x-metaTags: - content: Kibana name: product_name /api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get an inputs template for a package, used to pre-populate package policy forms.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. operationId: get-fleet-epm-templates-pkgname-pkgversion-inputs parameters: - description: Package name in: path name: pkgName required: true schema: type: string - description: Package version in: path name: pkgVersion required: true schema: type: string - description: 'Output format for the inputs template: json, yml, or yaml' in: query name: format required: false schema: default: json enum: - json - yml - yaml type: string - description: When true, allow prerelease versions in: query name: prerelease required: false schema: type: boolean - description: When true, return inputs even if the package signature cannot be verified in: query name: ignoreUnverified required: false schema: type: boolean responses: '200': content: application/json: examples: getInputsTemplateExample: description: Inputs template for a package value: inputs: - description: Collect logs from log files title: Collect logs from files type: logfile vars: - name: paths required: true title: Paths type: text schema: anyOf: - type: string - additionalProperties: false type: object properties: connectors: additionalProperties: {} type: object exporters: additionalProperties: {} type: object extensions: additionalProperties: {} type: object inputs: items: additionalProperties: false type: object properties: id: type: string streams: items: additionalProperties: true type: object properties: data_stream: additionalProperties: true type: object properties: dataset: type: string type: type: string required: - dataset id: type: string required: - id - data_stream maxItems: 10000 type: array type: type: string required: - id - type maxItems: 10000 type: array processors: additionalProperties: {} type: object receivers: additionalProperties: {} type: object service: additionalProperties: false type: object properties: extensions: items: type: string maxItems: 1000 type: array pipelines: additionalProperties: additionalProperties: false type: object properties: exporters: items: type: string maxItems: 1000 type: array processors: items: type: string maxItems: 1000 type: array receivers: items: type: string maxItems: 1000 type: array x-oas-optional: true type: object required: - inputs description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Get an inputs template tags: - Elastic Package Manager (EPM) x-metaTags: - content: Kibana name: product_name /api/fleet/epm/verification_key_id: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/fleet/epm/verification_key_id
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get the GPG key ID used to verify the signatures of packages from the Elastic Package Registry.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. operationId: get-fleet-epm-verification-key-id parameters: [] responses: '200': content: application/json: examples: getVerificationKeyIdExample: description: The GPG key ID used to verify package signatures value: id: D27D666CD88E42B4 schema: additionalProperties: false type: object properties: id: nullable: true type: string required: - id description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Get a package signature verification key ID tags: - Elastic Package Manager (EPM) x-metaTags: - content: Kibana name: product_name /api/fleet/fleet_server_hosts: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/fleet/fleet_server_hosts
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. List all Fleet Server hosts.

[Required authorization] Route required privileges: fleet-agents-all OR fleet-settings-read. operationId: get-fleet-fleet-server-hosts parameters: [] responses: '200': content: application/json: examples: getFleetServerHostsExample: description: List of Fleet Server hosts value: items: - host_urls: - https://fleet-server.example.com:8220 id: fleet-server-host-id-1 is_default: true is_preconfigured: false name: Default Fleet Server page: 1 perPage: 20 total: 1 schema: additionalProperties: false type: object properties: items: items: additionalProperties: false type: object properties: host_urls: items: type: string maxItems: 10 minItems: 1 type: array id: type: string is_default: default: false type: boolean is_internal: type: boolean is_preconfigured: default: false type: boolean name: type: string proxy_id: nullable: true type: string secrets: additionalProperties: false type: object properties: ssl: additionalProperties: false type: object properties: agent_key: anyOf: - additionalProperties: false type: object properties: id: type: string required: - id - type: string es_key: anyOf: - additionalProperties: false type: object properties: id: type: string required: - id - type: string key: anyOf: - additionalProperties: false type: object properties: id: type: string required: - id - type: string ssl: additionalProperties: false nullable: true type: object properties: agent_certificate: type: string agent_certificate_authorities: items: type: string maxItems: 10 type: array agent_key: type: string certificate: type: string certificate_authorities: items: type: string maxItems: 10 type: array client_auth: enum: - optional - required - none type: string es_certificate: type: string es_certificate_authorities: items: type: string maxItems: 10 type: array es_key: type: string key: type: string required: - name - host_urls - id maxItems: 10000 type: array page: type: number perPage: type: number total: type: number required: - items - total - page - perPage description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Get Fleet Server hosts tags: - Fleet Server hosts x-metaTags: - content: Kibana name: product_name post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/fleet/fleet_server_hosts
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Create a new Fleet Server host.

[Required authorization] Route required privileges: fleet-settings-all. operationId: post-fleet-fleet-server-hosts parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: examples: postFleetServerHostRequestExample: description: Create a new Fleet Server host value: host_urls: - https://fleet-server.example.com:8220 is_default: false name: My Fleet Server schema: additionalProperties: false type: object properties: host_urls: items: type: string maxItems: 10 minItems: 1 type: array id: type: string is_default: default: false type: boolean is_internal: type: boolean is_preconfigured: default: false type: boolean name: type: string proxy_id: nullable: true type: string secrets: additionalProperties: false type: object properties: ssl: additionalProperties: false type: object properties: agent_key: anyOf: - additionalProperties: false type: object properties: id: type: string required: - id - type: string es_key: anyOf: - additionalProperties: false type: object properties: id: type: string required: - id - type: string key: anyOf: - additionalProperties: false type: object properties: id: type: string required: - id - type: string ssl: additionalProperties: false nullable: true type: object properties: agent_certificate: type: string agent_certificate_authorities: items: type: string maxItems: 10 type: array agent_key: type: string certificate: type: string certificate_authorities: items: type: string maxItems: 10 type: array client_auth: enum: - optional - required - none type: string es_certificate: type: string es_certificate_authorities: items: type: string maxItems: 10 type: array es_key: type: string key: type: string required: - name - host_urls responses: '200': content: application/json: examples: postFleetServerHostExample: description: The created Fleet Server host value: item: host_urls: - https://fleet-server.example.com:8220 id: fleet-server-host-id-2 is_default: false is_preconfigured: false name: My Fleet Server schema: additionalProperties: false type: object properties: item: additionalProperties: false type: object properties: host_urls: items: type: string maxItems: 10 minItems: 1 type: array id: type: string is_default: default: false type: boolean is_internal: type: boolean is_preconfigured: default: false type: boolean name: type: string proxy_id: nullable: true type: string secrets: additionalProperties: false type: object properties: ssl: additionalProperties: false type: object properties: agent_key: anyOf: - additionalProperties: false type: object properties: id: type: string required: - id - type: string es_key: anyOf: - additionalProperties: false type: object properties: id: type: string required: - id - type: string key: anyOf: - additionalProperties: false type: object properties: id: type: string required: - id - type: string ssl: additionalProperties: false nullable: true type: object properties: agent_certificate: type: string agent_certificate_authorities: items: type: string maxItems: 10 type: array agent_key: type: string certificate: type: string certificate_authorities: items: type: string maxItems: 10 type: array client_auth: enum: - optional - required - none type: string es_certificate: type: string es_certificate_authorities: items: type: string maxItems: 10 type: array es_key: type: string key: type: string required: - name - host_urls - id required: - item description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Create a Fleet Server host tags: - Fleet Server hosts x-metaTags: - content: Kibana name: product_name /api/fleet/fleet_server_hosts/{itemId}: delete: description: |- **Spaces method and path for this operation:**
delete /s/{space_id}/api/fleet/fleet_server_hosts/{itemId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Delete a Fleet Server host by ID.

[Required authorization] Route required privileges: fleet-settings-all. operationId: delete-fleet-fleet-server-hosts-itemid parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The ID of the Fleet Server host in: path name: itemId required: true schema: type: string responses: '200': content: application/json: examples: deleteFleetServerHostExample: description: The Fleet Server host was successfully deleted value: id: fleet-server-host-id-1 schema: additionalProperties: false type: object properties: id: type: string required: - id description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request '404': content: application/json: examples: notFoundExample: description: No Fleet Server host was found with the given ID value: error: Not Found message: Fleet server fleet-server-host-id-1 not found statusCode: 404 description: Not Found summary: Delete a Fleet Server host tags: - Fleet Server hosts x-metaTags: - content: Kibana name: product_name get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/fleet/fleet_server_hosts/{itemId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get a Fleet Server host by ID.

[Required authorization] Route required privileges: fleet-settings-read. operationId: get-fleet-fleet-server-hosts-itemid parameters: - description: The ID of the Fleet Server host in: path name: itemId required: true schema: type: string responses: '200': content: application/json: examples: getFleetServerHostExample: description: A Fleet Server host value: item: host_urls: - https://fleet-server.example.com:8220 id: fleet-server-host-id-1 is_default: true is_preconfigured: false name: Default Fleet Server schema: additionalProperties: false type: object properties: item: additionalProperties: false type: object properties: host_urls: items: type: string maxItems: 10 minItems: 1 type: array id: type: string is_default: default: false type: boolean is_internal: type: boolean is_preconfigured: default: false type: boolean name: type: string proxy_id: nullable: true type: string secrets: additionalProperties: false type: object properties: ssl: additionalProperties: false type: object properties: agent_key: anyOf: - additionalProperties: false type: object properties: id: type: string required: - id - type: string es_key: anyOf: - additionalProperties: false type: object properties: id: type: string required: - id - type: string key: anyOf: - additionalProperties: false type: object properties: id: type: string required: - id - type: string ssl: additionalProperties: false nullable: true type: object properties: agent_certificate: type: string agent_certificate_authorities: items: type: string maxItems: 10 type: array agent_key: type: string certificate: type: string certificate_authorities: items: type: string maxItems: 10 type: array client_auth: enum: - optional - required - none type: string es_certificate: type: string es_certificate_authorities: items: type: string maxItems: 10 type: array es_key: type: string key: type: string required: - name - host_urls - id required: - item description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request '404': content: application/json: examples: notFoundExample: description: No Fleet Server host was found with the given ID value: error: Not Found message: Fleet server fleet-server-host-id-1 not found statusCode: 404 description: Not Found summary: Get a Fleet Server host tags: - Fleet Server hosts x-metaTags: - content: Kibana name: product_name put: description: |- **Spaces method and path for this operation:**
put /s/{space_id}/api/fleet/fleet_server_hosts/{itemId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Update a Fleet Server host by ID.

[Required authorization] Route required privileges: fleet-settings-all. operationId: put-fleet-fleet-server-hosts-itemid parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The ID of the Fleet Server host in: path name: itemId required: true schema: type: string requestBody: content: application/json: examples: putFleetServerHostRequestExample: description: Update a Fleet Server host value: host_urls: - https://updated-fleet-server.example.com:8220 is_default: false name: Updated Fleet Server schema: additionalProperties: false type: object properties: host_urls: items: type: string maxItems: 10 minItems: 1 type: array is_default: type: boolean is_internal: type: boolean name: type: string proxy_id: nullable: true type: string secrets: additionalProperties: false type: object properties: ssl: additionalProperties: false type: object properties: agent_key: anyOf: - additionalProperties: false type: object properties: id: type: string required: - id - type: string es_key: anyOf: - additionalProperties: false type: object properties: id: type: string required: - id - type: string key: anyOf: - additionalProperties: false type: object properties: id: type: string required: - id - type: string ssl: additionalProperties: false nullable: true type: object properties: agent_certificate: type: string agent_certificate_authorities: items: type: string maxItems: 10 type: array agent_key: type: string certificate: type: string certificate_authorities: items: type: string maxItems: 10 type: array client_auth: enum: - optional - required - none type: string es_certificate: type: string es_certificate_authorities: items: type: string maxItems: 10 type: array es_key: type: string key: type: string required: - proxy_id responses: '200': content: application/json: examples: putFleetServerHostExample: description: The updated Fleet Server host value: item: host_urls: - https://updated-fleet-server.example.com:8220 id: fleet-server-host-id-1 is_default: false is_preconfigured: false name: Updated Fleet Server schema: additionalProperties: false type: object properties: item: additionalProperties: false type: object properties: host_urls: items: type: string maxItems: 10 minItems: 1 type: array id: type: string is_default: default: false type: boolean is_internal: type: boolean is_preconfigured: default: false type: boolean name: type: string proxy_id: nullable: true type: string secrets: additionalProperties: false type: object properties: ssl: additionalProperties: false type: object properties: agent_key: anyOf: - additionalProperties: false type: object properties: id: type: string required: - id - type: string es_key: anyOf: - additionalProperties: false type: object properties: id: type: string required: - id - type: string key: anyOf: - additionalProperties: false type: object properties: id: type: string required: - id - type: string ssl: additionalProperties: false nullable: true type: object properties: agent_certificate: type: string agent_certificate_authorities: items: type: string maxItems: 10 type: array agent_key: type: string certificate: type: string certificate_authorities: items: type: string maxItems: 10 type: array client_auth: enum: - optional - required - none type: string es_certificate: type: string es_certificate_authorities: items: type: string maxItems: 10 type: array es_key: type: string key: type: string required: - name - host_urls - id required: - item description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request '404': content: application/json: examples: notFoundExample: description: No Fleet Server host was found with the given ID value: error: Not Found message: Fleet server fleet-server-host-id-1 not found statusCode: 404 description: Not Found summary: Update a Fleet Server host tags: - Fleet Server hosts x-metaTags: - content: Kibana name: product_name /api/fleet/health_check: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/fleet/health_check
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Check the health status of a Fleet Server instance by its host ID. Returns the server status and name if available.

[Required authorization] Route required privileges: fleet-settings-all. operationId: post-fleet-health-check parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: examples: postHealthCheckRequestExample: description: Check the health of a Fleet Server instance by its host ID value: id: fleet-server-host-id-1 schema: additionalProperties: false type: object properties: id: type: string required: - id responses: '200': content: application/json: examples: postHealthCheckHealthyExample: description: Fleet Server is online and healthy value: name: fleet-server-1 status: ONLINE postHealthCheckUnreachableExample: description: Fleet Server host is not reachable (request timed out or aborted) value: host_id: fleet-server-host-id-1 status: OFFLINE schema: additionalProperties: false type: object properties: host_id: type: string name: type: string status: type: string required: - status description: Successful health check response '400': content: application/json: examples: badRequestExample: description: The host ID exists but has no associated host URLs configured value: error: Bad Request message: The requested host id fleet-server-host-id-1 does not have associated host urls. statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request '404': content: application/json: examples: notFoundExample: description: No Fleet Server host was found with the given ID value: error: Not Found message: The requested host id fleet-server-host-id-1 does not exist. statusCode: 404 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Not Found summary: Check Fleet Server health tags: - Fleet internals x-metaTags: - content: Kibana name: product_name /api/fleet/kubernetes: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/fleet/kubernetes
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get the Kubernetes manifest for deploying Elastic Agent.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-setup. operationId: get-fleet-kubernetes parameters: - description: If true, returns the manifest as a downloadable file in: query name: download required: false schema: type: boolean - description: Fleet Server host URL to include in the manifest in: query name: fleetServer required: false schema: type: string - description: Enrollment token to include in the manifest in: query name: enrolToken required: false schema: type: string responses: '200': content: application/json: examples: getK8sManifestExample: description: The Kubernetes manifest for deploying Elastic Agent value: item: 'apiVersion: v1\nkind: ConfigMap\nmetadata:\n name: agent-node-datastreams\n namespace: kube-system\n' schema: additionalProperties: false type: object properties: item: type: string required: - item description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Get a full K8s agent manifest tags: - Elastic Agent policies x-metaTags: - content: Kibana name: product_name /api/fleet/kubernetes/download: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/fleet/kubernetes/download
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Download the Kubernetes manifest for deploying Elastic Agent.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-setup. operationId: get-fleet-kubernetes-download parameters: - description: If true, returns the manifest as a downloadable file in: query name: download required: false schema: type: boolean - description: Fleet Server host URL to include in the manifest in: query name: fleetServer required: false schema: type: string - description: Enrollment token to include in the manifest in: query name: enrolToken required: false schema: type: string responses: '200': content: application/json: examples: getDownloadK8sManifestExample: description: The Kubernetes manifest download value: 'apiVersion: v1\nkind: ConfigMap\nmetadata:\n name: agent-node-datastreams\n namespace: kube-system\n' schema: type: string description: Successful response — returns the Kubernetes manifest as a YAML file download '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request '404': content: application/json: examples: notFoundExample: description: No manifest was found value: error: Not Found message: Agent manifest not found statusCode: 404 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Not Found summary: Download an agent manifest tags: - Elastic Agent policies x-metaTags: - content: Kibana name: product_name /api/fleet/logstash_api_keys: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/fleet/logstash_api_keys
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Generate an API key for Logstash to use with a Fleet output.

[Required authorization] Route required privileges: fleet-settings-all. operationId: post-fleet-logstash-api-keys parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string responses: '200': content: application/json: examples: postLogstashApiKeyExample: description: The generated Logstash API key value: api_key: TiNAGG4BaaMdaH1tRfuU:KnR6yE41RrSowb0kQ0HWoA schema: additionalProperties: false type: object properties: api_key: type: string required: - api_key description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Generate a Logstash API key tags: - Fleet outputs x-metaTags: - content: Kibana name: product_name /api/fleet/message_signing_service/rotate_key_pair: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/fleet/message_signing_service/rotate_key_pair
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Rotate the key pair used by Fleet to sign messages sent to Elastic Agents. This operation is irreversible and requires all agents in the Fleet to be re-enrolled after rotation. You must explicitly acknowledge the risk by passing `acknowledge=true` as a query parameter.

[Required authorization] Route required privileges: fleet-agents-all AND fleet-agent-policies-all AND fleet-settings-all. operationId: post-fleet-message-signing-service-rotate-key-pair parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: Set to true to confirm you understand the risks of rotating the key pair in: query name: acknowledge required: false schema: default: false type: boolean responses: '200': content: application/json: examples: rotateKeyPairSuccessExample: description: The key pair was rotated. All agents must be re-enrolled to receive the new signing key. value: message: Key pair rotated successfully. schema: additionalProperties: false type: object properties: message: type: string required: - message description: Key pair rotated successfully '400': content: application/json: examples: acknowledgeRequiredExample: description: Request was rejected because the acknowledge query parameter was not set to true value: error: Bad Request message: 'Warning: this API will cause a key pair to rotate and should not be necessary in normal operation. If you proceed, you may need to reinstall Agents in your network. You must acknowledge the risks of rotating the key pair with acknowledge=true in the request parameters. For more information, reach out to your administrator.' statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request '500': content: application/json: examples: serviceUnavailableExample: description: The message signing service is not available value: error: Internal Server Error message: Failed to rotate key pair. Message signing service is unavailable! statusCode: 500 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Internal Server Error summary: Rotate a Fleet message signing key pair tags: - Message Signing Service x-metaTags: - content: Kibana name: product_name /api/fleet/outputs: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/fleet/outputs
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. List all Fleet outputs.

[Required authorization] Route required privileges: fleet-settings-read OR fleet-agent-policies-read. operationId: get-fleet-outputs parameters: [] responses: '200': content: application/json: examples: getOutputsExample: description: List of Fleet outputs value: items: - hosts: - https://elasticsearch.example.com:9200 id: output-id-1 is_default: true is_default_monitoring: true name: Default output type: elasticsearch page: 1 perPage: 20 total: 1 schema: additionalProperties: false type: object properties: items: items: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_elasticsearch' - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_remote_elasticsearch' - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_logstash' - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_kafka' maxItems: 10000 type: array page: type: number perPage: type: number total: type: number required: - items - total - page - perPage description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Get outputs tags: - Fleet outputs x-metaTags: - content: Kibana name: product_name post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/fleet/outputs
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Create a new Fleet output.

[Required authorization] Route required privileges: fleet-settings-all. operationId: post-fleet-outputs parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: examples: postOutputRequestExample: description: Create a new Elasticsearch output value: hosts: - https://elasticsearch.example.com:9200 is_default: false is_default_monitoring: false name: My output type: elasticsearch schema: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_new_output_elasticsearch' - $ref: '#/components/schemas/Kibana_HTTP_APIs_new_output_remote_elasticsearch' - $ref: '#/components/schemas/Kibana_HTTP_APIs_new_output_logstash' - $ref: '#/components/schemas/Kibana_HTTP_APIs_new_output_kafka' responses: '200': content: application/json: examples: postOutputExample: description: The created Fleet output value: item: hosts: - https://elasticsearch.example.com:9200 id: output-id-2 is_default: false is_default_monitoring: false name: My output type: elasticsearch schema: additionalProperties: false type: object properties: item: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_elasticsearch' - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_remote_elasticsearch' - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_logstash' - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_kafka' required: - item description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Create output tags: - Fleet outputs x-metaTags: - content: Kibana name: product_name /api/fleet/outputs/{outputId}: delete: description: |- **Spaces method and path for this operation:**
delete /s/{space_id}/api/fleet/outputs/{outputId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Delete output by ID.

[Required authorization] Route required privileges: fleet-settings-all. operationId: delete-fleet-outputs-outputid parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The ID of the output in: path name: outputId required: true schema: type: string responses: '200': content: application/json: examples: deleteOutputExample: description: The output was successfully deleted value: id: output-id-1 schema: additionalProperties: false type: object properties: id: type: string required: - id description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request '404': content: application/json: examples: notFoundExample: description: No output was found with the given ID value: error: Not Found message: Output output-id-1 not found statusCode: 404 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Not Found summary: Delete output tags: - Fleet outputs x-metaTags: - content: Kibana name: product_name get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/fleet/outputs/{outputId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get output by ID.

[Required authorization] Route required privileges: fleet-settings-read OR fleet-agent-policies-read. operationId: get-fleet-outputs-outputid parameters: - description: The ID of the output in: path name: outputId required: true schema: type: string responses: '200': content: application/json: examples: getOutputExample: description: A Fleet output value: item: hosts: - https://elasticsearch.example.com:9200 id: output-id-1 is_default: true is_default_monitoring: true name: Default output type: elasticsearch schema: additionalProperties: false type: object properties: item: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_elasticsearch' - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_remote_elasticsearch' - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_logstash' - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_kafka' required: - item description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request '404': content: application/json: examples: notFoundExample: description: No output was found with the given ID value: error: Not Found message: Output output-id-1 not found statusCode: 404 description: Not Found summary: Get output tags: - Fleet outputs x-metaTags: - content: Kibana name: product_name put: description: |- **Spaces method and path for this operation:**
put /s/{space_id}/api/fleet/outputs/{outputId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Update output by ID.

[Required authorization] Route required privileges: fleet-settings-all OR fleet-agent-policies-all. operationId: put-fleet-outputs-outputid parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The ID of the output in: path name: outputId required: true schema: type: string requestBody: content: application/json: examples: putOutputRequestExample: description: Update a Fleet output value: hosts: - https://updated-elasticsearch.example.com:9200 name: Updated output schema: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_update_output_elasticsearch' - $ref: '#/components/schemas/Kibana_HTTP_APIs_update_output_remote_elasticsearch' - $ref: '#/components/schemas/Kibana_HTTP_APIs_update_output_logstash' - $ref: '#/components/schemas/Kibana_HTTP_APIs_update_output_kafka' responses: '200': content: application/json: examples: putOutputExample: description: The updated Fleet output value: item: hosts: - https://updated-elasticsearch.example.com:9200 id: output-id-1 is_default: true is_default_monitoring: true name: Updated output type: elasticsearch schema: additionalProperties: false type: object properties: item: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_elasticsearch' - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_remote_elasticsearch' - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_logstash' - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_kafka' required: - item description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request '404': content: application/json: examples: notFoundExample: description: No output was found with the given ID value: error: Not Found message: Output output-id-1 not found statusCode: 404 description: Not Found summary: Update output tags: - Fleet outputs x-metaTags: - content: Kibana name: product_name /api/fleet/outputs/{outputId}/health: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/fleet/outputs/{outputId}/health
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get the latest health status of an output by ID.

[Required authorization] Route required privileges: fleet-settings-read. operationId: get-fleet-outputs-outputid-health parameters: - description: The ID of the output in: path name: outputId required: true schema: type: string responses: '200': content: application/json: examples: getOutputHealthExample: description: The latest health status of a Fleet output value: message: '' state: HEALTHY timestamp: '2024-01-15T10:00:00.000Z' schema: additionalProperties: false type: object properties: message: description: long message if unhealthy type: string state: description: state of output, HEALTHY or DEGRADED type: string timestamp: description: timestamp of reported state type: string required: - state - message - timestamp description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Get the latest output health tags: - Fleet outputs x-metaTags: - content: Kibana name: product_name /api/fleet/package_policies: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/fleet/package_policies
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. List all package policies. operationId: get-fleet-package-policies parameters: - description: Page number in: query name: page required: false schema: type: number - description: Number of results per page in: query name: perPage required: false schema: type: number - description: Field to sort results by in: query name: sortField required: false schema: type: string - description: Sort order, ascending or descending in: query name: sortOrder required: false schema: enum: - desc - asc type: string - description: When true, only show policies with available upgrades in: query name: showUpgradeable required: false schema: type: boolean - description: A KQL query string to filter results in: query name: kuery required: false schema: type: string - description: 'Format for the response: simplified or legacy' in: query name: format required: false schema: enum: - simplified - legacy type: string - description: When true, include the agent count per package policy in: query name: withAgentCount required: false schema: type: boolean responses: '200': content: application/json: examples: getPackagePoliciesExample: description: List of package policies value: items: - created_at: '2024-01-15T10:00:00.000Z' enabled: true id: package-policy-id-1 inputs: [] name: nginx-1 namespace: default package: name: nginx title: Nginx version: 1.20.0 policy_ids: - agent-policy-id-1 updated_at: '2024-01-15T10:00:00.000Z' page: 1 perPage: 20 total: 1 schema: additionalProperties: false type: object properties: items: items: additionalProperties: false type: object properties: additional_datastreams_permissions: description: Additional datastream permissions, that will be added to the agent policy. items: type: string maxItems: 1000 nullable: true type: array agents: type: number cloud_connector_id: description: ID of the cloud connector associated with this package policy. nullable: true type: string cloud_connector_name: description: Transient field for cloud connector name during creation. maxLength: 255 minLength: 1 nullable: true type: string created_at: type: string created_by: type: string description: description: Package policy description type: string elasticsearch: additionalProperties: true type: object properties: privileges: additionalProperties: true type: object properties: cluster: items: type: string maxItems: 100 type: array enabled: type: boolean global_data_tags: items: additionalProperties: false type: object properties: name: description: The name of the custom field. Cannot contain spaces. type: string value: anyOf: - type: string - type: number description: The value of the custom field. required: - name - value maxItems: 100 nullable: true type: array id: description: Package policy unique identifier. type: string inputs: anyOf: - items: additionalProperties: false type: object properties: compiled_input: {} config: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object deprecated: additionalProperties: false type: object properties: description: type: string replaced_by: additionalProperties: type: string type: object since: type: string required: - description enabled: type: boolean id: type: string keep_enabled: type: boolean migrate_from: type: string name: type: string policy_template: type: string streams: items: additionalProperties: false type: object properties: compiled_stream: {} config: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object data_stream: additionalProperties: false type: object properties: dataset: type: string elasticsearch: additionalProperties: false type: object properties: dynamic_dataset: type: boolean dynamic_namespace: type: boolean privileges: additionalProperties: false type: object properties: indices: items: type: string maxItems: 100 type: array type: type: string required: - dataset deprecated: additionalProperties: false type: object properties: description: type: string replaced_by: additionalProperties: type: string type: object since: type: string required: - description enabled: type: boolean id: type: string keep_enabled: type: boolean migrate_from: type: string release: enum: - ga - beta - experimental type: string var_group_selections: additionalProperties: type: string description: Variable group selections. Maps var_group name to the selected option name within that group. type: object vars: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object required: - enabled - data_stream - compiled_stream maxItems: 1000 type: array type: type: string var_group_selections: additionalProperties: type: string description: Variable group selections. Maps var_group name to the selected option name within that group. type: object vars: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object required: - type - enabled - streams - compiled_input maxItems: 100 type: array - additionalProperties: additionalProperties: false type: object properties: deprecated: additionalProperties: false type: object properties: description: type: string replaced_by: additionalProperties: type: string type: object since: type: string required: - description enabled: description: Enable or disable that input. Defaults to `true` (enabled). type: boolean streams: additionalProperties: additionalProperties: false type: object properties: deprecated: additionalProperties: false type: object properties: description: type: string replaced_by: additionalProperties: type: string type: object since: type: string required: - description enabled: description: Enable or disable that stream. Defaults to `true` (enabled). type: boolean var_group_selections: additionalProperties: type: string description: Variable group selections. Maps var_group name to the selected option name within that group. type: object vars: additionalProperties: anyOf: - type: string - type: number - type: boolean - items: type: string maxItems: 100 type: array - items: type: number maxItems: 100 type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable. Refer to the integration documentation for more information. type: object description: Input streams. Refer to the integration documentation to know which streams are available. type: object vars: additionalProperties: anyOf: - type: string - type: number - type: boolean - items: type: string maxItems: 100 type: array - items: type: number maxItems: 100 type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable. Refer to the integration documentation for more information. type: object description: Package policy inputs. Refer to the integration documentation to know which inputs are available. type: object x-oas-optional: true description: Package policy inputs. is_managed: type: boolean name: description: Unique name for the package policy. type: string namespace: description: The package policy namespace. Leave blank to inherit the agent policy's namespace. type: string output_id: nullable: true type: string overrides: additionalProperties: false description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. nullable: true type: object properties: inputs: additionalProperties: {} type: object package: additionalProperties: false type: object properties: experimental_data_stream_features: items: additionalProperties: false type: object properties: data_stream: type: string features: additionalProperties: false type: object properties: doc_value_only_numeric: type: boolean doc_value_only_other: type: boolean synthetic_source: type: boolean tsdb: type: boolean required: - data_stream - features maxItems: 100 type: array fips_compatible: type: boolean name: description: Package name type: string requires_root: type: boolean title: type: string version: description: Package version type: string required: - name - version package_agent_version_condition: type: string policy_id: deprecated: true description: ID of the agent policy which the package policy will be added to. nullable: true type: string policy_ids: items: description: IDs of the agent policies which that package policy will be added to. type: string maxItems: 1000 type: array revision: description: Package policy revision. type: number secret_references: items: additionalProperties: false type: object properties: id: type: string required: - id maxItems: 1000 type: array spaceIds: items: type: string maxItems: 100 type: array supports_agentless: default: false description: Indicates whether the package policy belongs to an agentless agent policy. nullable: true type: boolean supports_cloud_connector: default: false description: Indicates whether the package policy supports cloud connectors. nullable: true type: boolean updated_at: type: string updated_by: type: string var_group_selections: additionalProperties: type: string description: Variable group selections. Maps var_group name to the selected option name within that group. type: object vars: anyOf: - additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object - additionalProperties: anyOf: - type: string - type: number - type: boolean - items: type: string maxItems: 100 type: array - items: type: number maxItems: 100 type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable. Refer to the integration documentation for more information. type: object x-oas-optional: true description: Package level variable. version: description: Package policy ES version. type: string required: - name - enabled - inputs - id - revision - updated_at - updated_by - created_at - created_by maxItems: 10000 type: array page: type: number perPage: type: number total: type: number required: - items - total - page - perPage description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Get package policies tags: - Fleet package policies x-metaTags: - content: Kibana name: product_name post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/fleet/package_policies
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Create a new package policy and assign it to an agent policy. operationId: post-fleet-package-policies parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: 'Format for the response: simplified or legacy' in: query name: format required: false schema: enum: - simplified - legacy type: string requestBody: content: application/json: examples: postPackagePolicyRequestExample: description: Create a new nginx package policy value: inputs: {} name: nginx-1 namespace: default package: name: nginx version: 1.20.0 policy_ids: - agent-policy-id-1 schema: anyOf: - additionalProperties: false type: object properties: additional_datastreams_permissions: description: Additional datastream permissions, that will be added to the agent policy. items: type: string maxItems: 1000 nullable: true type: array cloud_connector_id: description: ID of the cloud connector associated with this package policy. nullable: true type: string cloud_connector_name: description: Transient field for cloud connector name during creation. maxLength: 255 minLength: 1 nullable: true type: string description: description: Package policy description type: string enabled: type: boolean force: description: Force package policy creation even if the package is not verified, or if the agent policy is managed. type: boolean global_data_tags: items: additionalProperties: false type: object properties: name: description: The name of the custom field. Cannot contain spaces. type: string value: anyOf: - type: string - type: number description: The value of the custom field. required: - name - value maxItems: 100 nullable: true type: array id: description: Package policy unique identifier type: string inputs: items: additionalProperties: false type: object properties: config: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object deprecated: additionalProperties: false type: object properties: description: type: string replaced_by: additionalProperties: type: string type: object since: type: string required: - description enabled: type: boolean id: type: string keep_enabled: type: boolean migrate_from: type: string name: type: string policy_template: type: string streams: items: additionalProperties: false type: object properties: compiled_stream: {} config: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object data_stream: additionalProperties: false type: object properties: dataset: type: string elasticsearch: additionalProperties: false type: object properties: dynamic_dataset: type: boolean dynamic_namespace: type: boolean privileges: additionalProperties: false type: object properties: indices: items: type: string maxItems: 100 type: array type: type: string required: - dataset deprecated: additionalProperties: false type: object properties: description: type: string replaced_by: additionalProperties: type: string type: object since: type: string required: - description enabled: type: boolean id: type: string keep_enabled: type: boolean migrate_from: type: string release: enum: - ga - beta - experimental type: string var_group_selections: additionalProperties: type: string description: Variable group selections. Maps var_group name to the selected option name within that group. type: object vars: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object required: - enabled - data_stream - compiled_stream maxItems: 1000 type: array type: type: string var_group_selections: additionalProperties: type: string description: Variable group selections. Maps var_group name to the selected option name within that group. type: object vars: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object required: - type - enabled maxItems: 1000 type: array is_managed: type: boolean name: description: Unique name for the package policy. type: string namespace: description: The package policy namespace. Leave blank to inherit the agent policy's namespace. type: string output_id: nullable: true type: string overrides: additionalProperties: false description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. nullable: true type: object properties: inputs: additionalProperties: {} type: object package: additionalProperties: false type: object properties: experimental_data_stream_features: items: additionalProperties: false type: object properties: data_stream: type: string features: additionalProperties: false type: object properties: doc_value_only_numeric: type: boolean doc_value_only_other: type: boolean synthetic_source: type: boolean tsdb: type: boolean required: - data_stream - features maxItems: 100 type: array fips_compatible: type: boolean name: description: Package name type: string requires_root: type: boolean title: type: string version: description: Package version type: string required: - name - version package_agent_version_condition: type: string policy_id: deprecated: true description: ID of the agent policy which the package policy will be added to. nullable: true type: string policy_ids: items: description: IDs of the agent policies which that package policy will be added to. type: string maxItems: 1000 type: array spaceIds: items: type: string maxItems: 100 type: array supports_agentless: default: false deprecated: true description: Indicates whether the package policy belongs to an agentless agent policy. Deprecated in favor of the Fleet agentless policies API. nullable: true type: boolean supports_cloud_connector: default: false description: Indicates whether the package policy supports cloud connectors. nullable: true type: boolean var_group_selections: additionalProperties: type: string description: Variable group selections. Maps var_group name to the selected option name within that group. type: object vars: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object required: - name - inputs - additionalProperties: false type: object properties: additional_datastreams_permissions: description: Additional datastream permissions, that will be added to the agent policy. items: type: string maxItems: 100 nullable: true type: array description: description: Policy description. type: string force: description: Force package policy creation even if the package is not verified, or if the agent policy is managed. type: boolean id: description: Policy unique identifier. type: string inputs: additionalProperties: additionalProperties: false type: object properties: deprecated: additionalProperties: false type: object properties: description: type: string replaced_by: additionalProperties: type: string type: object since: type: string required: - description enabled: description: Enable or disable that input. Defaults to `true` (enabled). type: boolean streams: additionalProperties: additionalProperties: false type: object properties: deprecated: additionalProperties: false type: object properties: description: type: string replaced_by: additionalProperties: type: string type: object since: type: string required: - description enabled: description: Enable or disable that stream. Defaults to `true` (enabled). type: boolean var_group_selections: additionalProperties: type: string description: Variable group selections. Maps var_group name to the selected option name within that group. type: object vars: additionalProperties: anyOf: - type: string - type: number - type: boolean - items: type: string maxItems: 100 type: array - items: type: number maxItems: 100 type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable. Refer to the integration documentation for more information. type: object description: Input streams. Refer to the integration documentation to know which streams are available. type: object vars: additionalProperties: anyOf: - type: string - type: number - type: boolean - items: type: string maxItems: 100 type: array - items: type: number maxItems: 100 type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable. Refer to the integration documentation for more information. type: object description: Package policy inputs. Refer to the integration documentation to know which inputs are available. type: object name: description: Unique name for the policy. type: string namespace: description: Policy namespace. When not specified, it inherits the agent policy namespace. type: string output_id: nullable: true type: string package: additionalProperties: false type: object properties: experimental_data_stream_features: items: additionalProperties: false type: object properties: data_stream: type: string features: additionalProperties: false type: object properties: doc_value_only_numeric: type: boolean doc_value_only_other: type: boolean synthetic_source: type: boolean tsdb: type: boolean required: - data_stream - features maxItems: 100 type: array fips_compatible: type: boolean name: description: Package name type: string requires_root: type: boolean title: type: string version: description: Package version type: string required: - name - version policy_id: deprecated: true description: Deprecated. Use policy_ids instead. nullable: true type: string policy_ids: description: IDs of the agent policies which that package policy will be added to. items: type: string maxItems: 1000 type: array supports_agentless: default: false deprecated: true description: Indicates whether the package policy belongs to an agentless agent policy. Deprecated in favor of the Fleet agentless policies API. nullable: true type: boolean var_group_selections: additionalProperties: type: string description: Variable group selections. Maps var_group name to the selected option name within that group. type: object vars: additionalProperties: anyOf: - type: string - type: number - type: boolean - items: type: string maxItems: 100 type: array - items: type: number maxItems: 100 type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable. Refer to the integration documentation for more information. type: object required: - name - package description: You should use inputs as an object and not use the deprecated inputs array. responses: '200': content: application/json: examples: postPackagePolicyExample: description: The created package policy value: item: created_at: '2024-01-15T10:00:00.000Z' enabled: true id: package-policy-id-2 inputs: [] name: nginx-1 namespace: default package: name: nginx title: Nginx version: 1.20.0 policy_ids: - agent-policy-id-1 updated_at: '2024-01-15T10:00:00.000Z' schema: additionalProperties: false type: object properties: item: additionalProperties: false type: object properties: additional_datastreams_permissions: description: Additional datastream permissions, that will be added to the agent policy. items: type: string maxItems: 1000 nullable: true type: array agents: type: number cloud_connector_id: description: ID of the cloud connector associated with this package policy. nullable: true type: string cloud_connector_name: description: Transient field for cloud connector name during creation. maxLength: 255 minLength: 1 nullable: true type: string created_at: type: string created_by: type: string description: description: Package policy description type: string elasticsearch: additionalProperties: true type: object properties: privileges: additionalProperties: true type: object properties: cluster: items: type: string maxItems: 100 type: array enabled: type: boolean global_data_tags: items: additionalProperties: false type: object properties: name: description: The name of the custom field. Cannot contain spaces. type: string value: anyOf: - type: string - type: number description: The value of the custom field. required: - name - value maxItems: 100 nullable: true type: array id: description: Package policy unique identifier. type: string inputs: anyOf: - items: additionalProperties: false type: object properties: compiled_input: {} config: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object deprecated: additionalProperties: false type: object properties: description: type: string replaced_by: additionalProperties: type: string type: object since: type: string required: - description enabled: type: boolean id: type: string keep_enabled: type: boolean migrate_from: type: string name: type: string policy_template: type: string streams: items: additionalProperties: false type: object properties: compiled_stream: {} config: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object data_stream: additionalProperties: false type: object properties: dataset: type: string elasticsearch: additionalProperties: false type: object properties: dynamic_dataset: type: boolean dynamic_namespace: type: boolean privileges: additionalProperties: false type: object properties: indices: items: type: string maxItems: 100 type: array type: type: string required: - dataset deprecated: additionalProperties: false type: object properties: description: type: string replaced_by: additionalProperties: type: string type: object since: type: string required: - description enabled: type: boolean id: type: string keep_enabled: type: boolean migrate_from: type: string release: enum: - ga - beta - experimental type: string var_group_selections: additionalProperties: type: string description: Variable group selections. Maps var_group name to the selected option name within that group. type: object vars: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object required: - enabled - data_stream - compiled_stream maxItems: 1000 type: array type: type: string var_group_selections: additionalProperties: type: string description: Variable group selections. Maps var_group name to the selected option name within that group. type: object vars: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object required: - type - enabled - streams - compiled_input maxItems: 100 type: array - additionalProperties: additionalProperties: false type: object properties: deprecated: additionalProperties: false type: object properties: description: type: string replaced_by: additionalProperties: type: string type: object since: type: string required: - description enabled: description: Enable or disable that input. Defaults to `true` (enabled). type: boolean streams: additionalProperties: additionalProperties: false type: object properties: deprecated: additionalProperties: false type: object properties: description: type: string replaced_by: additionalProperties: type: string type: object since: type: string required: - description enabled: description: Enable or disable that stream. Defaults to `true` (enabled). type: boolean var_group_selections: additionalProperties: type: string description: Variable group selections. Maps var_group name to the selected option name within that group. type: object vars: additionalProperties: anyOf: - type: string - type: number - type: boolean - items: type: string maxItems: 100 type: array - items: type: number maxItems: 100 type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable. Refer to the integration documentation for more information. type: object description: Input streams. Refer to the integration documentation to know which streams are available. type: object vars: additionalProperties: anyOf: - type: string - type: number - type: boolean - items: type: string maxItems: 100 type: array - items: type: number maxItems: 100 type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable. Refer to the integration documentation for more information. type: object description: Package policy inputs. Refer to the integration documentation to know which inputs are available. type: object x-oas-optional: true description: Package policy inputs. is_managed: type: boolean name: description: Unique name for the package policy. type: string namespace: description: The package policy namespace. Leave blank to inherit the agent policy's namespace. type: string output_id: nullable: true type: string overrides: additionalProperties: false description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. nullable: true type: object properties: inputs: additionalProperties: {} type: object package: additionalProperties: false type: object properties: experimental_data_stream_features: items: additionalProperties: false type: object properties: data_stream: type: string features: additionalProperties: false type: object properties: doc_value_only_numeric: type: boolean doc_value_only_other: type: boolean synthetic_source: type: boolean tsdb: type: boolean required: - data_stream - features maxItems: 100 type: array fips_compatible: type: boolean name: description: Package name type: string requires_root: type: boolean title: type: string version: description: Package version type: string required: - name - version package_agent_version_condition: type: string policy_id: deprecated: true description: ID of the agent policy which the package policy will be added to. nullable: true type: string policy_ids: items: description: IDs of the agent policies which that package policy will be added to. type: string maxItems: 1000 type: array revision: description: Package policy revision. type: number secret_references: items: additionalProperties: false type: object properties: id: type: string required: - id maxItems: 1000 type: array spaceIds: items: type: string maxItems: 100 type: array supports_agentless: default: false description: Indicates whether the package policy belongs to an agentless agent policy. nullable: true type: boolean supports_cloud_connector: default: false description: Indicates whether the package policy supports cloud connectors. nullable: true type: boolean updated_at: type: string updated_by: type: string var_group_selections: additionalProperties: type: string description: Variable group selections. Maps var_group name to the selected option name within that group. type: object vars: anyOf: - additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object - additionalProperties: anyOf: - type: string - type: number - type: boolean - items: type: string maxItems: 100 type: array - items: type: number maxItems: 100 type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable. Refer to the integration documentation for more information. type: object x-oas-optional: true description: Package level variable. version: description: Package policy ES version. type: string required: - name - enabled - inputs - id - revision - updated_at - updated_by - created_at - created_by required: - item description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request '409': content: application/json: examples: conflictExample: description: A package policy with the same name already exists value: error: Conflict message: An error message describing what went wrong statusCode: 409 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Conflict summary: Create a package policy tags: - Fleet package policies x-metaTags: - content: Kibana name: product_name /api/fleet/package_policies/_bulk_get: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/fleet/package_policies/_bulk_get
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get multiple package policies by ID. operationId: post-fleet-package-policies-bulk-get parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: 'Format for the response: simplified or legacy' in: query name: format required: false schema: enum: - simplified - legacy type: string requestBody: content: application/json: examples: postBulkGetPackagePoliciesRequestExample: description: Retrieve multiple package policies by ID value: ids: - package-policy-id-1 - package-policy-id-2 schema: additionalProperties: false type: object properties: ids: description: list of package policy ids items: type: string maxItems: 1000 type: array ignoreMissing: type: boolean required: - ids responses: '200': content: application/json: examples: postBulkGetPackagePoliciesExample: description: The requested package policies value: items: - created_at: '2024-01-15T10:00:00.000Z' enabled: true id: package-policy-id-1 inputs: [] name: nginx-1 namespace: default package: name: nginx title: Nginx version: 1.20.0 policy_ids: - agent-policy-id-1 updated_at: '2024-01-15T10:00:00.000Z' schema: additionalProperties: false type: object properties: items: items: additionalProperties: false type: object properties: additional_datastreams_permissions: description: Additional datastream permissions, that will be added to the agent policy. items: type: string maxItems: 1000 nullable: true type: array agents: type: number cloud_connector_id: description: ID of the cloud connector associated with this package policy. nullable: true type: string cloud_connector_name: description: Transient field for cloud connector name during creation. maxLength: 255 minLength: 1 nullable: true type: string created_at: type: string created_by: type: string description: description: Package policy description type: string elasticsearch: additionalProperties: true type: object properties: privileges: additionalProperties: true type: object properties: cluster: items: type: string maxItems: 100 type: array enabled: type: boolean global_data_tags: items: additionalProperties: false type: object properties: name: description: The name of the custom field. Cannot contain spaces. type: string value: anyOf: - type: string - type: number description: The value of the custom field. required: - name - value maxItems: 100 nullable: true type: array id: description: Package policy unique identifier. type: string inputs: anyOf: - items: additionalProperties: false type: object properties: compiled_input: {} config: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object deprecated: additionalProperties: false type: object properties: description: type: string replaced_by: additionalProperties: type: string type: object since: type: string required: - description enabled: type: boolean id: type: string keep_enabled: type: boolean migrate_from: type: string name: type: string policy_template: type: string streams: items: additionalProperties: false type: object properties: compiled_stream: {} config: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object data_stream: additionalProperties: false type: object properties: dataset: type: string elasticsearch: additionalProperties: false type: object properties: dynamic_dataset: type: boolean dynamic_namespace: type: boolean privileges: additionalProperties: false type: object properties: indices: items: type: string maxItems: 100 type: array type: type: string required: - dataset deprecated: additionalProperties: false type: object properties: description: type: string replaced_by: additionalProperties: type: string type: object since: type: string required: - description enabled: type: boolean id: type: string keep_enabled: type: boolean migrate_from: type: string release: enum: - ga - beta - experimental type: string var_group_selections: additionalProperties: type: string description: Variable group selections. Maps var_group name to the selected option name within that group. type: object vars: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object required: - enabled - data_stream - compiled_stream maxItems: 1000 type: array type: type: string var_group_selections: additionalProperties: type: string description: Variable group selections. Maps var_group name to the selected option name within that group. type: object vars: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object required: - type - enabled - streams - compiled_input maxItems: 100 type: array - additionalProperties: additionalProperties: false type: object properties: deprecated: additionalProperties: false type: object properties: description: type: string replaced_by: additionalProperties: type: string type: object since: type: string required: - description enabled: description: Enable or disable that input. Defaults to `true` (enabled). type: boolean streams: additionalProperties: additionalProperties: false type: object properties: deprecated: additionalProperties: false type: object properties: description: type: string replaced_by: additionalProperties: type: string type: object since: type: string required: - description enabled: description: Enable or disable that stream. Defaults to `true` (enabled). type: boolean var_group_selections: additionalProperties: type: string description: Variable group selections. Maps var_group name to the selected option name within that group. type: object vars: additionalProperties: anyOf: - type: string - type: number - type: boolean - items: type: string maxItems: 100 type: array - items: type: number maxItems: 100 type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable. Refer to the integration documentation for more information. type: object description: Input streams. Refer to the integration documentation to know which streams are available. type: object vars: additionalProperties: anyOf: - type: string - type: number - type: boolean - items: type: string maxItems: 100 type: array - items: type: number maxItems: 100 type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable. Refer to the integration documentation for more information. type: object description: Package policy inputs. Refer to the integration documentation to know which inputs are available. type: object x-oas-optional: true description: Package policy inputs. is_managed: type: boolean name: description: Unique name for the package policy. type: string namespace: description: The package policy namespace. Leave blank to inherit the agent policy's namespace. type: string output_id: nullable: true type: string overrides: additionalProperties: false description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. nullable: true type: object properties: inputs: additionalProperties: {} type: object package: additionalProperties: false type: object properties: experimental_data_stream_features: items: additionalProperties: false type: object properties: data_stream: type: string features: additionalProperties: false type: object properties: doc_value_only_numeric: type: boolean doc_value_only_other: type: boolean synthetic_source: type: boolean tsdb: type: boolean required: - data_stream - features maxItems: 100 type: array fips_compatible: type: boolean name: description: Package name type: string requires_root: type: boolean title: type: string version: description: Package version type: string required: - name - version package_agent_version_condition: type: string policy_id: deprecated: true description: ID of the agent policy which the package policy will be added to. nullable: true type: string policy_ids: items: description: IDs of the agent policies which that package policy will be added to. type: string maxItems: 1000 type: array revision: description: Package policy revision. type: number secret_references: items: additionalProperties: false type: object properties: id: type: string required: - id maxItems: 1000 type: array spaceIds: items: type: string maxItems: 100 type: array supports_agentless: default: false description: Indicates whether the package policy belongs to an agentless agent policy. nullable: true type: boolean supports_cloud_connector: default: false description: Indicates whether the package policy supports cloud connectors. nullable: true type: boolean updated_at: type: string updated_by: type: string var_group_selections: additionalProperties: type: string description: Variable group selections. Maps var_group name to the selected option name within that group. type: object vars: anyOf: - additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object - additionalProperties: anyOf: - type: string - type: number - type: boolean - items: type: string maxItems: 100 type: array - items: type: number maxItems: 100 type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable. Refer to the integration documentation for more information. type: object x-oas-optional: true description: Package level variable. version: description: Package policy ES version. type: string required: - name - enabled - inputs - id - revision - updated_at - updated_by - created_at - created_by maxItems: 10000 type: array required: - items description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request '404': content: application/json: examples: notFoundExample: description: One or more package policies were not found value: error: Not Found message: Package policy package-policy-id-2 not found statusCode: 404 schema: additionalProperties: false type: object properties: message: type: string required: - message description: Not Found summary: Bulk get package policies tags: - Fleet package policies x-metaTags: - content: Kibana name: product_name /api/fleet/package_policies/{packagePolicyId}: delete: description: |- **Spaces method and path for this operation:**
delete /s/{space_id}/api/fleet/package_policies/{packagePolicyId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Delete a package policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all AND integrations-all. operationId: delete-fleet-package-policies-packagepolicyid parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The ID of the package policy in: path name: packagePolicyId required: true schema: type: string - description: When true, delete the package policy even if it is managed in: query name: force required: false schema: type: boolean responses: '200': content: application/json: examples: deletePackagePolicyExample: description: The package policy was successfully deleted value: id: package-policy-id-1 schema: additionalProperties: false type: object properties: id: type: string required: - id description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Delete a package policy tags: - Fleet package policies x-metaTags: - content: Kibana name: product_name get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/fleet/package_policies/{packagePolicyId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get a package policy by ID. operationId: get-fleet-package-policies-packagepolicyid parameters: - description: The ID of the package policy in: path name: packagePolicyId required: true schema: type: string - description: 'Format for the response: simplified or legacy' in: query name: format required: false schema: enum: - simplified - legacy type: string responses: '200': content: application/json: examples: getPackagePolicyExample: description: A package policy value: item: created_at: '2024-01-15T10:00:00.000Z' enabled: true id: package-policy-id-1 inputs: [] name: nginx-1 namespace: default package: name: nginx title: Nginx version: 1.20.0 policy_ids: - agent-policy-id-1 updated_at: '2024-01-15T10:00:00.000Z' schema: additionalProperties: false type: object properties: item: additionalProperties: false type: object properties: additional_datastreams_permissions: description: Additional datastream permissions, that will be added to the agent policy. items: type: string maxItems: 1000 nullable: true type: array agents: type: number cloud_connector_id: description: ID of the cloud connector associated with this package policy. nullable: true type: string cloud_connector_name: description: Transient field for cloud connector name during creation. maxLength: 255 minLength: 1 nullable: true type: string created_at: type: string created_by: type: string description: description: Package policy description type: string elasticsearch: additionalProperties: true type: object properties: privileges: additionalProperties: true type: object properties: cluster: items: type: string maxItems: 100 type: array enabled: type: boolean global_data_tags: items: additionalProperties: false type: object properties: name: description: The name of the custom field. Cannot contain spaces. type: string value: anyOf: - type: string - type: number description: The value of the custom field. required: - name - value maxItems: 100 nullable: true type: array id: description: Package policy unique identifier. type: string inputs: anyOf: - items: additionalProperties: false type: object properties: compiled_input: {} config: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object deprecated: additionalProperties: false type: object properties: description: type: string replaced_by: additionalProperties: type: string type: object since: type: string required: - description enabled: type: boolean id: type: string keep_enabled: type: boolean migrate_from: type: string name: type: string policy_template: type: string streams: items: additionalProperties: false type: object properties: compiled_stream: {} config: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object data_stream: additionalProperties: false type: object properties: dataset: type: string elasticsearch: additionalProperties: false type: object properties: dynamic_dataset: type: boolean dynamic_namespace: type: boolean privileges: additionalProperties: false type: object properties: indices: items: type: string maxItems: 100 type: array type: type: string required: - dataset deprecated: additionalProperties: false type: object properties: description: type: string replaced_by: additionalProperties: type: string type: object since: type: string required: - description enabled: type: boolean id: type: string keep_enabled: type: boolean migrate_from: type: string release: enum: - ga - beta - experimental type: string var_group_selections: additionalProperties: type: string description: Variable group selections. Maps var_group name to the selected option name within that group. type: object vars: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object required: - enabled - data_stream - compiled_stream maxItems: 1000 type: array type: type: string var_group_selections: additionalProperties: type: string description: Variable group selections. Maps var_group name to the selected option name within that group. type: object vars: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object required: - type - enabled - streams - compiled_input maxItems: 100 type: array - additionalProperties: additionalProperties: false type: object properties: deprecated: additionalProperties: false type: object properties: description: type: string replaced_by: additionalProperties: type: string type: object since: type: string required: - description enabled: description: Enable or disable that input. Defaults to `true` (enabled). type: boolean streams: additionalProperties: additionalProperties: false type: object properties: deprecated: additionalProperties: false type: object properties: description: type: string replaced_by: additionalProperties: type: string type: object since: type: string required: - description enabled: description: Enable or disable that stream. Defaults to `true` (enabled). type: boolean var_group_selections: additionalProperties: type: string description: Variable group selections. Maps var_group name to the selected option name within that group. type: object vars: additionalProperties: anyOf: - type: string - type: number - type: boolean - items: type: string maxItems: 100 type: array - items: type: number maxItems: 100 type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable. Refer to the integration documentation for more information. type: object description: Input streams. Refer to the integration documentation to know which streams are available. type: object vars: additionalProperties: anyOf: - type: string - type: number - type: boolean - items: type: string maxItems: 100 type: array - items: type: number maxItems: 100 type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable. Refer to the integration documentation for more information. type: object description: Package policy inputs. Refer to the integration documentation to know which inputs are available. type: object x-oas-optional: true description: Package policy inputs. is_managed: type: boolean name: description: Unique name for the package policy. type: string namespace: description: The package policy namespace. Leave blank to inherit the agent policy's namespace. type: string output_id: nullable: true type: string overrides: additionalProperties: false description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. nullable: true type: object properties: inputs: additionalProperties: {} type: object package: additionalProperties: false type: object properties: experimental_data_stream_features: items: additionalProperties: false type: object properties: data_stream: type: string features: additionalProperties: false type: object properties: doc_value_only_numeric: type: boolean doc_value_only_other: type: boolean synthetic_source: type: boolean tsdb: type: boolean required: - data_stream - features maxItems: 100 type: array fips_compatible: type: boolean name: description: Package name type: string requires_root: type: boolean title: type: string version: description: Package version type: string required: - name - version package_agent_version_condition: type: string policy_id: deprecated: true description: ID of the agent policy which the package policy will be added to. nullable: true type: string policy_ids: items: description: IDs of the agent policies which that package policy will be added to. type: string maxItems: 1000 type: array revision: description: Package policy revision. type: number secret_references: items: additionalProperties: false type: object properties: id: type: string required: - id maxItems: 1000 type: array spaceIds: items: type: string maxItems: 100 type: array supports_agentless: default: false description: Indicates whether the package policy belongs to an agentless agent policy. nullable: true type: boolean supports_cloud_connector: default: false description: Indicates whether the package policy supports cloud connectors. nullable: true type: boolean updated_at: type: string updated_by: type: string var_group_selections: additionalProperties: type: string description: Variable group selections. Maps var_group name to the selected option name within that group. type: object vars: anyOf: - additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object - additionalProperties: anyOf: - type: string - type: number - type: boolean - items: type: string maxItems: 100 type: array - items: type: number maxItems: 100 type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable. Refer to the integration documentation for more information. type: object x-oas-optional: true description: Package level variable. version: description: Package policy ES version. type: string required: - name - enabled - inputs - id - revision - updated_at - updated_by - created_at - created_by required: - item description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request '404': content: application/json: examples: notFoundExample: description: No package policy was found with the given ID value: error: Not Found message: Package policy package-policy-id-1 not found statusCode: 404 schema: additionalProperties: false type: object properties: message: type: string required: - message description: Not Found summary: Get a package policy tags: - Fleet package policies x-metaTags: - content: Kibana name: product_name put: description: |- **Spaces method and path for this operation:**
put /s/{space_id}/api/fleet/package_policies/{packagePolicyId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Update a package policy by ID. operationId: put-fleet-package-policies-packagepolicyid parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The ID of the package policy in: path name: packagePolicyId required: true schema: type: string - description: 'Format for the response: simplified or legacy' in: query name: format required: false schema: enum: - simplified - legacy type: string requestBody: content: application/json: examples: putPackagePolicyRequestExample: description: Update a package policy value: enabled: true inputs: {} name: nginx-1-updated namespace: default package: name: nginx version: 1.20.0 policy_ids: - agent-policy-id-1 schema: anyOf: - additionalProperties: false type: object properties: additional_datastreams_permissions: description: Additional datastream permissions, that will be added to the agent policy. items: type: string maxItems: 1000 nullable: true type: array cloud_connector_id: description: ID of the cloud connector associated with this package policy. nullable: true type: string cloud_connector_name: description: Transient field for cloud connector name during creation. maxLength: 255 minLength: 1 nullable: true type: string description: description: Package policy description type: string enabled: type: boolean force: type: boolean global_data_tags: items: additionalProperties: false type: object properties: name: description: The name of the custom field. Cannot contain spaces. type: string value: anyOf: - type: string - type: number description: The value of the custom field. required: - name - value maxItems: 100 nullable: true type: array inputs: items: additionalProperties: false type: object properties: config: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object deprecated: additionalProperties: false type: object properties: description: type: string replaced_by: additionalProperties: type: string type: object since: type: string required: - description enabled: type: boolean id: type: string keep_enabled: type: boolean migrate_from: type: string name: type: string policy_template: type: string streams: items: additionalProperties: false type: object properties: compiled_stream: {} config: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object data_stream: additionalProperties: false type: object properties: dataset: type: string elasticsearch: additionalProperties: false type: object properties: dynamic_dataset: type: boolean dynamic_namespace: type: boolean privileges: additionalProperties: false type: object properties: indices: items: type: string maxItems: 100 type: array type: type: string required: - dataset deprecated: additionalProperties: false type: object properties: description: type: string replaced_by: additionalProperties: type: string type: object since: type: string required: - description enabled: type: boolean id: type: string keep_enabled: type: boolean migrate_from: type: string release: enum: - ga - beta - experimental type: string var_group_selections: additionalProperties: type: string description: Variable group selections. Maps var_group name to the selected option name within that group. type: object vars: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object required: - enabled - data_stream - compiled_stream maxItems: 1000 type: array type: type: string var_group_selections: additionalProperties: type: string description: Variable group selections. Maps var_group name to the selected option name within that group. type: object vars: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object required: - type - enabled maxItems: 1000 type: array is_managed: type: boolean name: type: string namespace: description: The package policy namespace. Leave blank to inherit the agent policy's namespace. type: string output_id: nullable: true type: string overrides: additionalProperties: false description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. nullable: true type: object properties: inputs: additionalProperties: {} type: object package: additionalProperties: false type: object properties: experimental_data_stream_features: items: additionalProperties: false type: object properties: data_stream: type: string features: additionalProperties: false type: object properties: doc_value_only_numeric: type: boolean doc_value_only_other: type: boolean synthetic_source: type: boolean tsdb: type: boolean required: - data_stream - features maxItems: 100 type: array fips_compatible: type: boolean name: description: Package name type: string requires_root: type: boolean title: type: string version: description: Package version type: string required: - name - version package_agent_version_condition: type: string policy_id: deprecated: true description: ID of the agent policy which the package policy will be added to. nullable: true type: string policy_ids: items: description: IDs of the agent policies which that package policy will be added to. type: string maxItems: 1000 type: array spaceIds: items: type: string maxItems: 100 type: array supports_agentless: default: false description: Indicates whether the package policy belongs to an agentless agent policy. nullable: true type: boolean supports_cloud_connector: default: false description: Indicates whether the package policy supports cloud connectors. nullable: true type: boolean var_group_selections: additionalProperties: type: string description: Variable group selections. Maps var_group name to the selected option name within that group. type: object vars: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object version: type: string - additionalProperties: false type: object properties: additional_datastreams_permissions: description: Additional datastream permissions, that will be added to the agent policy. items: type: string maxItems: 100 nullable: true type: array description: description: Policy description. type: string force: description: Force package policy creation even if the package is not verified, or if the agent policy is managed. type: boolean id: description: Policy unique identifier. type: string inputs: additionalProperties: additionalProperties: false type: object properties: deprecated: additionalProperties: false type: object properties: description: type: string replaced_by: additionalProperties: type: string type: object since: type: string required: - description enabled: description: Enable or disable that input. Defaults to `true` (enabled). type: boolean streams: additionalProperties: additionalProperties: false type: object properties: deprecated: additionalProperties: false type: object properties: description: type: string replaced_by: additionalProperties: type: string type: object since: type: string required: - description enabled: description: Enable or disable that stream. Defaults to `true` (enabled). type: boolean var_group_selections: additionalProperties: type: string description: Variable group selections. Maps var_group name to the selected option name within that group. type: object vars: additionalProperties: anyOf: - type: string - type: number - type: boolean - items: type: string maxItems: 100 type: array - items: type: number maxItems: 100 type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable. Refer to the integration documentation for more information. type: object description: Input streams. Refer to the integration documentation to know which streams are available. type: object vars: additionalProperties: anyOf: - type: string - type: number - type: boolean - items: type: string maxItems: 100 type: array - items: type: number maxItems: 100 type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable. Refer to the integration documentation for more information. type: object description: Package policy inputs. Refer to the integration documentation to know which inputs are available. type: object name: description: Unique name for the policy. type: string namespace: description: Policy namespace. When not specified, it inherits the agent policy namespace. type: string output_id: nullable: true type: string package: additionalProperties: false type: object properties: experimental_data_stream_features: items: additionalProperties: false type: object properties: data_stream: type: string features: additionalProperties: false type: object properties: doc_value_only_numeric: type: boolean doc_value_only_other: type: boolean synthetic_source: type: boolean tsdb: type: boolean required: - data_stream - features maxItems: 100 type: array fips_compatible: type: boolean name: description: Package name type: string requires_root: type: boolean title: type: string version: description: Package version type: string required: - name - version policy_id: deprecated: true description: Deprecated. Use policy_ids instead. nullable: true type: string policy_ids: description: IDs of the agent policies which that package policy will be added to. items: type: string maxItems: 1000 type: array supports_agentless: default: false deprecated: true description: Indicates whether the package policy belongs to an agentless agent policy. Deprecated in favor of the Fleet agentless policies API. nullable: true type: boolean var_group_selections: additionalProperties: type: string description: Variable group selections. Maps var_group name to the selected option name within that group. type: object vars: additionalProperties: anyOf: - type: string - type: number - type: boolean - items: type: string maxItems: 100 type: array - items: type: number maxItems: 100 type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable. Refer to the integration documentation for more information. type: object required: - name - package responses: '200': content: application/json: examples: putPackagePolicyExample: description: The updated package policy value: item: created_at: '2024-01-15T10:00:00.000Z' enabled: true id: package-policy-id-1 inputs: [] name: nginx-1-updated namespace: default package: name: nginx title: Nginx version: 1.20.0 policy_ids: - agent-policy-id-1 updated_at: '2024-01-15T11:00:00.000Z' schema: additionalProperties: false type: object properties: item: additionalProperties: false type: object properties: additional_datastreams_permissions: description: Additional datastream permissions, that will be added to the agent policy. items: type: string maxItems: 1000 nullable: true type: array agents: type: number cloud_connector_id: description: ID of the cloud connector associated with this package policy. nullable: true type: string cloud_connector_name: description: Transient field for cloud connector name during creation. maxLength: 255 minLength: 1 nullable: true type: string created_at: type: string created_by: type: string description: description: Package policy description type: string elasticsearch: additionalProperties: true type: object properties: privileges: additionalProperties: true type: object properties: cluster: items: type: string maxItems: 100 type: array enabled: type: boolean global_data_tags: items: additionalProperties: false type: object properties: name: description: The name of the custom field. Cannot contain spaces. type: string value: anyOf: - type: string - type: number description: The value of the custom field. required: - name - value maxItems: 100 nullable: true type: array id: description: Package policy unique identifier. type: string inputs: anyOf: - items: additionalProperties: false type: object properties: compiled_input: {} config: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object deprecated: additionalProperties: false type: object properties: description: type: string replaced_by: additionalProperties: type: string type: object since: type: string required: - description enabled: type: boolean id: type: string keep_enabled: type: boolean migrate_from: type: string name: type: string policy_template: type: string streams: items: additionalProperties: false type: object properties: compiled_stream: {} config: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object data_stream: additionalProperties: false type: object properties: dataset: type: string elasticsearch: additionalProperties: false type: object properties: dynamic_dataset: type: boolean dynamic_namespace: type: boolean privileges: additionalProperties: false type: object properties: indices: items: type: string maxItems: 100 type: array type: type: string required: - dataset deprecated: additionalProperties: false type: object properties: description: type: string replaced_by: additionalProperties: type: string type: object since: type: string required: - description enabled: type: boolean id: type: string keep_enabled: type: boolean migrate_from: type: string release: enum: - ga - beta - experimental type: string var_group_selections: additionalProperties: type: string description: Variable group selections. Maps var_group name to the selected option name within that group. type: object vars: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object required: - enabled - data_stream - compiled_stream maxItems: 1000 type: array type: type: string var_group_selections: additionalProperties: type: string description: Variable group selections. Maps var_group name to the selected option name within that group. type: object vars: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object required: - type - enabled - streams - compiled_input maxItems: 100 type: array - additionalProperties: additionalProperties: false type: object properties: deprecated: additionalProperties: false type: object properties: description: type: string replaced_by: additionalProperties: type: string type: object since: type: string required: - description enabled: description: Enable or disable that input. Defaults to `true` (enabled). type: boolean streams: additionalProperties: additionalProperties: false type: object properties: deprecated: additionalProperties: false type: object properties: description: type: string replaced_by: additionalProperties: type: string type: object since: type: string required: - description enabled: description: Enable or disable that stream. Defaults to `true` (enabled). type: boolean var_group_selections: additionalProperties: type: string description: Variable group selections. Maps var_group name to the selected option name within that group. type: object vars: additionalProperties: anyOf: - type: string - type: number - type: boolean - items: type: string maxItems: 100 type: array - items: type: number maxItems: 100 type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable. Refer to the integration documentation for more information. type: object description: Input streams. Refer to the integration documentation to know which streams are available. type: object vars: additionalProperties: anyOf: - type: string - type: number - type: boolean - items: type: string maxItems: 100 type: array - items: type: number maxItems: 100 type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable. Refer to the integration documentation for more information. type: object description: Package policy inputs. Refer to the integration documentation to know which inputs are available. type: object x-oas-optional: true description: Package policy inputs. is_managed: type: boolean name: description: Unique name for the package policy. type: string namespace: description: The package policy namespace. Leave blank to inherit the agent policy's namespace. type: string output_id: nullable: true type: string overrides: additionalProperties: false description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. nullable: true type: object properties: inputs: additionalProperties: {} type: object package: additionalProperties: false type: object properties: experimental_data_stream_features: items: additionalProperties: false type: object properties: data_stream: type: string features: additionalProperties: false type: object properties: doc_value_only_numeric: type: boolean doc_value_only_other: type: boolean synthetic_source: type: boolean tsdb: type: boolean required: - data_stream - features maxItems: 100 type: array fips_compatible: type: boolean name: description: Package name type: string requires_root: type: boolean title: type: string version: description: Package version type: string required: - name - version package_agent_version_condition: type: string policy_id: deprecated: true description: ID of the agent policy which the package policy will be added to. nullable: true type: string policy_ids: items: description: IDs of the agent policies which that package policy will be added to. type: string maxItems: 1000 type: array revision: description: Package policy revision. type: number secret_references: items: additionalProperties: false type: object properties: id: type: string required: - id maxItems: 1000 type: array spaceIds: items: type: string maxItems: 100 type: array supports_agentless: default: false description: Indicates whether the package policy belongs to an agentless agent policy. nullable: true type: boolean supports_cloud_connector: default: false description: Indicates whether the package policy supports cloud connectors. nullable: true type: boolean updated_at: type: string updated_by: type: string var_group_selections: additionalProperties: type: string description: Variable group selections. Maps var_group name to the selected option name within that group. type: object vars: anyOf: - additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object - additionalProperties: anyOf: - type: string - type: number - type: boolean - items: type: string maxItems: 100 type: array - items: type: number maxItems: 100 type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable. Refer to the integration documentation for more information. type: object x-oas-optional: true description: Package level variable. version: description: Package policy ES version. type: string required: - name - enabled - inputs - id - revision - updated_at - updated_by - created_at - created_by required: - item description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request '403': content: application/json: examples: forbiddenExample: description: The update is not authorized for this package value: error: Forbidden message: An error message describing what went wrong statusCode: 403 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Forbidden summary: Update a package policy tags: - Fleet package policies x-metaTags: - content: Kibana name: product_name /api/fleet/package_policies/delete: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/fleet/package_policies/delete
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Delete multiple package policies by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all AND integrations-all. operationId: post-fleet-package-policies-delete parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: examples: postDeletePackagePoliciesRequestExample: description: Delete multiple package policies by ID value: packagePolicyIds: - package-policy-id-1 - package-policy-id-2 schema: additionalProperties: false type: object properties: force: type: boolean packagePolicyIds: items: type: string maxItems: 1000 type: array required: - packagePolicyIds responses: '200': content: application/json: examples: postDeletePackagePoliciesExample: description: Results of the bulk delete operation value: - id: package-policy-id-1 success: true - id: package-policy-id-2 success: true schema: items: additionalProperties: false type: object properties: body: additionalProperties: false type: object properties: message: type: string required: - message id: type: string name: type: string output_id: nullable: true type: string package: additionalProperties: false type: object properties: experimental_data_stream_features: items: additionalProperties: false type: object properties: data_stream: type: string features: additionalProperties: false type: object properties: doc_value_only_numeric: type: boolean doc_value_only_other: type: boolean synthetic_source: type: boolean tsdb: type: boolean required: - data_stream - features maxItems: 100 type: array fips_compatible: type: boolean name: description: Package name type: string requires_root: type: boolean title: type: string version: description: Package version type: string required: - name - version policy_id: deprecated: true description: Use `policy_ids` instead nullable: true type: string policy_ids: items: type: string maxItems: 10000 type: array statusCode: type: number success: type: boolean required: - id - success - policy_ids - package maxItems: 10000 type: array description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Bulk delete package policies tags: - Fleet package policies x-metaTags: - content: Kibana name: product_name /api/fleet/package_policies/upgrade: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/fleet/package_policies/upgrade
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Upgrade a package policy to a newer package version.

[Required authorization] Route required privileges: fleet-agent-policies-all AND integrations-all. operationId: post-fleet-package-policies-upgrade parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: examples: postUpgradePackagePoliciesRequestExample: description: Upgrade package policies to the latest version value: packagePolicyIds: - package-policy-id-1 schema: additionalProperties: false type: object properties: packagePolicyIds: items: type: string maxItems: 1000 type: array required: - packagePolicyIds responses: '200': content: application/json: examples: postUpgradePackagePoliciesExample: description: Results of the upgrade operation value: - id: package-policy-id-1 name: nginx-1 success: true schema: items: additionalProperties: false type: object properties: body: additionalProperties: false type: object properties: message: type: string required: - message id: type: string name: type: string statusCode: type: number success: type: boolean required: - id - success maxItems: 10000 type: array description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Upgrade a package policy tags: - Fleet package policies x-metaTags: - content: Kibana name: product_name /api/fleet/package_policies/upgrade/dryrun: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/fleet/package_policies/upgrade/dryrun
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Preview the changes that would be applied by upgrading a package policy to a newer package version.

[Required authorization] Route required privileges: fleet-agent-policies-read AND integrations-read. operationId: post-fleet-package-policies-upgrade-dryrun parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: examples: postDryRunPackagePoliciesRequestExample: description: Dry run an upgrade of a package policy value: packagePolicyIds: - package-policy-id-1 schema: additionalProperties: false type: object properties: packagePolicyIds: items: type: string maxItems: 1000 type: array packageVersion: type: string required: - packagePolicyIds responses: '200': content: application/json: examples: postDryRunPackagePoliciesExample: description: Preview of the package policy upgrade diff value: - diff: - id: package-policy-id-1 name: nginx-1 package: name: nginx version: 1.20.0 - name: nginx-1 package: name: nginx version: 1.21.0 hasErrors: false name: nginx-1 schema: items: additionalProperties: false type: object properties: agent_diff: items: items: additionalProperties: true type: object properties: data_stream: additionalProperties: true type: object properties: namespace: type: string required: - namespace id: type: string meta: additionalProperties: true type: object properties: package: additionalProperties: true type: object properties: name: type: string version: type: string required: - name - version required: - package name: type: string package_policy_id: type: string processors: items: additionalProperties: true type: object properties: add_fields: additionalProperties: true type: object properties: fields: additionalProperties: anyOf: - type: string - type: number type: object target: type: string required: - target - fields required: - add_fields maxItems: 10000 type: array revision: type: number streams: items: additionalProperties: true type: object properties: data_stream: additionalProperties: true type: object properties: dataset: type: string type: type: string required: - dataset id: type: string required: - data_stream maxItems: 10000 type: array type: type: string use_output: type: string required: - id - name - revision - type - data_stream - use_output - package_policy_id maxItems: 10000 type: array maxItems: 1 type: array body: additionalProperties: false type: object properties: message: type: string required: - message diff: items: anyOf: - additionalProperties: false type: object properties: additional_datastreams_permissions: description: Additional datastream permissions, that will be added to the agent policy. items: type: string maxItems: 1000 nullable: true type: array agents: type: number cloud_connector_id: description: ID of the cloud connector associated with this package policy. nullable: true type: string cloud_connector_name: description: Transient field for cloud connector name during creation. maxLength: 255 minLength: 1 nullable: true type: string created_at: type: string created_by: type: string description: description: Package policy description type: string elasticsearch: additionalProperties: true type: object properties: privileges: additionalProperties: true type: object properties: cluster: items: type: string maxItems: 100 type: array enabled: type: boolean global_data_tags: items: additionalProperties: false type: object properties: name: description: The name of the custom field. Cannot contain spaces. type: string value: anyOf: - type: string - type: number description: The value of the custom field. required: - name - value maxItems: 100 nullable: true type: array id: type: string inputs: anyOf: - items: additionalProperties: false type: object properties: compiled_input: {} config: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object deprecated: additionalProperties: false type: object properties: description: type: string replaced_by: additionalProperties: type: string type: object since: type: string required: - description enabled: type: boolean id: type: string keep_enabled: type: boolean migrate_from: type: string name: type: string policy_template: type: string streams: items: additionalProperties: false type: object properties: compiled_stream: {} config: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object data_stream: additionalProperties: false type: object properties: dataset: type: string elasticsearch: additionalProperties: false type: object properties: dynamic_dataset: type: boolean dynamic_namespace: type: boolean privileges: additionalProperties: false type: object properties: indices: items: type: string maxItems: 100 type: array type: type: string required: - dataset deprecated: additionalProperties: false type: object properties: description: type: string replaced_by: additionalProperties: type: string type: object since: type: string required: - description enabled: type: boolean id: type: string keep_enabled: type: boolean migrate_from: type: string release: enum: - ga - beta - experimental type: string var_group_selections: additionalProperties: type: string description: Variable group selections. Maps var_group name to the selected option name within that group. type: object vars: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object required: - enabled - data_stream - compiled_stream maxItems: 1000 type: array type: type: string var_group_selections: additionalProperties: type: string description: Variable group selections. Maps var_group name to the selected option name within that group. type: object vars: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object required: - type - enabled - streams - compiled_input maxItems: 100 type: array - additionalProperties: additionalProperties: false type: object properties: deprecated: additionalProperties: false type: object properties: description: type: string replaced_by: additionalProperties: type: string type: object since: type: string required: - description enabled: description: Enable or disable that input. Defaults to `true` (enabled). type: boolean streams: additionalProperties: additionalProperties: false type: object properties: deprecated: additionalProperties: false type: object properties: description: type: string replaced_by: additionalProperties: type: string type: object since: type: string required: - description enabled: description: Enable or disable that stream. Defaults to `true` (enabled). type: boolean var_group_selections: additionalProperties: type: string description: Variable group selections. Maps var_group name to the selected option name within that group. type: object vars: additionalProperties: anyOf: - type: string - type: number - type: boolean - items: type: string maxItems: 100 type: array - items: type: number maxItems: 100 type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable. Refer to the integration documentation for more information. type: object description: Input streams. Refer to the integration documentation to know which streams are available. type: object vars: additionalProperties: anyOf: - type: string - type: number - type: boolean - items: type: string maxItems: 100 type: array - items: type: number maxItems: 100 type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable. Refer to the integration documentation for more information. type: object description: Package policy inputs. Refer to the integration documentation to know which inputs are available. type: object x-oas-optional: true description: Package policy inputs. is_managed: type: boolean name: description: Unique name for the package policy. type: string namespace: description: The package policy namespace. Leave blank to inherit the agent policy's namespace. type: string output_id: nullable: true type: string overrides: additionalProperties: false description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. nullable: true type: object properties: inputs: additionalProperties: {} type: object package: additionalProperties: false type: object properties: experimental_data_stream_features: items: additionalProperties: false type: object properties: data_stream: type: string features: additionalProperties: false type: object properties: doc_value_only_numeric: type: boolean doc_value_only_other: type: boolean synthetic_source: type: boolean tsdb: type: boolean required: - data_stream - features maxItems: 100 type: array fips_compatible: type: boolean name: description: Package name type: string requires_root: type: boolean title: type: string version: description: Package version type: string required: - name - version package_agent_version_condition: type: string policy_id: deprecated: true description: ID of the agent policy which the package policy will be added to. nullable: true type: string policy_ids: items: description: IDs of the agent policies which that package policy will be added to. type: string maxItems: 1000 type: array revision: description: Package policy revision. type: number secret_references: items: additionalProperties: false type: object properties: id: type: string required: - id maxItems: 1000 type: array spaceIds: items: type: string maxItems: 100 type: array supports_agentless: default: false description: Indicates whether the package policy belongs to an agentless agent policy. nullable: true type: boolean supports_cloud_connector: default: false description: Indicates whether the package policy supports cloud connectors. nullable: true type: boolean updated_at: type: string updated_by: type: string var_group_selections: additionalProperties: type: string description: Variable group selections. Maps var_group name to the selected option name within that group. type: object vars: anyOf: - additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object - additionalProperties: anyOf: - type: string - type: number - type: boolean - items: type: string maxItems: 100 type: array - items: type: number maxItems: 100 type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable. Refer to the integration documentation for more information. type: object x-oas-optional: true description: Package level variable. version: description: Package policy ES version. type: string required: - name - enabled - inputs - revision - updated_at - updated_by - created_at - created_by - additionalProperties: true type: object properties: additional_datastreams_permissions: description: Additional datastream permissions, that will be added to the agent policy. items: type: string maxItems: 1000 nullable: true type: array cloud_connector_id: description: ID of the cloud connector associated with this package policy. nullable: true type: string cloud_connector_name: description: Transient field for cloud connector name during creation. maxLength: 255 minLength: 1 nullable: true type: string created_at: type: string created_by: type: string description: description: Package policy description type: string elasticsearch: additionalProperties: true type: object properties: privileges: additionalProperties: true type: object properties: cluster: items: type: string maxItems: 100 type: array enabled: type: boolean errors: items: additionalProperties: false type: object properties: key: type: string message: type: string required: - message maxItems: 10 type: array force: type: boolean global_data_tags: items: additionalProperties: false type: object properties: name: description: The name of the custom field. Cannot contain spaces. type: string value: anyOf: - type: string - type: number description: The value of the custom field. required: - name - value maxItems: 100 nullable: true type: array id: type: string inputs: items: additionalProperties: false type: object properties: compiled_input: {} config: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object deprecated: additionalProperties: false type: object properties: description: type: string replaced_by: additionalProperties: type: string type: object since: type: string required: - description enabled: type: boolean id: type: string keep_enabled: type: boolean migrate_from: type: string name: type: string policy_template: type: string streams: items: additionalProperties: false type: object properties: compiled_stream: {} config: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object data_stream: additionalProperties: false type: object properties: dataset: type: string elasticsearch: additionalProperties: false type: object properties: dynamic_dataset: type: boolean dynamic_namespace: type: boolean privileges: additionalProperties: false type: object properties: indices: items: type: string maxItems: 100 type: array type: type: string required: - dataset deprecated: additionalProperties: false type: object properties: description: type: string replaced_by: additionalProperties: type: string type: object since: type: string required: - description enabled: type: boolean id: type: string keep_enabled: type: boolean migrate_from: type: string release: enum: - ga - beta - experimental type: string var_group_selections: additionalProperties: type: string description: Variable group selections. Maps var_group name to the selected option name within that group. type: object vars: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object required: - enabled - data_stream - compiled_stream maxItems: 1000 type: array type: type: string var_group_selections: additionalProperties: type: string description: Variable group selections. Maps var_group name to the selected option name within that group. type: object vars: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object required: - type - enabled - streams - compiled_input maxItems: 100 type: array is_managed: type: boolean missingVars: items: type: string maxItems: 100 type: array name: description: Unique name for the package policy. type: string namespace: description: The package policy namespace. Leave blank to inherit the agent policy's namespace. type: string output_id: nullable: true type: string overrides: additionalProperties: false description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. nullable: true type: object properties: inputs: additionalProperties: {} type: object package: additionalProperties: false type: object properties: experimental_data_stream_features: items: additionalProperties: false type: object properties: data_stream: type: string features: additionalProperties: false type: object properties: doc_value_only_numeric: type: boolean doc_value_only_other: type: boolean synthetic_source: type: boolean tsdb: type: boolean required: - data_stream - features maxItems: 100 type: array fips_compatible: type: boolean name: description: Package name type: string requires_root: type: boolean title: type: string version: description: Package version type: string required: - name - version package_agent_version_condition: type: string policy_id: deprecated: true description: ID of the agent policy which the package policy will be added to. nullable: true type: string policy_ids: items: description: IDs of the agent policies which that package policy will be added to. type: string maxItems: 1000 type: array revision: type: number secret_references: items: additionalProperties: false type: object properties: id: type: string required: - id maxItems: 1000 type: array supports_agentless: default: false description: Indicates whether the package policy belongs to an agentless agent policy. nullable: true type: boolean supports_cloud_connector: default: false description: Indicates whether the package policy supports cloud connectors. nullable: true type: boolean updated_at: type: string updated_by: type: string var_group_selections: additionalProperties: type: string description: Variable group selections. Maps var_group name to the selected option name within that group. type: object vars: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object version: description: Package policy ES version. type: string required: - name - enabled - inputs maxItems: 2 type: array hasErrors: type: boolean name: type: string statusCode: type: number required: - hasErrors maxItems: 10000 type: array description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Dry run a package policy upgrade tags: - Fleet package policies x-metaTags: - content: Kibana name: product_name /api/fleet/proxies: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/fleet/proxies
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. List all Fleet proxies.

[Required authorization] Route required privileges: fleet-settings-read. operationId: get-fleet-proxies parameters: [] responses: '200': content: application/json: examples: getFleetProxiesExample: description: List of Fleet proxies value: items: - id: proxy-id-1 is_preconfigured: false name: My proxy url: http://proxy.example.com:3128 page: 1 perPage: 20 total: 1 schema: additionalProperties: false type: object properties: items: items: additionalProperties: false type: object properties: certificate: nullable: true type: string certificate_authorities: nullable: true type: string certificate_key: nullable: true type: string id: type: string is_preconfigured: default: false type: boolean name: type: string proxy_headers: additionalProperties: anyOf: - type: string - type: boolean - type: number nullable: true type: object url: type: string required: - id - url - name maxItems: 10000 type: array page: type: number perPage: type: number total: type: number required: - items - total - page - perPage description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Get proxies tags: - Fleet proxies x-metaTags: - content: Kibana name: product_name post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/fleet/proxies
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Create a new Fleet proxy.

[Required authorization] Route required privileges: fleet-settings-all. operationId: post-fleet-proxies parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: examples: postFleetProxyRequestExample: description: Create a new Fleet proxy value: name: My proxy url: http://proxy.example.com:3128 schema: additionalProperties: false type: object properties: certificate: nullable: true type: string certificate_authorities: nullable: true type: string certificate_key: nullable: true type: string id: type: string is_preconfigured: default: false type: boolean name: type: string proxy_headers: additionalProperties: anyOf: - type: string - type: boolean - type: number nullable: true type: object url: type: string required: - url - name responses: '200': content: application/json: examples: postFleetProxyExample: description: The created Fleet proxy value: item: id: proxy-id-2 is_preconfigured: false name: My proxy url: http://proxy.example.com:3128 schema: additionalProperties: false type: object properties: item: additionalProperties: false type: object properties: certificate: nullable: true type: string certificate_authorities: nullable: true type: string certificate_key: nullable: true type: string id: type: string is_preconfigured: default: false type: boolean name: type: string proxy_headers: additionalProperties: anyOf: - type: string - type: boolean - type: number nullable: true type: object url: type: string required: - id - url - name required: - item description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Create a proxy tags: - Fleet proxies x-metaTags: - content: Kibana name: product_name /api/fleet/proxies/{itemId}: delete: description: |- **Spaces method and path for this operation:**
delete /s/{space_id}/api/fleet/proxies/{itemId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Delete a proxy by ID

[Required authorization] Route required privileges: fleet-settings-all. operationId: delete-fleet-proxies-itemid parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The ID of the proxy in: path name: itemId required: true schema: type: string responses: '200': content: application/json: examples: deleteFleetProxyExample: description: The Fleet proxy was successfully deleted value: id: proxy-id-1 schema: additionalProperties: false type: object properties: id: type: string required: - id description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request '404': content: application/json: examples: notFoundExample: description: No proxy was found with the given ID value: error: Not Found message: Fleet proxy proxy-id-1 not found statusCode: 404 description: Not Found summary: Delete a proxy tags: - Fleet proxies x-metaTags: - content: Kibana name: product_name get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/fleet/proxies/{itemId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get a proxy by ID.

[Required authorization] Route required privileges: fleet-settings-read. operationId: get-fleet-proxies-itemid parameters: - description: The ID of the proxy in: path name: itemId required: true schema: type: string responses: '200': content: application/json: examples: getFleetProxyExample: description: A Fleet proxy value: item: id: proxy-id-1 is_preconfigured: false name: My proxy url: http://proxy.example.com:3128 schema: additionalProperties: false type: object properties: item: additionalProperties: false type: object properties: certificate: nullable: true type: string certificate_authorities: nullable: true type: string certificate_key: nullable: true type: string id: type: string is_preconfigured: default: false type: boolean name: type: string proxy_headers: additionalProperties: anyOf: - type: string - type: boolean - type: number nullable: true type: object url: type: string required: - id - url - name required: - item description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request '404': content: application/json: examples: notFoundExample: description: No proxy was found with the given ID value: error: Not Found message: Fleet proxy proxy-id-1 not found statusCode: 404 description: Not Found summary: Get a proxy tags: - Fleet proxies x-metaTags: - content: Kibana name: product_name put: description: |- **Spaces method and path for this operation:**
put /s/{space_id}/api/fleet/proxies/{itemId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Update a proxy by ID.

[Required authorization] Route required privileges: fleet-settings-all. operationId: put-fleet-proxies-itemid parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The ID of the proxy in: path name: itemId required: true schema: type: string requestBody: content: application/json: examples: putFleetProxyRequestExample: description: Update a Fleet proxy value: name: Updated proxy url: http://updated-proxy.example.com:3128 schema: additionalProperties: false type: object properties: certificate: nullable: true type: string certificate_authorities: nullable: true type: string certificate_key: nullable: true type: string name: type: string proxy_headers: additionalProperties: anyOf: - type: string - type: boolean - type: number nullable: true type: object url: type: string required: - certificate_authorities - certificate - certificate_key responses: '200': content: application/json: examples: putFleetProxyExample: description: The updated Fleet proxy value: item: id: proxy-id-1 is_preconfigured: false name: Updated proxy url: http://updated-proxy.example.com:3128 schema: additionalProperties: false type: object properties: item: additionalProperties: false type: object properties: certificate: nullable: true type: string certificate_authorities: nullable: true type: string certificate_key: nullable: true type: string id: type: string is_preconfigured: default: false type: boolean name: type: string proxy_headers: additionalProperties: anyOf: - type: string - type: boolean - type: number nullable: true type: object url: type: string required: - id - url - name required: - item description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request '404': content: application/json: examples: notFoundExample: description: No proxy was found with the given ID value: error: Not Found message: Proxy proxy-id-1 not found statusCode: 404 description: Not Found summary: Update a proxy tags: - Fleet proxies x-metaTags: - content: Kibana name: product_name /api/fleet/remote_synced_integrations/{outputId}/remote_status: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/fleet/remote_synced_integrations/{outputId}/remote_status
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get the synchronization status of remote integrations for a specific output by its ID.

[Required authorization] Route required privileges: fleet-settings-read AND integrations-read. operationId: get-fleet-remote-synced-integrations-outputid-remote-status parameters: - description: The ID of the output in: path name: outputId required: true schema: type: string responses: '200': content: application/json: examples: getRemoteSyncedIntegrationsInfoExample: description: Synchronization status of remote integrations for a specific output value: integrations: - id: nginx-remote install_status: main: installed remote: installed package_name: nginx package_version: 1.20.0 sync_status: COMPLETED updated_at: '2024-01-01T00:00:00.000Z' schema: additionalProperties: false type: object properties: custom_assets: additionalProperties: additionalProperties: false type: object properties: error: type: string is_deleted: type: boolean name: type: string package_name: type: string package_version: type: string sync_status: enum: - completed - synchronizing - failed - warning type: string type: type: string warning: additionalProperties: false type: object properties: message: type: string title: type: string required: - title required: - type - name - package_name - package_version - sync_status type: object error: type: string integrations: items: additionalProperties: false type: object properties: error: type: string id: type: string install_status: additionalProperties: false type: object properties: main: type: string remote: type: string required: - main package_name: type: string package_version: type: string sync_status: enum: - completed - synchronizing - failed - warning type: string updated_at: type: string warning: additionalProperties: false type: object properties: message: type: string title: type: string required: - title required: - sync_status - install_status maxItems: 10000 type: array warning: additionalProperties: false type: object properties: message: type: string title: type: string required: - title required: - integrations description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Get remote synced integrations status by outputId tags: - Fleet remote synced integrations x-state: Generally available; added in 9.1.0 x-metaTags: - content: Kibana name: product_name /api/fleet/remote_synced_integrations/status: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/fleet/remote_synced_integrations/status
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get the synchronization status of all remote integrations across connected remote clusters.

[Required authorization] Route required privileges: fleet-settings-read AND integrations-read. operationId: get-fleet-remote-synced-integrations-status parameters: [] responses: '200': content: application/json: examples: getRemoteSyncedIntegrationsStatusExample: description: Synchronization status of remote integrations across connected remote clusters value: integrations: - id: nginx-remote install_status: main: installed remote: installed package_name: nginx package_version: 1.20.0 sync_status: COMPLETED updated_at: '2024-01-01T00:00:00.000Z' - error: Failed to sync package to remote cluster id: system-remote install_status: main: installed remote: not_installed package_name: system package_version: 1.38.0 sync_status: FAILED updated_at: '2024-01-01T00:00:00.000Z' schema: additionalProperties: false type: object properties: custom_assets: additionalProperties: additionalProperties: false type: object properties: error: type: string is_deleted: type: boolean name: type: string package_name: type: string package_version: type: string sync_status: enum: - completed - synchronizing - failed - warning type: string type: type: string warning: additionalProperties: false type: object properties: message: type: string title: type: string required: - title required: - type - name - package_name - package_version - sync_status type: object error: type: string integrations: items: additionalProperties: false type: object properties: error: type: string id: type: string install_status: additionalProperties: false type: object properties: main: type: string remote: type: string required: - main package_name: type: string package_version: type: string sync_status: enum: - completed - synchronizing - failed - warning type: string updated_at: type: string warning: additionalProperties: false type: object properties: message: type: string title: type: string required: - title required: - sync_status - install_status maxItems: 10000 type: array warning: additionalProperties: false type: object properties: message: type: string title: type: string required: - title required: - integrations description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Get remote synced integrations status tags: - Fleet remote synced integrations x-state: Generally available; added in 9.1.0 x-metaTags: - content: Kibana name: product_name /api/fleet/service_tokens: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/fleet/service_tokens
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Create a Fleet Server service token. The token is used to enroll Fleet Server instances with Kibana.

[Required authorization] Route required privileges: fleet-agents-all. operationId: post-fleet-service-tokens parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: examples: postGenerateServiceTokenRequestExample: description: Generate a service token for a remote Fleet Server value: remote: true schema: additionalProperties: false nullable: true type: object properties: remote: default: false type: boolean responses: '200': content: application/json: examples: postGenerateServiceTokenExample: description: The generated Fleet Server service token value: name: elastic/fleet-server/token-1234567890 value: AAEAAWVsYXN0aWMvZmxlZXQtc2VydmVyL3Rva2VuLTEyMzQ1Njc4OTA6QUJDREVGR0hJSktMTU5P schema: additionalProperties: false type: object properties: name: type: string value: type: string required: - name - value description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Create a service token tags: - Fleet service tokens x-metaTags: - content: Kibana name: product_name /api/fleet/settings: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/fleet/settings
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get the global Fleet settings.

[Required authorization] Route required privileges: fleet-settings-read. operationId: get-fleet-settings parameters: [] responses: '200': content: application/json: examples: getSettingsExample: description: The current Fleet settings value: item: delete_unenrolled_agents: enabled: false is_preconfigured: false has_seen_add_data_notice: true id: fleet-default-settings output_secret_storage_requirements_met: true prerelease_integrations_enabled: false secret_storage_requirements_met: true version: WzEsMV0= schema: additionalProperties: false type: object properties: item: additionalProperties: false type: object properties: action_secret_storage_requirements_met: type: boolean delete_unenrolled_agents: additionalProperties: false type: object properties: enabled: type: boolean is_preconfigured: type: boolean required: - enabled - is_preconfigured download_source_auth_secret_storage_requirements_met: type: boolean has_seen_add_data_notice: type: boolean id: type: string ilm_migration_status: additionalProperties: false type: object properties: logs: enum: - success nullable: true type: string metrics: enum: - success nullable: true type: string synthetics: enum: - success nullable: true type: string integration_knowledge_enabled: type: boolean output_secret_storage_requirements_met: type: boolean preconfigured_fields: items: enum: - fleet_server_hosts type: string maxItems: 1 type: array prerelease_integrations_enabled: type: boolean secret_storage_requirements_met: type: boolean ssl_secret_storage_requirements_met: type: boolean use_space_awareness_migration_started_at: nullable: true type: string use_space_awareness_migration_status: enum: - pending - success - error type: string version: type: string required: - item description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request '404': content: application/json: examples: notFoundExample: description: Fleet settings have not been initialized value: error: Not Found message: Settings not found statusCode: 404 schema: additionalProperties: false type: object properties: message: type: string required: - message description: Not Found summary: Get settings tags: - Fleet internals x-metaTags: - content: Kibana name: product_name put: description: |- **Spaces method and path for this operation:**
put /s/{space_id}/api/fleet/settings
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Update the global Fleet settings.

[Required authorization] Route required privileges: fleet-settings-all. operationId: put-fleet-settings parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: examples: putSettingsRequestExample: description: Update Fleet settings to enable pre-release integrations value: prerelease_integrations_enabled: true schema: additionalProperties: false type: object properties: additional_yaml_config: deprecated: true type: string delete_unenrolled_agents: additionalProperties: false type: object properties: enabled: type: boolean is_preconfigured: type: boolean required: - enabled - is_preconfigured has_seen_add_data_notice: deprecated: true type: boolean integration_knowledge_enabled: type: boolean kibana_ca_sha256: deprecated: true type: string kibana_urls: deprecated: true items: format: uri type: string maxItems: 10 type: array prerelease_integrations_enabled: type: boolean responses: '200': content: application/json: examples: putSettingsExample: description: The updated Fleet settings value: item: delete_unenrolled_agents: enabled: false is_preconfigured: false has_seen_add_data_notice: true id: fleet-default-settings output_secret_storage_requirements_met: true prerelease_integrations_enabled: true secret_storage_requirements_met: true version: WzIsMV0= schema: additionalProperties: false type: object properties: item: additionalProperties: false type: object properties: action_secret_storage_requirements_met: type: boolean delete_unenrolled_agents: additionalProperties: false type: object properties: enabled: type: boolean is_preconfigured: type: boolean required: - enabled - is_preconfigured download_source_auth_secret_storage_requirements_met: type: boolean has_seen_add_data_notice: type: boolean id: type: string ilm_migration_status: additionalProperties: false type: object properties: logs: enum: - success nullable: true type: string metrics: enum: - success nullable: true type: string synthetics: enum: - success nullable: true type: string integration_knowledge_enabled: type: boolean output_secret_storage_requirements_met: type: boolean preconfigured_fields: items: enum: - fleet_server_hosts type: string maxItems: 1 type: array prerelease_integrations_enabled: type: boolean secret_storage_requirements_met: type: boolean ssl_secret_storage_requirements_met: type: boolean use_space_awareness_migration_started_at: nullable: true type: string use_space_awareness_migration_status: enum: - pending - success - error type: string version: type: string required: - item description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request '404': content: application/json: examples: notFoundExample: description: Fleet settings have not been initialized value: error: Not Found message: Settings not found statusCode: 404 schema: additionalProperties: false type: object properties: message: type: string required: - message description: Not Found summary: Update settings tags: - Fleet internals x-metaTags: - content: Kibana name: product_name /api/fleet/setup: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/fleet/setup
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Initialize Fleet and create the necessary Elasticsearch resources for Fleet to operate. Safe to call multiple times (idempotent). Returns the initialization status and any non-fatal errors encountered during setup.

[Required authorization] Route required privileges: fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup. operationId: post-fleet-setup parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string responses: '200': content: application/json: examples: fleetSetupSuccessExample: description: Fleet initialized successfully with no non-fatal errors value: isInitialized: true nonFatalErrors: [] fleetSetupWithNonFatalErrorsExample: description: Fleet initialized but encountered non-fatal errors during setup value: isInitialized: true nonFatalErrors: - message: Package fleet_server not found in registry name: PackageNotFoundError schema: additionalProperties: false description: A summary of the result of Fleet's `setup` lifecycle. If `isInitialized` is true, Fleet is ready to accept agent enrollment. `nonFatalErrors` may include useful insight into non-blocking issues with Fleet setup. type: object properties: isInitialized: type: boolean nonFatalErrors: items: additionalProperties: false type: object properties: message: type: string name: type: string required: - name - message maxItems: 10000 type: array required: - isInitialized - nonFatalErrors description: Fleet setup completed '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request '500': content: application/json: examples: internalErrorResponseExample: description: Example of an internal server error response value: error: Internal Server Error message: An error message describing what went wrong statusCode: 500 schema: additionalProperties: false description: Internal Server Error type: object properties: message: type: string required: - message description: Internal Server Error summary: Initiate Fleet setup tags: - Fleet internals x-metaTags: - content: Kibana name: product_name /api/fleet/space_settings: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/fleet/space_settings
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get the Fleet settings for the current Kibana space. operationId: get-fleet-space-settings parameters: [] responses: '200': content: application/json: examples: getSpaceSettingsExample: description: The Fleet settings for the current Kibana space value: item: allowed_namespace_prefixes: - team-a - team-b schema: additionalProperties: false type: object properties: item: additionalProperties: false type: object properties: allowed_namespace_prefixes: items: type: string maxItems: 100 type: array managed_by: type: string required: - allowed_namespace_prefixes required: - item description: Successful response summary: Get space settings tags: [] x-state: Generally available; added in 9.1.0 x-metaTags: - content: Kibana name: product_name put: description: |- **Spaces method and path for this operation:**
put /s/{space_id}/api/fleet/space_settings
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Create or update Fleet settings for the current Kibana space.

[Required authorization] Route required privileges: fleet-settings-all. operationId: put-fleet-space-settings parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: examples: putSpaceSettingsRequestExample: description: Update allowed namespace prefixes for the current Kibana space value: allowed_namespace_prefixes: - team-a - team-b schema: additionalProperties: false type: object properties: allowed_namespace_prefixes: items: type: string maxItems: 10 type: array responses: '200': content: application/json: examples: putSpaceSettingsExample: description: The updated Fleet settings for the current Kibana space value: item: allowed_namespace_prefixes: - team-a - team-b schema: additionalProperties: false type: object properties: item: additionalProperties: false type: object properties: allowed_namespace_prefixes: items: type: string maxItems: 100 type: array managed_by: type: string required: - allowed_namespace_prefixes required: - item description: Successful response summary: Create space settings tags: [] x-state: Generally available; added in 9.1.0 x-metaTags: - content: Kibana name: product_name /api/fleet/uninstall_tokens: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/fleet/uninstall_tokens
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. List the metadata for the latest uninstall tokens per agent policy.

[Required authorization] Route required privileges: fleet-agents-all. operationId: get-fleet-uninstall-tokens parameters: - description: Partial match filtering for policy IDs in: query name: policyId required: false schema: maxLength: 50 type: string - description: Partial match filtering for uninstall token values in: query name: search required: false schema: maxLength: 50 type: string - description: The number of items to return in: query name: perPage required: false schema: minimum: 5 type: number - description: Page number in: query name: page required: false schema: minimum: 1 type: number responses: '200': content: application/json: examples: getUninstallTokensExample: description: List of uninstall token metadata for agent policies value: items: - created_at: '2024-01-01T00:00:00.000Z' id: token-id-1 namespaces: - default policy_id: policy-id-1 policy_name: Default policy - created_at: '2024-01-02T00:00:00.000Z' id: token-id-2 namespaces: - production policy_id: policy-id-2 policy_name: Production policy page: 1 perPage: 20 total: 2 schema: additionalProperties: false type: object properties: items: items: additionalProperties: false type: object properties: created_at: type: string id: type: string namespaces: items: type: string maxItems: 100 type: array policy_id: type: string policy_name: nullable: true type: string required: - id - policy_id - created_at maxItems: 10000 type: array page: type: number perPage: type: number total: type: number required: - items - total - page - perPage description: Successful response '400': content: application/json: examples: conflictingQueryParamsExample: description: Both policyId and search query parameters were provided value: error: Bad Request message: Query parameters `policyId` and `search` cannot be used at the same time. statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request summary: Get metadata for latest uninstall tokens tags: - Fleet uninstall tokens x-metaTags: - content: Kibana name: product_name /api/fleet/uninstall_tokens/{uninstallTokenId}: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/fleet/uninstall_tokens/{uninstallTokenId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get one decrypted uninstall token by its ID.

[Required authorization] Route required privileges: fleet-agents-all. operationId: get-fleet-uninstall-tokens-uninstalltokenid parameters: - description: The ID of the uninstall token in: path name: uninstallTokenId required: true schema: type: string responses: '200': content: application/json: examples: getUninstallTokenExample: description: Decrypted uninstall token for an agent policy value: item: created_at: '2024-01-01T00:00:00.000Z' id: token-id-1 namespaces: - default policy_id: policy-id-1 policy_name: Default policy token: CKHJsJcBqNwIRcRBNDaE schema: additionalProperties: false type: object properties: item: additionalProperties: false type: object properties: created_at: type: string id: type: string namespaces: items: type: string maxItems: 100 type: array policy_id: type: string policy_name: nullable: true type: string token: type: string required: - id - policy_id - created_at - token required: - item description: Successful response '400': content: application/json: examples: genericErrorResponseExample: description: Example of a generic error response value: error: Bad Request message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes description: Bad Request '404': content: application/json: examples: notFoundExample: description: No uninstall token was found with the given ID value: error: Not Found message: Uninstall Token not found with ID token-id-1 statusCode: 404 description: Not Found summary: Get a decrypted uninstall token tags: - Fleet uninstall tokens x-metaTags: - content: Kibana name: product_name /api/lists: delete: description: | **Spaces method and path for this operation:**
delete /s/{space_id}/api/lists
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Delete a value list using the list ID. > info > When you delete a list, all of its list items are also deleted. operationId: DeleteList parameters: - in: query name: id required: true schema: $ref: '#/components/schemas/Security_Lists_API_ListId' - description: Determines whether exception items referencing this value list should be deleted. in: query name: deleteReferences required: false schema: default: false example: false type: boolean - description: Determines whether to delete value list without performing any additional checks of where this list may be utilized. in: query name: ignoreReferences required: false schema: default: false example: false type: boolean responses: '200': content: application/json: examples: ipList: value: _version: WzIsMV0= '@timestamp': '2025-01-08T04:47:34.273Z' created_at: '2025-01-08T04:47:34.273Z' created_by: elastic description: List of bad internet ips. id: 21b01cfb-058d-44b9-838c-282be16c91cd immutable: false name: Bad ips tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 type: ip updated_at: '2025-01-08T05:39:39.292Z' updated_by: elastic version: 3 schema: $ref: '#/components/schemas/Security_Lists_API_List' description: Successful response '400': content: application/json: examples: badRequest: value: error: Bad Request message: '[request query]: id: Required' statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: error: Forbidden message: API [DELETE /api/lists?id=ip_list] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] statusCode: 403 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Not enough privileges response '404': content: application/json: examples: notFound: value: message: 'list id: \"ip_list\" was not found' status_code: 404 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: List not found response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Internal server error response summary: Delete a value list tags: - Security Lists API x-metaTags: - content: Kibana name: product_name get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/lists
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get the details of a value list using the list ID. operationId: ReadList parameters: - in: query name: id required: true schema: $ref: '#/components/schemas/Security_Lists_API_ListId' responses: '200': content: application/json: examples: ip: value: _version: WzEsMV0= '@timestamp': '2025-01-08T04:47:34.273Z' created_at: '2025-01-08T04:47:34.273Z' created_by: elastic description: This list describes bad internet ip id: ip_list immutable: false name: My bad ips tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 type: ip updated_at: '2025-01-08T05:21:53.843Z' updated_by: elastic version: 1 schema: $ref: '#/components/schemas/Security_Lists_API_List' description: Successful response '400': content: application/json: examples: badRequest: value: error: Bad Request message: '[request query]: id: Required' statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" statusCode: 401 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: error: Forbidden message: API [GET /api/lists?id=ip_list] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] statusCode: 403 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Not enough privileges response '404': content: application/json: examples: notFound: value: message: 'list id: \"foo\" not found' status_code: 404 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: List not found response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Internal server error response summary: Get value list details tags: - Security Lists API x-metaTags: - content: Kibana name: product_name patch: description: |- **Spaces method and path for this operation:**
patch /s/{space_id}/api/lists
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Update specific fields of an existing list using the list `id`. operationId: PatchList requestBody: content: application/json: schema: example: id: ip_list name: Bad ips list - UPDATED type: object properties: _version: $ref: '#/components/schemas/Security_Lists_API_ListVersionId' description: $ref: '#/components/schemas/Security_Lists_API_ListDescription' id: $ref: '#/components/schemas/Security_Lists_API_ListId' meta: $ref: '#/components/schemas/Security_Lists_API_ListMetadata' name: $ref: '#/components/schemas/Security_Lists_API_ListName' version: $ref: '#/components/schemas/Security_Lists_API_ListVersion' required: - id description: Value list's properties required: true responses: '200': content: application/json: examples: ip: value: _version: WzEsMV0= '@timestamp': '2025-01-08T04:47:34.273Z' created_at: '2025-01-08T04:47:34.273Z' created_by: elastic description: This list describes bad internet ips id: ip_list immutable: false name: Bad ips list - UPDATED tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 type: ip updated_at: '2025-01-08T05:21:53.843Z' updated_by: elastic version: 2 schema: $ref: '#/components/schemas/Security_Lists_API_List' description: Successful response '400': content: application/json: examples: badRequest: value: error: Bad Request message: '[request body]: name: Expected string, received number' statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: error: Forbidden message: API [PATCH /api/lists] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] statusCode: 403 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Not enough privileges response '404': content: application/json: examples: notFound: value: message: 'list id: \"foo\" not found' status_code: 404 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: List not found response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Internal server error response summary: Patch a value list tags: - Security Lists API x-metaTags: - content: Kibana name: product_name post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/lists
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Create a new value list. operationId: CreateList requestBody: content: application/json: examples: ip: value: description: This list describes bad internet ips id: ip_list name: Simple list with ips type: ip ip_range: value: description: This list has ip ranges id: ip_range_list name: Simple list with ip ranges type: ip_range keyword: value: description: This list describes bad host names id: keyword_list name: Simple list with a keyword type: keyword keyword_custom_format: value: description: This parses the first found ipv4 only id: keyword_custom_format_list name: Simple list with a keyword using a custom format type: keyword schema: type: object properties: description: $ref: '#/components/schemas/Security_Lists_API_ListDescription' id: $ref: '#/components/schemas/Security_Lists_API_ListId' meta: $ref: '#/components/schemas/Security_Lists_API_ListMetadata' name: $ref: '#/components/schemas/Security_Lists_API_ListName' type: $ref: '#/components/schemas/Security_Lists_API_ListType' version: default: 1 minimum: 1 type: integer required: - name - description - type description: Value list's properties required: true responses: '200': content: application/json: examples: ip: value: _version: WzAsMV0= '@timestamp': '2025-01-08T04:47:34.273Z' created_at: '2025-01-08T04:47:34.273Z' created_by: elastic description: This list describes bad internet ips id: ip_list immutable: false name: Simple list with ips tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 type: ip updated_at: '2025-01-08T04:47:34.273Z' updated_by: elastic version: 1 ip_range: value: _version: WzAsMV0= '@timestamp': '2025-01-09T18:23:52.241Z' created_at: '2025-01-09T18:23:52.241Z' created_by: elastic description: This list has ip ranges id: ip_range_list immutable: false name: Simple list with ip ranges tie_breaker_id: 74aebdaf-601f-4940-b351-155728ff7003 type: ip_range updated_at: '2025-01-09T18:23:52.241Z' updated_by: elastic version: 1 keyword: value: _version: WzEsMV0= '@timestamp': '2025-01-09T18:24:55.786Z' created_at: '2025-01-09T18:24:55.786Z' created_by: elastic description: This list describes bad host names id: keyword_list immutable: false name: Simple list with a keyword tie_breaker_id: f7e7dbaa-daf7-4c9a-a3dc-56643923ef68 type: keyword updated_at: '2025-01-09T18:24:55.786Z' updated_by: elastic version: 1 keyword_custom_format: value: _version: WzIsMV0= '@timestamp': '2025-01-09T18:25:39.604Z' created_at: '2025-01-09T18:25:39.604Z' created_by: elastic description: This parses the first found ipv4 only id: keyword_custom_format_list immutable: false name: Simple list with a keyword using a custom format tie_breaker_id: 8247ae63-b780-47b8-9a89-948b643e9ec2 type: keyword updated_at: '2025-01-09T18:25:39.604Z' updated_by: elastic version: 1 schema: $ref: '#/components/schemas/Security_Lists_API_List' description: Successful response '400': content: application/json: examples: notFound: value: message: To create a list, the data stream must exist first. Data stream \".lists-default\" does not exist status_code: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: error: Forbidden message: API [POST /api/lists] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] statusCode: 403 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Not enough privileges response '409': content: application/json: examples: alreadyExists: value: message: 'list id: "keyword_custom_format_list" already exists' status_code: 409 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: List already exists response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Internal server error response summary: Create a value list tags: - Security Lists API x-metaTags: - content: Kibana name: product_name put: description: | **Spaces method and path for this operation:**
put /s/{space_id}/api/lists
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Update a value list using the list `id`. The original list is replaced, and all unspecified fields are deleted. > info > You cannot modify the `id` value. operationId: UpdateList requestBody: content: application/json: schema: example: description: Latest list of bad ips id: ip_list name: Bad ips - updated type: object properties: _version: $ref: '#/components/schemas/Security_Lists_API_ListVersionId' description: $ref: '#/components/schemas/Security_Lists_API_ListDescription' id: $ref: '#/components/schemas/Security_Lists_API_ListId' meta: $ref: '#/components/schemas/Security_Lists_API_ListMetadata' name: $ref: '#/components/schemas/Security_Lists_API_ListName' version: $ref: '#/components/schemas/Security_Lists_API_ListVersion' required: - id - name - description description: Value list's properties required: true responses: '200': content: application/json: examples: ip: value: _version: WzIsMV0= '@timestamp': '2025-01-08T04:47:34.273Z' created_at: '2025-01-08T04:47:34.273Z' created_by: elastic description: Latest list of bad ips id: ip_list immutable: false name: Bad ips - updated tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 type: ip updated_at: '2025-01-08T05:39:39.292Z' updated_by: elastic version: 3 schema: $ref: '#/components/schemas/Security_Lists_API_List' description: Successful response '400': content: application/json: examples: badRequest: value: error: Bad Request message: '[request body]: id: Expected string, received number' statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: error: Forbidden message: API [PUT /api/lists] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] statusCode: 403 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Not enough privileges response '404': content: application/json: examples: notFound: value: message: 'list id: \"foo\" not found' status_code: 404 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: List not found response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Internal server error response summary: Update a value list tags: - Security Lists API x-metaTags: - content: Kibana name: product_name /api/lists/_find: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/lists/_find
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get a paginated subset of value lists. By default, the first page is returned, with 20 results per page. operationId: FindLists parameters: - description: The page number to return. in: query name: page required: false schema: example: 1 type: integer - description: The number of value lists to return per page. in: query name: per_page required: false schema: example: 20 type: integer - description: Determines which field is used to sort the results. in: query name: sort_field required: false schema: example: name format: nonempty minLength: 1 type: string - description: Determines the sort order, which can be `desc` or `asc` in: query name: sort_order required: false schema: enum: - desc - asc example: asc type: string - description: Returns the lists that come after the last lists returned in the previous call (use the `cursor` value returned in the previous call). This parameter uses the `tie_breaker_id` field to ensure all lists are sorted and returned correctly. in: query name: cursor required: false schema: $ref: '#/components/schemas/Security_Lists_API_FindListsCursor' - description: | Filters the returned results according to the value of the specified field, using the : syntax. in: query name: filter required: false schema: $ref: '#/components/schemas/Security_Lists_API_FindListsFilter' responses: '200': content: application/json: examples: ipList: value: cursor: WzIwLFsiZjU1MDgxODgtYjFlOS00ZTZlLTk2NjItZDAzOWE3ZDg5ODk5Il1d data: - _version: WzAsMV0= '@timestamp': | 2025-01-08T04:47:34.273Z created_at: | 2025-01-08T04:47:34.273Z created_by: elastic description: This list describes bad internet ip id: ip_list immutable: false name: Simple list with an ip tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 type: ip updated_at: | 2025-01-08T04:47:34.273Z updated_by: elastic version: 1 page: 1 per_page: 20 total: 1 schema: type: object properties: cursor: $ref: '#/components/schemas/Security_Lists_API_FindListsCursor' data: items: $ref: '#/components/schemas/Security_Lists_API_List' type: array page: minimum: 0 type: integer per_page: minimum: 0 type: integer total: minimum: 0 type: integer required: - data - page - per_page - total - cursor description: Successful response '400': content: application/json: examples: badRequest: value: error: Bad Request message: '[request query]: page: Expected number, received nan' statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: error: Forbidden message: API [GET /api/lists/_find?page=1&per_page=20] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] statusCode: 403 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Not enough privileges response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Internal server error response summary: Get value lists tags: - Security Lists API x-metaTags: - content: Kibana name: product_name /api/lists/index: delete: description: |- **Spaces method and path for this operation:**
delete /s/{space_id}/api/lists/index
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Delete the `.lists` and `.items` data streams. operationId: DeleteListIndex responses: '200': content: application/json: schema: type: object properties: acknowledged: type: boolean required: - acknowledged description: Successful response '400': content: application/json: schema: oneOf: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Not enough privileges response '404': content: application/json: schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: List data stream not found response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Internal server error response summary: Delete value list data streams tags: - Security Lists API x-metaTags: - content: Kibana name: product_name get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/lists/index
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Verify that `.lists` and `.items` data streams exist. operationId: ReadListIndex responses: '200': content: application/json: schema: type: object properties: list_index: type: boolean list_item_index: type: boolean required: - list_index - list_item_index description: Successful response '400': content: application/json: schema: oneOf: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Not enough privileges response '404': content: application/json: schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: List data stream(s) not found response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Internal server error response summary: Get status of value list data streams tags: - Security Lists API x-metaTags: - content: Kibana name: product_name post: deprecated: true description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/lists/index
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Create `.lists` and `.items` data streams in the relevant space. operationId: CreateListIndex responses: '200': content: application/json: schema: type: object properties: acknowledged: type: boolean required: - acknowledged description: Successful response '400': content: application/json: schema: oneOf: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: | [security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate] statusCode: 401 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Not enough privileges response '409': content: application/json: examples: alreadyExists: value: message: 'data stream: \".lists-default\" and \".items-default\" already exists' status_code: 409 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: List data stream exists response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Internal server error response summary: Create list data streams tags: - Security Lists API x-metaTags: - content: Kibana name: product_name /api/lists/items: delete: description: |- **Spaces method and path for this operation:**
delete /s/{space_id}/api/lists/items
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Delete a value list item using its `id`, or its `list_id` and `value` fields. operationId: DeleteListItem parameters: - description: Value list item's identifier. Required if `list_id` and `value` are not specified. in: query name: id required: false schema: $ref: '#/components/schemas/Security_Lists_API_ListItemId' - description: Value list's identifier. Required if `id` is not specified. in: query name: list_id required: false schema: $ref: '#/components/schemas/Security_Lists_API_ListId' - description: The value used to evaluate exceptions. Required if `id` is not specified. in: query name: value required: false schema: example: 255.255.255.255 type: string - description: Determines when changes made by the request are made visible to search. in: query name: refresh required: false schema: default: 'false' enum: - 'true' - 'false' - wait_for example: false type: string responses: '200': content: application/json: examples: ip: value: _version: WzIwLDFd '@timestamp': '2025-01-08T05:15:05.159Z' created_at: '2025-01-08T05:15:05.159Z' created_by: elastic id: pd1WRJQBs4HAK3VQeHFI list_id: ip_list tie_breaker_id: eee41dc7-1666-4876-982f-8b0f7b59eca3 type: ip updated_at: '2025-01-08T05:44:14.009Z' updated_by: elastic value: 255.255.255.255 schema: oneOf: - $ref: '#/components/schemas/Security_Lists_API_ListItem' - items: $ref: '#/components/schemas/Security_Lists_API_ListItem' type: array description: Successful response '400': content: application/json: examples: badRequest: value: message: Either \"list_id\" or \"id\" needs to be defined in the request status_code: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: error: Forbidden message: API [DELETE /api/lists/items?id=pd1WRJQBs4HAK3VQeHFI] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] statusCode: 403 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Not enough privileges response '404': content: application/json: examples: notFound: value: message: 'list item with id: \"pd1WRJQBs4HAK3VQeHFI\" not found' status_code: 404 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: List item not found response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Internal server error response summary: Delete a value list item tags: - Security Lists API x-metaTags: - content: Kibana name: product_name get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/lists/items
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get the details of a value list item. operationId: ReadListItem parameters: - description: Value list item identifier. Required if `list_id` and `value` are not specified. in: query name: id required: false schema: $ref: '#/components/schemas/Security_Lists_API_ListId' - description: Value list item list's `id` identfier. Required if `id` is not specified. in: query name: list_id required: false schema: $ref: '#/components/schemas/Security_Lists_API_ListId' - description: The value used to evaluate exceptions. Required if `id` is not specified. in: query name: value required: false schema: example: 127.0.0.2 type: string responses: '200': content: application/json: examples: ip: value: _version: WzExLDFd '@timestamp': '2025-01-08T05:16:25.882Z' created_at: '2025-01-08T05:16:25.882Z' created_by: elastic id: qN1XRJQBs4HAK3VQs3Gc list_id: ip_list tie_breaker_id: a9a34c02-a385-436e-86a0-02a3942f3537 type: ip updated_at: '2025-01-08T05:16:25.882Z' updated_by: elastic value: 127.0.0.2 schema: oneOf: - $ref: '#/components/schemas/Security_Lists_API_ListItem' - items: $ref: '#/components/schemas/Security_Lists_API_ListItem' type: array description: Successful response '400': content: application/json: examples: badRequest: value: message: Either \"list_id\" or \"id\" needs to be defined in the request status_code: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: error: Forbidden message: API [GET /api/lists/items?id=qN1XRJQBs4HAK3VQs3Gc] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] statusCode: 403 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Not enough privileges response '404': content: application/json: examples: notFound: value: message: 'list item id: \"foo\" not found' status_code: 404 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: List item not found response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Internal server error response summary: Get a value list item tags: - Security Lists API x-metaTags: - content: Kibana name: product_name patch: description: |- **Spaces method and path for this operation:**
patch /s/{space_id}/api/lists/items
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Update specific fields of an existing value list item using the item `id`. operationId: PatchListItem requestBody: content: application/json: schema: example: id: pd1WRJQBs4HAK3VQeHFI value: 255.255.255.255 type: object properties: _version: $ref: '#/components/schemas/Security_Lists_API_ListVersionId' id: $ref: '#/components/schemas/Security_Lists_API_ListItemId' meta: $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' refresh: description: Determines when changes made by the request are made visible to search. enum: - 'true' - 'false' - wait_for type: string value: $ref: '#/components/schemas/Security_Lists_API_ListItemValue' required: - id description: Value list item's properties required: true responses: '200': content: application/json: examples: ipItem: value: _version: WzE5LDFd '@timestamp': '2025-01-08T05:15:05.159Z' created_at: '2025-01-08T05:15:05.159Z' created_by: elastic id: pd1WRJQBs4HAK3VQeHFI list_id: ip_list tie_breaker_id: eee41dc7-1666-4876-982f-8b0f7b59eca3 type: ip updated_at: '2025-01-08T05:23:37.602Z' updated_by: elastic value: 255.255.255.255 schema: $ref: '#/components/schemas/Security_Lists_API_ListItem' description: Successful response '400': content: application/json: examples: badRequest: value: message: '{"took":15,"timed_out":false,"total":1,"updated":0,"deleted":0,"batches":1,"version_conflicts":0,"noops":0,"retries":{"bulk":0,"search":0},"throttled_millis":0,"requests_per_second":-1,"throttled_until_millis":0,"failures":[{"index":".ds-.items-default-2025.01.09-000001","id":"ip_item","cause":{"type":"document_parsing_exception","reason":"[1:107] failed to parse field [ip] of type [ip] in document with id ip_item. Preview of fields value: 2","caused_by":{"type":"illegal_argument_exception","reason":"2 is not an IP string literal."}},"status":400}]}' status_code: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: error: Forbidden message: API [PATCH /api/lists/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] statusCode: 403 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Not enough privileges response '404': content: application/json: examples: notFound: value: message: 'list item id: \"foo\" not found' status_code: 404 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: List item not found response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Internal server error response summary: Patch a value list item tags: - Security Lists API x-metaTags: - content: Kibana name: product_name post: description: | **Spaces method and path for this operation:**
post /s/{space_id}/api/lists/items
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Create a value list item and associate it with the specified value list. All value list items in the same list must be the same type. For example, each list item in an `ip` list must define a specific IP address. > info > Before creating a list item, you must create a list. operationId: CreateListItem requestBody: content: application/json: examples: ip: value: list_id: ip_list value: 127.0.0.1 ip_range: value: list_id: ip_range_list value: 192.168.0.0/16 keyword: value: list_id: keyword_list value: zeek schema: type: object properties: id: $ref: '#/components/schemas/Security_Lists_API_ListItemId' list_id: $ref: '#/components/schemas/Security_Lists_API_ListId' meta: $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' refresh: description: Determines when changes made by the request are made visible to search. enum: - 'true' - 'false' - wait_for example: wait_for type: string value: $ref: '#/components/schemas/Security_Lists_API_ListItemValue' required: - list_id - value description: Value list item's properties required: true responses: '200': content: application/json: examples: ip: value: _version: WzAsMV0= '@timestamp': '2025-01-08T04:59:06.154Z' created_at: '2025-01-08T04:59:06.154Z' created_by: elastic id: 21b01cfb-058d-44b9-838c-282be16c91cc list_id: ip_list tie_breaker_id: b57c762c-3036-465c-9bfb-7bfb5e6e515a type: ip updated_at: '2025-01-08T04:59:06.154Z' updated_by: elastic value: 127.0.0.1 ip_range: value: _version: WzEsMV0= '@timestamp': '2025-01-09T18:33:08.202Z' created_at: '2025-01-09T18:33:08.202Z' created_by: elastic id: ip_range_item list_id: ip_range_list tie_breaker_id: ea1b4189-efda-4637-b8f9-74655a5ebb61 type: ip_range updated_at: '2025-01-09T18:33:08.202Z' updated_by: elastic value: 192.168.0.0/16 keyword: value: _version: WzIsMV0= '@timestamp': '2025-01-09T18:34:29.422Z' created_at: '2025-01-09T18:34:29.422Z' created_by: elastic id: 7f24737d-1da8-4626-a568-33070591bb4e list_id: keyword_list tie_breaker_id: 2108ced2-5e5d-401e-a88e-4dd69fc5fa27 type: keyword updated_at: '2025-01-09T18:34:29.422Z' updated_by: elastic value: zeek schema: $ref: '#/components/schemas/Security_Lists_API_ListItem' description: Successful response '400': content: application/json: examples: badRequest: value: error: Bad Request message: uri [/api/lists/items] with method [post] exists but is not available with the current configuration statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: error: Forbidden message: API [POST /api/lists/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] statusCode: 403 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Not enough privileges response '404': content: application/json: examples: listNotFound: value: message: 'list id: \"ip_list\" does not exist' status_code: 404 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Not enough privileges response '409': content: application/json: examples: alreadyExists: value: message: 'list item id: \"ip_item\" already exists' status_code: 409 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: List item already exists response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Internal server error response summary: Create a value list item tags: - Security Lists API x-metaTags: - content: Kibana name: product_name put: description: | **Spaces method and path for this operation:**
put /s/{space_id}/api/lists/items
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Update a value list item using the list item ID. The original list item is replaced, and all unspecified fields are deleted. > info > You cannot modify the `id` value. operationId: UpdateListItem requestBody: content: application/json: example: id: ip_item value: 255.255.255.255 schema: type: object properties: _version: $ref: '#/components/schemas/Security_Lists_API_ListVersionId' id: $ref: '#/components/schemas/Security_Lists_API_ListItemId' meta: $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' value: $ref: '#/components/schemas/Security_Lists_API_ListItemValue' required: - id - value description: Value list item's properties required: true responses: '200': content: application/json: examples: ip: value: _version: WzIwLDFd '@timestamp': '2025-01-08T05:15:05.159Z' created_at: '2025-01-08T05:15:05.159Z' created_by: elastic id: pd1WRJQBs4HAK3VQeHFI list_id: ip_list tie_breaker_id: eee41dc7-1666-4876-982f-8b0f7b59eca3 type: ip updated_at: '2025-01-08T05:44:14.009Z' updated_by: elastic value: 255.255.255.255 schema: $ref: '#/components/schemas/Security_Lists_API_ListItem' description: Successful response '400': content: application/json: examples: badRequest: value: error: Bad Request message: '[request body]: id: Expected string, received number' statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: error: Forbidden message: API [PATCH /api/lists/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] statusCode: 403 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Not enough privileges response '404': content: application/json: examples: notFound: value: message: 'list item id: \"foo\" not found' status_code: 404 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: List item not found response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Internal server error response summary: Update a value list item tags: - Security Lists API x-metaTags: - content: Kibana name: product_name /api/lists/items/_export: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/lists/items/_export
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Export list item values from the specified value list. operationId: ExportListItems parameters: - description: Value list's `id` to export. in: query name: list_id required: true schema: $ref: '#/components/schemas/Security_Lists_API_ListId' responses: '200': content: application/ndjson: schema: description: A `.txt` file containing list items from the specified list example: | 127.0.0.1 127.0.0.2 127.0.0.3 127.0.0.4 127.0.0.5 127.0.0.6 127.0.0.7 127.0.0.8 127.0.0.9 format: binary type: string description: Successful response '400': content: application/json: examples: badRequest: value: error: 'Bad Request","message":"[request query]: list_id: Required' statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: error: Forbidden message: API [POST /api/lists/items/_export?list_id=ips.txt] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] statusCode: 403 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Not enough privileges response '404': content: application/json: schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: List not found response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Internal server error response summary: Export value list items tags: - Security Lists API x-metaTags: - content: Kibana name: product_name /api/lists/items/_find: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/lists/items/_find
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get all value list items in the specified list. operationId: FindListItems parameters: - in: query name: list_id required: true schema: $ref: '#/components/schemas/Security_Lists_API_ListId' - description: The page number to return. in: query name: page required: false schema: example: 1 type: integer - description: The number of list items to return per page. in: query name: per_page required: false schema: example: 20 type: integer - description: Determines which field is used to sort the results. in: query name: sort_field required: false schema: example: value format: nonempty minLength: 1 type: string - description: Determines the sort order, which can be `desc` or `asc` in: query name: sort_order required: false schema: enum: - desc - asc example: asc type: string - in: query name: cursor required: false schema: $ref: '#/components/schemas/Security_Lists_API_FindListItemsCursor' - description: | Filters the returned results according to the value of the specified field, using the : syntax. in: query name: filter required: false schema: $ref: '#/components/schemas/Security_Lists_API_FindListItemsFilter' responses: '200': content: application/json: examples: ip: value: cursor: WzIwLFsiYjU3Yzc2MmMtMzAzNi00NjVjLTliZmItN2JmYjVlNmU1MTVhIl1d data: - _version: WzAsMV0= '@timestamp': '2025-01-08T04:59:06.154Z' created_at: '2025-01-08T04:59:06.154Z' created_by: elastic id: 21b01cfb-058d-44b9-838c-282be16c91cc list_id: ip_list tie_breaker_id: b57c762c-3036-465c-9bfb-7bfb5e6e515a type: ip updated_at: '2025-01-08T04:59:06.154Z' updated_by: elastic value: 127.0.0.1 page: 1 per_page: 20 total: 1 schema: type: object properties: cursor: $ref: '#/components/schemas/Security_Lists_API_FindListItemsCursor' data: items: $ref: '#/components/schemas/Security_Lists_API_ListItem' type: array page: minimum: 0 type: integer per_page: minimum: 0 type: integer total: minimum: 0 type: integer required: - data - page - per_page - total - cursor description: Successful response '400': content: application/json: examples: badRequest: value: error: Bad Request, message: '[request query]: list_id: Required' statusCode: 400, schema: oneOf: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: error: Forbidden message: API [GET /api/lists/items/_find?list_id=ip_list&page=1&per_page=20] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] statusCode: 403 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Not enough privileges response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Internal server error response summary: Get value list items tags: - Security Lists API x-metaTags: - content: Kibana name: product_name /api/lists/items/_import: post: description: | **Spaces method and path for this operation:**
post /s/{space_id}/api/lists/items/_import
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Import value list items from a TXT or CSV file. The maximum file size is 9 million bytes. You can import items to a new or existing list. operationId: ImportListItems parameters: - description: | List's id. Required when importing to an existing list. in: query name: list_id required: false schema: $ref: '#/components/schemas/Security_Lists_API_ListId' - description: | Type of the importing list. Required when importing a new list whose list `id` is not specified. examples: ip: value: ip in: query name: type required: false schema: $ref: '#/components/schemas/Security_Lists_API_ListType' - description: Determines when changes made by the request are made visible to search. in: query name: refresh required: false schema: enum: - 'true' - 'false' - wait_for example: true type: string requestBody: content: multipart/form-data: schema: type: object properties: file: description: A `.txt` or `.csv` file containing newline separated list items. example: | 127.0.0.1 127.0.0.2 127.0.0.3 127.0.0.4 127.0.0.5 127.0.0.6 127.0.0.7 127.0.0.8 127.0.0.9 format: binary type: string required: true responses: '200': content: application/json: examples: ip: value: _version: WzAsMV0= '@timestamp': '2025-01-08T04:47:34.273Z' created_at: '2025-01-08T04:47:34.273Z' created_by: elastic description: This list describes bad internet ip id: ip_list immutable: false name: Simple list with an ip tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 type: ip updated_at: '2025-01-08T04:47:34.273Z' updated_by: elastic version: 1 schema: $ref: '#/components/schemas/Security_Lists_API_List' description: Successful response '400': content: application/json: examples: badRequest: value: message: Either type or list_id need to be defined in the query status_code: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: error: Forbidden message: API [POST /api/lists/items/_import?list_id=ip_list] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] statusCode: 403 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Not enough privileges response '409': content: application/json: schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: List with specified list_id does not exist response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Internal server error response summary: Import value list items tags: - Security Lists API x-metaTags: - content: Kibana name: product_name /api/lists/privileges: get: operationId: ReadListPrivileges responses: '200': content: application/json: examples: privileges: value: is_authenticated: true listItems: application: {} cluster: all: true manage: true manage_api_key: true manage_index_templates: true manage_ml: true manage_own_api_key: true manage_pipeline: true manage_security: true manage_transform: true monitor: true monitor_ml: true monitor_transform: true has_all_requested: true index: .items-default: all: true create: true create_doc: true create_index: true delete: true delete_index: true index: true maintenance: true manage: true monitor: true read: true view_index_metadata: true write: true username: elastic lists: application: {} cluster: all: true manage: true manage_api_key: true manage_index_templates: true manage_ml: true manage_own_api_key: true manage_pipeline: true manage_security: true manage_transform: true monitor: true monitor_ml: true monitor_transform: true has_all_requested: true index: .lists-default: all: true create: true create_doc: true create_index: true delete: true delete_index: true index: true maintenance: true manage: true monitor: true read: true view_index_metadata: true write: true username: elastic schema: type: object properties: is_authenticated: type: boolean listItems: $ref: '#/components/schemas/Security_Lists_API_ListItemPrivileges' lists: $ref: '#/components/schemas/Security_Lists_API_ListPrivileges' required: - lists - listItems - is_authenticated description: Successful response '400': content: application/json: schema: oneOf: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: error: Forbidden message: API [GET /api/lists/privileges] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] statusCode: 403 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Not enough privileges response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Internal server error response summary: Get value list privileges tags: - Security Lists API x-metaTags: - content: Kibana name: product_name description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/lists/privileges
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. /api/logstash/pipeline/{id}: delete: description: | Delete a centrally-managed Logstash pipeline. If your Elasticsearch cluster is protected with basic authentication, you must have either the `logstash_admin` built-in role or a customized Logstash writer role. externalDocs: description: Secure your connection url: https://www.elastic.co/docs/reference/logstash/secure-connection operationId: delete-logstash-pipeline parameters: - description: An identifier for the pipeline. in: path name: id required: true schema: type: string responses: '204': description: Indicates a successful call summary: Delete a Logstash pipeline tags: - logstash x-state: Technical Preview x-metaTags: - content: Kibana name: product_name get: description: | Get information for a centrally-managed Logstash pipeline. To use this API, you must have either the `logstash_admin` built-in role or a customized Logstash reader role. externalDocs: description: Secure your connection url: https://www.elastic.co/docs/reference/logstash/secure-connection operationId: get-logstash-pipeline parameters: - description: An identifier for the pipeline. in: path name: id required: true schema: type: string responses: '200': content: application/json: examples: getLogstashPipelineResponseExample1: value: |- { "id": "hello-world", "description": "Just a simple pipeline", "username": "elastic", "pipeline": "input { stdin {} } output { stdout {} }", "settings": { "queue.type": "persistent" } } schema: type: object description: Indicates a successful call summary: Get a Logstash pipeline tags: - logstash x-state: Technical Preview x-metaTags: - content: Kibana name: product_name put: description: | Create a centrally-managed Logstash pipeline or update a pipeline. To use this API, you must have either the `logstash_admin` built-in role or a customized Logstash writer role. externalDocs: description: Secure your connection url: https://www.elastic.co/docs/reference/logstash/secure-connection operationId: put-logstash-pipeline parameters: - description: | An identifier for the pipeline. Pipeline ID must begin with a letter or underscore and can contain only letters, underscores, dashes, hyphens, and numbers. in: path name: id required: true schema: type: string requestBody: content: application/json: examples: putLogstashPipelineRequestExample1: value: |- { "pipeline": "input { stdin {} } output { stdout {} }", "settings": { "queue.type": "persisted" } } schema: type: object properties: description: description: A description of the pipeline. type: string pipeline: description: A definition for the pipeline. type: string settings: description: | Supported settings, represented as object keys, include the following: - `pipeline.workers` - `pipeline.batch.size` - `pipeline.batch.delay` - `pipeline.ecs_compatibility` - `pipeline.ordered` - `queue.type` - `queue.max_bytes` - `queue.checkpoint.writes` type: object required: - pipeline responses: '204': description: Indicates a successful call summary: Create or update a Logstash pipeline tags: - logstash x-state: Technical Preview x-metaTags: - content: Kibana name: product_name /api/logstash/pipelines: get: description: | Get a list of all centrally-managed Logstash pipelines. To use this API, you must have either the `logstash_admin` built-in role or a customized Logstash reader role. > info > Limit the number of pipelines to 10,000 or fewer. As the number of pipelines nears and surpasses 10,000, you may see performance issues on Kibana. The `username` property appears in the response when security is enabled and depends on when the pipeline was created or last updated. externalDocs: description: Secure your connection url: https://www.elastic.co/docs/reference/logstash/secure-connection operationId: get-logstash-pipelines responses: '200': content: application/json: examples: getLogstashPipelinesResponseExample1: value: |- { "pipelines": [ { "id": "hello-world", "description": "Just a simple pipeline", "last_modified": "2018-04-14T12:23:29.772Z", "username": "elastic" }, { "id": "sleepy-pipeline", "description": "", "last_modified": "2018-03-24T03:41:30.554Z" } ] } schema: type: object description: Indicates a successful call summary: Get all Logstash pipelines tags: - logstash x-state: Technical Preview x-metaTags: - content: Kibana name: product_name /api/maintenance_window: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/maintenance_window
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. [Required authorization] Route required privileges: write-maintenance-window. operationId: post-maintenance-window parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: enabled: description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications. type: boolean schedule: additionalProperties: false type: object properties: custom: additionalProperties: false type: object properties: duration: description: 'The duration of the schedule. It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.' type: string recurring: additionalProperties: false type: object properties: end: description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.' type: string every: description: 'The interval and frequency of a recurring schedule. It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.' type: string occurrences: description: The total number of recurrences of the schedule. minimum: 1 type: number onMonth: description: The specific months for a recurring schedule. Valid values are 1-12. items: maximum: 12 minimum: 1 type: number minItems: 1 type: array onMonthDay: description: The specific days of the month for a recurring schedule. Valid values are 1-31. items: maximum: 31 minimum: 1 type: number minItems: 1 type: array onWeekDay: description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule. items: type: string minItems: 1 type: array start: description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.' type: string timezone: description: The timezone of the schedule. The default timezone is UTC. type: string required: - start - duration required: - custom scope: additionalProperties: false type: object properties: alerting: additionalProperties: false type: object properties: query: additionalProperties: false type: object properties: kql: description: A filter written in Kibana Query Language (KQL). Only alerts matching this query will be supressed by the maintenance window. type: string required: - kql required: - query required: - alerting title: description: The name of the maintenance window. While this name does not have to be unique, a distinctive name can help you identify a specific maintenance window. type: string required: - title - schedule responses: '200': content: application/json: schema: additionalProperties: false type: object properties: created_at: description: The date and time when the maintenance window was created. type: string created_by: description: The identifier for the user that created the maintenance window. nullable: true type: string enabled: description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications. type: boolean id: description: The identifier for the maintenance window. type: string schedule: additionalProperties: false type: object properties: custom: additionalProperties: false type: object properties: duration: description: 'The duration of the schedule. It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.' type: string recurring: additionalProperties: false type: object properties: end: description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.' type: string every: description: 'The interval and frequency of a recurring schedule. It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.' type: string occurrences: description: The total number of recurrences of the schedule. type: number onMonth: description: The specific months for a recurring schedule. Valid values are 1-12. items: type: number type: array onMonthDay: description: The specific days of the month for a recurring schedule. Valid values are 1-31. items: type: number type: array onWeekDay: description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule. items: type: string type: array start: description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.' type: string timezone: description: The timezone of the schedule. The default timezone is UTC. type: string required: - start - duration required: - custom scope: additionalProperties: false type: object properties: alerting: additionalProperties: false type: object properties: query: additionalProperties: false type: object properties: kql: description: A filter written in Kibana Query Language (KQL). type: string required: - kql required: - query required: - alerting status: description: The current status of the maintenance window. enum: - running - upcoming - finished - archived - disabled type: string title: description: The name of the maintenance window. type: string updated_at: description: The date and time when the maintenance window was last updated. type: string updated_by: description: The identifier for the user that last updated this maintenance window. nullable: true type: string required: - id - title - enabled - created_by - updated_by - created_at - updated_at - status - schedule description: Indicates a successful call. '400': description: Indicates an invalid schema or parameters. '403': description: Indicates that this call is forbidden. summary: Create a maintenance window. tags: - maintenance-window x-state: Generally available; added in 9.1.0 x-metaTags: - content: Kibana name: product_name /api/maintenance_window/_find: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/maintenance_window/_find
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. [Required authorization] Route required privileges: read-maintenance-window. operationId: get-maintenance-window-find parameters: - description: The title of the maintenance window. in: query name: title required: false schema: type: string - description: The user who created the maintenance window. in: query name: created_by required: false schema: type: string - description: The status of the maintenance window. It can be "running", "upcoming", "finished", "archived", or "disabled". in: query name: status required: false schema: items: enum: - running - finished - upcoming - archived - disabled type: string type: array - description: The page number to return. in: query name: page required: false schema: default: 1 maximum: 100 minimum: 1 type: number - description: The number of maintenance windows to return per page. in: query name: per_page required: false schema: default: 10 maximum: 100 minimum: 1 type: number responses: '200': content: application/json: schema: additionalProperties: false type: object properties: maintenanceWindows: items: additionalProperties: false type: object properties: created_at: description: The date and time when the maintenance window was created. type: string created_by: description: The identifier for the user that created the maintenance window. nullable: true type: string enabled: description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications. type: boolean id: description: The identifier for the maintenance window. type: string schedule: additionalProperties: false type: object properties: custom: additionalProperties: false type: object properties: duration: description: 'The duration of the schedule. It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.' type: string recurring: additionalProperties: false type: object properties: end: description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.' type: string every: description: 'The interval and frequency of a recurring schedule. It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.' type: string occurrences: description: The total number of recurrences of the schedule. type: number onMonth: description: The specific months for a recurring schedule. Valid values are 1-12. items: type: number type: array onMonthDay: description: The specific days of the month for a recurring schedule. Valid values are 1-31. items: type: number type: array onWeekDay: description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule. items: type: string type: array start: description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.' type: string timezone: description: The timezone of the schedule. The default timezone is UTC. type: string required: - start - duration required: - custom scope: additionalProperties: false type: object properties: alerting: additionalProperties: false type: object properties: query: additionalProperties: false type: object properties: kql: description: A filter written in Kibana Query Language (KQL). type: string required: - kql required: - query required: - alerting status: description: The current status of the maintenance window. enum: - running - upcoming - finished - archived - disabled type: string title: description: The name of the maintenance window. type: string updated_at: description: The date and time when the maintenance window was last updated. type: string updated_by: description: The identifier for the user that last updated this maintenance window. nullable: true type: string required: - id - title - enabled - created_by - updated_by - created_at - updated_at - status - schedule type: array page: type: number per_page: type: number total: type: number required: - page - per_page - total - maintenanceWindows description: Indicates a successful call. '400': description: Indicates an invalid schema or parameters. '403': description: Indicates that this call is forbidden. summary: Search for a maintenance window. tags: - maintenance-window x-state: Generally available; added in 9.2.0 x-metaTags: - content: Kibana name: product_name /api/maintenance_window/{id}: delete: description: |- **Spaces method and path for this operation:**
delete /s/{space_id}/api/maintenance_window/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. [Required authorization] Route required privileges: write-maintenance-window. operationId: delete-maintenance-window-id parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The identifier for the maintenance window to be deleted. in: path name: id required: true schema: type: string responses: '204': description: Indicates a successful call. '400': description: Indicates an invalid schema or parameters. '403': description: Indicates that this call is forbidden. '404': description: Indicates a maintenance window with the given ID does not exist. summary: Delete a maintenance window. tags: - maintenance-window x-state: Generally available; added in 9.1.0 x-metaTags: - content: Kibana name: product_name get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/maintenance_window/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. [Required authorization] Route required privileges: read-maintenance-window. operationId: get-maintenance-window-id parameters: - description: The identifier for the maintenance window. in: path name: id required: true schema: type: string responses: '200': content: application/json: schema: additionalProperties: false type: object properties: created_at: description: The date and time when the maintenance window was created. type: string created_by: description: The identifier for the user that created the maintenance window. nullable: true type: string enabled: description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications. type: boolean id: description: The identifier for the maintenance window. type: string schedule: additionalProperties: false type: object properties: custom: additionalProperties: false type: object properties: duration: description: 'The duration of the schedule. It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.' type: string recurring: additionalProperties: false type: object properties: end: description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.' type: string every: description: 'The interval and frequency of a recurring schedule. It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.' type: string occurrences: description: The total number of recurrences of the schedule. type: number onMonth: description: The specific months for a recurring schedule. Valid values are 1-12. items: type: number type: array onMonthDay: description: The specific days of the month for a recurring schedule. Valid values are 1-31. items: type: number type: array onWeekDay: description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule. items: type: string type: array start: description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.' type: string timezone: description: The timezone of the schedule. The default timezone is UTC. type: string required: - start - duration required: - custom scope: additionalProperties: false type: object properties: alerting: additionalProperties: false type: object properties: query: additionalProperties: false type: object properties: kql: description: A filter written in Kibana Query Language (KQL). type: string required: - kql required: - query required: - alerting status: description: The current status of the maintenance window. enum: - running - upcoming - finished - archived - disabled type: string title: description: The name of the maintenance window. type: string updated_at: description: The date and time when the maintenance window was last updated. type: string updated_by: description: The identifier for the user that last updated this maintenance window. nullable: true type: string required: - id - title - enabled - created_by - updated_by - created_at - updated_at - status - schedule description: Indicates a successful call. '400': description: Indicates an invalid schema or parameters. '403': description: Indicates that this call is forbidden. '404': description: Indicates a maintenance window with the given ID does not exist. summary: Get maintenance window details. tags: - maintenance-window x-state: Generally available; added in 9.1.0 x-metaTags: - content: Kibana name: product_name patch: description: |- **Spaces method and path for this operation:**
patch /s/{space_id}/api/maintenance_window/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. [Required authorization] Route required privileges: write-maintenance-window. operationId: patch-maintenance-window-id parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - in: path name: id required: true schema: type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: enabled: description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications. type: boolean schedule: additionalProperties: false type: object properties: custom: additionalProperties: false type: object properties: duration: description: 'The duration of the schedule. It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.' type: string recurring: additionalProperties: false type: object properties: end: description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.' type: string every: description: 'The interval and frequency of a recurring schedule. It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.' type: string occurrences: description: The total number of recurrences of the schedule. minimum: 1 type: number onMonth: description: The specific months for a recurring schedule. Valid values are 1-12. items: maximum: 12 minimum: 1 type: number minItems: 1 type: array onMonthDay: description: The specific days of the month for a recurring schedule. Valid values are 1-31. items: maximum: 31 minimum: 1 type: number minItems: 1 type: array onWeekDay: description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule. items: type: string minItems: 1 type: array start: description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.' type: string timezone: description: The timezone of the schedule. The default timezone is UTC. type: string required: - start - duration required: - custom scope: additionalProperties: false type: object properties: alerting: additionalProperties: false type: object properties: query: additionalProperties: false type: object properties: kql: description: A filter written in Kibana Query Language (KQL). Only alerts matching this query will be supressed by the maintenance window. type: string required: - kql required: - query required: - alerting title: description: The name of the maintenance window. While this name does not have to be unique, a distinctive name can help you identify a specific maintenance window. type: string responses: '200': content: application/json: schema: additionalProperties: false type: object properties: created_at: description: The date and time when the maintenance window was created. type: string created_by: description: The identifier for the user that created the maintenance window. nullable: true type: string enabled: description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications. type: boolean id: description: The identifier for the maintenance window. type: string schedule: additionalProperties: false type: object properties: custom: additionalProperties: false type: object properties: duration: description: 'The duration of the schedule. It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.' type: string recurring: additionalProperties: false type: object properties: end: description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.' type: string every: description: 'The interval and frequency of a recurring schedule. It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.' type: string occurrences: description: The total number of recurrences of the schedule. type: number onMonth: description: The specific months for a recurring schedule. Valid values are 1-12. items: type: number type: array onMonthDay: description: The specific days of the month for a recurring schedule. Valid values are 1-31. items: type: number type: array onWeekDay: description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule. items: type: string type: array start: description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.' type: string timezone: description: The timezone of the schedule. The default timezone is UTC. type: string required: - start - duration required: - custom scope: additionalProperties: false type: object properties: alerting: additionalProperties: false type: object properties: query: additionalProperties: false type: object properties: kql: description: A filter written in Kibana Query Language (KQL). type: string required: - kql required: - query required: - alerting status: description: The current status of the maintenance window. enum: - running - upcoming - finished - archived - disabled type: string title: description: The name of the maintenance window. type: string updated_at: description: The date and time when the maintenance window was last updated. type: string updated_by: description: The identifier for the user that last updated this maintenance window. nullable: true type: string required: - id - title - enabled - created_by - updated_by - created_at - updated_at - status - schedule description: Indicates a successful call. '400': description: Indicates an invalid schema or parameters. '403': description: Indicates that this call is forbidden. '404': description: Indicates a maintenance window with the given ID does not exist. '409': description: Indicates that the maintenance window has already been updated by another user. summary: Update a maintenance window. tags: - maintenance-window x-state: Generally available; added in 9.1.0 x-metaTags: - content: Kibana name: product_name /api/maintenance_window/{id}/_archive: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/maintenance_window/{id}/_archive
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. [Required authorization] Route required privileges: write-maintenance-window. operationId: post-maintenance-window-id-archive parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The identifier for the maintenance window to be archived. in: path name: id required: true schema: type: string responses: '200': content: application/json: schema: additionalProperties: false type: object properties: created_at: description: The date and time when the maintenance window was created. type: string created_by: description: The identifier for the user that created the maintenance window. nullable: true type: string enabled: description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications. type: boolean id: description: The identifier for the maintenance window. type: string schedule: additionalProperties: false type: object properties: custom: additionalProperties: false type: object properties: duration: description: 'The duration of the schedule. It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.' type: string recurring: additionalProperties: false type: object properties: end: description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.' type: string every: description: 'The interval and frequency of a recurring schedule. It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.' type: string occurrences: description: The total number of recurrences of the schedule. type: number onMonth: description: The specific months for a recurring schedule. Valid values are 1-12. items: type: number type: array onMonthDay: description: The specific days of the month for a recurring schedule. Valid values are 1-31. items: type: number type: array onWeekDay: description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule. items: type: string type: array start: description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.' type: string timezone: description: The timezone of the schedule. The default timezone is UTC. type: string required: - start - duration required: - custom scope: additionalProperties: false type: object properties: alerting: additionalProperties: false type: object properties: query: additionalProperties: false type: object properties: kql: description: A filter written in Kibana Query Language (KQL). type: string required: - kql required: - query required: - alerting status: description: The current status of the maintenance window. enum: - running - upcoming - finished - archived - disabled type: string title: description: The name of the maintenance window. type: string updated_at: description: The date and time when the maintenance window was last updated. type: string updated_by: description: The identifier for the user that last updated this maintenance window. nullable: true type: string required: - id - title - enabled - created_by - updated_by - created_at - updated_at - status - schedule description: Indicates a successful call. '400': description: Indicates an invalid schema or parameters. '403': description: Indicates that this call is forbidden. '404': description: Indicates a maintenance window with the given ID does not exist. summary: Archive a maintenance window. tags: - maintenance-window x-state: Generally available; added in 9.1.0 x-metaTags: - content: Kibana name: product_name /api/maintenance_window/{id}/_unarchive: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/maintenance_window/{id}/_unarchive
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. [Required authorization] Route required privileges: write-maintenance-window. operationId: post-maintenance-window-id-unarchive parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The identifier for the maintenance window to be unarchived. in: path name: id required: true schema: type: string responses: '200': content: application/json: schema: additionalProperties: false type: object properties: created_at: description: The date and time when the maintenance window was created. type: string created_by: description: The identifier for the user that created the maintenance window. nullable: true type: string enabled: description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications. type: boolean id: description: The identifier for the maintenance window. type: string schedule: additionalProperties: false type: object properties: custom: additionalProperties: false type: object properties: duration: description: 'The duration of the schedule. It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.' type: string recurring: additionalProperties: false type: object properties: end: description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.' type: string every: description: 'The interval and frequency of a recurring schedule. It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.' type: string occurrences: description: The total number of recurrences of the schedule. type: number onMonth: description: The specific months for a recurring schedule. Valid values are 1-12. items: type: number type: array onMonthDay: description: The specific days of the month for a recurring schedule. Valid values are 1-31. items: type: number type: array onWeekDay: description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule. items: type: string type: array start: description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.' type: string timezone: description: The timezone of the schedule. The default timezone is UTC. type: string required: - start - duration required: - custom scope: additionalProperties: false type: object properties: alerting: additionalProperties: false type: object properties: query: additionalProperties: false type: object properties: kql: description: A filter written in Kibana Query Language (KQL). type: string required: - kql required: - query required: - alerting status: description: The current status of the maintenance window. enum: - running - upcoming - finished - archived - disabled type: string title: description: The name of the maintenance window. type: string updated_at: description: The date and time when the maintenance window was last updated. type: string updated_by: description: The identifier for the user that last updated this maintenance window. nullable: true type: string required: - id - title - enabled - created_by - updated_by - created_at - updated_at - status - schedule description: Indicates a successful call. '400': description: Indicates an invalid schema or parameters. '403': description: Indicates that this call is forbidden. '404': description: Indicates a maintenance window with the given ID does not exist. summary: Unarchive a maintenance window. tags: - maintenance-window x-state: Generally available; added in 9.1.0 x-metaTags: - content: Kibana name: product_name /api/ml/saved_objects/sync: get: description: | **Spaces method and path for this operation:**
get /s/{space_id}/api/ml/saved_objects/sync
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Synchronizes Kibana saved objects for machine learning jobs and trained models in the default space. You must have `all` privileges for the **Machine Learning** feature in the **Analytics** section of the Kibana feature privileges. This API runs automatically when you start Kibana and periodically thereafter. operationId: mlSync parameters: - $ref: '#/components/parameters/Machine_learning_APIs_simulateParam' responses: '200': content: application/json: examples: syncExample: $ref: '#/components/examples/Machine_learning_APIs_mlSyncExample' schema: $ref: '#/components/schemas/Machine_learning_APIs_mlSync200Response' description: Indicates a successful call '401': content: application/json: examples: syncExample: $ref: '#/components/examples/Machine_learning_APIs_mlSync401Example' schema: $ref: '#/components/schemas/Machine_learning_APIs_mlSync4xxResponse' description: Authorization information is missing or invalid. summary: Sync saved objects in the default space tags: - ml x-metaTags: - content: Kibana name: product_name /api/ml/saved_objects/update_jobs_spaces: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/ml/saved_objects/update_jobs_spaces
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Update a list of jobs to add and/or remove them from given spaces. operationId: mlUpdateJobsSpaces requestBody: content: application/json: examples: updateADJobSpacesRequest: value: jobIds: - test-job jobType: anomaly-detector spacesToAdd: - default spacesToRemove: - '*' updateDFAJobSpacesRequest: value: jobIds: - test-job jobType: data-frame-analytics spacesToAdd: - default spacesToRemove: - '*' responses: '200': content: application/json: examples: successADResponse: value: test-job: success: true type: anomaly-detector successDFAResponse: value: test-job: success: true type: data-frame-analytics description: Indicates a successful call summary: Update jobs spaces tags: - ml x-metaTags: - content: Kibana name: product_name /api/ml/saved_objects/update_trained_models_spaces: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/ml/saved_objects/update_trained_models_spaces
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Update a list of trained models to add and/or remove them from given spaces. operationId: mlUpdateTrainedModelsSpaces requestBody: content: application/json: examples: updateTrainedModelsSpacesRequest: value: modelIds: - test-model spacesToAdd: - default spacesToRemove: - '*' responses: '200': content: application/json: examples: successTMResponse: value: test-model: success: true type: trained-model" description: Indicates a successful call summary: Update trained models spaces tags: - ml x-metaTags: - content: Kibana name: product_name /api/note: delete: description: | **Spaces method and path for this operation:**
delete /s/{space_id}/api/note
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Deletes notes by saved object ID. Send either `noteId` (single ID) or `noteIds` (array of IDs) in the JSON body. The response has HTTP 200 with an empty body on success. Requires the **Timeline and Notes** write privilege (`notes_write`). operationId: DeleteNote requestBody: content: application/json: schema: oneOf: - nullable: true type: object properties: noteId: description: Saved object ID of the note to delete. type: string required: - noteId - nullable: true type: object properties: noteIds: description: Saved object IDs of the notes to delete. items: type: string nullable: true type: array required: - noteIds description: | Exactly one shape: `{ "noteId": "" }` for a single delete, or `{ "noteIds": ["", ...] }` for bulk delete. `noteIds` may be null in some clients; prefer an empty array or omit unused fields when possible. required: true responses: '200': description: The notes were deleted successfully. Response body is empty. summary: Delete one or more notes tags: - Security Timeline API x-metaTags: - content: Kibana name: product_name get: description: | **Spaces method and path for this operation:**
get /s/{space_id}/api/note
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Returns Security Timeline notes as saved objects. **Query modes (mutually exclusive branches on the server):** 1. **`documentIds` is set** — Returns notes whose `eventId` matches the given Elasticsearch document `_id` (single string or array). Pagination query parameters (`page`, `perPage`, etc.) are **not** applied; the server uses a fixed page size (up to 10000 notes). 2. **`savedObjectIds` is set** — Returns notes linked to the given Timeline saved object id(s). Same fixed cap as above; list-mode query parameters are **not** applied. 3. **Neither `documentIds` nor `savedObjectIds`** — Lists notes using saved-objects find semantics: `page` (default 1), `perPage` (default 10), optional `search`, `sortField`, `sortOrder`, `filter`, `createdByFilter`, and `associatedFilter`. Requires the **Timeline and Notes** read privilege (`notes_read`). operationId: GetNotes parameters: - description: | Event document `_id` values to match against each note's `eventId`. When this parameter is present, the response is all matching notes (up to the server's hard limit), not a paged list using `page`/`perPage`. examples: multiple: summary: Multiple document ids (array) value: - id-one - id-two single: summary: Single document id value: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b in: query name: documentIds schema: $ref: '#/components/schemas/Security_Timeline_API_DocumentIds' - description: | Timeline `savedObjectId` value(s). Returns notes that reference those timelines. When present, list-mode pagination parameters are not used; up to the server's hard limit of notes may be returned. examples: singleTimeline: summary: Single timeline id value: 15c1929b-0af7-42bd-85a8-56e234cc7c4e in: query name: savedObjectIds schema: $ref: '#/components/schemas/Security_Timeline_API_SavedObjectIds' - description: | Page number for list mode (when `documentIds` and `savedObjectIds` are omitted). Passed as a string; default 1. example: '1' in: query name: page schema: nullable: true type: string - description: | Page size for list mode (when `documentIds` and `savedObjectIds` are omitted). Passed as a string; default 10. example: '20' in: query name: perPage schema: nullable: true type: string - description: Search string for saved-objects find (list mode only). in: query name: search schema: nullable: true type: string - description: Field to sort by for saved-objects find (list mode only). in: query name: sortField schema: nullable: true type: string - description: Sort order (`asc` or `desc`) for saved-objects find (list mode only). example: desc in: query name: sortOrder schema: nullable: true type: string - description: | Kuery filter string combined with other list-mode filters (for example `createdByFilter` or `associatedFilter`). Typed as a string for API compatibility; interpreted by the saved-objects layer (list mode only). in: query name: filter schema: nullable: true type: string - description: | Kibana user profile **UID** (UUID). The server resolves the user's display identifiers and returns notes whose `createdBy` matches any of them (list mode only). example: f1c2d3e4-5b6a-7890-abcd-ef1234567890 in: query name: createdByFilter schema: nullable: true type: string - description: | Restricts notes by how they relate to a Timeline and/or an event document (list mode only). Some values apply extra filtering after the query. Ignored when `documentIds` or `savedObjectIds` is used. in: query name: associatedFilter schema: $ref: '#/components/schemas/Security_Timeline_API_AssociatedFilterType' responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Timeline_API_GetNotesResult' description: Notes and total count for the requested mode. summary: Get notes tags: - Security Timeline API x-metaTags: - content: Kibana name: product_name patch: description: | **Spaces method and path for this operation:**
patch /s/{space_id}/api/note
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Creates a new note or updates an existing one. **Create:** Send `note` and omit `noteId` to create a new saved object. **Update:** Send `note` with the changed fields and set `noteId` to the note's saved object ID. Optionally include `version` for optimistic concurrency when the client has it from a prior read. Requires the **Timeline and Notes** write privilege (`notes_write`). externalDocs: description: Add or update a note on a Timeline url: https://www.elastic.co/guide/en/security/current/timeline-api-update.html operationId: PersistNoteRoute requestBody: content: application/json: schema: type: object properties: note: $ref: '#/components/schemas/Security_Timeline_API_BareNote' description: Note payload (timeline, text, optional event linkage, metadata). noteId: description: The `savedObjectId` of the note to update. Omit when creating a new note. example: 709f99c6-89b6-4953-9160-35945c8e174e nullable: true type: string version: description: Saved object version string from a previous read; optional on update. example: WzQ2LDFd nullable: true type: string required: - note description: | Body must include the `note` object. For updates, include `noteId` (and optionally `version`). To attach a note to a specific event, set `note.eventId` to that event's document `_id`; for a timeline-wide note, omit or clear `eventId` per product rules. required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Timeline_API_ResponseNote' description: The persisted note, including `noteId` and `version`. summary: Add or update a note tags: - Security Timeline API x-metaTags: - content: Kibana name: product_name /api/observability_ai_assistant/chat/complete: post: description: | **Spaces method and path for this operation:**
post /s/{space_id}/api/observability_ai_assistant/chat/complete
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Create a new chat completion by using the Observability AI Assistant. The API returns the model's response based on the current conversation context. It also handles any tool requests within the conversation, which may trigger multiple calls to the underlying large language model (LLM). This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. operationId: observability-ai-assistant-chat-complete requestBody: content: application/json: examples: chatCompleteRequestExample: $ref: '#/components/examples/Observability_AI_Assistant_API_ChatCompleteRequestExample' schema: type: object properties: actions: items: $ref: '#/components/schemas/Observability_AI_Assistant_API_Function' type: array connectorId: description: A unique identifier for the connector. type: string conversationId: description: A unique identifier for the conversation if you are continuing an existing conversation. type: string disableFunctions: description: Flag indicating whether all function calls should be disabled for the conversation. If true, no calls to functions will be made. type: boolean instructions: description: An array of instruction objects, which can be either simple strings or detailed objects. items: $ref: '#/components/schemas/Observability_AI_Assistant_API_Instruction' type: array messages: description: An array of message objects containing the conversation history. items: $ref: '#/components/schemas/Observability_AI_Assistant_API_Message' type: array persist: description: Indicates whether the conversation should be saved to storage. If true, the conversation will be saved and will be available in Kibana. type: boolean title: description: A title for the conversation. type: string required: - messages - connectorId - persist responses: '200': content: application/json: examples: chatCompleteResponseExample: $ref: '#/components/examples/Observability_AI_Assistant_API_ChatCompleteResponseExample' schema: type: object description: Successful response summary: Generate a chat completion tags: - observability_ai_assistant x-codeSamples: - lang: cURL source: | curl --request POST 'localhost:5601/api/observability_ai_assistant/chat/complete' -u : -H 'kbn-xsrf: true' -H "Content-Type: application/json" --data ' { "connectorId": "", "disableFunctions": false, "messages": [ { "@timestamp": "2025-06-25T23:45:00.000Z", "message": { "role": "user", "content": "Is my Elasticsearch cluster healthy right now?" } } ], "persist": false, "actions": [ { "name": "get_cluster_health", "description": "Fetch the current Elasticsearch cluster-health status and key metrics.", "parameters": { "type": "object", "properties": { "includeShardStats": { "type": "boolean", "default": false } } } } ], "instructions": ["When the user asks about Elasticsearch cluster health, use the get_cluster_health tool to retrieve cluster health, then summarize the response in plain English."] }' x-state: Technical Preview x-metaTags: - content: Kibana name: product_name /api/osquery/live_queries: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/osquery/live_queries
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get a list of all live queries. operationId: OsqueryFindLiveQueries parameters: - in: query name: kuery required: false schema: $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined' - in: query name: page required: false schema: $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' - in: query name: pageSize required: false schema: $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' - in: query name: sort required: false schema: $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' - in: query name: sortOrder required: false schema: $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Osquery_API_FindLiveQueryResponse' description: OK summary: Get live queries tags: - Security Osquery API x-metaTags: - content: Kibana name: product_name post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/osquery/live_queries
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Create and run a live query. operationId: OsqueryCreateLiveQuery requestBody: content: application/json: schema: $ref: '#/components/schemas/Security_Osquery_API_CreateLiveQueryRequestBody' required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Osquery_API_CreateLiveQueryResponse' description: OK summary: Create a live query tags: - Security Osquery API x-metaTags: - content: Kibana name: product_name /api/osquery/live_queries/{id}: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/osquery/live_queries/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get the details of a live query using the query ID. operationId: OsqueryGetLiveQueryDetails parameters: - in: path name: id required: true schema: description: The ID of the live query result you want to retrieve. example: 3c42c847-eb30-4452-80e0-728584042334 type: string responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Osquery_API_FindLiveQueryDetailsResponse' description: OK summary: Get live query details tags: - Security Osquery API x-metaTags: - content: Kibana name: product_name /api/osquery/live_queries/{id}/results/{actionId}: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/osquery/live_queries/{id}/results/{actionId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get the results of a live query using the query action ID. operationId: OsqueryGetLiveQueryResults parameters: - in: path name: id required: true schema: description: The ID of the live query result you want to retrieve. example: 3c42c847-eb30-4452-80e0-728584042334 type: string - in: path name: actionId required: true schema: description: The ID of the query action that generated the live query results. example: 609c4c66-ba3d-43fa-afdd-53e244577aa0 type: string - in: query name: kuery required: false schema: $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined' - in: query name: page required: false schema: $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' - in: query name: pageSize required: false schema: $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' - in: query name: sort required: false schema: $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' - in: query name: sortOrder required: false schema: $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Osquery_API_GetLiveQueryResultsResponse' description: OK summary: Get live query results tags: - Security Osquery API x-metaTags: - content: Kibana name: product_name /api/osquery/packs: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/osquery/packs
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get a list of all query packs. operationId: OsqueryFindPacks parameters: - in: query name: page required: false schema: $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' - in: query name: pageSize required: false schema: $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' - in: query name: sort required: false schema: $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' - in: query name: sortOrder required: false schema: $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Osquery_API_FindPacksResponse' description: OK summary: Get packs tags: - Security Osquery API x-metaTags: - content: Kibana name: product_name post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/osquery/packs
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Create a query pack. operationId: OsqueryCreatePacks requestBody: content: application/json: schema: $ref: '#/components/schemas/Security_Osquery_API_CreatePacksRequestBody' required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Osquery_API_CreatePacksResponse' description: OK summary: Create a pack tags: - Security Osquery API x-metaTags: - content: Kibana name: product_name /api/osquery/packs/{id}: delete: description: |- **Spaces method and path for this operation:**
delete /s/{space_id}/api/osquery/packs/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Delete a query pack using the pack ID. operationId: OsqueryDeletePacks parameters: - in: path name: id required: true schema: $ref: '#/components/schemas/Security_Osquery_API_PackId' responses: '200': content: application/json: schema: example: {} type: object properties: {} description: OK summary: Delete a pack tags: - Security Osquery API x-metaTags: - content: Kibana name: product_name get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/osquery/packs/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get the details of a query pack using the pack ID. operationId: OsqueryGetPacksDetails parameters: - in: path name: id required: true schema: $ref: '#/components/schemas/Security_Osquery_API_PackId' responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Osquery_API_FindPackResponse' description: OK summary: Get pack details tags: - Security Osquery API x-metaTags: - content: Kibana name: product_name put: description: | **Spaces method and path for this operation:**
put /s/{space_id}/api/osquery/packs/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Update a query pack using the pack ID. > info > You cannot update a prebuilt pack. operationId: OsqueryUpdatePacks parameters: - in: path name: id required: true schema: $ref: '#/components/schemas/Security_Osquery_API_PackId' requestBody: content: application/json: schema: $ref: '#/components/schemas/Security_Osquery_API_UpdatePacksRequestBody' required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Osquery_API_UpdatePacksResponse' description: OK summary: Update a pack tags: - Security Osquery API x-metaTags: - content: Kibana name: product_name /api/osquery/saved_queries: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/osquery/saved_queries
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get a list of all saved queries. operationId: OsqueryFindSavedQueries parameters: - in: query name: page required: false schema: $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' - in: query name: pageSize required: false schema: $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' - in: query name: sort required: false schema: $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' - in: query name: sortOrder required: false schema: $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Osquery_API_FindSavedQueryResponse' description: OK summary: Get saved queries tags: - Security Osquery API x-metaTags: - content: Kibana name: product_name post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/osquery/saved_queries
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Create and run a saved query. operationId: OsqueryCreateSavedQuery requestBody: content: application/json: schema: $ref: '#/components/schemas/Security_Osquery_API_CreateSavedQueryRequestBody' required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Osquery_API_CreateSavedQueryResponse' description: OK summary: Create a saved query tags: - Security Osquery API x-metaTags: - content: Kibana name: product_name /api/osquery/saved_queries/{id}: delete: description: |- **Spaces method and path for this operation:**
delete /s/{space_id}/api/osquery/saved_queries/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Delete a saved query using the query ID. operationId: OsqueryDeleteSavedQuery parameters: - in: path name: id required: true schema: $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Osquery_API_DefaultSuccessResponse' description: OK summary: Delete a saved query tags: - Security Osquery API x-metaTags: - content: Kibana name: product_name get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/osquery/saved_queries/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get the details of a saved query using the query ID. operationId: OsqueryGetSavedQueryDetails parameters: - in: path name: id required: true schema: $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Osquery_API_FindSavedQueryDetailResponse' description: OK summary: Get saved query details tags: - Security Osquery API x-metaTags: - content: Kibana name: product_name put: description: | **Spaces method and path for this operation:**
put /s/{space_id}/api/osquery/saved_queries/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Update a saved query using the query ID. > info > You cannot update a prebuilt saved query. operationId: OsqueryUpdateSavedQuery parameters: - in: path name: id required: true schema: $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' requestBody: content: application/json: schema: $ref: '#/components/schemas/Security_Osquery_API_UpdateSavedQueryRequestBody' required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Osquery_API_UpdateSavedQueryResponse' description: OK summary: Update a saved query tags: - Security Osquery API x-metaTags: - content: Kibana name: product_name /api/pinned_event: patch: description: |- **Spaces method and path for this operation:**
patch /s/{space_id}/api/pinned_event
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Pin/unpin an event to/from an existing Timeline. operationId: PersistPinnedEventRoute requestBody: content: application/json: schema: type: object properties: eventId: description: The `_id` of the associated event for this pinned event. example: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc type: string pinnedEventId: description: The `savedObjectId` of the pinned event you want to unpin. example: 10r1929b-0af7-42bd-85a8-56e234f98h2f3 nullable: true type: string timelineId: description: The `savedObjectId` of the timeline that you want this pinned event unpinned from. example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e type: string required: - eventId - timelineId description: The pinned event to add or unpin, along with additional metadata. required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Timeline_API_PersistPinnedEventResponse' description: Indicates the event was successfully pinned to or unpinned from the Timeline. summary: Pin/unpin an event tags: - Security Timeline API x-metaTags: - content: Kibana name: product_name /api/risk_score/engine/dangerously_delete_data: delete: description: |- **Spaces method and path for this operation:**
delete /s/{space_id}/api/risk_score/engine/dangerously_delete_data
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Cleaning up the the Risk Engine by removing the indices, mapping and transforms operationId: CleanUpRiskEngine responses: '200': content: application/json: schema: type: object properties: cleanup_successful: type: boolean description: Successful response '400': content: application/json: schema: $ref: '#/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse' description: Task manager is unavailable default: content: application/json: schema: $ref: '#/components/schemas/Security_Entity_Analytics_API_CleanUpRiskEngineErrorResponse' description: Unexpected error summary: Cleanup the Risk Engine tags: - Security Entity Analytics API x-metaTags: - content: Kibana name: product_name /api/risk_score/engine/saved_object/configure: patch: description: |- **Spaces method and path for this operation:**
patch /s/{space_id}/api/risk_score/engine/saved_object/configure
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Configuring the Risk Engine Saved Object operationId: ConfigureRiskEngineSavedObject requestBody: content: application/json: schema: type: object properties: enable_reset_to_zero: type: boolean exclude_alert_statuses: items: type: string type: array exclude_alert_tags: items: type: string type: array filters: items: type: object properties: entity_types: items: enum: - host - user - service type: string type: array filter: description: KQL filter string type: string required: - entity_types - filter type: array page_size: description: | Number of entities to score per page. Higher values reduce total scoring time by reducing the number of alert-index scans, but cannot exceed the ES|QL result limit (10,000 by default). maximum: 10000 minimum: 100 type: integer range: type: object properties: end: type: string start: type: string required: true responses: '200': content: application/json: schema: type: object properties: risk_engine_saved_object_configured: type: boolean description: Successful response '400': content: application/json: schema: $ref: '#/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse' description: Task manager is unavailable default: content: application/json: schema: $ref: '#/components/schemas/Security_Entity_Analytics_API_ConfigureRiskEngineSavedObjectErrorResponse' description: Unexpected error summary: Configure the Risk Engine Saved Object tags: - Security Entity Analytics API x-metaTags: - content: Kibana name: product_name /api/risk_score/engine/schedule_now: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/risk_score/engine/schedule_now
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Schedule the risk scoring engine to run as soon as possible. You can use this to recalculate entity risk scores after updating their asset criticality. operationId: ScheduleRiskEngineNow requestBody: content: application/json: {} responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Entity_Analytics_API_RiskEngineScheduleNowResponse' description: Successful response '400': content: application/json: schema: $ref: '#/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse' description: Task manager is unavailable default: content: application/json: schema: $ref: '#/components/schemas/Security_Entity_Analytics_API_RiskEngineScheduleNowErrorResponse' description: Unexpected error summary: Run the risk scoring engine tags: - Security Entity Analytics API x-metaTags: - content: Kibana name: product_name /api/saved_objects/_bulk_create: post: deprecated: true description: | **Spaces method and path for this operation:**
post /s/{space_id}/api/saved_objects/_bulk_create
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Create multiple Kibana saved objects. WARNING: This API is intended to be removed in a future Elastic stack version. Consider using the import API for your use case. NOTE: For forward compatibility, include `coreMigrationVersion` and `typeMigrationVersion` when creating saved objects outside of Kibana or when persisting raw saved objects outside of Kibana. operationId: bulkCreateSavedObjects parameters: - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' - description: When true, overwrites the document with the same identifier. in: query name: overwrite schema: type: boolean requestBody: content: application/json: schema: items: type: object properties: coreMigrationVersion: description: | The Kibana version that last migrated this document. When creating saved objects outside of Kibana, preserve this field to retain forward compatibility. type: string typeMigrationVersion: description: | The type version that last migrated this document. When creating saved objects outside of Kibana, preserve this field to retain forward compatibility. type: string type: array required: true responses: '200': content: application/json: schema: type: object description: Indicates a successful call. '400': content: application/json: schema: $ref: '#/components/schemas/Saved_objects_400_response' description: Bad request summary: Create saved objects tags: - saved objects x-metaTags: - content: Kibana name: product_name /api/saved_objects/_bulk_delete: post: deprecated: true description: | **Spaces method and path for this operation:**
post /s/{space_id}/api/saved_objects/_bulk_delete
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. WARNING: When you delete a saved object, it cannot be recovered. WARNING: This API is intended to be removed in a future Elastic stack version. There is currently no alternative API for all use cases supported by this API. Once alternative APIs are provided in a future Elastic version, it will be possible to migrate away from this API. operationId: bulkDeleteSavedObjects parameters: - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' - description: | When true, force delete objects that exist in multiple namespaces. Note that the option applies to the whole request. Use the delete object API to specify per-object deletion behavior. TIP: Use this if you attempted to delete objects and received an HTTP 400 error with the following message: "Unable to delete saved object that exists in multiple namespaces, use the force option to delete it anyway". WARNING: When you bulk delete objects that exist in multiple namespaces, the API also deletes legacy url aliases that reference the object. These requests are batched to minimise the impact but they can place a heavy load on Kibana. Make sure you limit the number of objects that exist in multiple namespaces in a single bulk delete operation. in: query name: force schema: type: boolean requestBody: content: application/json: schema: items: type: object type: array required: true responses: '200': content: application/json: schema: type: object description: | Indicates a successful call. NOTE: This HTTP response code indicates that the bulk operation succeeded. Errors pertaining to individual objects will be returned in the response body. '400': content: application/json: schema: $ref: '#/components/schemas/Saved_objects_400_response' description: Bad request summary: Delete saved objects tags: - saved objects x-metaTags: - content: Kibana name: product_name /api/saved_objects/_bulk_get: post: deprecated: true description: | **Spaces method and path for this operation:**
post /s/{space_id}/api/saved_objects/_bulk_get
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Retrieve multiple Kibana saved objects by identifier. WARNING: This API is intended to be removed in a future Elastic stack version. Consider using the export API for your use case. operationId: bulkGetSavedObjects parameters: - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' requestBody: content: application/json: schema: items: type: object type: array required: true responses: '200': content: application/json: schema: type: object description: Indicates a successful call. '400': content: application/json: schema: $ref: '#/components/schemas/Saved_objects_400_response' description: Bad request summary: Get saved objects tags: - saved objects x-metaTags: - content: Kibana name: product_name /api/saved_objects/_bulk_resolve: post: deprecated: true description: | **Spaces method and path for this operation:**
post /s/{space_id}/api/saved_objects/_bulk_resolve
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Retrieve multiple Kibana saved objects by identifier using any legacy URL aliases if they exist. Under certain circumstances when Kibana is upgraded, saved object migrations may necessitate regenerating some object IDs to enable new features. When an object's ID is regenerated, a legacy URL alias is created for that object, preserving its old ID. In such a scenario, that object can be retrieved by the bulk resolve API using either its new ID or its old ID. WARNING: This API is intended to be removed in a future Elastic stack version. Consider using the export API for your use case. operationId: bulkResolveSavedObjects parameters: - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' requestBody: content: application/json: schema: items: type: object type: array required: true responses: '200': content: application/json: schema: type: object description: | Indicates a successful call. NOTE: This HTTP response code indicates that the bulk operation succeeded. Errors pertaining to individual objects will be returned in the response body. '400': content: application/json: schema: $ref: '#/components/schemas/Saved_objects_400_response' description: Bad request summary: Resolve saved objects tags: - saved objects x-metaTags: - content: Kibana name: product_name /api/saved_objects/_bulk_update: post: deprecated: true description: | **Spaces method and path for this operation:**
post /s/{space_id}/api/saved_objects/_bulk_update
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Update the attributes for multiple Kibana saved objects. WARNING: This API is intended to be removed in a future Elastic stack version. Consider using the import API for your use case. operationId: bulkUpdateSavedObjects parameters: - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' requestBody: content: application/json: schema: items: type: object type: array required: true responses: '200': content: application/json: schema: type: object description: | Indicates a successful call. NOTE: This HTTP response code indicates that the bulk operation succeeded. Errors pertaining to individual objects will be returned in the response body. '400': content: application/json: schema: $ref: '#/components/schemas/Saved_objects_400_response' description: Bad request summary: Update saved objects tags: - saved objects x-metaTags: - content: Kibana name: product_name /api/saved_objects/_export: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/saved_objects/_export
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Retrieve sets of saved objects that you want to import into Kibana. You must include `type` or `objects` in the request body. The output of exporting saved objects must be treated as opaque. Tampering with exported data risks introducing unspecified errors and data loss. Exported saved objects are not backwards compatible and cannot be imported into an older version of Kibana. NOTE: The exported saved objects include `coreMigrationVersion` and `typeMigrationVersion` metadata. If you store exported saved objects outside of Kibana (for example in NDJSON files) or generate them yourself, you must preserve or include these fields to retain forward compatibility across Kibana versions. NOTE: The `savedObjects.maxImportExportSize` configuration setting limits the number of saved objects which may be exported. operationId: post-saved-objects-export parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: examples: exportSavedObjectsRequest: summary: Export a specific saved object. value: excludeExportDetails: true includeReferencesDeep: false objects: - id: de71f4f0-1902-11e9-919b-ffe5949a18d2 type: map schema: additionalProperties: false type: object properties: excludeExportDetails: default: false description: Do not add export details entry at the end of the stream. type: boolean hasReference: anyOf: - additionalProperties: false type: object properties: id: type: string type: type: string required: - type - id - items: additionalProperties: false type: object properties: id: type: string type: type: string required: - type - id maxItems: 100 type: array includeReferencesDeep: default: false description: Includes all of the referenced objects in the exported objects. type: boolean objects: description: 'A list of objects to export. NOTE: this optional parameter cannot be combined with the `types` option' items: additionalProperties: false type: object properties: id: type: string type: type: string required: - type - id maxItems: 10000 type: array search: description: Search for documents to export using the Elasticsearch Simple Query String syntax. type: string type: anyOf: - type: string - items: type: string maxItems: 100 type: array description: The saved object types to include in the export. Use `*` to export all the types. Valid options depend on enabled plugins, but may include `visualization`, `dashboard`, `search`, `index-pattern`, `tag`, `config`, `config-global`, `lens`, `map`, `event-annotation-group`, `query`, `url`, `action`, `alert`, `alerting_rule_template`, `apm-indices`, `cases-user-actions`, `cases`, `cases-comments`, `infrastructure-monitoring-log-view`, `ml-trained-model`, `osquery-saved-query`, `osquery-pack`, `osquery-pack-asset`. responses: '200': content: application/x-ndjson: examples: exportSavedObjectsResponse: summary: The export objects API response contains a JSON record for each exported object. value: attributes: description: '' layerListJSON: '[{"id":"0hmz5","alpha":1,"sourceDescriptor":{"type":"EMS_TMS","isAutoSelect":true,"lightModeDefault":"road_map_desaturated"},"visible":true,"style":{},"type":"EMS_VECTOR_TILE","minZoom":0,"maxZoom":24},{"id":"edh66","label":"Total Requests by Destination","minZoom":0,"maxZoom":24,"alpha":0.5,"sourceDescriptor":{"type":"EMS_FILE","id":"world_countries","tooltipProperties":["name","iso2"]},"visible":true,"style":{"type":"VECTOR","properties":{"fillColor":{"type":"DYNAMIC","options":{"field":{"name":"__kbnjoin__count__673ff994-fc75-4c67-909b-69fcb0e1060e","origin":"join"},"color":"Greys","fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"lineColor":{"type":"STATIC","options":{"color":"#FFFFFF"}},"lineWidth":{"type":"STATIC","options":{"size":1}},"iconSize":{"type":"STATIC","options":{"size":10}},"symbolizeAs":{"options":{"value":"circle"}},"icon":{"type":"STATIC","options":{"value":"marker"}}}},"type":"GEOJSON_VECTOR","joins":[{"leftField":"iso2","right":{"type":"ES_TERM_SOURCE","id":"673ff994-fc75-4c67-909b-69fcb0e1060e","indexPatternTitle":"kibana_sample_data_logs","term":"geo.dest","indexPatternRefName":"layer_1_join_0_index_pattern","metrics":[{"type":"count","label":"web logs count"}],"applyGlobalQuery":true}}]},{"id":"gaxya","label":"Actual Requests","minZoom":9,"maxZoom":24,"alpha":1,"sourceDescriptor":{"id":"b7486535-171b-4d3b-bb2e-33c1a0a2854c","type":"ES_SEARCH","geoField":"geo.coordinates","limit":2048,"filterByMapBounds":true,"tooltipProperties":["clientip","timestamp","host","request","response","machine.os","agent","bytes"],"indexPatternRefName":"layer_2_source_index_pattern","applyGlobalQuery":true,"scalingType":"LIMIT"},"visible":true,"style":{"type":"VECTOR","properties":{"fillColor":{"type":"STATIC","options":{"color":"#2200ff"}},"lineColor":{"type":"STATIC","options":{"color":"#FFFFFF"}},"lineWidth":{"type":"STATIC","options":{"size":2}},"iconSize":{"type":"DYNAMIC","options":{"field":{"name":"bytes","origin":"source"},"minSize":1,"maxSize":23,"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"symbolizeAs":{"options":{"value":"circle"}},"icon":{"type":"STATIC","options":{"value":"marker"}}}},"type":"GEOJSON_VECTOR"},{"id":"tfi3f","label":"Total Requests and Bytes","minZoom":0,"maxZoom":9,"alpha":1,"sourceDescriptor":{"type":"ES_GEO_GRID","resolution":"COARSE","id":"8aaa65b5-a4e9-448b-9560-c98cb1c5ac5b","geoField":"geo.coordinates","requestType":"point","metrics":[{"type":"count","label":"web logs count"},{"type":"sum","field":"bytes"}],"indexPatternRefName":"layer_3_source_index_pattern","applyGlobalQuery":true},"visible":true,"style":{"type":"VECTOR","properties":{"fillColor":{"type":"DYNAMIC","options":{"field":{"name":"doc_count","origin":"source"},"color":"Blues","fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"lineColor":{"type":"STATIC","options":{"color":"#cccccc"}},"lineWidth":{"type":"STATIC","options":{"size":1}},"iconSize":{"type":"DYNAMIC","options":{"field":{"name":"sum_of_bytes","origin":"source"},"minSize":7,"maxSize":25,"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"labelText":{"type":"DYNAMIC","options":{"field":{"name":"doc_count","origin":"source"},"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"labelSize":{"type":"DYNAMIC","options":{"field":{"name":"doc_count","origin":"source"},"minSize":12,"maxSize":24,"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"symbolizeAs":{"options":{"value":"circle"}},"icon":{"type":"STATIC","options":{"value":"marker"}}}},"type":"GEOJSON_VECTOR"}]' mapStateJSON: '{"zoom":3.64,"center":{"lon":-88.92107,"lat":42.16337},"timeFilters":{"from":"now-7d","to":"now"},"refreshConfig":{"isPaused":true,"interval":0},"query":{"language":"kuery","query":""},"settings":{"autoFitToDataBounds":false}}' title: '[Logs] Total Requests and Bytes' uiStateJSON: '{"isDarkMode":false}' coreMigrationVersion: 8.8.0 created_at: '2023-08-23T20:03:32.204Z' id: de71f4f0-1902-11e9-919b-ffe5949a18d2 managed: false references: - id: 90943e30-9a47-11e8-b64d-95841ca0b247 name: layer_1_join_0_index_pattern type: index-pattern - id: 90943e30-9a47-11e8-b64d-95841ca0b247 name: layer_2_source_index_pattern type: index-pattern - id: 90943e30-9a47-11e8-b64d-95841ca0b247 name: layer_3_source_index_pattern type: index-pattern type: map typeMigrationVersion: 8.4.0 updated_at: '2023-08-23T20:03:32.204Z' version: WzEzLDFd schema: {} description: Indicates a successfull call. '400': content: application/json: schema: additionalProperties: false description: Indicates an unsuccessful response. type: object properties: error: type: string message: type: string statusCode: enum: - 400 type: integer required: - error - message - statusCode description: Bad request. summary: Export saved objects tags: - saved objects x-metaTags: - content: Kibana name: product_name /api/saved_objects/_find: get: deprecated: true description: | **Spaces method and path for this operation:**
get /s/{space_id}/api/saved_objects/_find
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Retrieve a paginated set of Kibana saved objects. WARNING: This API is intended to be removed in a future Elastic stack version. Consider using the export API for your use case. operationId: findSavedObjects parameters: - description: | An aggregation structure, serialized as a string. The field format is similar to filter, meaning that to use a saved object type attribute in the aggregation, the `savedObjectType.attributes.title: "myTitle"` format must be used. For root fields, the syntax is `savedObjectType.rootField`. NOTE: As objects change in Kibana, the results on each page of the response also change. Use the find API for traditional paginated results, but avoid using it to export large amounts of data. in: query name: aggs schema: type: string - description: The default operator to use for the `simple_query_string`. in: query name: default_search_operator schema: type: string - description: The fields to return in the attributes key of the response. in: query name: fields schema: oneOf: - type: string - type: array - description: | The filter is a KQL string with the caveat that if you filter with an attribute from your saved object type, it should look like that: `savedObjectType.attributes.title: "myTitle"`. However, if you use a root attribute of a saved object such as `updated_at`, you will have to define your filter like that: `savedObjectType.updated_at > 2018-12-22`. in: query name: filter schema: type: string - description: Filters to objects that do not have a relationship with the type and identifier combination. in: query name: has_no_reference schema: type: object - description: The operator to use for the `has_no_reference` parameter. Either `OR` or `AND`. Defaults to `OR`. in: query name: has_no_reference_operator schema: type: string - description: Filters to objects that have a relationship with the type and ID combination. in: query name: has_reference schema: type: object - description: The operator to use for the `has_reference` parameter. Either `OR` or `AND`. Defaults to `OR`. in: query name: has_reference_operator schema: type: string - description: The page of objects to return. in: query name: page schema: type: integer - description: The number of objects to return per page. in: query name: per_page schema: type: integer - description: An Elasticsearch `simple_query_string` query that filters the objects in the response. in: query name: search schema: type: string - description: The fields to perform the `simple_query_string` parsed query against. in: query name: search_fields schema: oneOf: - type: string - type: array - description: | Sorts the response. Includes "root" and "type" fields. "root" fields exist for all saved objects, such as "updated_at". "type" fields are specific to an object type, such as fields returned in the attributes key of the response. When a single type is defined in the type parameter, the "root" and "type" fields are allowed, and validity checks are made in that order. When multiple types are defined in the type parameter, only "root" fields are allowed. in: query name: sort_field schema: type: string - description: The saved object types to include. in: query name: type required: true schema: oneOf: - type: string - type: array responses: '200': content: application/json: schema: type: object description: Indicates a successful call. '400': content: application/json: schema: $ref: '#/components/schemas/Saved_objects_400_response' description: Bad request summary: Search for saved objects tags: - saved objects x-metaTags: - content: Kibana name: product_name /api/saved_objects/_import: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/saved_objects/_import
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Create sets of Kibana saved objects from a file created by the export API. Saved objects can only be imported into the same version, a newer minor on the same major, or the next major. Tampering with exported data risks introducing unspecified errors and data loss. Exported saved objects are not backwards compatible and cannot be imported into an older version of Kibana. NOTE: The exported saved objects include `coreMigrationVersion` and `typeMigrationVersion` metadata. If you store exported saved objects outside of Kibana (for example in NDJSON files) or generate them yourself, you must preserve or include these fields to retain forwards compatibility across Kibana versions. operationId: post-saved-objects-import parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: 'Overwrites saved objects when they already exist. When used, potential conflict errors are automatically resolved by overwriting the destination object. NOTE: This option cannot be used with the `createNewCopies` option.' in: query name: overwrite required: false schema: default: false type: boolean - description: 'Creates copies of saved objects, regenerates each object ID, and resets the origin. When used, potential conflict errors are avoided. NOTE: This option cannot be used with the `overwrite` and `compatibilityMode` options.' in: query name: createNewCopies required: false schema: default: false type: boolean - description: 'Applies various adjustments to the saved objects that are being imported to maintain compatibility between different Kibana versions. Use this option only if you encounter issues with imported saved objects. NOTE: This option cannot be used with the `createNewCopies` option.' in: query name: compatibilityMode required: false schema: default: false type: boolean requestBody: content: multipart/form-data: examples: importObjectsRequest: value: file: file.ndjson schema: additionalProperties: false type: object properties: file: description: 'A file exported using the export API. Changing the contents of the exported file in any way before importing it can cause errors, crashes or data loss. NOTE: The `savedObjects.maxImportExportSize` configuration setting limits the number of saved objects which may be included in this file. Similarly, the `savedObjects.maxImportPayloadBytes` setting limits the overall size of the file that can be imported.' type: object required: - file responses: '200': content: application/json: examples: importObjectsResponse: summary: The import objects API response indicates a successful import and the objects are created. Since these objects are created as new copies, each entry in the successResults array includes a destinationId attribute. value: success: true successCount: 1 successResults: - destinationId: 82d2760c-468f-49cf-83aa-b9a35b6a8943 id: 90943e30-9a47-11e8-b64d-95841ca0b247 managed: false meta: icon: indexPatternApp title: Kibana Sample Data Logs type: index-pattern schema: additionalProperties: false type: object properties: errors: description: |- Indicates the import was unsuccessful and specifies the objects that failed to import. NOTE: One object may result in multiple errors, which requires separate steps to resolve. For instance, a `missing_references` error and conflict error. items: additionalProperties: true type: object properties: {} type: array success: description: Indicates when the import was successfully completed. When set to false, some objects may not have been created. For additional information, refer to the `errors` and `successResults` properties. type: boolean successCount: description: Indicates the number of successfully imported records. type: number successResults: description: |- Indicates the objects that are successfully imported, with any metadata if applicable. NOTE: Objects are created only when all resolvable errors are addressed, including conflicts and missing references. If objects are created as new copies, each entry in the `successResults` array includes a `destinationId` attribute. items: additionalProperties: true type: object properties: {} type: array required: - success - successCount - errors - successResults description: Indicates a successful call. '400': content: application/json: schema: additionalProperties: false description: Indicates an unsuccessful response. type: object properties: error: type: string message: type: string statusCode: enum: - 400 type: integer required: - error - message - statusCode description: Bad request. summary: Import saved objects tags: - saved objects x-codeSamples: - label: Import with createNewCopies lang: cURL source: | curl \ -X POST api/saved_objects/_import?createNewCopies=true -H "kbn-xsrf: true" --form file=@file.ndjson x-metaTags: - content: Kibana name: product_name /api/saved_objects/_resolve_import_errors: post: description: | **Spaces method and path for this operation:**
post /s/{space_id}/api/saved_objects/_resolve_import_errors
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. To resolve errors from the Import objects API, you can: * Retry certain saved objects * Overwrite specific saved objects * Change references to different saved objects operationId: resolveImportErrors parameters: - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' - description: | Applies various adjustments to the saved objects that are being imported to maintain compatibility between different Kibana versions. When enabled during the initial import, also enable when resolving import errors. This option cannot be used with the `createNewCopies` option. in: query name: compatibilityMode required: false schema: type: boolean - description: | Creates copies of the saved objects, regenerates each object ID, and resets the origin. When enabled during the initial import, also enable when resolving import errors. in: query name: createNewCopies required: false schema: type: boolean requestBody: content: multipart/form-data: examples: resolveImportErrorsRequest: $ref: '#/components/examples/Saved_objects_resolve_missing_reference_request' schema: type: object properties: file: description: The same file given to the import API. format: binary type: string retries: description: The retry operations, which can specify how to resolve different types of errors. items: type: object properties: destinationId: description: Specifies the destination ID that the imported object should have, if different from the current ID. type: string id: description: The saved object ID. type: string ignoreMissingReferences: description: When set to `true`, ignores missing reference errors. When set to `false`, does nothing. type: boolean overwrite: description: When set to `true`, the source object overwrites the conflicting destination object. When set to `false`, does nothing. type: boolean replaceReferences: description: A list of `type`, `from`, and `to` used to change the object references. items: type: object properties: from: type: string to: type: string type: type: string type: array type: description: The saved object type. type: string required: - type - id type: array required: - retries required: true responses: '200': content: application/json: examples: resolveImportErrorsResponse: $ref: '#/components/examples/Saved_objects_resolve_missing_reference_response' schema: type: object properties: errors: description: | Specifies the objects that failed to resolve. NOTE: One object can result in multiple errors, which requires separate steps to resolve. For instance, a `missing_references` error and a `conflict` error. items: type: object type: array success: description: | Indicates a successful import. When set to `false`, some objects may not have been created. For additional information, refer to the `errors` and `successResults` properties. type: boolean successCount: description: | Indicates the number of successfully resolved records. type: number successResults: description: | Indicates the objects that are successfully imported, with any metadata if applicable. NOTE: Objects are only created when all resolvable errors are addressed, including conflict and missing references. items: type: object type: array description: Indicates a successful call. '400': content: application/json: schema: $ref: '#/components/schemas/Saved_objects_400_response' description: Bad request. summary: Resolve import errors tags: - saved objects x-metaTags: - content: Kibana name: product_name /api/saved_objects/{type}: post: deprecated: true description: | **Spaces method and path for this operation:**
post /s/{space_id}/api/saved_objects/{type}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Create a Kibana saved object with a randomly generated identifier. WARNING: This API is intended to be removed in a future Elastic stack version. Consider using the import API for your use case. NOTE: For forward compatibility, include `coreMigrationVersion` and `typeMigrationVersion` when creating saved objects outside of Kibana or when persisting raw saved objects outside of Kibana. operationId: createSavedObject parameters: - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' - $ref: '#/components/parameters/Saved_objects_saved_object_type' - description: If true, overwrites the document with the same identifier. in: query name: overwrite schema: type: boolean requestBody: content: application/json: schema: type: object properties: attributes: $ref: '#/components/schemas/Saved_objects_attributes' coreMigrationVersion: description: | The Kibana version that last migrated this document. When creating saved objects outside of Kibana, preserve this field to retain forward compatibility. type: string initialNamespaces: $ref: '#/components/schemas/Saved_objects_initial_namespaces' references: $ref: '#/components/schemas/Saved_objects_references' typeMigrationVersion: description: | The type version that last migrated this document. When creating saved objects outside of Kibana, preserve this field to retain forward compatibility. type: string required: - attributes required: true responses: '200': content: application/json: schema: type: object description: Indicates a successful call. '409': content: application/json: schema: type: object description: Indicates a conflict error. summary: Create a saved object tags: - saved objects x-metaTags: - content: Kibana name: product_name /api/saved_objects/{type}/{id}: get: deprecated: true description: | **Spaces method and path for this operation:**
get /s/{space_id}/api/saved_objects/{type}/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Retrieve a single Kibana saved object by identifier. WARNING: This API is intended to be removed in a future Elastic stack version. Consider using the export API for your use case. operationId: getSavedObject parameters: - $ref: '#/components/parameters/Saved_objects_saved_object_id' - $ref: '#/components/parameters/Saved_objects_saved_object_type' responses: '200': content: application/json: schema: type: object description: Indicates a successful call. '400': content: application/json: schema: $ref: '#/components/schemas/Saved_objects_400_response' description: Bad request. summary: Get a saved object tags: - saved objects x-metaTags: - content: Kibana name: product_name post: deprecated: true description: | **Spaces method and path for this operation:**
post /s/{space_id}/api/saved_objects/{type}/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Create a Kibana saved object and specify its identifier instead of using a randomly generated ID. WARNING: This API is intended to be removed in a future Elastic stack version. Consider using the import API for your use case. NOTE: For forward compatibility, include `coreMigrationVersion` and `typeMigrationVersion` when creating saved objects outside of Kibana or when persisting raw saved objects outside of Kibana. operationId: createSavedObjectId parameters: - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' - $ref: '#/components/parameters/Saved_objects_saved_object_id' - $ref: '#/components/parameters/Saved_objects_saved_object_type' - description: If true, overwrites the document with the same identifier. in: query name: overwrite schema: type: boolean requestBody: content: application/json: schema: type: object properties: attributes: $ref: '#/components/schemas/Saved_objects_attributes' coreMigrationVersion: description: | The Kibana version that last migrated this document. When creating saved objects outside of Kibana, preserve this field to retain forward compatibility. type: string initialNamespaces: $ref: '#/components/schemas/Saved_objects_initial_namespaces' references: $ref: '#/components/schemas/Saved_objects_references' typeMigrationVersion: description: | The type version that last migrated this document. When creating saved objects outside of Kibana, preserve this field to retain forward compatibility. type: string required: - attributes required: true responses: '200': content: application/json: schema: type: object description: Indicates a successful call. '409': content: application/json: schema: type: object description: Indicates a conflict error. summary: Create a saved object tags: - saved objects x-metaTags: - content: Kibana name: product_name put: deprecated: true description: | **Spaces method and path for this operation:**
put /s/{space_id}/api/saved_objects/{type}/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Update the attributes for Kibana saved objects. WARNING: This API is intended to be removed in a future Elastic stack version. Consider using the import API for your use case. operationId: updateSavedObject parameters: - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' - $ref: '#/components/parameters/Saved_objects_saved_object_id' - $ref: '#/components/parameters/Saved_objects_saved_object_type' requestBody: content: application/json: schema: type: object required: true responses: '200': content: application/json: schema: type: object description: Indicates a successful call. '404': content: application/json: schema: type: object description: Indicates the object was not found. '409': content: application/json: schema: type: object description: Indicates a conflict error. summary: Update a saved object tags: - saved objects x-metaTags: - content: Kibana name: product_name /api/saved_objects/resolve/{type}/{id}: get: deprecated: true description: | **Spaces method and path for this operation:**
get /s/{space_id}/api/saved_objects/resolve/{type}/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Retrieve a single Kibana saved object by identifier using any legacy URL alias if it exists. Under certain circumstances, when Kibana is upgraded, saved object migrations may necessitate regenerating some object IDs to enable new features. When an object's ID is regenerated, a legacy URL alias is created for that object, preserving its old ID. In such a scenario, that object can be retrieved using either its new ID or its old ID. WARNING: This API is intended to be removed in a future Elastic stack version. Consider using the export API for your use case. operationId: resolveSavedObject parameters: - $ref: '#/components/parameters/Saved_objects_saved_object_id' - $ref: '#/components/parameters/Saved_objects_saved_object_type' responses: '200': content: application/json: schema: type: object description: Indicates a successful call. '400': content: application/json: schema: $ref: '#/components/schemas/Saved_objects_400_response' description: Bad request. summary: Resolve a saved object tags: - saved objects x-metaTags: - content: Kibana name: product_name /api/security_ai_assistant/anonymization_fields/_bulk_action: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/security_ai_assistant/anonymization_fields/_bulk_action
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Apply a bulk action to multiple anonymization fields. The bulk action is applied to all anonymization fields that match the filter or to the list of anonymization fields by their IDs. operationId: PerformAnonymizationFieldsBulkAction requestBody: content: application/json: schema: example: create: - allowed: true anonymized: false field: host.name - allowed: false anonymized: true field: user.name delete: ids: - field5 - field6 query: 'field: host.name' update: - allowed: true anonymized: false id: field8 - allowed: false anonymized: true id: field9 type: object properties: create: description: Array of anonymization fields to create. items: $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldCreateProps' type: array delete: description: Object containing the query to filter anonymization fields and/or an array of anonymization field IDs to delete. type: object properties: ids: description: Array of IDs to apply the action to. example: - '1234' - '5678' items: type: string minItems: 1 type: array query: description: Query to filter the bulk action. example: 'status: ''inactive''' type: string update: description: Array of anonymization fields to update. items: $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldUpdateProps' type: array responses: '200': content: application/json: example: anonymization_fields_count: 5 attributes: results: created: - allowed: false anonymized: true createdAt: '2023-10-31T12:00:00Z' createdBy: user1 field: host.name id: field2 namespace: default timestamp: '2023-10-31T12:00:00Z' updatedAt: '2023-10-31T12:00:00Z' updatedBy: user1 deleted: - field3 skipped: - id: field4 name: user.name skip_reason: ANONYMIZATION_FIELD_NOT_MODIFIED updated: - allowed: true anonymized: false createdAt: '2023-10-31T12:00:00Z' createdBy: user1 field: url.domain id: field8 namespace: default timestamp: '2023-10-31T12:00:00Z' updatedAt: '2023-10-31T12:00:00Z' updatedBy: user1 summary: failed: 1 skipped: 1 succeeded: 2 total: 5 message: Bulk action completed successfully status_code: 200 success: true schema: $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResponse' description: Indicates a successful call. '400': content: application/json: example: error: Bad Request message: Invalid request body statusCode: 400 schema: type: object properties: error: description: Error type or name. type: string message: description: Detailed error message. type: string statusCode: description: Status code of the response. type: number description: Generic Error summary: Apply a bulk action to anonymization fields tags: - Security AI Assistant API x-metaTags: - content: Kibana name: product_name /api/security_ai_assistant/anonymization_fields/_find: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/security_ai_assistant/anonymization_fields/_find
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get a list of all anonymization fields. operationId: FindAnonymizationFields parameters: - description: Fields to return example: - id - field - anonymized - allowed in: query name: fields required: false schema: items: type: string type: array - description: Search query example: 'field: "user.name"' in: query name: filter required: false schema: type: string - description: Field to sort by example: created_at in: query name: sort_field required: false schema: $ref: '#/components/schemas/Security_AI_Assistant_API_FindAnonymizationFieldsSortField' - description: Sort order example: asc in: query name: sort_order required: false schema: $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' - description: Page number example: 1 in: query name: page required: false schema: default: 1 minimum: 1 type: integer - description: AnonymizationFields per page example: 20 in: query name: per_page required: false schema: default: 20 minimum: 0 type: integer - description: If true, additionally fetch all anonymization fields, otherwise fetch only the provided page in: query name: all_data required: false schema: type: boolean responses: '200': content: application/json: example: aggregations: anonymized: buckets: allowed: doc_count: 1 anonymized: doc_count: 1 denied: doc_count: 1 all: - allowed: true anonymized: true createdAt: '2023-10-31T12:00:00Z' createdBy: user1 field: user.name id: '1' namespace: default timestamp: '2023-10-31T12:00:00Z' updatedAt: '2023-10-31T12:00:00Z' updatedBy: user1 data: - allowed: true anonymized: true createdAt: '2023-10-31T12:00:00Z' createdBy: user1 field: user.name id: '1' namespace: default timestamp: '2023-10-31T12:00:00Z' updatedAt: '2023-10-31T12:00:00Z' updatedBy: user1 page: 1 perPage: 20 total: 100 schema: type: object properties: aggregations: type: object properties: field_status: type: object properties: buckets: type: object properties: allowed: type: object properties: doc_count: default: 0 type: integer anonymized: type: object properties: doc_count: default: 0 type: integer denied: type: object properties: doc_count: default: 0 type: integer all: items: $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse' type: array data: items: $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse' type: array page: type: integer perPage: type: integer total: type: integer required: - page - perPage - total - data description: Successful response '400': content: application/json: example: error: Bad Request message: Invalid request parameters statusCode: 400 schema: type: object properties: error: type: string message: type: string statusCode: type: number description: Generic Error summary: Get anonymization fields tags: - Security AI Assistant API x-metaTags: - content: Kibana name: product_name /api/security_ai_assistant/chat/complete: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/security_ai_assistant/chat/complete
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Create a model response for the given chat conversation. operationId: ChatComplete parameters: - description: If true, the response will not include content references. example: false in: query name: content_references_disabled required: false schema: default: false type: boolean requestBody: content: application/json: example: connectorId: conn-001 conversationId: abc123 isStream: true langSmithApiKey: sk-abc123 langSmithProject: security_ai_project messages: - content: What are some common phishing techniques? data: user_id: user_789 fields_to_anonymize: - user.name - source.ip role: user model: gpt-4 persist: true promptId: prompt_456 responseLanguage: en schema: $ref: '#/components/schemas/Security_AI_Assistant_API_ChatCompleteProps' required: true responses: '200': content: application/octet-stream: schema: format: binary type: string description: Indicates a successful model response call. '400': content: application/json: schema: type: object properties: error: description: Error type. example: Bad Request type: string message: description: Human-readable error message. example: Invalid request payload. type: string statusCode: description: HTTP status code. example: 400 type: number description: Generic Error summary: Create a model response tags: - Security AI Assistant API x-metaTags: - content: Kibana name: product_name /api/security_ai_assistant/current_user/conversations: delete: description: |- **Spaces method and path for this operation:**
delete /s/{space_id}/api/security_ai_assistant/current_user/conversations
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. This endpoint allows users to permanently delete all conversations. operationId: DeleteAllConversations requestBody: content: application/json: schema: type: object properties: excludedIds: description: Optional list of conversation IDs to delete. example: - abc123 - def456 items: type: string type: array required: false responses: '200': content: application/json: example: success: true schema: type: object properties: failures: items: type: string type: array success: example: true type: boolean totalDeleted: example: 10 type: number description: Indicates a successful call. The conversations were deleted successfully. '400': content: application/json: schema: type: object properties: error: example: Bad Request type: string message: example: Invalid conversation ID type: string statusCode: example: 400 type: number description: Generic Error. This response indicates an issue with the request. summary: Delete conversations tags: - Security AI Assistant API x-metaTags: - content: Kibana name: product_name post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/security_ai_assistant/current_user/conversations
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Create a new Security AI Assistant conversation. This endpoint allows the user to initiate a conversation with the Security AI Assistant by providing the required parameters. operationId: CreateConversation requestBody: content: application/json: example: apiConfig: actionTypeId: '67890' connectorId: '12345' category: assistant excludeFromLastConversationStorage: false messages: - content: Hello, how can I assist you today? role: system timestamp: '2023-10-31T12:00:00Z' replacements: {} title: Security Discussion schema: $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationCreateProps' required: true responses: '200': content: application/json: example: apiConfig: actionTypeId: '67890' connectorId: '12345' category: assistant createdAt: '2023-10-31T12:01:00Z' excludeFromLastConversationStorage: false id: abc123 messages: - content: Hello, how can I assist you today? role: system timestamp: '2023-10-31T12:00:00Z' replacements: {} title: Security Discussion updatedAt: '2023-10-31T12:01:00Z' users: - id: user1 name: John Doe schema: $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationResponse' description: Indicates a successful call. The conversation was created successfully. '400': content: application/json: schema: type: object properties: error: example: Bad Request type: string message: example: 'Missing required parameter: title' type: string statusCode: example: 400 type: number description: Generic Error. This response indicates an issue with the request, such as missing required parameters or incorrect data. summary: Create a conversation tags: - Security AI Assistant API x-metaTags: - content: Kibana name: product_name /api/security_ai_assistant/current_user/conversations/_find: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/security_ai_assistant/current_user/conversations/_find
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get a list of all conversations for the current user. This endpoint allows users to search, filter, sort, and paginate through their conversations. operationId: FindConversations parameters: - description: A list of fields to include in the response. If omitted, all fields are returned. in: query name: fields required: false schema: example: - id - title - createdAt items: type: string type: array - description: A search query to filter the conversations. Can match against titles, messages, or other conversation attributes. in: query name: filter required: false schema: example: Security Issue type: string - description: The field by which to sort the results. Valid fields are `created_at`, `title`, and `updated_at`. in: query name: sort_field required: false schema: $ref: '#/components/schemas/Security_AI_Assistant_API_FindConversationsSortField' example: created_at - description: The order in which to sort the results. Can be either `asc` for ascending or `desc` for descending. in: query name: sort_order required: false schema: $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' example: desc - description: The page number of the results to retrieve. Default is 1. in: query name: page required: false schema: default: 1 example: 1 minimum: 1 type: integer - description: The number of conversations to return per page. Default is 20. in: query name: per_page required: false schema: default: 20 example: 20 minimum: 0 type: integer - description: Whether to return conversations that the current user owns. If true, only conversations owned by the user are returned. in: query name: is_owner required: false schema: default: false example: true type: boolean responses: '200': content: application/json: schema: type: object properties: data: description: A list of conversations. items: $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationResponse' type: array page: description: The current page of the results. example: 1 type: integer perPage: description: The number of results returned per page. example: 20 type: integer total: description: The total number of conversations matching the filter criteria. example: 100 type: integer required: - page - perPage - total - data description: Successful response, returns a paginated list of conversations matching the specified criteria. '400': content: application/json: schema: type: object properties: error: example: Bad Request type: string message: example: Invalid filter query parameter type: string statusCode: example: 400 type: number description: Generic Error. The request could not be processed due to an invalid query parameter or other issue. summary: Get conversations tags: - Security AI Assistant API x-metaTags: - content: Kibana name: product_name /api/security_ai_assistant/current_user/conversations/{id}: delete: description: |- **Spaces method and path for this operation:**
delete /s/{space_id}/api/security_ai_assistant/current_user/conversations/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Delete an existing conversation using the conversation ID. This endpoint allows users to permanently delete a conversation. operationId: DeleteConversation parameters: - description: The conversation's `id` value. example: abc123 in: path name: id required: true schema: $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' responses: '200': content: application/json: example: apiConfig: actionTypeId: '67890' connectorId: '12345' category: assistant createdAt: '2023-10-31T12:01:00Z' excludeFromLastConversationStorage: false id: abc123 messages: - content: The conversation has been deleted. role: system timestamp: '2023-10-31T12:35:00Z' replacements: {} title: Deleted Security Discussion updatedAt: '2023-10-31T12:01:00Z' users: - id: user1 name: John Doe schema: $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationResponse' description: Indicates a successful call. The conversation was deleted successfully. '400': content: application/json: schema: type: object properties: error: example: Bad Request type: string message: example: Invalid conversation ID type: string statusCode: example: 400 type: number description: Generic Error. This response indicates an issue with the request. summary: Delete a conversation tags: - Security AI Assistant API x-metaTags: - content: Kibana name: product_name get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/security_ai_assistant/current_user/conversations/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get the details of an existing conversation using the conversation ID. This allows users to fetch the specific conversation data by its unique ID. operationId: ReadConversation parameters: - description: The conversation's `id` value, a unique identifier for the conversation. example: abc123 in: path name: id required: true schema: $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' responses: '200': content: application/json: example: apiConfig: actionTypeId: '67890' connectorId: '12345' category: assistant createdAt: '2023-10-31T12:01:00Z' excludeFromLastConversationStorage: false id: abc123 messages: - content: Hello, how can I assist you today? role: system timestamp: '2023-10-31T12:00:00Z' replacements: {} title: Security Discussion updatedAt: '2023-10-31T12:01:00Z' users: - id: user1 name: John Doe schema: $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationResponse' description: Indicates a successful call. The conversation details are returned. '400': content: application/json: schema: type: object properties: error: example: Bad Request type: string message: example: Invalid conversation ID type: string statusCode: example: 400 type: number description: Generic Error. The request could not be processed due to an error. summary: Get a conversation tags: - Security AI Assistant API x-metaTags: - content: Kibana name: product_name put: description: |- **Spaces method and path for this operation:**
put /s/{space_id}/api/security_ai_assistant/current_user/conversations/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Update an existing conversation using the conversation ID. This endpoint allows users to modify the details of an existing conversation. operationId: UpdateConversation parameters: - description: The conversation's `id` value. example: abc123 in: path name: id required: true schema: $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' requestBody: content: application/json: example: apiConfig: actionTypeId: '09876' connectorId: '54321' category: insights excludeFromLastConversationStorage: true messages: - content: The issue was resolved. role: assistant timestamp: '2023-10-31T12:30:00Z' replacements: {} title: Updated Security Discussion schema: $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationUpdateProps' required: true responses: '200': content: application/json: example: apiConfig: actionTypeId: '09876' connectorId: '54321' category: insights createdAt: '2023-10-31T12:01:00Z' excludeFromLastConversationStorage: true id: abc123 messages: - content: The issue was resolved. role: assistant timestamp: '2023-10-31T12:30:00Z' replacements: {} title: Updated Security Discussion updatedAt: '2023-10-31T12:31:00Z' users: - id: user1 name: John Doe schema: $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationResponse' description: Indicates a successful call. The conversation was updated successfully. '400': content: application/json: schema: type: object properties: error: example: Bad Request type: string message: example: 'Missing required field: title' type: string statusCode: example: 400 type: number description: Generic Error. This response indicates an issue with the request, such as missing required parameters or incorrect data. summary: Update a conversation tags: - Security AI Assistant API x-metaTags: - content: Kibana name: product_name /api/security_ai_assistant/knowledge_base: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/security_ai_assistant/knowledge_base
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Read a single KB operationId: GetKnowledgeBase responses: '200': content: application/json: examples: KnowledgeBaseReadResponse200Example2: summary: A response that returns information about the knowledge base. value: defend_insights_exists: true elser_exists: false is_setup_available: true is_setup_in_progress: true product_documentation_status: installed security_labs_exists: false user_data_exists: true schema: $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseReadResponse200' description: Indicates a successful call. '400': content: application/json: schema: $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse400' description: Generic Error summary: Read a KnowledgeBase tags: - Security AI Assistant API x-metaTags: - content: Kibana name: product_name post: operationId: PostKnowledgeBase parameters: - description: ELSER modelId to use when setting up the Knowledge Base. If not provided, a default model will be used. example: elser-model-001 in: query name: modelId required: false schema: type: string - description: Indicates whether we should or should not install Security Labs docs when setting up the Knowledge Base. Defaults to `false`. example: true in: query name: ignoreSecurityLabs required: false schema: default: false type: boolean responses: '200': content: application/json: examples: KnowledgeBaseResponse200Example2: summary: A response that indicates that the request was successful. value: success: true schema: $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse' description: Indicates a successful call. '400': content: application/json: examples: KnowledgeBaseResponse400Example2: summary: A response for a request that failed due to an invalid query parameter value. value: | statusCode: 400 error: Bad Request message: "[request query]: ignoreSecurityLabs: Invalid enum value. Expected 'true' | 'false', received 'yes', ignoreSecurityLabs: Expected boolean, received string" schema: $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse400' description: Generic Error summary: Create a KnowledgeBase tags: - Security AI Assistant API x-metaTags: - content: Kibana name: product_name description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/security_ai_assistant/knowledge_base
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. /api/security_ai_assistant/knowledge_base/{resource}: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/security_ai_assistant/knowledge_base/{resource}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Read a knowledge base with a specific resource identifier. operationId: ReadKnowledgeBase parameters: - description: The KnowledgeBase `resource` value. example: kb12345 in: path name: resource required: true schema: type: string responses: '200': content: application/json: examples: KnowledgeBaseReadResponse200Example1: summary: A response that returns information about the knowledge base. value: defend_insights_exists: true elser_exists: false is_setup_available: true is_setup_in_progress: true product_documentation_status: installed security_labs_exists: false user_data_exists: true schema: $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseReadResponse200' description: Indicates a successful call. '400': content: application/json: schema: $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse400' description: Generic Error summary: Read a KnowledgeBase for a resource tags: - Security AI Assistant API x-metaTags: - content: Kibana name: product_name post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/security_ai_assistant/knowledge_base/{resource}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Create a knowledge base with a specific resource identifier. operationId: CreateKnowledgeBase parameters: - description: The KnowledgeBase `resource` value. example: kb12345 in: path name: resource required: true schema: type: string - description: ELSER modelId to use when setting up the Knowledge Base. If not provided, a default model will be used. example: elser-model-001 in: query name: modelId required: false schema: type: string - description: Indicates whether we should or should not install Security Labs docs when setting up the Knowledge Base. Defaults to `false`. example: true in: query name: ignoreSecurityLabs required: false schema: default: false type: boolean responses: '200': content: application/json: examples: KnowledgeBaseResponse200Example1: summary: A response that indicates that the request was successful. value: success: true schema: $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse' description: Indicates a successful call. '400': content: application/json: examples: KnowledgeBaseResponse400Example1: summary: A response for a request that failed due to an invalid query parameter value. value: | statusCode: 400 error: Bad Request message: "[request query]: ignoreSecurityLabs: Invalid enum value. Expected 'true' | 'false', received 'yes', ignoreSecurityLabs: Expected boolean, received string" schema: $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse400' description: Generic Error summary: Create a KnowledgeBase for a resource tags: - Security AI Assistant API x-metaTags: - content: Kibana name: product_name /api/security_ai_assistant/knowledge_base/entries: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/security_ai_assistant/knowledge_base/entries
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Create a Knowledge Base Entry operationId: CreateKnowledgeBaseEntry requestBody: content: application/json: example: content: To reset your password, go to the settings page and click 'Reset Password'. tags: - password - reset - help title: How to reset a password schema: $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryCreateProps' required: true responses: '200': content: application/json: example: content: To reset your password, go to the settings page and click 'Reset Password'. id: '12345' tags: - password - reset - help title: How to reset a password schema: $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse' description: Successful request returning Knowledge Base Entries '400': content: application/json: example: error: Invalid input message: The 'title' field is required. schema: $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema' description: A generic error occurred, such as invalid input or missing required fields. summary: Create a Knowledge Base Entry tags: - Security AI Assistant API x-metaTags: - content: Kibana name: product_name /api/security_ai_assistant/knowledge_base/entries/_bulk_action: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/security_ai_assistant/knowledge_base/entries/_bulk_action
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. The bulk action is applied to all Knowledge Base Entries that match the filter or to the list of Knowledge Base Entries by their IDs. operationId: PerformKnowledgeBaseEntryBulkAction requestBody: content: application/json: schema: type: object properties: create: description: List of Knowledge Base Entries to create. example: - content: This is the content of the new entry. title: New Entry items: $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryCreateProps' type: array delete: type: object properties: ids: description: Array of Knowledge Base Entry IDs. example: - '123' - '456' - '789' items: type: string minItems: 1 type: array query: description: Query to filter Knowledge Base Entries. example: status:active AND category:technology type: string update: description: List of Knowledge Base Entries to update. example: - content: Updated content. id: '123' title: Updated Entry items: $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryUpdateProps' type: array responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionResponse' description: Successful bulk operation request '400': content: application/json: schema: $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema' description: Generic Error summary: Applies a bulk action to multiple Knowledge Base Entries tags: - Security AI Assistant API x-metaTags: - content: Kibana name: product_name /api/security_ai_assistant/knowledge_base/entries/_find: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/security_ai_assistant/knowledge_base/entries/_find
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Finds Knowledge Base Entries that match the given query. operationId: FindKnowledgeBaseEntries parameters: - description: A list of fields to include in the response. If not provided, all fields will be included. in: query name: fields required: false schema: example: - title - created_at items: type: string type: array - description: Search query to filter Knowledge Base Entries by specific criteria. in: query name: filter required: false schema: example: error handling type: string - description: Field to sort the Knowledge Base Entries by. in: query name: sort_field required: false schema: $ref: '#/components/schemas/Security_AI_Assistant_API_FindKnowledgeBaseEntriesSortField' example: created_at - description: Sort order for the results, either asc or desc. in: query name: sort_order required: false schema: $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' example: asc - description: Page number for paginated results. Defaults to 1. in: query name: page required: false schema: default: 1 example: 2 minimum: 1 type: integer - description: Number of Knowledge Base Entries to return per page. Defaults to 20. in: query name: per_page required: false schema: default: 20 example: 10 minimum: 0 type: integer responses: '200': content: application/json: schema: type: object properties: data: description: The list of Knowledge Base Entries for the current page. items: $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse' type: array page: description: The current page number. example: 1 type: integer perPage: description: The number of Knowledge Base Entries returned per page. example: 20 type: integer total: description: The total number of Knowledge Base Entries available. example: 100 type: integer required: - page - perPage - total - data description: Successful response containing the paginated Knowledge Base Entries. '400': content: application/json: schema: type: object properties: error: description: A short description of the error. example: Bad Request type: string message: description: A detailed message explaining the error. example: 'Invalid query parameter: sort_order' type: string statusCode: description: The HTTP status code of the error. example: 400 type: number description: Generic Error indicating an issue with the request. summary: Finds Knowledge Base Entries that match the given query. tags: - Security AI Assistant API x-metaTags: - content: Kibana name: product_name /api/security_ai_assistant/knowledge_base/entries/{id}: delete: description: |- **Spaces method and path for this operation:**
delete /s/{space_id}/api/security_ai_assistant/knowledge_base/entries/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Delete a Knowledge Base Entry by its unique `id`. operationId: DeleteKnowledgeBaseEntry parameters: - description: The unique identifier (`id`) of the Knowledge Base Entry to delete. example: '12345' in: path name: id required: true schema: $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' responses: '200': content: application/json: example: id: '12345' message: Knowledge Base Entry successfully deleted. schema: $ref: '#/components/schemas/Security_AI_Assistant_API_DeleteResponseFields' description: Successful request returning the `id` of the deleted Knowledge Base Entry. '400': content: application/json: example: error: Not Found message: No Knowledge Base Entry found with the provided `id`. schema: $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema' description: A generic error occurred, such as an invalid `id` or the entry not being found. summary: Deletes a single Knowledge Base Entry using the `id` field tags: - Security AI Assistant API x-metaTags: - content: Kibana name: product_name get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/security_ai_assistant/knowledge_base/entries/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Retrieve a Knowledge Base Entry by its unique `id`. operationId: ReadKnowledgeBaseEntry parameters: - description: The unique identifier (`id`) of the Knowledge Base Entry to retrieve. example: '12345' in: path name: id required: true schema: $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' responses: '200': content: application/json: example: content: To reset your password, go to the settings page and click 'Reset Password'. id: '12345' tags: - password - reset - help title: How to reset a password schema: $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse' description: Successful request returning the requested Knowledge Base Entry. '400': content: application/json: example: error: Not Found message: No Knowledge Base Entry found with the provided `id`. schema: $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema' description: A generic error occurred, such as an invalid `id` or the entry not being found. summary: Read a Knowledge Base Entry tags: - Security AI Assistant API x-metaTags: - content: Kibana name: product_name put: description: |- **Spaces method and path for this operation:**
put /s/{space_id}/api/security_ai_assistant/knowledge_base/entries/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Update an existing Knowledge Base Entry by its unique `id`. operationId: UpdateKnowledgeBaseEntry parameters: - description: The unique identifier (`id`) of the Knowledge Base Entry to update. example: '12345' in: path name: id required: true schema: $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' requestBody: content: application/json: example: content: To reset your password, go to the settings page, click 'Reset Password', and follow the instructions. tags: - password - reset - help - update title: How to reset a password (updated) schema: $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryUpdateRouteProps' required: true responses: '200': content: application/json: example: content: To reset your password, go to the settings page, click 'Reset Password', and follow the instructions. id: '12345' tags: - password - reset - help - update title: How to reset a password (updated) schema: $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse' description: Successful request returning the updated Knowledge Base Entry. '400': content: application/json: example: error: Invalid input message: The 'content' field cannot be empty. schema: $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema' description: A generic error occurred, such as invalid input or the entry not being found. summary: Update a Knowledge Base Entry tags: - Security AI Assistant API x-metaTags: - content: Kibana name: product_name /api/security_ai_assistant/prompts/_bulk_action: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/security_ai_assistant/prompts/_bulk_action
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Apply a bulk action to multiple prompts. The bulk action is applied to all prompts that match the filter or to the list of prompts by their IDs. This action allows for bulk create, update, or delete operations. operationId: PerformPromptsBulkAction requestBody: content: application/json: example: create: - content: Please verify the security settings. name: New Security Prompt promptType: system delete: ids: - prompt1 - prompt2 update: - content: Updated content for security prompt. id: prompt123 schema: type: object properties: create: description: List of prompts to be created. items: $ref: '#/components/schemas/Security_AI_Assistant_API_PromptCreateProps' type: array delete: description: Criteria for deleting prompts in bulk. type: object properties: ids: description: Array of IDs to apply the action to. example: - '1234' - '5678' items: type: string minItems: 1 type: array query: description: Query to filter the bulk action. example: 'status: ''inactive''' type: string update: description: List of prompts to be updated. items: $ref: '#/components/schemas/Security_AI_Assistant_API_PromptUpdateProps' type: array responses: '200': content: application/json: examples: success: value: attributes: errors: [] results: created: - content: Please verify the security settings. id: prompt6 name: New Security Prompt promptType: system deleted: - prompt2 - prompt3 skipped: - id: prompt4 name: Security Prompt skip_reason: PROMPT_FIELD_NOT_MODIFIED updated: - content: Updated security settings prompt id: prompt1 name: Security Prompt promptType: system summary: failed: 0 skipped: 1 succeeded: 4 total: 5 message: Bulk action completed successfully. prompts_count: 5 status_code: 200 success: true schema: $ref: '#/components/schemas/Security_AI_Assistant_API_PromptsBulkCrudActionResponse' description: Indicates a successful call with the results of the bulk action. '400': content: application/json: schema: type: object properties: error: description: A short error message. example: Bad Request type: string message: description: A detailed error message. example: Invalid prompt ID or missing required fields. type: string statusCode: description: The HTTP status code for the error. example: 400 type: number description: Indicates a generic error due to a bad request. summary: Apply a bulk action to prompts tags: - Security AI Assistant API x-metaTags: - content: Kibana name: product_name /api/security_ai_assistant/prompts/_find: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/security_ai_assistant/prompts/_find
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get a list of all prompts based on optional filters, sorting, and pagination. operationId: FindPrompts parameters: - description: List of specific fields to include in each returned prompt. in: query name: fields required: false schema: example: - id - name - content items: type: string type: array - description: Search query string to filter prompts by matching fields. in: query name: filter required: false schema: example: error handling type: string - description: Field to sort prompts by. in: query name: sort_field required: false schema: $ref: '#/components/schemas/Security_AI_Assistant_API_FindPromptsSortField' - description: Sort order, either asc or desc. in: query name: sort_order required: false schema: $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' - description: Page number for pagination. in: query name: page required: false schema: default: 1 example: 1 minimum: 1 type: integer - description: Number of prompts per page. in: query name: per_page required: false schema: default: 20 example: 20 minimum: 0 type: integer responses: '200': content: application/json: schema: example: data: - categories: - troubleshooting - logging color: '#FF5733' consumer: security content: If you encounter an error, check the logs and retry. createdAt: '2025-04-20T21:00:00Z' createdBy: jdoe id: prompt-123 isDefault: true isNewConversationDefault: false name: Error Troubleshooting Prompt namespace: default promptType: standard timestamp: '2025-04-30T22:30:00Z' updatedAt: '2025-04-30T22:45:00Z' updatedBy: jdoe users: - full_name: John Doe username: jdoe page: 1 perPage: 20 total: 142 type: object properties: data: description: The list of prompts returned based on the search query, sorting, and pagination. items: $ref: '#/components/schemas/Security_AI_Assistant_API_PromptResponse' type: array page: description: Current page number. example: 1 type: integer perPage: description: Number of prompts per page. example: 20 type: integer total: description: Total number of prompts matching the query. example: 142 type: integer required: - page - perPage - total - data description: Successful response containing a list of prompts. '400': content: application/json: schema: type: object properties: error: description: Short error message. example: Bad Request type: string message: description: Detailed description of the error. example: Invalid sort order value provided. type: string statusCode: description: HTTP status code for the error. example: 400 type: number description: Bad request due to invalid parameters or malformed query. summary: Get prompts tags: - Security AI Assistant API x-metaTags: - content: Kibana name: product_name /api/security/entity_store: put: description: |- **Spaces method and path for this operation:**
put /s/{space_id}/api/security/entity_store
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Update the Entity Store log extraction configuration.

[Required authorization] Route required privileges: securitySolution. operationId: put-security-entity-store parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: examples: updateLogExtractionExample: description: Update the log extraction configuration with a new lookback period and frequency. summary: Update log extraction settings value: logExtraction: fieldHistoryLength: 15 frequency: 10m lookbackPeriod: 6h schema: additionalProperties: false type: object properties: logExtraction: additionalProperties: false type: object properties: additionalIndexPatterns: items: type: string type: array delay: pattern: '[smdh]$' type: string docsLimit: maximum: 9007199254740991 minimum: 1 type: integer excludedIndexPatterns: items: type: string type: array fieldHistoryLength: maximum: 9007199254740991 minimum: -9007199254740991 type: integer filter: type: string frequency: pattern: '[smdh]$' type: string lookbackPeriod: pattern: '[smdh]$' type: string maxLogsPerPage: maximum: 9007199254740991 minimum: 1 type: integer maxLogsPerWindow: maximum: 9007199254740991 minimum: 0 type: integer maxLogsPerWindowCapBehavior: enum: - defer - drop type: string maxTimeWindowSize: pattern: '[smdh]$' type: string required: - logExtraction responses: '200': content: application/json: examples: updateSuccessExample: description: The Entity Store configuration was successfully updated. summary: Entity Store updated value: ok: true description: Indicates a successful response. '400': content: application/json: examples: invalidDurationExample: description: A log extraction parameter has an invalid duration format. summary: Invalid duration parameter value: error: Bad Request message: '[request body]: logExtraction.frequency: must be a valid duration of at least 30 seconds (e.g. 1m, 30s)' statusCode: 400 description: Bad request. '404': content: application/json: examples: notFoundExample: description: The Entity Store has not been installed yet. summary: Entity Store not installed value: error: Not Found message: Entity store is not installed statusCode: 404 description: Entity Store not found. summary: Update the Entity Store tags: - Security entity store x-codeSamples: - lang: curl source: | curl -X PUT -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ -H "Content-Type: application/json" \ -d '{"logExtraction":{"lookbackPeriod":"6h","frequency":"10m","fieldHistoryLength":15}}' \ "${KIBANA_URL}/api/security/entity_store" - lang: Console source: | PUT kbn://api/security/entity_store { "logExtraction": { "lookbackPeriod": "6h", "frequency": "10m", "fieldHistoryLength": 15 } } x-metaTags: - content: Kibana name: product_name /api/security/entity_store/entities: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/security/entity_store/entities
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. List entity records from the Entity Store with paging, sorting, and filtering. Supports two modes: page-based pagination (page/per_page) and cursor-based pagination (searchAfter). The two modes cannot be combined.

[Required authorization] Route required privileges: securitySolution. operationId: get-security-entity-store-entities parameters: - description: A Kibana Query Language (KQL) filter for the search-after mode. in: query name: filter required: false schema: type: string - description: Number of entities to return in search-after mode. in: query name: size required: false schema: maximum: 9007199254740991 minimum: 1 type: integer - description: JSON-encoded search_after value for cursor-based pagination. in: query name: searchAfter required: false schema: type: string - description: Fields to include in the response source. in: query name: source required: false schema: items: type: string type: array - description: Fields to include in the response. in: query name: fields required: false schema: items: type: string type: array - description: Field to sort results by in page mode. in: query name: sort_field required: false schema: type: string - description: Sort order in page mode. in: query name: sort_order required: false schema: enum: - asc - desc type: string - description: Page number to return (1-indexed) in page mode. in: query name: page required: false schema: maximum: 9007199254740991 minimum: 1 type: integer - description: Number of entities per page in page mode. in: query name: per_page required: false schema: maximum: 10000 minimum: 1 type: integer - description: An Elasticsearch query string to filter entities in page mode. in: query name: filterQuery required: false schema: type: string - description: Entity types to include in the results. in: query name: entity_types required: false schema: items: enum: - user - host - service - generic type: string type: array responses: '200': content: application/json: examples: emptyResultExample: description: No entities matched the query. summary: Empty result value: page: 1 per_page: 10 records: [] total: 0 pageModeExample: description: A paginated list of host entities sorted by timestamp in descending order, including query inspection data. summary: Page mode response with host entities value: inspect: dsl: - '{"index":["entities-latest-default"],"body":{"terms":{"entity.EngineMetadata.Type":["host"]}}}' response: - '{"took":1,"timed_out":false,"hits":{"total":{"value":1,"relation":"eq"}}}' page: 1 per_page: 10 records: - '@timestamp': '2026-04-10T08:30:00.000Z' asset: criticality: high_impact environment: production entity: attributes: asset: true managed: true id: host:web-server-prod-01 lifecycle: first_seen: '2026-01-15T10:00:00.000Z' last_activity: '2026-04-10T08:30:00.000Z' name: web-server-prod-01 risk: calculated_level: Moderate calculated_score: 47.5 calculated_score_norm: 47.5 source: - logs type: host host: hostname: - web-server-prod-01.example.com ip: - 10.0.1.42 name: web-server-prod-01 os: name: Ubuntu type: linux total: 1 searchAfterModeExample: description: A cursor-based response with entities and a search_after token for the next page. summary: Search-after mode response value: entities: - '@timestamp': '2026-04-10T08:30:00.000Z' entity: id: user:jane.doe@example.com name: jane.doe type: user user: email: - jane.doe@example.com name: jane.doe nextSearchAfter: - 1712736600000 - 1 description: Indicates a successful response. '400': content: application/json: examples: invalidFilterExample: description: The provided Kibana Query Language filter could not be parsed. summary: Invalid filter value: error: Bad Request message: |- Invalid filter: Expected "(", "{", value, whitespace but ":" found. invalid :: query ---------^ statusCode: 400 mixedModesExample: description: Cannot combine page-based pagination with cursor-based pagination in the same request. summary: Mixed pagination modes value: error: Bad Request message: '[request query]: Cannot combine page/per_page with searchAfter' statusCode: 400 description: Bad request. summary: List entities tags: - Security entity store x-codeSamples: - lang: curl source: | curl -X GET -H "Authorization: ApiKey ${API_KEY}" \ "${KIBANA_URL}/api/security/entity_store/entities?entity_types=host&page=1&per_page=10&sort_field=%40timestamp&sort_order=desc" - lang: Console source: | GET kbn://api/security/entity_store/entities?entity_types=host&page=1&per_page=10&sort_field=@timestamp&sort_order=desc x-metaTags: - content: Kibana name: product_name /api/security/entity_store/entities/: delete: description: |- **Spaces method and path for this operation:**
delete /s/{space_id}/api/security/entity_store/entities/
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Delete a single entity record from the Entity Store. The entity is immediately removed from the latest index.

[Required authorization] Route required privileges: securitySolution. operationId: delete-security-entity-store-entities parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: examples: deleteEntityExample: description: Delete a single entity from the Entity Store using its entity identifier. summary: Delete an entity by identifier value: entityId: host:web-server-prod-01 schema: additionalProperties: false type: object properties: entityId: description: The identifier of the entity to delete. type: string required: - entityId responses: '200': content: application/json: examples: deleteSuccessExample: description: The entity was found and successfully removed from the latest index. summary: Entity deleted value: deleted: true description: Indicates the entity was successfully deleted. '404': content: application/json: examples: notFoundExample: description: No entity with the specified identifier exists in the Entity Store. summary: Entity not found value: error: Not Found message: Entity ID 'host:web-server-prod-01' not found statusCode: 404 description: Entity not found. summary: Delete an entity tags: - Security entity store x-codeSamples: - lang: curl source: | curl -X DELETE -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ -H "Content-Type: application/json" \ -d '{"entityId":"host:web-server-prod-01"}' \ "${KIBANA_URL}/api/security/entity_store/entities/" - lang: Console source: | DELETE kbn://api/security/entity_store/entities/ { "entityId": "host:web-server-prod-01" } x-metaTags: - content: Kibana name: product_name /api/security/entity_store/entities/{entityType}: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/security/entity_store/entities/{entityType}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Create a new entity record in the Entity Store for the specified entity type.

[Required authorization] Route required privileges: securitySolution. operationId: post-security-entity-store-entities-entitytype parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The entity type to create. in: path name: entityType required: true schema: enum: - user - host - service - generic type: string requestBody: content: application/json: examples: createHostEntityExample: description: Create a new host entity record with basic host and entity fields. The entity identifier must match the auto-generated format for the entity type. summary: Create a host entity value: asset: business_unit: Engineering criticality: high_impact environment: production entity: attributes: asset: true managed: true id: host:web-server-prod-01 name: web-server-prod-01 source: - manual type: host host: hostname: - web-server-prod-01.example.com ip: - 10.0.1.42 name: web-server-prod-01 schema: anyOf: - additionalProperties: false type: object properties: '@timestamp': format: date-time pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ type: string asset: additionalProperties: false type: object properties: business_unit: type: string criticality: anyOf: - enum: - low_impact - medium_impact - high_impact - extreme_impact type: string - nullable: true environment: type: string id: type: string model: type: string name: type: string owner: type: string serial_number: type: string vendor: type: string entity: additionalProperties: false type: object properties: attributes: additionalProperties: false type: object properties: asset: type: boolean known_redirects: items: type: string type: array managed: type: boolean mfa_enabled: type: boolean oauth_consent_restriction: type: string permissions: items: type: string type: array storage_class: type: string watchlists: items: type: string type: array behaviors: additionalProperties: false type: object properties: anomaly_job_ids: items: type: string type: array rule_names: items: type: string type: array EngineMetadata: additionalProperties: false type: object properties: Type: type: string id: type: string lifecycle: additionalProperties: false type: object properties: first_seen: format: date-time pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ type: string last_activity: format: date-time pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ type: string last_seen: format: date-time pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ type: string name: type: string relationships: additionalProperties: false type: object properties: accesses_frequently: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array accesses_infrequently: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array administers: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array communicates_with: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array depends_on: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array owns: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array owns_inferred: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array resolution: additionalProperties: false type: object properties: resolved_to: type: string risk: additionalProperties: false type: object properties: calculated_level: enum: - Unknown - Low - Moderate - High - Critical type: string calculated_score: type: number calculated_score_norm: maximum: 100 minimum: 0 type: number supervises: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array risk: additionalProperties: false type: object properties: calculated_level: enum: - Unknown - Low - Moderate - High - Critical type: string calculated_score: type: number calculated_score_norm: maximum: 100 minimum: 0 type: number schema_version: type: string source: items: type: string type: array sub_type: type: string type: type: string url: type: string event: additionalProperties: false type: object properties: ingested: format: date-time pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ type: string labels: additionalProperties: {} type: object properties: {} tags: items: type: string type: array user: additionalProperties: false type: object properties: domain: items: type: string type: array email: items: type: string type: array full_name: items: type: string type: array hash: items: type: string type: array id: items: type: string type: array name: type: string risk: additionalProperties: false type: object properties: calculated_level: enum: - Unknown - Low - Moderate - High - Critical type: string calculated_score: type: number calculated_score_norm: maximum: 100 minimum: 0 type: number roles: items: type: string type: array - additionalProperties: false type: object properties: '@timestamp': format: date-time pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ type: string asset: additionalProperties: false type: object properties: business_unit: type: string criticality: anyOf: - enum: - low_impact - medium_impact - high_impact - extreme_impact type: string - nullable: true environment: type: string id: type: string model: type: string name: type: string owner: type: string serial_number: type: string vendor: type: string entity: additionalProperties: false type: object properties: attributes: additionalProperties: false type: object properties: asset: type: boolean known_redirects: items: type: string type: array managed: type: boolean mfa_enabled: type: boolean oauth_consent_restriction: type: string permissions: items: type: string type: array storage_class: type: string watchlists: items: type: string type: array behaviors: additionalProperties: false type: object properties: anomaly_job_ids: items: type: string type: array rule_names: items: type: string type: array EngineMetadata: additionalProperties: false type: object properties: Type: type: string id: type: string lifecycle: additionalProperties: false type: object properties: first_seen: format: date-time pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ type: string last_activity: format: date-time pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ type: string last_seen: format: date-time pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ type: string name: type: string relationships: additionalProperties: false type: object properties: accesses_frequently: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array accesses_infrequently: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array administers: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array communicates_with: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array depends_on: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array owns: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array owns_inferred: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array resolution: additionalProperties: false type: object properties: resolved_to: type: string risk: additionalProperties: false type: object properties: calculated_level: enum: - Unknown - Low - Moderate - High - Critical type: string calculated_score: type: number calculated_score_norm: maximum: 100 minimum: 0 type: number supervises: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array risk: additionalProperties: false type: object properties: calculated_level: enum: - Unknown - Low - Moderate - High - Critical type: string calculated_score: type: number calculated_score_norm: maximum: 100 minimum: 0 type: number schema_version: type: string source: items: type: string type: array sub_type: type: string type: type: string url: type: string event: additionalProperties: false type: object properties: ingested: format: date-time pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ type: string host: additionalProperties: false type: object properties: architecture: items: type: string type: array domain: items: type: string type: array hostname: items: type: string type: array id: items: type: string type: array ip: items: type: string type: array mac: items: type: string type: array name: type: string os: additionalProperties: false type: object properties: family: type: string full: type: string kernel: type: string name: anyOf: - type: string - items: type: string type: array platform: type: string type: anyOf: - type: string - items: type: string type: array version: type: string risk: additionalProperties: false type: object properties: calculated_level: enum: - Unknown - Low - Moderate - High - Critical type: string calculated_score: type: number calculated_score_norm: maximum: 100 minimum: 0 type: number type: items: type: string type: array labels: additionalProperties: {} type: object properties: {} tags: items: type: string type: array - additionalProperties: false type: object properties: '@timestamp': format: date-time pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ type: string asset: additionalProperties: false type: object properties: business_unit: type: string criticality: anyOf: - enum: - low_impact - medium_impact - high_impact - extreme_impact type: string - nullable: true environment: type: string id: type: string model: type: string name: type: string owner: type: string serial_number: type: string vendor: type: string entity: additionalProperties: false type: object properties: attributes: additionalProperties: false type: object properties: asset: type: boolean known_redirects: items: type: string type: array managed: type: boolean mfa_enabled: type: boolean oauth_consent_restriction: type: string permissions: items: type: string type: array storage_class: type: string watchlists: items: type: string type: array behaviors: additionalProperties: false type: object properties: anomaly_job_ids: items: type: string type: array rule_names: items: type: string type: array EngineMetadata: additionalProperties: false type: object properties: Type: type: string id: type: string lifecycle: additionalProperties: false type: object properties: first_seen: format: date-time pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ type: string last_activity: format: date-time pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ type: string last_seen: format: date-time pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ type: string name: type: string relationships: additionalProperties: false type: object properties: accesses_frequently: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array accesses_infrequently: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array administers: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array communicates_with: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array depends_on: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array owns: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array owns_inferred: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array resolution: additionalProperties: false type: object properties: resolved_to: type: string risk: additionalProperties: false type: object properties: calculated_level: enum: - Unknown - Low - Moderate - High - Critical type: string calculated_score: type: number calculated_score_norm: maximum: 100 minimum: 0 type: number supervises: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array risk: additionalProperties: false type: object properties: calculated_level: enum: - Unknown - Low - Moderate - High - Critical type: string calculated_score: type: number calculated_score_norm: maximum: 100 minimum: 0 type: number schema_version: type: string source: items: type: string type: array sub_type: type: string type: type: string url: type: string event: additionalProperties: false type: object properties: ingested: format: date-time pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ type: string labels: additionalProperties: {} type: object properties: {} service: additionalProperties: false type: object properties: address: type: string environment: type: string ephemeral_id: type: string id: type: string name: type: string node: additionalProperties: false type: object properties: name: type: string role: type: string roles: items: type: string type: array risk: additionalProperties: false type: object properties: calculated_level: enum: - Unknown - Low - Moderate - High - Critical type: string calculated_score: type: number calculated_score_norm: maximum: 100 minimum: 0 type: number state: type: string type: type: string version: type: string tags: items: type: string type: array - additionalProperties: false type: object properties: '@timestamp': format: date-time pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ type: string asset: additionalProperties: false type: object properties: business_unit: type: string criticality: anyOf: - enum: - low_impact - medium_impact - high_impact - extreme_impact type: string - nullable: true environment: type: string id: type: string model: type: string name: type: string owner: type: string serial_number: type: string vendor: type: string cloud: additionalProperties: false type: object properties: account: additionalProperties: false type: object properties: id: type: string name: type: string availability_zone: type: string instance: additionalProperties: false type: object properties: id: type: string name: type: string machine: additionalProperties: false type: object properties: type: type: string project: additionalProperties: false type: object properties: id: type: string name: type: string provider: type: string region: type: string service: additionalProperties: false type: object properties: name: type: string entity: additionalProperties: false type: object properties: attributes: additionalProperties: false type: object properties: asset: type: boolean known_redirects: items: type: string type: array managed: type: boolean mfa_enabled: type: boolean oauth_consent_restriction: type: string permissions: items: type: string type: array storage_class: type: string watchlists: items: type: string type: array behaviors: additionalProperties: false type: object properties: anomaly_job_ids: items: type: string type: array rule_names: items: type: string type: array EngineMetadata: additionalProperties: false type: object properties: Type: type: string id: type: string lifecycle: additionalProperties: false type: object properties: first_seen: format: date-time pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ type: string last_activity: format: date-time pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ type: string last_seen: format: date-time pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ type: string name: type: string relationships: additionalProperties: false type: object properties: accesses_frequently: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array accesses_infrequently: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array administers: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array communicates_with: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array depends_on: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array owns: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array owns_inferred: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array resolution: additionalProperties: false type: object properties: resolved_to: type: string risk: additionalProperties: false type: object properties: calculated_level: enum: - Unknown - Low - Moderate - High - Critical type: string calculated_score: type: number calculated_score_norm: maximum: 100 minimum: 0 type: number supervises: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array risk: additionalProperties: false type: object properties: calculated_level: enum: - Unknown - Low - Moderate - High - Critical type: string calculated_score: type: number calculated_score_norm: maximum: 100 minimum: 0 type: number schema_version: type: string source: items: type: string type: array sub_type: type: string type: type: string url: type: string event: additionalProperties: false type: object properties: ingested: format: date-time pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ type: string labels: additionalProperties: {} type: object properties: {} orchestrator: additionalProperties: false type: object properties: api_version: type: string cluster: additionalProperties: false type: object properties: id: type: string name: type: string url: type: string version: type: string namespace: type: string organization: type: string resource: additionalProperties: false type: object properties: annotation: type: string id: type: string ip: type: string label: type: string name: type: string parent: additionalProperties: false type: object properties: type: type: string type: type: string type: type: string tags: items: type: string type: array responses: '200': content: application/json: examples: createSuccessExample: description: The entity record was successfully created in the Entity Store. summary: Entity created value: ok: true description: Indicates the entity was successfully created. '400': content: application/json: examples: euidMismatchExample: description: The supplied entity identifier does not match the auto-generated identifier derived from the entity fields. summary: Entity identifier mismatch value: error: Bad Request message: 'Bad request: Supplied ID my-custom-id does not match generated EUID host:web-server-prod-01' statusCode: 400 description: Bad request. '409': content: application/json: examples: conflictExample: description: An entity with the specified identifier already exists. summary: Entity already exists value: error: Conflict message: Entity ID 'host:web-server-prod-01' already exists statusCode: 409 description: Conflict. summary: Create an entity tags: - Security entity store x-codeSamples: - lang: curl source: | curl -X POST -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ -H "Content-Type: application/json" \ -d '{"entity":{"id":"host:web-server-prod-01","name":"web-server-prod-01","type":"host","source":["manual"],"attributes":{"asset":true}},"host":{"name":"web-server-prod-01","ip":["10.0.1.42"]}}' \ "${KIBANA_URL}/api/security/entity_store/entities/host" - lang: Console source: | POST kbn://api/security/entity_store/entities/host { "entity": { "id": "host:web-server-prod-01", "name": "web-server-prod-01", "type": "host", "source": ["manual"], "attributes": { "asset": true } }, "host": { "name": "web-server-prod-01", "ip": ["10.0.1.42"] } } x-metaTags: - content: Kibana name: product_name put: description: |- **Spaces method and path for this operation:**
put /s/{space_id}/api/security/entity_store/entities/{entityType}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Update an existing entity record in the Entity Store. By default only certain fields can be updated. Set the `force` query parameter to `true` to update protected fields.

[Required authorization] Route required privileges: securitySolution. operationId: put-security-entity-store-entities-entitytype parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The entity type to update. in: path name: entityType required: true schema: enum: - user - host - service - generic type: string - description: When true, allows updating protected fields. in: query name: force required: false schema: anyOf: - enum: - 'true' - 'false' type: string - type: boolean default: false requestBody: content: application/json: examples: updateEntityAttributesExample: description: Update the attributes of an existing user entity. Fields like entity.name and entity.type are protected and require the force query parameter. summary: Update entity attributes value: entity: attributes: managed: true mfa_enabled: true id: user:jane.doe@example.com lifecycle: last_activity: '2026-04-10T14:30:00.000Z' name: jane.doe type: user user: email: - jane.doe@example.com name: jane.doe roles: - admin - analyst schema: anyOf: - additionalProperties: false type: object properties: '@timestamp': format: date-time pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ type: string asset: additionalProperties: false type: object properties: business_unit: type: string criticality: anyOf: - enum: - low_impact - medium_impact - high_impact - extreme_impact type: string - nullable: true environment: type: string id: type: string model: type: string name: type: string owner: type: string serial_number: type: string vendor: type: string entity: additionalProperties: false type: object properties: attributes: additionalProperties: false type: object properties: asset: type: boolean known_redirects: items: type: string type: array managed: type: boolean mfa_enabled: type: boolean oauth_consent_restriction: type: string permissions: items: type: string type: array storage_class: type: string watchlists: items: type: string type: array behaviors: additionalProperties: false type: object properties: anomaly_job_ids: items: type: string type: array rule_names: items: type: string type: array EngineMetadata: additionalProperties: false type: object properties: Type: type: string id: type: string lifecycle: additionalProperties: false type: object properties: first_seen: format: date-time pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ type: string last_activity: format: date-time pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ type: string last_seen: format: date-time pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ type: string name: type: string relationships: additionalProperties: false type: object properties: accesses_frequently: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array accesses_infrequently: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array administers: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array communicates_with: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array depends_on: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array owns: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array owns_inferred: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array resolution: additionalProperties: false type: object properties: resolved_to: type: string risk: additionalProperties: false type: object properties: calculated_level: enum: - Unknown - Low - Moderate - High - Critical type: string calculated_score: type: number calculated_score_norm: maximum: 100 minimum: 0 type: number supervises: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array risk: additionalProperties: false type: object properties: calculated_level: enum: - Unknown - Low - Moderate - High - Critical type: string calculated_score: type: number calculated_score_norm: maximum: 100 minimum: 0 type: number schema_version: type: string source: items: type: string type: array sub_type: type: string type: type: string url: type: string event: additionalProperties: false type: object properties: ingested: format: date-time pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ type: string labels: additionalProperties: {} type: object properties: {} tags: items: type: string type: array user: additionalProperties: false type: object properties: domain: items: type: string type: array email: items: type: string type: array full_name: items: type: string type: array hash: items: type: string type: array id: items: type: string type: array name: type: string risk: additionalProperties: false type: object properties: calculated_level: enum: - Unknown - Low - Moderate - High - Critical type: string calculated_score: type: number calculated_score_norm: maximum: 100 minimum: 0 type: number roles: items: type: string type: array - additionalProperties: false type: object properties: '@timestamp': format: date-time pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ type: string asset: additionalProperties: false type: object properties: business_unit: type: string criticality: anyOf: - enum: - low_impact - medium_impact - high_impact - extreme_impact type: string - nullable: true environment: type: string id: type: string model: type: string name: type: string owner: type: string serial_number: type: string vendor: type: string entity: additionalProperties: false type: object properties: attributes: additionalProperties: false type: object properties: asset: type: boolean known_redirects: items: type: string type: array managed: type: boolean mfa_enabled: type: boolean oauth_consent_restriction: type: string permissions: items: type: string type: array storage_class: type: string watchlists: items: type: string type: array behaviors: additionalProperties: false type: object properties: anomaly_job_ids: items: type: string type: array rule_names: items: type: string type: array EngineMetadata: additionalProperties: false type: object properties: Type: type: string id: type: string lifecycle: additionalProperties: false type: object properties: first_seen: format: date-time pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ type: string last_activity: format: date-time pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ type: string last_seen: format: date-time pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ type: string name: type: string relationships: additionalProperties: false type: object properties: accesses_frequently: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array accesses_infrequently: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array administers: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array communicates_with: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array depends_on: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array owns: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array owns_inferred: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array resolution: additionalProperties: false type: object properties: resolved_to: type: string risk: additionalProperties: false type: object properties: calculated_level: enum: - Unknown - Low - Moderate - High - Critical type: string calculated_score: type: number calculated_score_norm: maximum: 100 minimum: 0 type: number supervises: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array risk: additionalProperties: false type: object properties: calculated_level: enum: - Unknown - Low - Moderate - High - Critical type: string calculated_score: type: number calculated_score_norm: maximum: 100 minimum: 0 type: number schema_version: type: string source: items: type: string type: array sub_type: type: string type: type: string url: type: string event: additionalProperties: false type: object properties: ingested: format: date-time pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ type: string host: additionalProperties: false type: object properties: architecture: items: type: string type: array domain: items: type: string type: array hostname: items: type: string type: array id: items: type: string type: array ip: items: type: string type: array mac: items: type: string type: array name: type: string os: additionalProperties: false type: object properties: family: type: string full: type: string kernel: type: string name: anyOf: - type: string - items: type: string type: array platform: type: string type: anyOf: - type: string - items: type: string type: array version: type: string risk: additionalProperties: false type: object properties: calculated_level: enum: - Unknown - Low - Moderate - High - Critical type: string calculated_score: type: number calculated_score_norm: maximum: 100 minimum: 0 type: number type: items: type: string type: array labels: additionalProperties: {} type: object properties: {} tags: items: type: string type: array - additionalProperties: false type: object properties: '@timestamp': format: date-time pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ type: string asset: additionalProperties: false type: object properties: business_unit: type: string criticality: anyOf: - enum: - low_impact - medium_impact - high_impact - extreme_impact type: string - nullable: true environment: type: string id: type: string model: type: string name: type: string owner: type: string serial_number: type: string vendor: type: string entity: additionalProperties: false type: object properties: attributes: additionalProperties: false type: object properties: asset: type: boolean known_redirects: items: type: string type: array managed: type: boolean mfa_enabled: type: boolean oauth_consent_restriction: type: string permissions: items: type: string type: array storage_class: type: string watchlists: items: type: string type: array behaviors: additionalProperties: false type: object properties: anomaly_job_ids: items: type: string type: array rule_names: items: type: string type: array EngineMetadata: additionalProperties: false type: object properties: Type: type: string id: type: string lifecycle: additionalProperties: false type: object properties: first_seen: format: date-time pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ type: string last_activity: format: date-time pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ type: string last_seen: format: date-time pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ type: string name: type: string relationships: additionalProperties: false type: object properties: accesses_frequently: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array accesses_infrequently: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array administers: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array communicates_with: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array depends_on: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array owns: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array owns_inferred: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array resolution: additionalProperties: false type: object properties: resolved_to: type: string risk: additionalProperties: false type: object properties: calculated_level: enum: - Unknown - Low - Moderate - High - Critical type: string calculated_score: type: number calculated_score_norm: maximum: 100 minimum: 0 type: number supervises: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array risk: additionalProperties: false type: object properties: calculated_level: enum: - Unknown - Low - Moderate - High - Critical type: string calculated_score: type: number calculated_score_norm: maximum: 100 minimum: 0 type: number schema_version: type: string source: items: type: string type: array sub_type: type: string type: type: string url: type: string event: additionalProperties: false type: object properties: ingested: format: date-time pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ type: string labels: additionalProperties: {} type: object properties: {} service: additionalProperties: false type: object properties: address: type: string environment: type: string ephemeral_id: type: string id: type: string name: type: string node: additionalProperties: false type: object properties: name: type: string role: type: string roles: items: type: string type: array risk: additionalProperties: false type: object properties: calculated_level: enum: - Unknown - Low - Moderate - High - Critical type: string calculated_score: type: number calculated_score_norm: maximum: 100 minimum: 0 type: number state: type: string type: type: string version: type: string tags: items: type: string type: array - additionalProperties: false type: object properties: '@timestamp': format: date-time pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ type: string asset: additionalProperties: false type: object properties: business_unit: type: string criticality: anyOf: - enum: - low_impact - medium_impact - high_impact - extreme_impact type: string - nullable: true environment: type: string id: type: string model: type: string name: type: string owner: type: string serial_number: type: string vendor: type: string cloud: additionalProperties: false type: object properties: account: additionalProperties: false type: object properties: id: type: string name: type: string availability_zone: type: string instance: additionalProperties: false type: object properties: id: type: string name: type: string machine: additionalProperties: false type: object properties: type: type: string project: additionalProperties: false type: object properties: id: type: string name: type: string provider: type: string region: type: string service: additionalProperties: false type: object properties: name: type: string entity: additionalProperties: false type: object properties: attributes: additionalProperties: false type: object properties: asset: type: boolean known_redirects: items: type: string type: array managed: type: boolean mfa_enabled: type: boolean oauth_consent_restriction: type: string permissions: items: type: string type: array storage_class: type: string watchlists: items: type: string type: array behaviors: additionalProperties: false type: object properties: anomaly_job_ids: items: type: string type: array rule_names: items: type: string type: array EngineMetadata: additionalProperties: false type: object properties: Type: type: string id: type: string lifecycle: additionalProperties: false type: object properties: first_seen: format: date-time pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ type: string last_activity: format: date-time pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ type: string last_seen: format: date-time pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ type: string name: type: string relationships: additionalProperties: false type: object properties: accesses_frequently: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array accesses_infrequently: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array administers: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array communicates_with: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array depends_on: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array owns: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array owns_inferred: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array resolution: additionalProperties: false type: object properties: resolved_to: type: string risk: additionalProperties: false type: object properties: calculated_level: enum: - Unknown - Low - Moderate - High - Critical type: string calculated_score: type: number calculated_score_norm: maximum: 100 minimum: 0 type: number supervises: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array risk: additionalProperties: false type: object properties: calculated_level: enum: - Unknown - Low - Moderate - High - Critical type: string calculated_score: type: number calculated_score_norm: maximum: 100 minimum: 0 type: number schema_version: type: string source: items: type: string type: array sub_type: type: string type: type: string url: type: string event: additionalProperties: false type: object properties: ingested: format: date-time pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ type: string labels: additionalProperties: {} type: object properties: {} orchestrator: additionalProperties: false type: object properties: api_version: type: string cluster: additionalProperties: false type: object properties: id: type: string name: type: string url: type: string version: type: string namespace: type: string organization: type: string resource: additionalProperties: false type: object properties: annotation: type: string id: type: string ip: type: string label: type: string name: type: string parent: additionalProperties: false type: object properties: type: type: string type: type: string type: type: string tags: items: type: string type: array responses: '200': content: application/json: examples: updateSuccessExample: description: The entity record was successfully updated. summary: Entity updated value: ok: true description: Indicates the entity was successfully updated. '400': content: application/json: examples: protectedFieldsExample: description: The request attempts to update protected fields without the force query parameter. summary: Protected fields without force value: error: Bad Request message: 'Bad request: The following attributes are not allowed to be updated without forcing it (?force=true): entity.name, entity.type' statusCode: 400 description: Bad request. '404': content: application/json: examples: notFoundExample: description: No entity with the specified identifier exists. summary: Entity not found value: error: Not Found message: Entity ID 'user:jane.doe@example.com' not found statusCode: 404 description: Entity not found. summary: Update an entity tags: - Security entity store x-codeSamples: - lang: curl source: | curl -X PUT -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ -H "Content-Type: application/json" \ -d '{"entity":{"id":"user:jane.doe@example.com","name":"jane.doe","type":"user","attributes":{"managed":true,"mfa_enabled":true}},"user":{"name":"jane.doe"}}' \ "${KIBANA_URL}/api/security/entity_store/entities/user?force=true" - lang: Console source: | PUT kbn://api/security/entity_store/entities/user?force=true { "entity": { "id": "user:jane.doe@example.com", "name": "jane.doe", "type": "user", "attributes": { "managed": true, "mfa_enabled": true } }, "user": { "name": "jane.doe" } } x-metaTags: - content: Kibana name: product_name /api/security/entity_store/entities/bulk: put: description: |- **Spaces method and path for this operation:**
put /s/{space_id}/api/security/entity_store/entities/bulk
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Update multiple entity records in the Entity Store in a single request.

[Required authorization] Route required privileges: securitySolution. operationId: put-security-entity-store-entities-bulk parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: When true, allows updating protected fields. in: query name: force required: false schema: anyOf: - enum: - 'true' - 'false' type: string - type: boolean default: false requestBody: content: application/json: examples: bulkUpdateExample: description: Update a host entity and a user entity in a single request. summary: Bulk update multiple entities value: entities: - doc: entity: attributes: asset: true id: host:web-server-prod-01 name: web-server-prod-01 type: host host: name: web-server-prod-01 type: host - doc: entity: attributes: managed: true id: user:jane.doe@example.com name: jane.doe type: user user: name: jane.doe type: user schema: additionalProperties: false type: object properties: entities: description: The entities to update. items: type: object properties: doc: anyOf: - additionalProperties: false type: object properties: '@timestamp': format: date-time pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ type: string asset: additionalProperties: false type: object properties: business_unit: type: string criticality: anyOf: - enum: - low_impact - medium_impact - high_impact - extreme_impact type: string - nullable: true environment: type: string id: type: string model: type: string name: type: string owner: type: string serial_number: type: string vendor: type: string entity: additionalProperties: false type: object properties: attributes: additionalProperties: false type: object properties: asset: type: boolean known_redirects: items: type: string type: array managed: type: boolean mfa_enabled: type: boolean oauth_consent_restriction: type: string permissions: items: type: string type: array storage_class: type: string watchlists: items: type: string type: array behaviors: additionalProperties: false type: object properties: anomaly_job_ids: items: type: string type: array rule_names: items: type: string type: array EngineMetadata: additionalProperties: false type: object properties: Type: type: string id: type: string lifecycle: additionalProperties: false type: object properties: first_seen: format: date-time pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ type: string last_activity: format: date-time pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ type: string last_seen: format: date-time pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ type: string name: type: string relationships: additionalProperties: false type: object properties: accesses_frequently: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array accesses_infrequently: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array administers: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array communicates_with: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array depends_on: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array owns: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array owns_inferred: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array resolution: additionalProperties: false type: object properties: resolved_to: type: string risk: additionalProperties: false type: object properties: calculated_level: enum: - Unknown - Low - Moderate - High - Critical type: string calculated_score: type: number calculated_score_norm: maximum: 100 minimum: 0 type: number supervises: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array risk: additionalProperties: false type: object properties: calculated_level: enum: - Unknown - Low - Moderate - High - Critical type: string calculated_score: type: number calculated_score_norm: maximum: 100 minimum: 0 type: number schema_version: type: string source: items: type: string type: array sub_type: type: string type: type: string url: type: string event: additionalProperties: false type: object properties: ingested: format: date-time pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ type: string labels: additionalProperties: {} type: object properties: {} tags: items: type: string type: array user: additionalProperties: false type: object properties: domain: items: type: string type: array email: items: type: string type: array full_name: items: type: string type: array hash: items: type: string type: array id: items: type: string type: array name: type: string risk: additionalProperties: false type: object properties: calculated_level: enum: - Unknown - Low - Moderate - High - Critical type: string calculated_score: type: number calculated_score_norm: maximum: 100 minimum: 0 type: number roles: items: type: string type: array - additionalProperties: false type: object properties: '@timestamp': format: date-time pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ type: string asset: additionalProperties: false type: object properties: business_unit: type: string criticality: anyOf: - enum: - low_impact - medium_impact - high_impact - extreme_impact type: string - nullable: true environment: type: string id: type: string model: type: string name: type: string owner: type: string serial_number: type: string vendor: type: string entity: additionalProperties: false type: object properties: attributes: additionalProperties: false type: object properties: asset: type: boolean known_redirects: items: type: string type: array managed: type: boolean mfa_enabled: type: boolean oauth_consent_restriction: type: string permissions: items: type: string type: array storage_class: type: string watchlists: items: type: string type: array behaviors: additionalProperties: false type: object properties: anomaly_job_ids: items: type: string type: array rule_names: items: type: string type: array EngineMetadata: additionalProperties: false type: object properties: Type: type: string id: type: string lifecycle: additionalProperties: false type: object properties: first_seen: format: date-time pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ type: string last_activity: format: date-time pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ type: string last_seen: format: date-time pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ type: string name: type: string relationships: additionalProperties: false type: object properties: accesses_frequently: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array accesses_infrequently: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array administers: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array communicates_with: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array depends_on: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array owns: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array owns_inferred: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array resolution: additionalProperties: false type: object properties: resolved_to: type: string risk: additionalProperties: false type: object properties: calculated_level: enum: - Unknown - Low - Moderate - High - Critical type: string calculated_score: type: number calculated_score_norm: maximum: 100 minimum: 0 type: number supervises: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array risk: additionalProperties: false type: object properties: calculated_level: enum: - Unknown - Low - Moderate - High - Critical type: string calculated_score: type: number calculated_score_norm: maximum: 100 minimum: 0 type: number schema_version: type: string source: items: type: string type: array sub_type: type: string type: type: string url: type: string event: additionalProperties: false type: object properties: ingested: format: date-time pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ type: string host: additionalProperties: false type: object properties: architecture: items: type: string type: array domain: items: type: string type: array hostname: items: type: string type: array id: items: type: string type: array ip: items: type: string type: array mac: items: type: string type: array name: type: string os: additionalProperties: false type: object properties: family: type: string full: type: string kernel: type: string name: anyOf: - type: string - items: type: string type: array platform: type: string type: anyOf: - type: string - items: type: string type: array version: type: string risk: additionalProperties: false type: object properties: calculated_level: enum: - Unknown - Low - Moderate - High - Critical type: string calculated_score: type: number calculated_score_norm: maximum: 100 minimum: 0 type: number type: items: type: string type: array labels: additionalProperties: {} type: object properties: {} tags: items: type: string type: array - additionalProperties: false type: object properties: '@timestamp': format: date-time pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ type: string asset: additionalProperties: false type: object properties: business_unit: type: string criticality: anyOf: - enum: - low_impact - medium_impact - high_impact - extreme_impact type: string - nullable: true environment: type: string id: type: string model: type: string name: type: string owner: type: string serial_number: type: string vendor: type: string entity: additionalProperties: false type: object properties: attributes: additionalProperties: false type: object properties: asset: type: boolean known_redirects: items: type: string type: array managed: type: boolean mfa_enabled: type: boolean oauth_consent_restriction: type: string permissions: items: type: string type: array storage_class: type: string watchlists: items: type: string type: array behaviors: additionalProperties: false type: object properties: anomaly_job_ids: items: type: string type: array rule_names: items: type: string type: array EngineMetadata: additionalProperties: false type: object properties: Type: type: string id: type: string lifecycle: additionalProperties: false type: object properties: first_seen: format: date-time pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ type: string last_activity: format: date-time pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ type: string last_seen: format: date-time pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ type: string name: type: string relationships: additionalProperties: false type: object properties: accesses_frequently: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array accesses_infrequently: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array administers: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array communicates_with: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array depends_on: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array owns: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array owns_inferred: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array resolution: additionalProperties: false type: object properties: resolved_to: type: string risk: additionalProperties: false type: object properties: calculated_level: enum: - Unknown - Low - Moderate - High - Critical type: string calculated_score: type: number calculated_score_norm: maximum: 100 minimum: 0 type: number supervises: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array risk: additionalProperties: false type: object properties: calculated_level: enum: - Unknown - Low - Moderate - High - Critical type: string calculated_score: type: number calculated_score_norm: maximum: 100 minimum: 0 type: number schema_version: type: string source: items: type: string type: array sub_type: type: string type: type: string url: type: string event: additionalProperties: false type: object properties: ingested: format: date-time pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ type: string labels: additionalProperties: {} type: object properties: {} service: additionalProperties: false type: object properties: address: type: string environment: type: string ephemeral_id: type: string id: type: string name: type: string node: additionalProperties: false type: object properties: name: type: string role: type: string roles: items: type: string type: array risk: additionalProperties: false type: object properties: calculated_level: enum: - Unknown - Low - Moderate - High - Critical type: string calculated_score: type: number calculated_score_norm: maximum: 100 minimum: 0 type: number state: type: string type: type: string version: type: string tags: items: type: string type: array - additionalProperties: false type: object properties: '@timestamp': format: date-time pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ type: string asset: additionalProperties: false type: object properties: business_unit: type: string criticality: anyOf: - enum: - low_impact - medium_impact - high_impact - extreme_impact type: string - nullable: true environment: type: string id: type: string model: type: string name: type: string owner: type: string serial_number: type: string vendor: type: string cloud: additionalProperties: false type: object properties: account: additionalProperties: false type: object properties: id: type: string name: type: string availability_zone: type: string instance: additionalProperties: false type: object properties: id: type: string name: type: string machine: additionalProperties: false type: object properties: type: type: string project: additionalProperties: false type: object properties: id: type: string name: type: string provider: type: string region: type: string service: additionalProperties: false type: object properties: name: type: string entity: additionalProperties: false type: object properties: attributes: additionalProperties: false type: object properties: asset: type: boolean known_redirects: items: type: string type: array managed: type: boolean mfa_enabled: type: boolean oauth_consent_restriction: type: string permissions: items: type: string type: array storage_class: type: string watchlists: items: type: string type: array behaviors: additionalProperties: false type: object properties: anomaly_job_ids: items: type: string type: array rule_names: items: type: string type: array EngineMetadata: additionalProperties: false type: object properties: Type: type: string id: type: string lifecycle: additionalProperties: false type: object properties: first_seen: format: date-time pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ type: string last_activity: format: date-time pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ type: string last_seen: format: date-time pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ type: string name: type: string relationships: additionalProperties: false type: object properties: accesses_frequently: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array accesses_infrequently: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array administers: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array communicates_with: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array depends_on: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array owns: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array owns_inferred: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array resolution: additionalProperties: false type: object properties: resolved_to: type: string risk: additionalProperties: false type: object properties: calculated_level: enum: - Unknown - Low - Moderate - High - Critical type: string calculated_score: type: number calculated_score_norm: maximum: 100 minimum: 0 type: number supervises: additionalProperties: false type: object properties: ids: items: type: string type: array raw_identifiers: additionalProperties: false type: object properties: entity.id: items: type: string type: array host.id: items: type: string type: array host.name: items: type: string type: array service.name: items: type: string type: array user.email: items: type: string type: array user.id: items: type: string type: array user.name: items: type: string type: array risk: additionalProperties: false type: object properties: calculated_level: enum: - Unknown - Low - Moderate - High - Critical type: string calculated_score: type: number calculated_score_norm: maximum: 100 minimum: 0 type: number schema_version: type: string source: items: type: string type: array sub_type: type: string type: type: string url: type: string event: additionalProperties: false type: object properties: ingested: format: date-time pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ type: string labels: additionalProperties: {} type: object properties: {} orchestrator: additionalProperties: false type: object properties: api_version: type: string cluster: additionalProperties: false type: object properties: id: type: string name: type: string url: type: string version: type: string namespace: type: string organization: type: string resource: additionalProperties: false type: object properties: annotation: type: string id: type: string ip: type: string label: type: string name: type: string parent: additionalProperties: false type: object properties: type: type: string type: type: string type: type: string tags: items: type: string type: array type: description: The entity type of this record. enum: - user - host - service - generic type: string required: - type - doc type: array required: - entities responses: '200': content: application/json: examples: bulkUpdatePartialExample: description: Some entities were updated but others encountered Elasticsearch-level errors. summary: Partial success with errors value: errors: - _id: 5de9f93a68a72532e736bf5a6184b06300b9cabf reason: '[5de9f93a68a72532e736bf5a6184b06300b9cabf]: document missing' status: 404 type: document_missing_exception ok: true bulkUpdateSuccessExample: description: All entities were successfully updated with no errors. summary: All entities updated value: errors: [] ok: true description: Indicates a successful response. '400': content: application/json: examples: protectedFieldsExample: description: The request attempts to update protected fields without the force query parameter. summary: Protected fields without force value: error: Bad Request message: 'Bad request: The following attributes are not allowed to be updated without forcing it (?force=true): entity.name, entity.type' statusCode: 400 description: Bad request. summary: Bulk update entities tags: - Security entity store x-codeSamples: - lang: curl source: | curl -X PUT -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ -H "Content-Type: application/json" \ -d '{"entities":[{"type":"host","doc":{"entity":{"id":"host:web-server-prod-01","name":"web-server-prod-01","type":"host","attributes":{"asset":true}},"host":{"name":"web-server-prod-01"}}}]}' \ "${KIBANA_URL}/api/security/entity_store/entities/bulk?force=true" - lang: Console source: | PUT kbn://api/security/entity_store/entities/bulk?force=true { "entities": [ { "type": "host", "doc": { "entity": { "id": "host:web-server-prod-01", "name": "web-server-prod-01", "type": "host", "attributes": { "asset": true } }, "host": { "name": "web-server-prod-01" } } } ] } x-metaTags: - content: Kibana name: product_name /api/security/entity_store/install: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/security/entity_store/install
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Install the Entity Store, creating engines for the specified entity types and configuring log extraction.

[Required authorization] Route required privileges: securitySolution. operationId: post-security-entity-store-install parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: examples: installDefaultExample: description: Install the Entity Store for all entity types with default log extraction settings. summary: Install with default entity types value: entityTypes: - user - host - service - generic logExtraction: {} installWithCustomSettingsExample: description: Install the Entity Store for host entities only with a custom lookback period and field history length. summary: Install with custom log extraction value: entityTypes: - host logExtraction: delay: 2m fieldHistoryLength: 20 filter: 'host.os.type: linux' frequency: 5m lookbackPeriod: 12h schema: additionalProperties: false type: object properties: entityTypes: default: - user - host - service - generic items: enum: - user - host - service - generic type: string type: array historySnapshot: additionalProperties: false type: object properties: frequency: default: 24h pattern: '[smdh]$' type: string logExtraction: additionalProperties: false type: object properties: additionalIndexPatterns: default: [] items: type: string type: array delay: default: 1m pattern: '[smdh]$' type: string docsLimit: default: 10000 maximum: 9007199254740991 minimum: 1 type: integer excludedIndexPatterns: default: [] items: type: string type: array fieldHistoryLength: default: 10 maximum: 9007199254740991 minimum: -9007199254740991 type: integer filter: default: '' type: string frequency: default: 1m pattern: '[smdh]$' type: string lookbackPeriod: default: 3h pattern: '[smdh]$' type: string maxLogsPerPage: default: 50000 maximum: 9007199254740991 minimum: 1 type: integer maxLogsPerWindow: default: 100000 maximum: 9007199254740991 minimum: 0 type: integer maxLogsPerWindowCapBehavior: default: drop enum: - defer - drop type: string maxTimeWindowSize: default: 15m pattern: '[smdh]$' type: string responses: '200': content: application/json: examples: alreadyInstalledExample: description: All requested entity types were already installed. summary: Already installed value: ok: true description: Indicates all requested entity types are already installed. '201': content: application/json: examples: installSuccessExample: description: The Entity Store was installed and engines are being created. summary: Entity Store installed value: ok: true description: Indicates the Entity Store was successfully installed. '403': content: application/json: examples: forbiddenExample: description: The user does not have the required Elasticsearch privileges. summary: Insufficient privileges value: error: Forbidden message: User 'analyst' has insufficient privileges statusCode: 403 description: Insufficient privileges. summary: Install the Entity Store tags: - Security entity store x-codeSamples: - lang: curl source: | curl -X POST -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ -H "Content-Type: application/json" \ -d '{"entityTypes":["user","host","service","generic"],"logExtraction":{}}' \ "${KIBANA_URL}/api/security/entity_store/install" - lang: Console source: | POST kbn://api/security/entity_store/install { "entityTypes": ["user", "host", "service", "generic"], "logExtraction": {} } x-metaTags: - content: Kibana name: product_name /api/security/entity_store/resolution/group: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/security/entity_store/resolution/group
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get the resolution group for a given entity, returning all linked entities. Requires an enterprise license.

[Required authorization] Route required privileges: securitySolution AND securitySolution-entity-analytics. operationId: get-security-entity-store-resolution-group parameters: - description: The entity identifier to look up the resolution group for. in: query name: entity_id required: true schema: type: string responses: '200': content: application/json: examples: resolutionGroupExample: description: Returns the resolution group for an entity, including the target entity, all aliases, and the group size. summary: Resolution group with linked entities value: aliases: - '@timestamp': '2026-04-10T08:25:00.000Z' entity: id: user:jdoe@example.com name: jdoe relationships: resolution: resolved_to: user:jane.doe@example.com type: user user: name: jdoe group_size: 2 target: '@timestamp': '2026-04-10T08:30:00.000Z' entity: id: user:jane.doe@example.com name: jane.doe type: user user: email: - jane.doe@example.com name: jane.doe description: Indicates a successful response. '400': content: application/json: examples: truncatedSearchExample: description: The resolution search returned too many results and was truncated. summary: Search results truncated value: error: Bad Request message: Resolution search truncated statusCode: 400 description: Bad request. '404': content: application/json: examples: notFoundExample: description: The specified entity does not exist or has no resolution group. summary: Entity not found value: error: Not Found message: 'Entities not found: [user:nonexistent@example.com]' statusCode: 404 description: Entity not found. summary: Get resolution group tags: - Security entity store x-codeSamples: - lang: curl source: | curl -X GET -H "Authorization: ApiKey ${API_KEY}" \ "${KIBANA_URL}/api/security/entity_store/resolution/group?entity_id=user%3Ajane.doe%40example.com" - lang: Console source: | GET kbn://api/security/entity_store/resolution/group?entity_id=user:jane.doe@example.com x-metaTags: - content: Kibana name: product_name /api/security/entity_store/resolution/link: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/security/entity_store/resolution/link
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Link one or more entities to a target entity, creating a resolution group. Changes become visible on subsequent reads after the next index refresh (typically <1s). Requires an enterprise license.

[Required authorization] Route required privileges: securitySolution AND securitySolution-entity-analytics. operationId: post-security-entity-store-resolution-link parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: examples: linkEntitiesExample: description: Link two user entities to a target entity, creating a resolution group. summary: Link entities to a target value: entity_ids: - user:jdoe@example.com - user:j.doe@example.com target_id: user:jane.doe@example.com schema: additionalProperties: false type: object properties: entity_ids: description: Entity identifiers to link to the target entity. Minimum 1, maximum 1000. items: type: string maxItems: 1000 minItems: 1 type: array target_id: description: The entity identifier to resolve the linked entities to. type: string required: - target_id - entity_ids responses: '200': content: application/json: examples: linkSuccessExample: description: The entities were successfully linked to the target entity. summary: Entities linked value: linked: - user:jdoe@example.com - user:j.doe@example.com skipped: [] target_id: user:jane.doe@example.com description: Indicates a successful response. '400': content: application/json: examples: mixedTypesExample: description: All entities in a resolution group must be of the same type. summary: Mixed entity types value: error: Bad Request message: Cannot link entities of different types statusCode: 400 selfLinkExample: description: Cannot link an entity to itself. summary: Self-link error value: error: Bad Request message: Cannot link entity 'user:jane.doe@example.com' to itself. statusCode: 400 description: Bad request. '404': content: application/json: examples: notFoundExample: description: One or more of the specified entity identifiers were not found. summary: Entities not found value: error: Not Found message: 'Entities not found: [user:nonexistent@example.com, user:also-nonexistent@example.com]' statusCode: 404 description: Entities not found. summary: Link entities tags: - Security entity store x-codeSamples: - lang: curl source: | curl -X POST -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ -H "Content-Type: application/json" \ -d '{"target_id":"user:jane.doe@example.com","entity_ids":["user:jdoe@example.com"]}' \ "${KIBANA_URL}/api/security/entity_store/resolution/link" - lang: Console source: | POST kbn://api/security/entity_store/resolution/link { "target_id": "user:jane.doe@example.com", "entity_ids": ["user:jdoe@example.com"] } x-metaTags: - content: Kibana name: product_name /api/security/entity_store/resolution/unlink: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/security/entity_store/resolution/unlink
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Remove one or more entities from their resolution group. Changes become visible on subsequent reads after the next index refresh (typically <1s). Requires an enterprise license.

[Required authorization] Route required privileges: securitySolution AND securitySolution-entity-analytics. operationId: post-security-entity-store-resolution-unlink parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: examples: unlinkEntitiesExample: description: Remove entities from their resolution group, restoring them as standalone entities. summary: Unlink entities from their resolution group value: entity_ids: - user:jdoe@example.com - user:j.doe@example.com schema: additionalProperties: false type: object properties: entity_ids: description: Entity identifiers to unlink from their resolution group. Minimum 1, maximum 1000. items: type: string maxItems: 1000 minItems: 1 type: array required: - entity_ids responses: '200': content: application/json: examples: unlinkSuccessExample: description: The entities were successfully removed from their resolution group. summary: Entities unlinked value: skipped: [] unlinked: - user:jdoe@example.com - user:j.doe@example.com description: Indicates a successful response. '404': content: application/json: examples: notFoundExample: description: One or more of the specified entity identifiers were not found. summary: Entities not found value: error: Not Found message: 'Entities not found: [user:nonexistent@example.com]' statusCode: 404 description: Entities not found. summary: Unlink entities tags: - Security entity store x-codeSamples: - lang: curl source: | curl -X POST -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ -H "Content-Type: application/json" \ -d '{"entity_ids":["user:jdoe@example.com"]}' \ "${KIBANA_URL}/api/security/entity_store/resolution/unlink" - lang: Console source: | POST kbn://api/security/entity_store/resolution/unlink { "entity_ids": ["user:jdoe@example.com"] } x-metaTags: - content: Kibana name: product_name /api/security/entity_store/start: put: description: |- **Spaces method and path for this operation:**
put /s/{space_id}/api/security/entity_store/start
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Start previously stopped entity engines, resuming data processing for the specified entity types.

[Required authorization] Route required privileges: securitySolution. operationId: put-security-entity-store-start parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: examples: startAllExample: description: Start all stopped entity engines. summary: Start all entity engines value: entityTypes: - user - host - service - generic startSingleExample: description: Start only the host entity engine. summary: Start a single entity engine value: entityTypes: - host schema: additionalProperties: false type: object properties: entityTypes: default: - user - host - service - generic description: Entity types to start. Defaults to all installed types. items: enum: - user - host - service - generic type: string type: array responses: '200': content: application/json: examples: startSuccessExample: description: The specified entity engines were successfully started. summary: Engines started value: ok: true description: Indicates a successful response. summary: Start Entity Store engines tags: - Security entity store x-codeSamples: - lang: curl source: | curl -X PUT -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ -H "Content-Type: application/json" \ -d '{"entityTypes":["user","host","service","generic"]}' \ "${KIBANA_URL}/api/security/entity_store/start" - lang: Console source: | PUT kbn://api/security/entity_store/start { "entityTypes": ["user", "host", "service", "generic"] } x-metaTags: - content: Kibana name: product_name /api/security/entity_store/status: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/security/entity_store/status
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get the overall Entity Store status and per-engine statuses, optionally including component-level health details.

[Required authorization] Route required privileges: securitySolution. operationId: get-security-entity-store-status parameters: - description: If true, returns a detailed status of each engine including all its components. in: query name: include_components required: false schema: anyOf: - enum: - 'true' - 'false' type: string - type: boolean default: false responses: '200': content: application/json: examples: notInstalledExample: description: The Entity Store has not been installed. summary: Entity Store not installed value: engines: [] status: not_installed runningStatusExample: description: The Entity Store is running with two started engines using default settings. summary: Entity Store running value: engines: - delay: 1m docsPerSecond: -1 enrichPolicyExecutionInterval: null fieldHistoryLength: 10 filter: '' frequency: 30s indexPattern: '' lastExecutionTimestamp: '2026-04-10T08:30:00.000Z' lookbackPeriod: 3h maxLogsPerPage: 40000 maxLogsPerWindow: 500000 maxLogsPerWindowCapBehavior: defer maxPageSearchSize: 10000 maxTimeWindowSize: 15m status: started timeout: 25s timestampField: '@timestamp' type: host - delay: 1m docsPerSecond: -1 enrichPolicyExecutionInterval: null fieldHistoryLength: 10 filter: '' frequency: 30s indexPattern: '' lastExecutionTimestamp: '2026-04-10T08:30:00.000Z' lookbackPeriod: 3h maxLogsPerPage: 40000 maxLogsPerWindow: 500000 maxLogsPerWindowCapBehavior: defer maxPageSearchSize: 10000 maxTimeWindowSize: 15m status: started timeout: 25s timestampField: '@timestamp' type: user status: running description: Indicates a successful response. summary: Get Entity Store status tags: - Security entity store x-codeSamples: - lang: curl source: | curl -X GET -H "Authorization: ApiKey ${API_KEY}" \ "${KIBANA_URL}/api/security/entity_store/status?include_components=false" - lang: Console source: | GET kbn://api/security/entity_store/status?include_components=false x-metaTags: - content: Kibana name: product_name /api/security/entity_store/stop: put: description: |- **Spaces method and path for this operation:**
put /s/{space_id}/api/security/entity_store/stop
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Stop running entity engines, pausing data processing for the specified entity types.

[Required authorization] Route required privileges: securitySolution. operationId: put-security-entity-store-stop parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: examples: stopAllExample: description: Stop all running entity engines. summary: Stop all entity engines value: entityTypes: - user - host - service - generic schema: additionalProperties: false type: object properties: entityTypes: default: - user - host - service - generic description: Entity types to stop. Defaults to all running types. items: enum: - user - host - service - generic type: string type: array responses: '200': content: application/json: examples: stopSuccessExample: description: The specified entity engines were successfully stopped. summary: Engines stopped value: ok: true description: Indicates a successful response. summary: Stop Entity Store engines tags: - Security entity store x-codeSamples: - lang: curl source: | curl -X PUT -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ -H "Content-Type: application/json" \ -d '{"entityTypes":["user","host","service","generic"]}' \ "${KIBANA_URL}/api/security/entity_store/stop" - lang: Console source: | PUT kbn://api/security/entity_store/stop { "entityTypes": ["user", "host", "service", "generic"] } x-metaTags: - content: Kibana name: product_name /api/security/entity_store/uninstall: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/security/entity_store/uninstall
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Uninstall the Entity Store, removing engines and associated resources for the specified entity types.

[Required authorization] Route required privileges: securitySolution. operationId: post-security-entity-store-uninstall parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: examples: uninstallAllExample: description: Uninstall all entity engines from the Entity Store. summary: Uninstall all entity types value: entityTypes: - user - host - service - generic uninstallSingleExample: description: Uninstall only the host engine from the Entity Store. summary: Uninstall a single entity type value: entityTypes: - host schema: additionalProperties: false type: object properties: entityTypes: default: - user - host - service - generic description: Entity types to uninstall. Defaults to all installed types. items: enum: - user - host - service - generic type: string type: array responses: '200': content: application/json: examples: uninstallSuccessExample: description: The specified entity engines were successfully uninstalled. summary: Entity Store uninstalled value: ok: true description: Indicates a successful response. summary: Uninstall the Entity Store tags: - Security entity store x-codeSamples: - lang: curl source: | curl -X POST -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ -H "Content-Type: application/json" \ -d '{"entityTypes":["user","host","service","generic"]}' \ "${KIBANA_URL}/api/security/entity_store/uninstall" - lang: Console source: | POST kbn://api/security/entity_store/uninstall { "entityTypes": ["user", "host", "service", "generic"] } x-metaTags: - content: Kibana name: product_name /api/security/role: get: description: Retrieve all Kibana roles. operationId: get-security-role parameters: - description: If `true` and the response contains any privileges that are associated with deprecated features, they are omitted in favor of details about the appropriate replacement feature privileges. in: query name: replaceDeprecatedPrivileges required: false schema: type: boolean responses: '200': content: application/json: examples: getAllRolesResponse: value: - _unrecognized_applications: [] description: My custom Kibana role. elasticsearch: cluster: - monitor indices: - names: - logs-* privileges: - read run_as: [] kibana: - base: - read feature: {} spaces: - default metadata: {} name: my_kibana_role transient_metadata: enabled: true getRolesResponse1: $ref: '#/components/examples/get_roles_response1' schema: items: $ref: '#/components/schemas/Kibana_HTTP_APIs_security_role_response' type: array description: Indicates a successful call. summary: Get all roles tags: - roles x-metaTags: - content: Kibana name: product_name /api/security/role/_query: post: description: Query Kibana roles with optional filters, paging, and sorting. operationId: post-security-role-query parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: examples: queryRolesRequest: value: from: 0 query: kibana size: 25 sort: direction: asc field: name schema: additionalProperties: false type: object properties: filters: additionalProperties: false type: object properties: showReservedRoles: type: boolean from: type: number query: type: string size: type: number sort: additionalProperties: false type: object properties: direction: enum: - asc - desc type: string field: type: string required: - field - direction responses: '200': content: application/json: examples: queryRolesResponse: value: count: 1 roles: - _unrecognized_applications: [] description: My custom Kibana role. elasticsearch: cluster: - monitor indices: - names: - logs-* privileges: - read run_as: [] kibana: - base: - read feature: {} spaces: - default metadata: {} name: my_kibana_role transient_metadata: enabled: true total: 1 schema: $ref: '#/components/schemas/Kibana_HTTP_APIs_security_query_roles_response' description: Indicates a successful call. summary: Query roles tags: [] x-metaTags: - content: Kibana name: product_name /api/security/role/{name}: delete: description: Delete a Kibana role by its name. operationId: delete-security-role-name parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - in: path name: name required: true schema: minLength: 1 type: string responses: '204': description: Indicates a successful call. summary: Delete a role tags: - roles x-metaTags: - content: Kibana name: product_name get: description: Retrieve a Kibana role by its name. operationId: get-security-role-name parameters: - description: The role name. in: path name: name required: true schema: minLength: 1 type: string - description: If `true` and the response contains any privileges that are associated with deprecated features, they are omitted in favor of details about the appropriate replacement feature privileges. in: query name: replaceDeprecatedPrivileges required: false schema: type: boolean responses: '200': content: application/json: examples: getRoleResponse: value: _unrecognized_applications: [] description: My custom Kibana role. elasticsearch: cluster: - monitor indices: - names: - logs-* privileges: - read run_as: [] kibana: - base: - read feature: {} spaces: - default metadata: {} name: my_kibana_role transient_metadata: enabled: true getRoleResponse1: $ref: '#/components/examples/get_role_response1' schema: $ref: '#/components/schemas/Kibana_HTTP_APIs_security_role_response' description: Indicates a successful call. summary: Get a role tags: - roles x-metaTags: - content: Kibana name: product_name put: description: Create a new Kibana role or update the attributes of an existing role. Kibana roles are stored in the Elasticsearch native realm. operationId: put-security-role-name parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The role name. in: path name: name required: true schema: maxLength: 1024 minLength: 1 type: string - description: When true, a role is not overwritten if it already exists. in: query name: createOnly required: false schema: default: false type: boolean requestBody: content: application/json: examples: createOrUpdateRoleRequest: value: description: My custom Kibana role. elasticsearch: cluster: - monitor indices: - names: - logs-* privileges: - read kibana: - base: - read feature: {} spaces: - default createRoleRequest1: $ref: '#/components/examples/create_role_request1' createRoleRequest2: $ref: '#/components/examples/create_role_request2' createRoleRequest3: $ref: '#/components/examples/create_role_request3' createRoleRequest4: $ref: '#/components/examples/create_role_request4' schema: additionalProperties: false type: object properties: description: description: A description for the role. maxLength: 2048 type: string elasticsearch: additionalProperties: false type: object properties: cluster: items: description: Cluster privileges that define the cluster level actions that users can perform. type: string maxItems: 100 type: array indices: items: additionalProperties: false type: object properties: allow_restricted_indices: description: Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. Only internal system roles should normally grant privileges over the restricted indices. Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. If for administrative purposes you need to create a role with privileges covering restricted indices, however, you can set this property to true. In that case, the names field covers the restricted indices too. type: boolean field_security: additionalProperties: items: description: The document fields that the role members have read access to. type: string maxItems: 1000 type: array type: object names: items: description: The data streams, indices, and aliases to which the permissions in this entry apply. It supports wildcards (*). type: string maxItems: 100 minItems: 1 type: array privileges: items: description: The index level privileges that the role members have for the data streams and indices. type: string maxItems: 100 minItems: 1 type: array query: description: A search query that defines the documents the role members have read access to. A document within the specified data streams and indices must match this query in order for it to be accessible by the role members. type: string required: - names - privileges maxItems: 1000 type: array remote_cluster: items: additionalProperties: false type: object properties: clusters: items: description: A list of remote cluster aliases. It supports literal strings as well as wildcards and regular expressions. type: string maxItems: 100 minItems: 1 type: array privileges: items: description: The cluster level privileges for the remote cluster. The allowed values are a subset of the cluster privileges. type: string maxItems: 100 minItems: 1 type: array required: - privileges - clusters maxItems: 100 type: array remote_indices: items: additionalProperties: false type: object properties: allow_restricted_indices: description: Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. Only internal system roles should normally grant privileges over the restricted indices. Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. If for administrative purposes you need to create a role with privileges covering restricted indices, however, you can set this property to true. In that case, the names field will cover the restricted indices too. type: boolean clusters: items: description: A list of remote cluster aliases. It supports literal strings as well as wildcards and regular expressions. type: string maxItems: 100 minItems: 1 type: array field_security: additionalProperties: items: description: The document fields that the role members have read access to. type: string maxItems: 1000 type: array type: object names: items: description: A list of remote aliases, data streams, or indices to which the permissions apply. It supports wildcards (*). type: string maxItems: 100 minItems: 1 type: array privileges: items: description: The index level privileges that role members have for the specified indices. type: string maxItems: 100 minItems: 1 type: array query: description: 'A search query that defines the documents the role members have read access to. A document within the specified data streams and indices must match this query in order for it to be accessible by the role members. ' type: string required: - clusters - names - privileges maxItems: 1000 type: array run_as: items: description: A user name that the role member can impersonate. type: string maxItems: 100 type: array kibana: items: additionalProperties: false type: object properties: base: anyOf: - items: {} type: array - type: boolean - type: number - type: object - type: string nullable: true oneOf: - items: description: A base privilege that grants applies to all spaces. type: string maxItems: 50 type: array - items: description: A base privilege that applies to specific spaces. type: string maxItems: 50 type: array feature: additionalProperties: items: description: The privileges that the role member has for the feature. type: string maxItems: 100 type: array type: object spaces: anyOf: - items: enum: - '*' type: string maxItems: 1 minItems: 1 type: array - items: description: A space that the privilege applies to. type: string maxItems: 1000 type: array default: - '*' required: - base type: array metadata: additionalProperties: {} type: object required: - elasticsearch responses: '204': description: Indicates a successful call. summary: Create or update a role tags: - roles x-metaTags: - content: Kibana name: product_name /api/security/roles: post: description: Create or update multiple Kibana roles in a single request. operationId: post-security-roles parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: examples: bulkCreateOrUpdateRoles: value: roles: my_kibana_role: elasticsearch: cluster: - monitor indices: - names: - logs-* privileges: - read kibana: - base: - read feature: {} spaces: - default schema: additionalProperties: false type: object properties: roles: additionalProperties: additionalProperties: false type: object properties: description: description: A description for the role. maxLength: 2048 type: string elasticsearch: additionalProperties: false type: object properties: cluster: items: description: Cluster privileges that define the cluster level actions that users can perform. type: string maxItems: 100 type: array indices: items: additionalProperties: false type: object properties: allow_restricted_indices: description: Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. Only internal system roles should normally grant privileges over the restricted indices. Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. If for administrative purposes you need to create a role with privileges covering restricted indices, however, you can set this property to true. In that case, the names field covers the restricted indices too. type: boolean field_security: additionalProperties: items: description: The document fields that the role members have read access to. type: string maxItems: 1000 type: array type: object names: items: description: The data streams, indices, and aliases to which the permissions in this entry apply. It supports wildcards (*). type: string maxItems: 100 minItems: 1 type: array privileges: items: description: The index level privileges that the role members have for the data streams and indices. type: string maxItems: 100 minItems: 1 type: array query: description: A search query that defines the documents the role members have read access to. A document within the specified data streams and indices must match this query in order for it to be accessible by the role members. type: string required: - names - privileges maxItems: 1000 type: array remote_cluster: items: additionalProperties: false type: object properties: clusters: items: description: A list of remote cluster aliases. It supports literal strings as well as wildcards and regular expressions. type: string maxItems: 100 minItems: 1 type: array privileges: items: description: The cluster level privileges for the remote cluster. The allowed values are a subset of the cluster privileges. type: string maxItems: 100 minItems: 1 type: array required: - privileges - clusters maxItems: 100 type: array remote_indices: items: additionalProperties: false type: object properties: allow_restricted_indices: description: Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. Only internal system roles should normally grant privileges over the restricted indices. Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. If for administrative purposes you need to create a role with privileges covering restricted indices, however, you can set this property to true. In that case, the names field will cover the restricted indices too. type: boolean clusters: items: description: A list of remote cluster aliases. It supports literal strings as well as wildcards and regular expressions. type: string maxItems: 100 minItems: 1 type: array field_security: additionalProperties: items: description: The document fields that the role members have read access to. type: string maxItems: 1000 type: array type: object names: items: description: A list of remote aliases, data streams, or indices to which the permissions apply. It supports wildcards (*). type: string maxItems: 100 minItems: 1 type: array privileges: items: description: The index level privileges that role members have for the specified indices. type: string maxItems: 100 minItems: 1 type: array query: description: 'A search query that defines the documents the role members have read access to. A document within the specified data streams and indices must match this query in order for it to be accessible by the role members. ' type: string required: - clusters - names - privileges maxItems: 1000 type: array run_as: items: description: A user name that the role member can impersonate. type: string maxItems: 100 type: array kibana: items: additionalProperties: false type: object properties: base: anyOf: - items: {} type: array - type: boolean - type: number - type: object - type: string nullable: true oneOf: - items: description: A base privilege that grants applies to all spaces. type: string maxItems: 50 type: array - items: description: A base privilege that applies to specific spaces. type: string maxItems: 50 type: array feature: additionalProperties: items: description: The privileges that the role member has for the feature. type: string maxItems: 100 type: array type: object spaces: anyOf: - items: enum: - '*' type: string maxItems: 1 minItems: 1 type: array - items: description: A space that the privilege applies to. type: string maxItems: 1000 type: array default: - '*' required: - base type: array metadata: additionalProperties: {} type: object required: - elasticsearch type: object required: - roles responses: '200': content: application/json: examples: bulkCreateOrUpdateRolesResponse: value: created: - my_kibana_role noop: [] updated: [] schema: $ref: '#/components/schemas/Kibana_HTTP_APIs_security_bulk_create_or_update_roles_response' description: Indicates a successful call. summary: Create or update roles tags: - roles x-metaTags: - content: Kibana name: product_name /api/security/session/_invalidate: post: description: | Invalidate user sessions that match a query. To use this API, you must be a superuser. operationId: post-security-session-invalidate parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: examples: invalidateRequestExample1: description: Run `POST api/security/session/_invalidate` to invalidate all existing sessions. summary: Invalidate all sessions value: |- { "match" : "all" } invalidateRequestExample2: description: Run `POST api/security/session/_invalidate` to invalidate sessions that were created by any SAML authentication provider. summary: Invalidate all SAML sessions value: |- { "match" : "query", "query": { "provider" : { "type": "saml" } } } invalidateRequestExample3: description: Run `POST api/security/session/_invalidate` to invalidate sessions that were created by the SAML authentication provider named `saml1`. summary: Invalidate sessions for a provider value: |- { "match" : "query", "query": { "provider" : { "type": "saml", "name": "saml1" } } } invalidateRequestExample4: description: Run `POST api/security/session/_invalidate` to invalidate sessions that were created by any OpenID Connect authentication provider for the user with the username `user@my-oidc-sso.com`. summary: Invalidate sessions for a user value: |- { "match" : "query", "query": { "provider" : { "type": "oidc" }, "username": "user@my-oidc-sso.com" } } schema: type: object properties: match: description: | The method Kibana uses to determine which sessions to invalidate. If it is `all`, all existing sessions will be invalidated. If it is `query`, only the sessions that match the query will be invalidated. enum: - all - query type: string query: description: | The query that Kibana uses to match the sessions to invalidate when the `match` parameter is set to `query`. type: object properties: provider: description: The authentication providers that will have their user sessions invalidated. type: object properties: name: description: The authentication provider name. type: string type: description: | The authentication provide type. For example: `basic`, `token`, `saml`, `oidc`, `kerberos`, or `pki`. type: string required: - type username: description: The username that will have its sessions invalidated. type: string required: - provider required: - match responses: '200': content: application/json: schema: type: object properties: total: description: The number of sessions that were successfully invalidated. type: integer description: Indicates a successful call '403': description: Indicates that the user may not be authorized to invalidate sessions for other users. summary: Invalidate user sessions tags: - user session x-metaTags: - content: Kibana name: product_name /api/short_url: post: description: | Kibana URLs may be long and cumbersome, short URLs are much easier to remember and share. Short URLs are created by specifying the locator ID and locator parameters. When a short URL is resolved, the locator ID and locator parameters are used to redirect user to the right Kibana page. operationId: post-url requestBody: content: application/json: schema: type: object properties: humanReadableSlug: description: | When the `slug` parameter is omitted, the API will generate a random human-readable slug if `humanReadableSlug` is set to true. type: boolean locatorId: description: The identifier for the locator. type: string params: description: | An object which contains all necessary parameters for the given locator to resolve to a Kibana location. > warn > When you create a short URL, locator params are not validated, which allows you to pass arbitrary and ill-formed data into the API that can break Kibana. Make sure any data that you send to the API is properly formed. type: object slug: description: | A custom short URL slug. The slug is the part of the short URL that identifies it. You can provide a custom slug which consists of latin alphabet letters, numbers, and `-._` characters. The slug must be at least 3 characters long, but no longer than 255 characters. type: string required: - locatorId - params required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Short_URL_APIs_urlResponse' description: Indicates a successful call. summary: Create a short URL tags: - short url x-state: Technical Preview x-metaTags: - content: Kibana name: product_name /api/short_url/_slug/{slug}: get: description: | Resolve a Kibana short URL by its slug. operationId: resolve-url parameters: - description: The slug of the short URL. in: path name: slug required: true schema: type: string responses: '200': content: application/json: schema: $ref: '#/components/schemas/Short_URL_APIs_urlResponse' description: Indicates a successful call. summary: Resolve a short URL tags: - short url x-state: Technical Preview x-metaTags: - content: Kibana name: product_name /api/short_url/{id}: delete: description: | Delete a Kibana short URL. operationId: delete-url parameters: - $ref: '#/components/parameters/Short_URL_APIs_idParam' responses: '200': description: Indicates a successful call. summary: Delete a short URL tags: - short url x-state: Technical Preview x-metaTags: - content: Kibana name: product_name get: description: | Get a single Kibana short URL. operationId: get-url parameters: - $ref: '#/components/parameters/Short_URL_APIs_idParam' responses: '200': content: application/json: schema: $ref: '#/components/schemas/Short_URL_APIs_urlResponse' description: Indicates a successful call. summary: Get a short URL tags: - short url x-state: Technical Preview x-metaTags: - content: Kibana name: product_name /api/spaces/_copy_saved_objects: post: description: 'It also allows you to automatically copy related objects, so when you copy a dashboard, this can automatically copy over the associated visualizations, data views, and saved Discover sessions, as required. You can request to overwrite any objects that already exist in the target space if they share an identifier or you can use the resolve copy saved objects conflicts API to do this on a per-object basis.

[Required authorization] Route required privileges: copySavedObjectsToSpaces.' operationId: post-spaces-copy-saved-objects parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: compatibilityMode: default: false description: Apply various adjustments to the saved objects that are being copied to maintain compatibility between different Kibana versions. Use this option only if you encounter issues with copied saved objects. This option cannot be used with the `createNewCopies` option. type: boolean createNewCopies: default: true description: Create new copies of saved objects, regenerate each object identifier, and reset the origin. When used, potential conflict errors are avoided. This option cannot be used with the `overwrite` and `compatibilityMode` options. type: boolean includeReferences: default: false description: When set to true, all saved objects related to the specified saved objects will also be copied into the target spaces. type: boolean objects: items: additionalProperties: false type: object properties: id: description: The identifier of the saved object to copy. type: string type: description: The type of the saved object to copy. type: string required: - type - id maxItems: 1000 type: array overwrite: default: false description: When set to true, all conflicts are automatically overridden. When a saved object with a matching type and identifier exists in the target space, that version is replaced with the version from the source space. This option cannot be used with the `createNewCopies` option. type: boolean spaces: items: description: The identifiers of the spaces where you want to copy the specified objects. type: string maxItems: 100 type: array required: - spaces - objects examples: copySavedObjectsRequestExample1: $ref: '#/components/examples/copy_saved_objects_request1' copySavedObjectsRequestExample2: $ref: '#/components/examples/copy_saved_objects_request2' responses: '200': description: 'OK: A successful request.' content: application/json: examples: copySavedObjectsResponseExample1: $ref: '#/components/examples/copy_saved_objects_response1' copySavedObjectsResponseExample2: $ref: '#/components/examples/copy_saved_objects_response2' copySavedObjectsResponseExample3: $ref: '#/components/examples/copy_saved_objects_response3' copySavedObjectsResponseExample4: $ref: '#/components/examples/copy_saved_objects_response4' summary: Copy saved objects between spaces tags: - spaces x-metaTags: - content: Kibana name: product_name /api/spaces/_disable_legacy_url_aliases: post: operationId: post-spaces-disable-legacy-url-aliases parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: aliases: items: additionalProperties: false type: object properties: sourceId: description: The alias source object identifier. This is the legacy object identifier. type: string targetSpace: description: The space where the alias target object exists. type: string targetType: description: 'The type of alias target object. ' type: string required: - targetSpace - targetType - sourceId maxItems: 1000 type: array required: - aliases examples: disableLegacyURLRequestExample1: $ref: '#/components/examples/disable_legacy_url_request1' responses: {} summary: Disable legacy URL aliases tags: - spaces x-metaTags: - content: Kibana name: product_name /api/spaces/_get_shareable_references: post: description: Collect references and space contexts for saved objects. operationId: post-spaces-get-shareable-references parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: objects: items: additionalProperties: false type: object properties: id: type: string type: type: string required: - type - id maxItems: 1000 type: array required: - objects responses: {} summary: Get shareable references tags: - spaces x-metaTags: - content: Kibana name: product_name /api/spaces/_resolve_copy_saved_objects_errors: post: description: 'Overwrite saved objects that are returned as errors from the copy saved objects to space API.

[Required authorization] Route required privileges: copySavedObjectsToSpaces.' operationId: post-spaces-resolve-copy-saved-objects-errors parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: compatibilityMode: default: false type: boolean createNewCopies: default: true type: boolean includeReferences: default: false type: boolean objects: items: additionalProperties: false type: object properties: id: type: string type: type: string required: - type - id maxItems: 1000 type: array retries: additionalProperties: items: additionalProperties: false type: object properties: createNewCopy: description: Creates new copies of the saved objects, regenerates each object ID, and resets the origin. type: boolean destinationId: description: Specifies the destination identifier that the copied object should have, if different from the current identifier. type: string id: description: The saved object identifier. type: string ignoreMissingReferences: description: When set to true, any missing references errors are ignored. type: boolean overwrite: default: false description: When set to true, the saved object from the source space overwrites the conflicting object in the destination space. type: boolean type: description: The saved object type. type: string required: - type - id maxItems: 1000 type: array type: object required: - retries - objects examples: resolveCopySavedObjectsRequestExample1: $ref: '#/components/examples/resolve_copy_saved_objects_request1' resolveCopySavedObjectsRequestExample2: $ref: '#/components/examples/resolve_copy_saved_objects_request2' responses: '200': description: 'OK: A successful request.' content: application/json: examples: resolveCopySavedObjectsResponseExample1: $ref: '#/components/examples/copy_saved_objects_response1' resolveCopySavedObjectsResponseExample2: $ref: '#/components/examples/copy_saved_objects_response2' summary: Resolve conflicts copying saved objects tags: [] x-metaTags: - content: Kibana name: product_name /api/spaces/_update_objects_spaces: post: description: Update one or more saved objects to add or remove them from some spaces. operationId: post-spaces-update-objects-spaces parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: objects: items: additionalProperties: false type: object properties: id: description: The identifier of the saved object to update. type: string type: description: The type of the saved object to update. type: string required: - type - id maxItems: 1000 type: array spacesToAdd: items: description: The identifiers of the spaces the saved objects should be added to or removed from. type: string maxItems: 1000 type: array spacesToRemove: items: description: The identifiers of the spaces the saved objects should be added to or removed from. type: string maxItems: 1000 type: array required: - objects - spacesToAdd - spacesToRemove examples: updateObjectSpacesRequestExample1: $ref: '#/components/examples/update_saved_objects_spaces_request1' responses: '200': description: 'OK: A successful request.' content: application/json: examples: updateObjectSpacesResponseExample1: $ref: '#/components/examples/update_saved_objects_spaces_response1' summary: Update saved objects in spaces tags: - spaces x-metaTags: - content: Kibana name: product_name /api/spaces/space: get: operationId: get-spaces-space parameters: - description: Specifies which authorization checks are applied to the API call. The default value is `any`. in: query name: purpose required: false schema: enum: - any - copySavedObjectsIntoSpace - shareSavedObjectsIntoSpace type: string - description: When enabled, the API returns any spaces that the user is authorized to access in any capacity and each space will contain the purposes for which the user is authorized. This can be useful to determine which spaces a user can read but not take a specific action in. If the security plugin is not enabled, this parameter has no effect, since no authorization checks take place. This parameter cannot be used in with the `purpose` parameter. in: query name: include_authorized_purposes required: true schema: anyOf: - items: {} type: array - type: boolean - type: number - type: object - type: string nullable: true oneOf: - enum: - false type: boolean x-oas-optional: true - type: boolean x-oas-optional: true responses: '200': description: Indicates a successful call. content: application/json: examples: getSpacesResponseExample1: $ref: '#/components/examples/get_spaces_response1' getSpacesResponseExample2: $ref: '#/components/examples/get_spaces_response2' summary: Get all spaces tags: - spaces x-metaTags: - content: Kibana name: product_name post: operationId: post-spaces-space parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: _reserved: type: boolean color: description: The hexadecimal color code used in the space avatar. By default, the color is automatically generated from the space name. type: string description: description: A description for the space. type: string disabledFeatures: default: [] items: description: The list of features that are turned off in the space. type: string maxItems: 100 type: array id: description: The space ID that is part of the Kibana URL when inside the space. Space IDs are limited to lowercase alphanumeric, underscore, and hyphen characters (a-z, 0-9, _, and -). You are cannot change the ID with the update operation. type: string imageUrl: description: The data-URL encoded image to display in the space avatar. If specified, initials will not be displayed and the color will be visible as the background color for transparent images. For best results, your image should be 64x64. Images will not be optimized by this API call, so care should be taken when using custom images. type: string initials: description: One or two characters that are shown in the space avatar. By default, the initials are automatically generated from the space name. maxLength: 2 type: string name: description: 'The display name for the space. ' minLength: 1 type: string projectRouting: description: Cross-project search default routing configuration for this space. Controls whether searches are scoped to a single project or span multiple projects in serverless environments. type: string solution: enum: - security - oblt - es - classic type: string required: - id - name examples: createSpaceRequest: $ref: '#/components/examples/create_space_request' responses: '200': description: Indicates a successful call. summary: Create a space tags: - spaces x-metaTags: - content: Kibana name: product_name /api/spaces/space/{id}: delete: description: When you delete a space, all saved objects that belong to the space are automatically deleted, which is permanent and cannot be undone. operationId: delete-spaces-space-id parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The space identifier. in: path name: id required: true schema: type: string responses: '204': description: Indicates a successful call. '404': description: Indicates that the request failed. summary: Delete a space tags: - spaces x-metaTags: - content: Kibana name: product_name get: operationId: get-spaces-space-id parameters: - description: The space identifier. in: path name: id required: true schema: type: string responses: '200': description: Indicates a successful call. content: application/json: examples: getSpaceResponseExample: $ref: '#/components/examples/get_space_response' summary: Get a space tags: - spaces x-metaTags: - content: Kibana name: product_name put: operationId: put-spaces-space-id parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The space identifier. You are unable to change the ID with the update operation. in: path name: id required: true schema: type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: _reserved: type: boolean color: description: The hexadecimal color code used in the space avatar. By default, the color is automatically generated from the space name. type: string description: description: A description for the space. type: string disabledFeatures: default: [] items: description: The list of features that are turned off in the space. type: string maxItems: 100 type: array id: description: The space ID that is part of the Kibana URL when inside the space. Space IDs are limited to lowercase alphanumeric, underscore, and hyphen characters (a-z, 0-9, _, and -). You are cannot change the ID with the update operation. type: string imageUrl: description: The data-URL encoded image to display in the space avatar. If specified, initials will not be displayed and the color will be visible as the background color for transparent images. For best results, your image should be 64x64. Images will not be optimized by this API call, so care should be taken when using custom images. type: string initials: description: One or two characters that are shown in the space avatar. By default, the initials are automatically generated from the space name. maxLength: 2 type: string name: description: 'The display name for the space. ' minLength: 1 type: string projectRouting: description: Cross-project search default routing configuration for this space. Controls whether searches are scoped to a single project or span multiple projects in serverless environments. type: string solution: enum: - security - oblt - es - classic type: string required: - id - name examples: updateSpaceRequest: $ref: '#/components/examples/update_space_request' responses: '200': description: Indicates a successful call. summary: Update a space tags: - spaces x-metaTags: - content: Kibana name: product_name /api/status: get: operationId: get-status parameters: - description: Set to "true" to get the response in v7 format. in: query name: v7format required: false schema: type: boolean - description: Set to "true" to get the response in v8 format. in: query name: v8format required: false schema: type: boolean responses: '200': content: application/json: schema: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_core_status_response' - $ref: '#/components/schemas/Kibana_HTTP_APIs_core_status_redactedResponse' description: Kibana's operational status. A minimal response is sent for unauthorized users. description: Overall status is OK and Kibana should be functioning normally. '503': content: application/json: schema: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_core_status_response' - $ref: '#/components/schemas/Kibana_HTTP_APIs_core_status_redactedResponse' description: Kibana's operational status. A minimal response is sent for unauthorized users. description: Kibana or some of it's essential services are unavailable. Kibana may be degraded or unavailable. summary: Get Kibana's current status tags: - system x-metaTags: - content: Kibana name: product_name /api/streams: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/streams
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Fetches list of all streams

[Required authorization] Route required privileges: read_stream. operationId: get-streams parameters: [] requestBody: content: application/json: schema: anyOf: - additionalProperties: false type: object properties: {} - nullable: true - {} responses: '200': content: application/json: examples: listStreams: value: streams: - description: Root logs stream ingest: failure_store: inherit: {} lifecycle: inherit: {} processing: steps: [] updated_at: '2025-01-10T08:00:00.000Z' settings: {} wired: fields: '@timestamp': type: date log.level: type: keyword message: type: match_only_text routing: - destination: logs.nginx status: enabled where: eq: nginx field: host.name name: logs type: wired updated_at: '2025-01-10T08:00:00.000Z' - description: Web server access logs, routed by severity ingest: failure_store: inherit: {} lifecycle: inherit: {} processing: steps: [] updated_at: '2025-01-15T10:30:00.000Z' settings: {} wired: fields: host.name: type: keyword http.response.status_code: type: long message: type: match_only_text routing: - destination: logs.nginx.errors status: enabled where: field: http.response.status_code gte: 500 name: logs.nginx type: wired updated_at: '2025-01-15T10:30:00.000Z' - description: Legacy application logs ingest: classic: {} failure_store: disabled: {} lifecycle: dsl: data_retention: 30d processing: steps: - action: grok from: message ignore_missing: true patterns: - '%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:log.level} %{GREEDYDATA:message}' updated_at: '2024-12-01T09:00:00.000Z' settings: {} name: logs-myapp-default type: classic updated_at: '2024-12-01T09:00:00.000Z' - description: All error-level logs across every stream name: logs.errors query: esql: FROM logs* | WHERE log.level == "error" view: logs.errors-view type: query updated_at: '2025-01-20T14:00:00.000Z' summary: Get stream list tags: - streams x-state: Technical Preview; added in 9.1.0 x-metaTags: - content: Kibana name: product_name /api/streams/_disable: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/streams/_disable
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Disables wired streams and deletes all existing stream definitions. The data of wired streams is deleted, but the data of classic streams is preserved.

[Required authorization] Route required privileges: manage_stream. operationId: post-streams-disable parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: schema: anyOf: - additionalProperties: false type: object properties: {} - nullable: true - {} responses: {} summary: Disable streams tags: - streams x-state: Technical Preview; added in 9.1.0 x-metaTags: - content: Kibana name: product_name /api/streams/_enable: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/streams/_enable
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Enables wired streams

[Required authorization] Route required privileges: manage_stream. operationId: post-streams-enable parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: schema: anyOf: - additionalProperties: false type: object properties: {} - nullable: true - {} responses: {} summary: Enable streams tags: - streams x-state: Technical Preview; added in 9.1.0 x-metaTags: - content: Kibana name: product_name /api/streams/_resync: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/streams/_resync
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Resyncs all streams, making sure that Elasticsearch assets are up to date

[Required authorization] Route required privileges: manage_stream. operationId: post-streams-resync parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: schema: anyOf: - additionalProperties: false type: object properties: {} - nullable: true - {} responses: {} summary: Resync streams tags: - streams x-state: Technical Preview; added in 9.1.0 x-metaTags: - content: Kibana name: product_name /api/streams/{name}: delete: description: |- **Spaces method and path for this operation:**
delete /s/{space_id}/api/streams/{name}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Deletes a stream definition and the underlying data stream

[Required authorization] Route required privileges: manage_stream. operationId: delete-streams-name parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - in: path name: name required: true schema: type: string requestBody: content: application/json: schema: anyOf: - additionalProperties: false type: object properties: {} - nullable: true - {} responses: {} summary: Delete a stream tags: - streams x-state: Technical Preview; added in 9.1.0 x-metaTags: - content: Kibana name: product_name get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/streams/{name}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Fetches a stream definition and associated dashboards

[Required authorization] Route required privileges: read_stream. operationId: get-streams-name parameters: - in: path name: name required: true schema: type: string requestBody: content: application/json: schema: anyOf: - additionalProperties: false type: object properties: {} - nullable: true - {} responses: '200': content: application/json: examples: getWiredStream: value: dashboards: [] data_stream_exists: true effective_failure_store: disabled: {} from: logs effective_lifecycle: dsl: data_retention: 7d from: logs effective_settings: {} inherited_fields: '@timestamp': from: logs type: date log.level: from: logs type: keyword privileges: create_snapshot_repository: false lifecycle: true manage: true manage_failure_store: true monitor: true read_failure_store: true simulate: true text_structure: true view_index_metadata: true queries: [] rules: [] stream: description: Web server access logs, routed by severity ingest: failure_store: inherit: {} lifecycle: inherit: {} processing: steps: [] updated_at: '2025-01-15T10:30:00.000Z' settings: {} wired: fields: host.name: type: keyword http.response.status_code: type: long message: type: match_only_text routing: - destination: logs.nginx.errors status: enabled where: field: http.response.status_code gte: 500 name: logs.nginx type: wired updated_at: '2025-01-15T10:30:00.000Z' summary: Get a stream tags: - streams x-state: Technical Preview; added in 9.1.0 x-metaTags: - content: Kibana name: product_name put: description: |- **Spaces method and path for this operation:**
put /s/{space_id}/api/streams/{name}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Creates or updates a stream definition. Classic streams can not be created through this API, only updated

[Required authorization] Route required privileges: manage_stream. operationId: put-streams-name parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - in: path name: name required: true schema: type: string requestBody: content: application/json: examples: createQueryStream: value: dashboards: [] queries: [] rules: [] stream: description: All error-level logs across every stream query: esql: FROM logs* | WHERE log.level == "error" view: logs.errors-view type: query createWiredStream: value: dashboards: [] queries: [] rules: [] stream: description: Web server access logs, routed by severity ingest: failure_store: inherit: {} lifecycle: inherit: {} processing: steps: [] settings: {} wired: fields: host.name: type: keyword http.response.status_code: type: long message: type: match_only_text routing: - destination: logs.nginx.errors status: enabled where: field: http.response.status_code gte: 500 type: wired updateClassicStream: value: dashboards: [] queries: [] rules: [] stream: description: Legacy application logs managed as a classic data stream ingest: classic: {} failure_store: disabled: {} lifecycle: dsl: data_retention: 30d processing: steps: - action: grok from: message ignore_missing: true patterns: - '%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:log.level} %{GREEDYDATA:message}' settings: {} type: classic schema: $ref: '#/components/schemas/Kibana_HTTP_APIs_StreamUpsertRequest' responses: {} summary: Create or update a stream tags: - streams x-state: Technical Preview; added in 9.1.0 x-metaTags: - content: Kibana name: product_name /api/streams/{name}/_fork: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/streams/{name}/_fork
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Forks a wired stream and creates a child stream

[Required authorization] Route required privileges: manage_stream. operationId: post-streams-name-fork parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - in: path name: name required: true schema: type: string requestBody: content: application/json: examples: forkStream: value: status: enabled stream: name: logs.nginx.errors where: eq: '500' field: http.response.status_code schema: additionalProperties: false type: object properties: status: enum: - enabled - disabled type: string stream: additionalProperties: false type: object properties: name: type: string required: - name where: $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' required: - stream - where responses: {} summary: Fork a stream tags: - streams x-state: Technical Preview; added in 9.1.0 x-metaTags: - content: Kibana name: product_name /api/streams/{name}/_ingest: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/streams/{name}/_ingest
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Fetches the ingest settings of an ingest stream definition

[Required authorization] Route required privileges: read_stream. operationId: get-streams-name-ingest parameters: - in: path name: name required: true schema: type: string requestBody: content: application/json: schema: anyOf: - additionalProperties: false type: object properties: {} - nullable: true - {} responses: '200': content: application/json: examples: getWiredIngest: value: ingest: failure_store: inherit: {} lifecycle: inherit: {} processing: steps: - action: grok from: message ignore_missing: false patterns: - '%{IPORHOST:client.ip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:@timestamp}\] "%{WORD:http.method} %{DATA:url.original} HTTP/%{NUMBER:http.version}" %{NUMBER:http.response.status_code:int} (?:%{NUMBER:http.response.body.bytes:int}|-)' updated_at: '2025-01-15T10:30:00.000Z' settings: {} wired: fields: client.ip: type: ip http.method: type: keyword http.response.body.bytes: type: long http.response.status_code: type: long url.original: type: wildcard routing: - destination: logs.nginx.errors status: enabled where: field: http.response.status_code gte: 500 summary: Get ingest stream settings tags: - streams x-state: Technical Preview; added in 9.1.0 x-metaTags: - content: Kibana name: product_name put: description: |- **Spaces method and path for this operation:**
put /s/{space_id}/api/streams/{name}/_ingest
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Upserts the ingest settings of an ingest stream definition

[Required authorization] Route required privileges: manage_stream. operationId: put-streams-name-ingest parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - in: path name: name required: true schema: type: string requestBody: content: application/json: examples: upsertWiredIngest: value: ingest: failure_store: inherit: {} lifecycle: inherit: {} processing: steps: - action: grok from: message ignore_missing: false patterns: - '%{IPORHOST:client.ip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:@timestamp}\] "%{WORD:http.method} %{DATA:url.original} HTTP/%{NUMBER:http.version}" %{NUMBER:http.response.status_code:int} (?:%{NUMBER:http.response.body.bytes:int}|-)' settings: {} wired: fields: client.ip: type: ip http.method: type: keyword http.response.body.bytes: type: long http.response.status_code: type: long url.original: type: wildcard routing: - destination: logs.nginx.errors status: enabled where: eq: '500' field: http.response.status_code schema: additionalProperties: false type: object properties: ingest: anyOf: - additionalProperties: false type: object properties: failure_store: $ref: '#/components/schemas/Kibana_HTTP_APIs_FailureStore' lifecycle: $ref: '#/components/schemas/Kibana_HTTP_APIs_IngestStreamLifecycle' processing: additionalProperties: false type: object properties: steps: items: $ref: '#/components/schemas/Kibana_HTTP_APIs_StreamlangStep' type: array updated_at: {} required: - steps settings: additionalProperties: false type: object properties: index.number_of_replicas: additionalProperties: false type: object properties: value: type: number required: - value index.number_of_shards: additionalProperties: false type: object properties: value: type: number required: - value index.refresh_interval: additionalProperties: false type: object properties: value: anyOf: - type: string - enum: - -1 type: number required: - value wired: additionalProperties: false type: object properties: fields: $ref: '#/components/schemas/Kibana_HTTP_APIs_FieldDefinition' routing: items: type: object properties: destination: description: A non-empty string. minLength: 1 type: string status: enum: - enabled - disabled type: string where: $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' required: - destination - where type: array required: - fields - routing required: - lifecycle - processing - settings - failure_store - wired - additionalProperties: false type: object properties: classic: additionalProperties: false type: object properties: field_overrides: $ref: '#/components/schemas/Kibana_HTTP_APIs_ClassicFieldDefinition' failure_store: $ref: '#/components/schemas/Kibana_HTTP_APIs_FailureStore' lifecycle: $ref: '#/components/schemas/Kibana_HTTP_APIs_IngestStreamLifecycle' processing: additionalProperties: false type: object properties: steps: items: $ref: '#/components/schemas/Kibana_HTTP_APIs_StreamlangStep' type: array updated_at: {} required: - steps settings: additionalProperties: false type: object properties: index.number_of_replicas: additionalProperties: false type: object properties: value: type: number required: - value index.number_of_shards: additionalProperties: false type: object properties: value: type: number required: - value index.refresh_interval: additionalProperties: false type: object properties: value: anyOf: - type: string - enum: - -1 type: number required: - value required: - lifecycle - processing - settings - failure_store - classic required: - ingest responses: {} summary: Update ingest stream settings tags: - streams x-state: Technical Preview; added in 9.1.0 x-metaTags: - content: Kibana name: product_name /api/streams/{name}/_query: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/streams/{name}/_query
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Fetches the query settings of a query stream definition

[Required authorization] Route required privileges: read_stream. operationId: get-streams-name-query parameters: - in: path name: name required: true schema: type: string requestBody: content: application/json: schema: anyOf: - additionalProperties: false type: object properties: {} - nullable: true - {} responses: {} summary: Get query stream settings tags: - streams x-state: Technical Preview; added in 9.4.0 x-metaTags: - content: Kibana name: product_name put: description: |- **Spaces method and path for this operation:**
put /s/{space_id}/api/streams/{name}/_query
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Upserts the query settings of a query stream definition

[Required authorization] Route required privileges: manage_stream. operationId: put-streams-name-query parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - in: path name: name required: true schema: type: string requestBody: content: application/json: examples: upsertQueryStream: value: query: esql: FROM logs* | WHERE log.level == "error" | KEEP @timestamp, message, host.name, log.level schema: additionalProperties: false type: object properties: field_descriptions: additionalProperties: type: string type: object query: additionalProperties: false type: object properties: esql: type: string required: - esql required: - query responses: {} summary: Upsert query stream settings tags: - streams x-state: Technical Preview; added in 9.4.0 x-metaTags: - content: Kibana name: product_name /api/streams/{name}/content/export: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/streams/{name}/content/export
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Exports the content associated to a stream.

[Required authorization] Route required privileges: manage_stream. operationId: post-streams-name-content-export parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - in: path name: name required: true schema: type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: description: type: string include: $ref: '#/components/schemas/Kibana_HTTP_APIs_ContentPackIncludedObjects' name: type: string version: type: string required: - name - description - version - include responses: {} summary: Export stream content tags: - streams x-state: Technical Preview; added in 9.1.0 x-metaTags: - content: Kibana name: product_name /api/streams/{name}/content/import: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/streams/{name}/content/import
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Links content objects to a stream.

[Required authorization] Route required privileges: manage_stream. operationId: post-streams-name-content-import parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - in: path name: name required: true schema: type: string requestBody: content: multipart/form-data: schema: additionalProperties: false type: object properties: content: {} include: type: string required: - include - content responses: {} summary: Import content into a stream tags: - streams x-state: Technical Preview; added in 9.1.0 x-metaTags: - content: Kibana name: product_name /api/streams/{name}/queries: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/streams/{name}/queries
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Fetches all queries linked to a stream that are visible to the current user in the current space.

[Required authorization] Route required privileges: read_stream. operationId: get-streams-name-queries parameters: - in: path name: name required: true schema: type: string requestBody: content: application/json: schema: anyOf: - additionalProperties: false type: object properties: {} - nullable: true - {} responses: {} summary: Get stream queries tags: - streams x-state: Technical Preview; added in 9.1.0 x-metaTags: - content: Kibana name: product_name /api/streams/{name}/queries/_bulk: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/streams/{name}/queries/_bulk
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Bulk update queries of a stream. Can add new queries and delete existing ones.

[Required authorization] Route required privileges: manage_stream. operationId: post-streams-name-queries-bulk parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - in: path name: name required: true schema: type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: operations: items: anyOf: - type: object properties: index: type: object properties: description: type: string esql: type: object properties: query: type: string required: - query evidence: items: type: string type: array id: description: A non-empty string. minLength: 1 type: string severity_score: type: number title: description: A non-empty string. minLength: 1 type: string required: - id - title - description - esql required: - index - type: object properties: delete: type: object properties: id: type: string required: - id required: - delete type: array required: - operations responses: {} summary: Bulk update queries tags: - streams x-state: Technical Preview; added in 9.1.0 x-metaTags: - content: Kibana name: product_name /api/streams/{name}/queries/{queryId}: delete: description: |- **Spaces method and path for this operation:**
delete /s/{space_id}/api/streams/{name}/queries/{queryId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Remove a query from a stream. Noop if the query is not found on the stream.

[Required authorization] Route required privileges: manage_stream. operationId: delete-streams-name-queries-queryid parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - in: path name: name required: true schema: type: string - in: path name: queryId required: true schema: type: string requestBody: content: application/json: schema: anyOf: - additionalProperties: false type: object properties: {} - nullable: true - {} responses: {} summary: Remove a query from a stream tags: - streams x-state: Technical Preview; added in 9.1.0 x-metaTags: - content: Kibana name: product_name put: description: |- **Spaces method and path for this operation:**
put /s/{space_id}/api/streams/{name}/queries/{queryId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Adds a query to a stream. Noop if the query is already present on the stream.

[Required authorization] Route required privileges: manage_stream. operationId: put-streams-name-queries-queryid parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - in: path name: name required: true schema: type: string - in: path name: queryId required: true schema: type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: description: default: '' type: string esql: additionalProperties: false type: object properties: query: type: string required: - query evidence: items: type: string type: array severity_score: type: number title: description: A non-empty string. minLength: 1 type: string required: - title - esql responses: {} summary: Upsert a query to a stream tags: - streams x-state: Technical Preview; added in 9.1.0 x-metaTags: - content: Kibana name: product_name /api/streams/{name}/significant_events: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/streams/{name}/significant_events
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Read the significant events

[Required authorization] Route required privileges: read_stream. operationId: get-streams-name-significant-events parameters: - in: path name: name required: true schema: type: string - in: query name: from required: true schema: type: string - in: query name: to required: true schema: type: string - in: query name: bucketSize required: true schema: type: string - description: Query string to filter significant events on metadata fields in: query name: query required: false schema: type: string - description: 'Search mode: keyword (BM25), semantic (vector), or hybrid (RRF). When omitted, defaults to hybrid with a silent keyword fallback on failure. When set explicitly, failures propagate as errors.' in: query name: searchMode required: false schema: enum: - keyword - semantic - hybrid type: string requestBody: content: application/json: schema: anyOf: - additionalProperties: false type: object properties: {} - nullable: true - {} responses: {} summary: Read the significant events tags: - streams x-state: Technical Preview; added in 9.1.0 x-metaTags: - content: Kibana name: product_name /api/streams/{name}/significant_events/_generate: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/streams/{name}/significant_events/_generate
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Generate significant events queries based on the stream data

[Required authorization] Route required privileges: read_stream. operationId: post-streams-name-significant-events-generate parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - in: path name: name required: true schema: type: string - description: Optional connector ID. If not provided, the default AI connector from settings will be used. in: query name: connectorId required: false schema: type: string - in: query name: from required: true schema: type: string - in: query name: to required: true schema: type: string - description: Number of sample documents to use for generation from the current data of stream in: query name: sampleDocsSize required: false schema: type: number requestBody: content: application/json: schema: anyOf: - additionalProperties: false type: object properties: {} - nullable: true - {} responses: {} summary: Generate significant events tags: - streams x-state: Technical Preview; added in 9.2.0 x-metaTags: - content: Kibana name: product_name /api/streams/{name}/significant_events/_preview: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/streams/{name}/significant_events/_preview
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Preview significant event results based on a given query

[Required authorization] Route required privileges: read_stream. operationId: post-streams-name-significant-events-preview parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - in: path name: name required: true schema: type: string - in: query name: from required: true schema: type: string - in: query name: to required: true schema: type: string - in: query name: bucketSize required: true schema: type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: query: additionalProperties: false type: object properties: esql: additionalProperties: false type: object properties: query: type: string required: - query required: - esql required: - query responses: {} summary: Preview significant events tags: - streams x-state: Technical Preview; added in 9.1.0 x-metaTags: - content: Kibana name: product_name /api/streams/{streamName}/attachments: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/streams/{streamName}/attachments
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Fetches all attachments linked to a stream that are visible to the current user in the current space. Optionally filter by attachment types, search query, and tags.

[Required authorization] Route required privileges: read_stream. operationId: get-streams-streamname-attachments parameters: - description: The name of the stream in: path name: streamName required: true schema: type: string - description: Search query to filter attachments by title in: query name: query required: false schema: type: string - description: Filter by attachment types (single value or array) in: query name: attachmentTypes required: false schema: items: enum: - dashboard - rule - slo type: string type: array - description: Filter by tags (single value or array) in: query name: tags required: false schema: items: type: string type: array requestBody: content: application/json: examples: listAttachmentsExample: value: {} schema: anyOf: - additionalProperties: false type: object properties: {} - nullable: true - {} responses: '200': content: application/json: examples: listAttachmentsResponse: value: attachments: - createdAt: '2023-02-23T16:15:47.275Z' description: Dashboard for monitoring production services id: dashboard-123 streamNames: - logs.awsfirehose - logs.nginx tags: - monitoring - production title: My Dashboard type: dashboard updatedAt: '2023-03-24T14:39:17.636Z' description: Successfully retrieved attachments summary: Get stream attachments tags: - streams x-state: Technical Preview; added in 9.3.0 x-metaTags: - content: Kibana name: product_name /api/streams/{streamName}/attachments/_bulk: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/streams/{streamName}/attachments/_bulk
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Bulk update attachments linked to a stream. Can link new attachments and delete existing ones. Supports mixed attachment types in a single request.

[Required authorization] Route required privileges: manage_stream. operationId: post-streams-streamname-attachments-bulk parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The name of the stream in: path name: streamName required: true schema: type: string requestBody: content: application/json: examples: bulkAttachmentsExample: value: operations: - index: id: dashboard-123 type: dashboard - delete: id: rule-456 type: rule schema: additionalProperties: false type: object properties: operations: items: anyOf: - type: object properties: index: type: object properties: id: type: string type: enum: - dashboard - rule - slo type: string required: - id - type required: - index - type: object properties: delete: type: object properties: id: type: string type: enum: - dashboard - rule - slo type: string required: - id - type required: - delete type: array required: - operations responses: '200': content: application/json: examples: bulkAttachmentsResponse: value: acknowledged: true description: Successfully performed bulk operations summary: Bulk update attachments tags: - streams x-state: Technical Preview; added in 9.3.0 x-metaTags: - content: Kibana name: product_name /api/streams/{streamName}/attachments/{attachmentType}/{attachmentId}: delete: description: |- **Spaces method and path for this operation:**
delete /s/{space_id}/api/streams/{streamName}/attachments/{attachmentType}/{attachmentId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Unlinks an attachment from a stream. Noop if the attachment is not linked to the stream.

[Required authorization] Route required privileges: manage_stream. operationId: delete-streams-streamname-attachments-attachmenttype-attachmentid parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The name of the stream in: path name: streamName required: true schema: type: string - description: The type of the attachment in: path name: attachmentType required: true schema: enum: - dashboard - rule - slo type: string - description: The ID of the attachment in: path name: attachmentId required: true schema: type: string requestBody: content: application/json: examples: unlinkAttachmentExample: value: {} schema: anyOf: - additionalProperties: false type: object properties: {} - nullable: true - {} responses: '200': content: application/json: examples: unlinkAttachmentResponse: value: acknowledged: true description: Successfully unlinked attachment summary: Unlink an attachment from a stream tags: - streams x-state: Technical Preview; added in 9.3.0 x-metaTags: - content: Kibana name: product_name put: description: |- **Spaces method and path for this operation:**
put /s/{space_id}/api/streams/{streamName}/attachments/{attachmentType}/{attachmentId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Links an attachment to a stream. Noop if the attachment is already linked to the stream.

[Required authorization] Route required privileges: manage_stream. operationId: put-streams-streamname-attachments-attachmenttype-attachmentid parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The name of the stream in: path name: streamName required: true schema: type: string - description: The type of the attachment in: path name: attachmentType required: true schema: enum: - dashboard - rule - slo type: string - description: The ID of the attachment in: path name: attachmentId required: true schema: type: string requestBody: content: application/json: examples: linkAttachmentExample: value: {} schema: anyOf: - additionalProperties: false type: object properties: {} - nullable: true - {} responses: '200': content: application/json: examples: linkAttachmentResponse: value: acknowledged: true description: Successfully linked attachment summary: Link an attachment to a stream tags: - streams x-state: Technical Preview; added in 9.3.0 x-metaTags: - content: Kibana name: product_name /api/synthetics/monitor/test/{monitorId}: post: description: | **Spaces method and path for this operation:**
post /s/{space_id}/api/synthetics/monitor/test/{monitorId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Trigger an immediate test execution for the specified monitor. The response includes the generated `testRunId`. If the test encounters issues in one or more service locations, an `errors` array is also returned with details about the failures. operationId: post-synthetics-monitor-test parameters: - description: The ID (config_id) of the monitor to test. in: path name: monitorId required: true schema: type: string responses: '200': content: application/json: examples: testNowMonitorResponseExample1: value: |- { "testRunId": "2bd506e5-4f9a-4aa6-a019-7988500afba0", "errors": [ { "locationId": "us_central_staging", "error": { "status": 401, "reason": "no auth credentials provided", "failed_monitors": null } } ] } schema: type: object properties: errors: description: Array of errors encountered while triggering the test, one per service location. items: type: object properties: error: type: object properties: failed_monitors: description: Optional list of monitors that failed at the location. items: type: object nullable: true type: array reason: description: Human-readable explanation of the failure. type: string status: description: HTTP status code returned by the agent. type: integer required: - status - reason - failed_monitors locationId: description: Identifier of the service location where the error occurred. type: string required: - locationId - error type: array testRunId: description: Unique identifier for the triggered test run. type: string required: - testRunId description: Test run triggered successfully. '404': description: Monitor not found. summary: Trigger an on-demand test run for a monitor tags: - synthetics x-state: Generally available; added in 9.2.0 x-metaTags: - content: Kibana name: product_name /api/synthetics/monitors: get: description: | **Spaces method and path for this operation:**
get /s/{space_id}/api/synthetics/monitors
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get a list of monitors. You must have `read` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges. operationId: get-synthetic-monitors parameters: - description: Additional filtering criteria. in: query name: filter schema: type: string - description: The locations to filter by. in: query name: locations schema: oneOf: - type: string - type: array - description: The monitor types to filter. in: query name: monitorTypes schema: oneOf: - enum: - browser - http - icmp - tcp type: string - type: array - description: The page number for paginated results. in: query name: page schema: type: integer - description: The number of items to return per page. in: query name: per_page schema: type: integer - description: The projects to filter by. in: query name: projects schema: oneOf: - type: string - type: array - description: A free-text query string. in: query name: query schema: type: string - description: The schedules to filter by. in: query name: schedules schema: oneOf: - type: array - type: string - description: The field to sort the results by. in: query name: sortField schema: enum: - name - createdAt - updatedAt - status type: string - description: The sort order. in: query name: sortOrder schema: enum: - asc - desc type: string - description: The status to filter by. in: query name: status schema: oneOf: - type: array - type: string - description: Tags to filter monitors. in: query name: tags schema: oneOf: - type: string - type: array - description: | Specifies whether to apply logical AND filtering for specific fields. Accepts either a string with values "tags" or "locations" or an array containing both. in: query name: useLogicalAndFor schema: oneOf: - enum: - tags - locations type: string - items: enum: - tags - locations type: string type: array responses: '200': content: application/json: examples: getSyntheticMonitorsResponseExample1: description: A successful response from `GET /api/synthetics/monitors?tags=prod&monitorTypes=http&locations=us-east-1&projects=project1&status=up`. value: |- { "page": 1, "total": 24, "monitors": [ { "type": "icmp", "enabled": false, "alert": { "status": { "enabled": true }, "tls": { "enabled": true } }, "schedule": { "number": "3", "unit": "m" }, "config_id": "e59142e5-1fe3-4aae-b0b0-19d6345e65a1", "timeout": "16", "name": "8.8.8.8:80", "locations": [ { "id": "us_central", "label": "North America - US Central", "geo": { "lat": 41.25, "lon": -95.86 }, "isServiceManaged": true } ], "namespace": "default", "origin": "ui", "id": "e59142e5-1fe3-4aae-b0b0-19d6345e65a1", "max_attempts": 2, "wait": "7", "revision": 3, "mode": "all", "ipv4": true, "ipv6": true, "created_at": "2023-11-07T09:57:04.152Z", "updated_at": "2023-12-04T19:19:34.039Z", "host": "8.8.8.8:80" } ], "absoluteTotal": 24, "perPage": 10, } schema: type: object description: A successful response. summary: Get monitors tags: - synthetics x-metaTags: - content: Kibana name: product_name post: description: | **Spaces method and path for this operation:**
post /s/{space_id}/api/synthetics/monitors
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Create a new monitor with the specified attributes. A monitor can be one of the following types: HTTP, TCP, ICMP, or Browser. The required and default fields may vary based on the monitor type. You must have `all` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges. operationId: post-synthetic-monitors requestBody: content: application/json: examples: postSyntheticMonitorsRequestExample1: description: Create an HTTP monitor to check a website's availability. summary: HTTP monitor value: |- { "type": "http", "name": "Website Availability", "url": "https://example.com", "tags": ["website", "availability"], "locations": ["united_kingdom"] } postSyntheticMonitorsRequestExample2: description: Create a TCP monitor to monitor a server's availability. summary: TCP monitor value: |- { "type": "tcp", "name": "Server Availability", "host": "example.com", "private_locations": ["my_private_location"] } postSyntheticMonitorsRequestExample3: description: Create an ICMP monitor to perform ping checks. summary: ICMP monitor value: |- { "type": "icmp", "name": "Ping Test", "host": "example.com", "locations": ["united_kingdom"] } postSyntheticMonitorsRequestExample4: description: Create a browser monitor to check a website. summary: Browser monitor value: |- { "type": "browser", "name": "Example journey", "inline_script": "step('Go to https://google.com.co', () => page.goto('https://www.google.com'))", "locations": ["united_kingdom"] } schema: description: | The request body should contain the attributes of the monitor you want to create. The required and default fields differ depending on the monitor type. discriminator: propertyName: type oneOf: - $ref: '#/components/schemas/Synthetics_browserMonitorFields' - $ref: '#/components/schemas/Synthetics_httpMonitorFields' - $ref: '#/components/schemas/Synthetics_icmpMonitorFields' - $ref: '#/components/schemas/Synthetics_tcpMonitorFields' required: true responses: '200': content: application/json: examples: postSyntheticMonitorsResponseWithWarning: description: A response when a browser monitor specifies a timeout but has no private locations. summary: Response with warning value: |- { "type": "browser", "name": "Example journey", "enabled": true, "warnings": [ { "id": "monitor-id", "message": "For browser monitors, timeout is only supported on private locations. Browser monitor \"Example journey\" specifies a timeout and is running on public locations: \"public-1, public-2\". The timeout will have no effect on these locations.", "publicLocationIds": ["public-1", "public-2"] } ] } schema: type: object properties: warnings: description: | An optional array of warnings about the monitor configuration. items: $ref: '#/components/schemas/Synthetics_monitorWarning' type: array description: | A successful response. The response may include a `warnings` array when the monitor configuration has non-critical issues. For example, if a browser monitor specifies a timeout but has no private locations configured, a warning is returned indicating the timeout will have no effect. '400': content: application/json: examples: invalidBrowserTimeout: description: A 400 error when a browser monitor timeout is below 30 seconds. summary: Invalid browser timeout value: |- { "statusCode": 400, "error": "Bad Request", "message": "Browser Monitor timeout is invalid", "attributes": { "details": "Invalid timeout 20 seconds supplied. Minimum timeout for browser monitors is 30 seconds." } } schema: type: object properties: attributes: type: object properties: details: example: Invalid timeout 20 seconds supplied. Minimum timeout for browser monitors is 30 seconds. type: string error: example: Bad Request type: string message: example: Browser Monitor timeout is invalid type: string statusCode: example: 400 type: integer description: | Bad request. For browser monitors, a 400 error is returned if the timeout is less than 30 seconds. summary: Create a monitor tags: - synthetics x-metaTags: - content: Kibana name: product_name /api/synthetics/monitors/_bulk_delete: post: description: | **Spaces method and path for this operation:**
post /s/{space_id}/api/synthetics/monitors/_bulk_delete
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Delete multiple monitors by sending a list of config IDs. operationId: delete-synthetic-monitors requestBody: content: application/json: examples: bulkDeleteRequestExample1: description: Run `POST /api/synthetics/monitors/_bulk_delete` to delete a list of monitors. value: |- { "ids": [ "monitor1-id", "monitor2-id" ] } schema: type: object properties: ids: description: An array of monitor IDs to delete. items: type: string type: array required: - ids required: true responses: '200': content: application/json: examples: deleteMonitorsResponseExample1: description: A response from successfully deleting multiple monitors. value: |- [ { "id": "monitor1-id", "deleted": true }, { "id": "monitor2-id", "deleted": true } ] schema: items: description: The API response includes information about the deleted monitors. type: object properties: deleted: description: | If it is `true`, the monitor was successfully deleted If it is `false`, the monitor was not deleted. type: boolean ids: description: The unique identifier of the deleted monitor. type: string type: array description: A successful response. summary: Delete monitors tags: - synthetics x-metaTags: - content: Kibana name: product_name /api/synthetics/monitors/{id}: delete: description: | **Spaces method and path for this operation:**
delete /s/{space_id}/api/synthetics/monitors/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Delete a monitor from the Synthetics app. You must have `all` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges. operationId: delete-synthetic-monitor parameters: - description: The identifier for the monitor that you want to delete. in: path name: id required: true schema: type: string responses: '200': description: OK summary: Delete a monitor tags: - synthetics x-metaTags: - content: Kibana name: product_name get: operationId: get-synthetic-monitor parameters: - description: The ID of the monitor. in: path name: id required: true schema: type: string responses: '200': content: application/json: examples: getSyntheticMonitorResponseExample1: description: A successful response from `GET /api/synthetics/monitors/`. value: |- { "type": "http", "enabled": true, "alert": { "status": { "enabled": true }, "tls": { "enabled": true } }, "schedule": { "number": "3", "unit": "m" }, "config_id": "a8188705-d01e-4bb6-87a1-64fa5e4b07ec", "timeout": "16", "name": "am i something", "locations": [ { "id": "us_central", "label": "North America - US Central", "geo": { "lat": 41.25, "lon": -95.86 }, "isServiceManaged": true } ], "namespace": "default", "origin": "ui", "id": "a8188705-d01e-4bb6-87a1-64fa5e4b07ec", "max_attempts": 2, "__ui": { "is_tls_enabled": false }, "max_redirects": "0", "response.include_body": "on_error", "response.include_headers": true, "check.request.method": "GET", "mode": "any", "response.include_body_max_bytes": "1024", "ipv4": true, "ipv6": true, "ssl.verification_mode": "full", "ssl.supported_protocols": [ "TLSv1.1", "TLSv1.2", "TLSv1.3" ], "revision": 13, "created_at": "2023-11-08T08:45:29.334Z", "updated_at": "2023-12-18T20:31:44.770Z", "url": "https://fast.com" } schema: type: object description: A successful response. '404': description: If the monitor is not found, the API returns a 404 error. summary: Get a monitor tags: - synthetics x-metaTags: - content: Kibana name: product_name description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/synthetics/monitors/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. put: description: | **Spaces method and path for this operation:**
put /s/{space_id}/api/synthetics/monitors/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Update a monitor with the specified attributes. The required and default fields may vary based on the monitor type. You must have `all` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges. You can also partially update a monitor. This will only update the fields that are specified in the request body. All other fields are left unchanged. The specified fields should conform to the monitor type. For example, you can't update the `inline_scipt` field of a HTTP monitor. operationId: put-synthetic-monitor parameters: - description: The identifier for the monitor that you want to update. in: path name: id required: true schema: type: string requestBody: content: application/json: examples: putSyntheticMonitorsRequestExample1: description: Update an HTTP monitor that checks a website's availability. summary: HTTP monitor value: |- { "type": "http", "name": "Website Availability", "url": "https://example.com", "tags": ["website", "availability"], "locations": ["united_kingdom"] } putSyntheticMonitorsRequestExample2: description: Update a TCP monitor that monitors a server's availability. summary: TCP monitor value: |- { "type": "tcp", "name": "Server Availability", "host": "example.com", "private_locations": ["my_private_location"] } putSyntheticMonitorsRequestExample3: description: Update an ICMP monitor that performs ping checks. summary: ICMP monitor value: |- { "type": "icmp", "name": "Ping Test", "host": "example.com", "locations": ["united_kingdom"] } putSyntheticMonitorsRequestExample4: description: Update a browser monitor that checks a website. summary: Browser monitor value: |- { "type": "browser", "name": "Example journey", "inline_script": "step('Go to https://google.com.co', () => page.goto('https://www.google.com'))", "locations": ["united_kingdom"] } schema: description: | The request body should contain the attributes of the monitor you want to update. The required and default fields differ depending on the monitor type. discriminator: propertyName: type oneOf: - $ref: '#/components/schemas/Synthetics_browserMonitorFields' - $ref: '#/components/schemas/Synthetics_httpMonitorFields' - $ref: '#/components/schemas/Synthetics_icmpMonitorFields' - $ref: '#/components/schemas/Synthetics_tcpMonitorFields' type: object required: true responses: '200': content: application/json: examples: putSyntheticMonitorResponseWithWarning: description: A response when a browser monitor specifies a timeout but has no private locations. summary: Response with warning value: |- { "type": "browser", "name": "Example journey", "enabled": true, "warnings": [ { "id": "monitor-id", "message": "For browser monitors, timeout is only supported on private locations. Browser monitor \"Example journey\" specifies a timeout and is running on public locations: \"public-1, public-2\". The timeout will have no effect on these locations.", "publicLocationIds": ["public-1", "public-2"] } ] } schema: type: object properties: warnings: description: | An optional array of warnings about the monitor configuration. items: $ref: '#/components/schemas/Synthetics_monitorWarning' type: array description: | A successful response. The response may include a `warnings` array when the monitor configuration has non-critical issues. '400': description: | Bad request. For browser monitors, a 400 error is returned if the timeout is less than 30 seconds. summary: Update a monitor tags: - synthetics x-metaTags: - content: Kibana name: product_name /api/synthetics/params: get: description: | **Spaces method and path for this operation:**
get /s/{space_id}/api/synthetics/params
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get a list of all parameters. You must have `read` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges. operationId: get-parameters responses: '200': content: application/json: examples: getParametersResponseExample1: description: A successful response for a user with read-only permissions to get a list of parameters. summary: Read access value: |- [ { "id": "param1-id", "key": "param1", "description": "Description for param1", "tags": ["tag1", "tag2"], "namespaces": ["namespace1"] }, { "id": "param2-id", "key": "param2", "description": "Description for param2", "tags": ["tag3"], "namespaces": ["namespace2"] } ] getParametersResponseExample2: description: A successful response for a user with write permissions to get a list of parameters. summary: Write access value: |- [ { "id": "param1-id", "key": "param1", "description": "Description for param1", "tags": ["tag1", "tag2"], "namespaces": ["namespace1"], "value": "value1" }, { "id": "param2-id", "key": "param2", "description": "Description for param2", "tags": ["tag3"], "namespaces": ["namespace2"], "value": "value2" } ] schema: items: $ref: '#/components/schemas/Synthetics_getParameterResponse' type: array description: A successful response. summary: Get parameters tags: - synthetics x-metaTags: - content: Kibana name: product_name post: description: | **Spaces method and path for this operation:**
post /s/{space_id}/api/synthetics/params
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Add one or more parameters to the Synthetics app. You must have `all` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges. operationId: post-parameters requestBody: content: application/json: examples: postParametersRequestExample1: description: Add a single parameter. summary: Single parameter value: |- { "key": "your-key-name", "value": "your-parameter-value", "description": "Param to use in browser monitor", "tags": ["authentication", "security"], "share_across_spaces": true } postParametersRequestExample2: description: Add multiple parameters. summary: Multiple parameters value: |- [ { "key": "param1", "value": "value1" }, { "key": "param2", "value": "value2" } ] schema: oneOf: - items: $ref: '#/components/schemas/Synthetics_parameterRequest' type: array - $ref: '#/components/schemas/Synthetics_parameterRequest' description: The request body can contain either a single parameter object or an array of parameter objects. required: true responses: '200': content: application/json: examples: postParametersResponseExample1: description: A successful response for a single added parameter. summary: Single parameter value: |- { "id": "unique-parameter-id", "key": "your-key-name", "value": "your-param-value", "description": "Param to use in browser monitor", "tags": ["authentication", "security"], "share_across_spaces": true } postParametersResponseExample2: description: A successful response for multiple added parameters. summary: Multiple parameters value: |- [ { "id": "param1-id", "key": "param1", "value": "value1" }, { "id": "param2-id", "key": "param2", "value": "value2" } ] schema: oneOf: - items: $ref: '#/components/schemas/Synthetics_postParameterResponse' type: array - $ref: '#/components/schemas/Synthetics_postParameterResponse' description: A successful response. summary: Add parameters tags: - synthetics x-metaTags: - content: Kibana name: product_name /api/synthetics/params/_bulk_delete: post: description: | **Spaces method and path for this operation:**
post /s/{space_id}/api/synthetics/params/_bulk_delete
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Delete parameters from the Synthetics app. You must have `all` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges. operationId: delete-parameters requestBody: content: application/json: examples: deleteParametersRequestExample1: description: Run `POST /api/synthetics/params/_bulk_delete` to delete multiple parameters. value: |- { "ids": ["param1-id", "param2-id"] } schema: type: object properties: ids: description: An array of parameter IDs to delete. items: type: string type: array required: true responses: '200': content: application/json: examples: deleteParametersResponseExample1: value: |- [ { "id": "param1-id", "deleted": true } ] schema: items: type: object properties: deleted: description: | Indicates whether the parameter was successfully deleted. It is `true` if it was deleted. It is `false` if it was not deleted. type: boolean id: description: The unique identifier for the deleted parameter. type: string type: array description: A successful response. summary: Delete parameters tags: - synthetics x-metaTags: - content: Kibana name: product_name /api/synthetics/params/{id}: delete: description: | **Spaces method and path for this operation:**
delete /s/{space_id}/api/synthetics/params/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Delete a parameter from the Synthetics app. You must have `all` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges. operationId: delete-parameter parameters: - description: The ID for the parameter to delete. in: path name: id required: true schema: type: string responses: '200': description: OK summary: Delete a parameter tags: - synthetics x-metaTags: - content: Kibana name: product_name get: description: | **Spaces method and path for this operation:**
get /s/{space_id}/api/synthetics/params/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get a parameter from the Synthetics app. You must have `read` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges. operationId: get-parameter parameters: - description: The unique identifier for the parameter. in: path name: id required: true schema: type: string responses: '200': content: application/json: examples: getParameterResponseExample1: description: A successful response for a user with read-only permissions to get a single parameter. summary: Read access value: |- { "id": "unique-parameter-id", "key": "your-api-key", "description": "Param to use in browser monitor", "tags": ["authentication", "security"], "namespaces": ["namespace1", "namespace2"] } getParameterResponseExample2: description: A successful response for a user with write permissions to get a single parameter. summary: Write access value: |- { "id": "unique-parameter-id", "key": "your-param-key", "description": "Param to use in browser monitor", "tags": ["authentication", "security"], "namespaces": ["namespace1", "namespace2"], "value": "your-param-value" } schema: $ref: '#/components/schemas/Synthetics_getParameterResponse' description: A successful response. summary: Get a parameter tags: - synthetics x-metaTags: - content: Kibana name: product_name put: description: | **Spaces method and path for this operation:**
put /s/{space_id}/api/synthetics/params/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Update a parameter in the Synthetics app. You must have `all` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges. operationId: put-parameter parameters: - description: The unique identifier for the parameter. in: path name: id required: true schema: type: string requestBody: content: application/json: examples: putParameterRequestExample1: value: |- { "key": "updated_param_key", "value": "updated-param-value", "description": "Updated Param to be used in browser monitor", "tags": ["authentication", "security", "updated"] } schema: type: object properties: description: description: The updated description of the parameter. type: string key: description: The key of the parameter. type: string tags: description: An array of updated tags to categorize the parameter. items: type: string type: array value: description: The updated value associated with the parameter. type: string description: The request body cannot be empty; at least one attribute is required. required: true responses: '200': content: application/json: examples: putParameterResponseExample1: value: |- { "id": "param_id1", "key": "updated_param_key", "value": "updated-param-value", "description": "Updated Param to be used in browser monitor", "tags": ["authentication", "security", "updated"] } schema: type: object description: A successful response. summary: Update a parameter tags: - synthetics x-metaTags: - content: Kibana name: product_name /api/synthetics/private_locations: get: description: | **Spaces method and path for this operation:**
get /s/{space_id}/api/synthetics/private_locations
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get a list of private locations. You must have `read` privileges for the Synthetics and Uptime feature in the Observability section of the Kibana feature privileges. operationId: get-private-locations responses: '200': content: application/json: examples: getPrivateLocationsResponseExample1: value: |- [ { "label": "Test private location", "id": "fleet-server-policy", "agentPolicyId": "fleet-server-policy", "isInvalid": false, "geo": { "lat": 0, "lon": 0 }, "namespace": "default" }, { "label": "Test private location 2", "id": "691225b0-6ced-11ee-8f5a-376306ee85ae", "agentPolicyId": "691225b0-6ced-11ee-8f5a-376306ee85ae", "isInvalid": false, "geo": { "lat": 0, "lon": 0 }, "namespace": "test" } ] schema: items: $ref: '#/components/schemas/Synthetics_getPrivateLocation' type: array description: A successful response. summary: Get private locations tags: - synthetics x-metaTags: - content: Kibana name: product_name post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/synthetics/private_locations
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. You must have `all` privileges for the Synthetics and Uptime feature in the Observability section of the Kibana feature privileges. operationId: post-private-location requestBody: content: application/json: examples: postPrivateLocationRequestExample1: description: Run `POST /api/private_locations` to create a private location. value: |- { "label": "Private Location 1", "agentPolicyId": "abcd1234", "tags": ["private", "testing"], "geo": { "lat": 40.7128, "lon": -74.0060 } "spaces": ["default"] } schema: type: object properties: agentPolicyId: description: The ID of the agent policy associated with the private location. type: string geo: description: Geographic coordinates (WGS84) for the location. type: object properties: lat: description: The latitude of the location. type: number lon: description: The longitude of the location. type: number required: - lat - lon label: description: A label for the private location. type: string spaces: description: | An array of space IDs where the private location is available. If it is not provided, the private location is available in all spaces. items: type: string type: array tags: description: An array of tags to categorize the private location. items: type: string type: array required: - agentPolicyId - label required: true responses: '200': content: application/json: examples: postPrivateLocationResponseExample1: value: |- { "id": "abcd1234", "label": "Private Location 1", "agentPolicyId": "abcd1234", "tags": ["private", "testing"], "geo": { "lat": 40.7128, "lon": -74.0060 } } schema: type: object description: A successful response. '400': description: If the `agentPolicyId` is already used by an existing private location or if the `label` already exists, the API will return a 400 Bad Request response with a corresponding error message. summary: Create a private location tags: - synthetics x-metaTags: - content: Kibana name: product_name /api/synthetics/private_locations/{id}: delete: description: | **Spaces method and path for this operation:**
delete /s/{space_id}/api/synthetics/private_locations/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. You must have `all` privileges for the Synthetics and Uptime feature in the Observability section of the Kibana feature privileges. The API does not return a response body for deletion, but it will return an appropriate status code upon successful deletion. A location cannot be deleted if it has associated monitors in use. You must delete all monitors associated with the location before deleting the location. operationId: delete-private-location parameters: - description: The unique identifier of the private location to be deleted. in: path name: id required: true schema: maxLength: 1024 minLength: 1 type: string responses: '200': description: OK summary: Delete a private location tags: - synthetics x-metaTags: - content: Kibana name: product_name get: description: | **Spaces method and path for this operation:**
get /s/{space_id}/api/synthetics/private_locations/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. You must have `read` privileges for the Synthetics and Uptime feature in the Observability section of the Kibana feature privileges. operationId: get-private-location parameters: - description: A private location identifier or label. in: path name: id required: true schema: type: string responses: '200': content: application/json: examples: getPrivateLocationResponseExample1: value: |- { "label": "Test private location", "id": "test-private-location-id", "agentPolicyId": "test-private-location-id", "isServiceManaged": false, "isInvalid": false, "geo": { "lat": 0, "lon": 0 }, "namespace": "default" } schema: $ref: '#/components/schemas/Synthetics_getPrivateLocation' description: A successful response. summary: Get a private location tags: - synthetics x-metaTags: - content: Kibana name: product_name put: description: | **Spaces method and path for this operation:**
put /s/{space_id}/api/synthetics/private_locations/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Update an existing private location's label. You must have `all` privileges for the Synthetics and Uptime feature in the Observability section of the Kibana feature privileges. When a private location's label is updated, all monitors using this location will also be updated to maintain data consistency. operationId: put-private-location parameters: - description: The unique identifier of the private location to be updated. in: path name: id required: true schema: type: string requestBody: content: application/json: examples: putPrivateLocationRequestExample1: description: Update a private location's label. value: |- { "label": "Updated Private Location Name" } schema: type: object properties: label: description: A new label for the private location. Must be at least 1 character long. minLength: 1 type: string required: - label required: true responses: '200': content: application/json: examples: putPrivateLocationResponseExample1: value: |- { "label": "Updated Private Location Name", "id": "test-private-location-id", "agentPolicyId": "test-private-location-id", "isServiceManaged": false, "isInvalid": false, "tags": ["private", "testing", "updated"], "geo": { "lat": 37.7749, "lon": -122.4194 }, "spaces": ["*"] } schema: $ref: '#/components/schemas/Synthetics_getPrivateLocation' description: A successful response. '400': description: If the `label` is shorter than 1 character the API will return a 400 Bad Request response with a corresponding error message. '404': description: If the private location with the specified ID does not exist, the API will return a 404 Not Found response. summary: Update a private location tags: - synthetics x-metaTags: - content: Kibana name: product_name /api/task_manager/_health: get: description: | Get the health status of the Kibana task manager. operationId: task-manager-health responses: '200': content: application/json: examples: taskManagerHealthResponse1: $ref: '#/components/examples/Task_manager_health_APIs_health_200response' schema: $ref: '#/components/schemas/Task_manager_health_APIs_health_response' description: Indicates a successful call summary: Get the task manager health tags: - task manager x-metaTags: - content: Kibana name: product_name /api/timeline: delete: description: |- **Spaces method and path for this operation:**
delete /s/{space_id}/api/timeline
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Delete one or more Timelines or Timeline templates. operationId: DeleteTimelines requestBody: content: application/json: schema: type: object properties: savedObjectIds: description: The list of IDs of the Timelines or Timeline templates to delete example: - 15c1929b-0af7-42bd-85a8-56e234cc7c4e items: type: string maxItems: 100 type: array searchIds: description: Saved search IDs that should be deleted alongside the timelines example: - 23f3-43g34g322-e5g5hrh6h-45454 - 6ce1b592-84e3-4b4a-9552-f189d4b82075 items: type: string maxItems: 100 type: array required: - savedObjectIds description: The IDs of the Timelines or Timeline templates to delete. required: true responses: '200': description: Indicates the Timeline was successfully deleted. summary: Delete Timelines or Timeline templates tags: - Security Timeline API x-metaTags: - content: Kibana name: product_name get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/timeline
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get the details of an existing saved Timeline or Timeline template. operationId: GetTimeline parameters: - description: The `savedObjectId` of the template timeline to retrieve in: query name: template_timeline_id schema: type: string - description: The `savedObjectId` of the Timeline to retrieve. in: query name: id schema: type: string responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' description: Indicates that the (template) Timeline was found and returned. summary: Get Timeline or Timeline template details tags: - Security Timeline API x-metaTags: - content: Kibana name: product_name patch: description: |- **Spaces method and path for this operation:**
patch /s/{space_id}/api/timeline
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Update an existing Timeline. You can update the title, description, date range, pinned events, pinned queries, and/or pinned saved queries of an existing Timeline. operationId: PatchTimeline requestBody: content: application/json: schema: type: object properties: timeline: $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' description: The timeline object of the Timeline or Timeline template that you’re updating. timelineId: description: The `savedObjectId` of the Timeline or Timeline template that you’re updating. example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e nullable: true type: string version: description: The version of the Timeline or Timeline template that you’re updating. example: WzE0LDFd nullable: true type: string required: - timelineId - version - timeline description: The Timeline updates, along with the Timeline ID and version. required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' description: Indicates that the Timeline was successfully updated. '405': content: application/json: schema: type: object properties: body: description: The error message example: update timeline error type: string statusCode: example: 405 type: number description: Indicates that the user does not have the required access to create a Timeline. summary: Update a Timeline tags: - Security Timeline API x-metaTags: - content: Kibana name: product_name post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/timeline
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Create a new Timeline or Timeline template. operationId: CreateTimelines requestBody: content: application/json: schema: type: object properties: status: $ref: '#/components/schemas/Security_Timeline_API_TimelineStatus' nullable: true templateTimelineId: description: A unique identifier for the Timeline template. example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 nullable: true type: string templateTimelineVersion: description: Timeline template version number. example: 12 nullable: true type: number timeline: $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' timelineId: description: A unique identifier for the Timeline. example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 nullable: true type: string timelineType: $ref: '#/components/schemas/Security_Timeline_API_TimelineType' nullable: true version: nullable: true type: string required: - timeline description: The required Timeline fields used to create a new Timeline, along with optional fields that will be created if not provided. required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' description: Indicates the Timeline was successfully created. '405': content: application/json: schema: type: object properties: body: description: The error message example: update timeline error type: string statusCode: example: 405 type: number description: Indicates that there was an error in the Timeline creation. summary: Create a Timeline or Timeline template tags: - Security Timeline API x-metaTags: - content: Kibana name: product_name /api/timeline/_copy: get: description: | **Spaces method and path for this operation:**
get /s/{space_id}/api/timeline/_copy
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Copies and returns a timeline or timeline template. operationId: CopyTimeline requestBody: content: application/json: schema: type: object properties: timeline: $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' timelineIdToCopy: type: string required: - timeline - timelineIdToCopy required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' description: Indicates that the timeline has been successfully copied. summary: Copies timeline or timeline template tags: - Security Timeline API x-metaTags: - content: Kibana name: product_name /api/timeline/_draft: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/timeline/_draft
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get the details of the draft Timeline or Timeline template for the current user. If the user doesn't have a draft Timeline, an empty Timeline is returned. operationId: GetDraftTimelines parameters: - in: query name: timelineType required: true schema: $ref: '#/components/schemas/Security_Timeline_API_TimelineType' responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' description: Indicates that the draft Timeline was successfully retrieved. '403': content: application/json: schema: type: object properties: message: type: string status_code: type: number description: If a draft Timeline was not found and we attempted to create one, it indicates that the user does not have the required permissions to create a draft Timeline. '409': content: application/json: schema: type: object properties: message: type: string status_code: type: number description: This should never happen, but if a draft Timeline was not found and we attempted to create one, it indicates that there is already a draft Timeline with the given `timelineId`. summary: Get draft Timeline or Timeline template details tags: - Security Timeline API x-metaTags: - content: Kibana name: product_name post: description: | **Spaces method and path for this operation:**
post /s/{space_id}/api/timeline/_draft
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Create a clean draft Timeline or Timeline template for the current user. > info > If the user already has a draft Timeline, the existing draft Timeline is cleared and returned. operationId: CleanDraftTimelines requestBody: content: application/json: schema: type: object properties: timelineType: $ref: '#/components/schemas/Security_Timeline_API_TimelineType' required: - timelineType description: The type of Timeline to create. Valid values are `default` and `template`. required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' description: Indicates that the draft Timeline was successfully created. In the event the user already has a draft Timeline, the existing draft Timeline is cleared and returned. '403': content: application/json: schema: type: object properties: message: type: string status_code: type: number description: Indicates that the user does not have the required permissions to create a draft Timeline. '409': content: application/json: schema: type: object properties: message: type: string status_code: type: number description: Indicates that there is already a draft Timeline with the given `timelineId`. summary: Create a clean draft Timeline or Timeline template tags: - Security Timeline API x-metaTags: - content: Kibana name: product_name /api/timeline/_export: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/timeline/_export
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Export Timelines as an NDJSON file. operationId: ExportTimelines parameters: - description: The name of the file to export in: query name: file_name required: true schema: type: string requestBody: content: application/json: schema: type: object properties: ids: items: type: string maxItems: 1000 minItems: 1 nullable: true type: array description: The IDs of the Timelines to export. required: true responses: '200': content: application/ndjson: schema: description: NDJSON of the exported Timelines type: string description: Indicates the Timelines were successfully exported. '400': content: application/ndjson: schema: type: object properties: body: type: string statusCode: type: number description: Indicates that the export size limit was exceeded. summary: Export Timelines tags: - Security Timeline API x-metaTags: - content: Kibana name: product_name /api/timeline/_favorite: patch: description: |- **Spaces method and path for this operation:**
patch /s/{space_id}/api/timeline/_favorite
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Favorite a Timeline or Timeline template for the current user. operationId: PersistFavoriteRoute requestBody: content: application/json: schema: type: object properties: templateTimelineId: nullable: true type: string templateTimelineVersion: nullable: true type: number timelineId: nullable: true type: string timelineType: $ref: '#/components/schemas/Security_Timeline_API_TimelineType' nullable: true required: - timelineId - templateTimelineId - templateTimelineVersion - timelineType description: The required fields used to favorite a (template) Timeline. required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Timeline_API_FavoriteTimelineResponse' description: Indicates the favorite status was successfully updated. '403': content: application/json: schema: type: object properties: body: type: string statusCode: type: number description: Indicates the user does not have the required permissions to persist the favorite status. summary: Favorite a Timeline or Timeline template tags: - Security Timeline API x-metaTags: - content: Kibana name: product_name /api/timeline/_import: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/timeline/_import
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Import Timelines. operationId: ImportTimelines requestBody: content: application/json: schema: type: object properties: file: {} isImmutable: description: Whether the Timeline should be immutable enum: - 'true' - 'false' type: string required: - file description: The Timelines to import as a readable stream. required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Timeline_API_ImportTimelineResult' description: Indicates the import of Timelines was successful. '400': content: application/json: schema: type: object properties: body: description: The error message example: Invalid file extension type: string statusCode: example: 400 type: number description: Indicates the import of Timelines was unsuccessful because of an invalid file extension. '404': content: application/json: schema: type: object properties: body: description: The error message example: Unable to find saved object client type: string statusCode: example: 404 type: number description: Indicates that we were unable to locate the saved object client necessary to handle the import. '409': content: application/json: schema: type: object properties: body: description: The error message example: Could not import timelines type: string statusCode: example: 409 type: number description: Indicates the import of Timelines was unsuccessful. summary: Import Timelines tags: - Security Timeline API x-metaTags: - content: Kibana name: product_name /api/timeline/_prepackaged: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/timeline/_prepackaged
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Install or update prepackaged Timelines. operationId: InstallPrepackedTimelines requestBody: content: application/json: schema: type: object properties: prepackagedTimelines: items: $ref: '#/components/schemas/Security_Timeline_API_TimelineSavedToReturnObject' nullable: true type: array timelinesToInstall: items: $ref: '#/components/schemas/Security_Timeline_API_ImportTimelines' nullable: true type: array timelinesToUpdate: items: $ref: '#/components/schemas/Security_Timeline_API_ImportTimelines' nullable: true type: array required: - timelinesToInstall - timelinesToUpdate - prepackagedTimelines description: The Timelines to install or update. required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Timeline_API_ImportTimelineResult' description: Indicates the installation of prepackaged Timelines was successful. '500': content: application/json: schema: type: object properties: body: type: string statusCode: type: number description: Indicates the installation of prepackaged Timelines was unsuccessful. summary: Install prepackaged Timelines tags: - Security Timeline API x-metaTags: - content: Kibana name: product_name /api/timeline/resolve: get: operationId: ResolveTimeline parameters: - description: The ID of the template timeline to resolve in: query name: template_timeline_id schema: type: string - description: The ID of the timeline to resolve in: query name: id schema: type: string responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Timeline_API_ResolvedTimeline' description: The (template) Timeline has been found '400': description: The request is missing parameters '404': description: The (template) Timeline was not found summary: Get an existing saved Timeline or Timeline template tags: - Security Timeline API x-metaTags: - content: Kibana name: product_name description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/timeline/resolve
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. /api/timelines: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/timelines
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Get a list of all saved Timelines or Timeline templates. operationId: GetTimelines parameters: - description: If true, only timelines that are marked as favorites by the user are returned. in: query name: only_user_favorite schema: enum: - 'true' - 'false' nullable: true type: string - in: query name: timeline_type schema: $ref: '#/components/schemas/Security_Timeline_API_TimelineType' nullable: true - in: query name: sort_field schema: $ref: '#/components/schemas/Security_Timeline_API_SortFieldTimeline' - description: Whether to sort the results `ascending` or `descending` in: query name: sort_order schema: enum: - asc - desc type: string - description: How many results should returned at once in: query name: page_size schema: nullable: true type: string - description: How many pages should be skipped in: query name: page_index schema: nullable: true type: string - description: Allows to search for timelines by their title in: query name: search schema: nullable: true type: string - in: query name: status schema: $ref: '#/components/schemas/Security_Timeline_API_TimelineStatus' nullable: true responses: '200': content: application/json: schema: type: object properties: customTemplateTimelineCount: description: The amount of custom Timeline templates in the results example: 2 type: number defaultTimelineCount: description: The amount of `default` type Timelines in the results example: 90 type: number elasticTemplateTimelineCount: description: The amount of Elastic's Timeline templates in the results example: 8 type: number favoriteCount: description: The amount of favorited Timelines example: 5 type: number templateTimelineCount: description: The amount of Timeline templates in the results example: 10 type: number timeline: items: $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' type: array totalCount: description: The total amount of results example: 100 type: number required: - timeline - totalCount description: Indicates that the (template) Timelines were found and returned. '400': content: application/json: schema: type: object properties: body: description: The error message example: get timeline error type: string statusCode: example: 405 type: number description: Bad request. The user supplied invalid data. summary: Get Timelines or Timeline templates tags: - Security Timeline API x-metaTags: - content: Kibana name: product_name /api/upgrade_assistant/status: get: description: Check the status of your cluster. operationId: get-upgrade-status responses: '200': content: application/json: examples: getUpgradeStatusResponseExample1: value: |- { "readyForUpgrade": false, "cluster": [ { "message": "Cluster deprecated issue", "details":"You have 2 system indices that must be migrated and 5 Elasticsearch deprecation issues and 0 Kibana deprecation issues that must be resolved before upgrading." } ] } description: Indicates a successful call. summary: Get the upgrade readiness status tags: - upgrade x-state: Technical Preview x-metaTags: - content: Kibana name: product_name /api/uptime/settings: get: description: | **Spaces method and path for this operation:**
get /s/{space_id}/api/uptime/settings
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. You must have `read` privileges for the uptime feature in the Observability section of the Kibana feature privileges. operationId: get-uptime-settings responses: '200': content: application/json: examples: getUptimeSettingsResponseExample1: value: |- { "heartbeatIndices": "heartbeat-8*", "certExpirationThreshold": 30, "certAgeThreshold": 730, "defaultConnectors": [ "08990f40-09c5-11ee-97ae-912b222b13d4", "db25f830-2318-11ee-9391-6b0c030836d6" ], "defaultEmail": { "to": [], "cc": [], "bcc": [] } } schema: type: object description: Indicates a successful call summary: Get uptime settings tags: - uptime x-metaTags: - content: Kibana name: product_name put: description: | **Spaces method and path for this operation:**
put /s/{space_id}/api/uptime/settings
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Update uptime setting attributes like `heartbeatIndices`, `certExpirationThreshold`, `certAgeThreshold`, `defaultConnectors`, or `defaultEmail`. You must have `all` privileges for the uptime feature in the Observability section of the Kibana feature privileges. A partial update is supported, provided settings keys will be merged with existing settings. operationId: put-uptime-settings requestBody: content: application/json: examples: putUptimeSettingsRequestExample1: description: Run `PUT api/uptime/settings` to update multiple Uptime settings. summary: Update multiple settings value: |- { "heartbeatIndices": "heartbeat-8*", "certExpirationThreshold": 30, "certAgeThreshold": 730, "defaultConnectors": [ "08990f40-09c5-11ee-97ae-912b222b13d4", "db25f830-2318-11ee-9391-6b0c030836d6" ], "defaultEmail": { "to": [], "cc": [], "bcc": [] } } putUptimeSettingsRequestExample2: description: Run `PUT api/uptime/settings` to update a single Uptime setting. summary: Update a setting value: |- { "heartbeatIndices": "heartbeat-8*", } schema: type: object properties: certAgeThreshold: default: 730 description: The number of days after a certificate is created to trigger an alert. type: number certExpirationThreshold: default: 30 description: The number of days before a certificate expires to trigger an alert. type: number defaultConnectors: default: [] description: A list of connector IDs to be used as default connectors for new alerts. type: array defaultEmail: description: | The default email configuration for new alerts. type: object properties: bcc: default: [] items: type: string type: array cc: default: [] items: type: string type: array to: default: [] items: type: string type: array heartbeatIndices: default: heartbeat-* description: | An index pattern string to be used within the Uptime app and alerts to query Heartbeat data. type: string responses: '200': content: application/json: examples: putUptimeSettingsResponseExample1: description: A successful response from `PUT api/uptime/settings`. value: |- { "heartbeatIndices": "heartbeat-8*", "certExpirationThreshold": 30, "certAgeThreshold": 730, "defaultConnectors": [ "08990f40-09c5-11ee-97ae-912b222b13d4", "db25f830-2318-11ee-9391-6b0c030836d6" ], "defaultEmail": { "to": [], "cc": [], "bcc": [] } } schema: type: object description: Indicates a successful call summary: Update uptime settings tags: - uptime x-metaTags: - content: Kibana name: product_name /api/visualizations: get: tags: - Visualizations summary: Get visualizations operationId: get-visualizations-redirect description: | > **Technical preview** — The Visualizations API is currently in technical preview and its full reference documentation is temporarily hosted at a separate location. > > **[View the full Visualizations API reference →](https://elastic.github.io/dashboards-api-spec/visualizations#tag/Visualizations)** responses: '200': description: See the full Visualizations API reference for detailed response schemas. post: tags: - Visualizations summary: Create a visualization operationId: create-visualization-redirect description: | > **Technical preview** — The Visualizations API is currently in technical preview and its full reference documentation is temporarily hosted at a separate location. > > **[View the full Visualizations API reference →](https://elastic.github.io/dashboards-api-spec/visualizations#tag/Visualizations)** responses: '200': description: See the full Visualizations API reference for detailed response schemas. /api/visualizations/{id}: get: tags: - Visualizations summary: Get a visualization operationId: get-visualization-redirect description: | > **Technical preview** — The Visualizations API is currently in technical preview and its full reference documentation is temporarily hosted at a separate location. > > **[View the full Visualizations API reference →](https://elastic.github.io/dashboards-api-spec/visualizations#tag/Visualizations)** responses: '200': description: See the full Visualizations API reference for detailed response schemas. put: tags: - Visualizations summary: Update a visualization operationId: update-visualization-redirect description: | > **Technical preview** — The Visualizations API is currently in technical preview and its full reference documentation is temporarily hosted at a separate location. > > **[View the full Visualizations API reference →](https://elastic.github.io/dashboards-api-spec/visualizations#tag/Visualizations)** responses: '200': description: See the full Visualizations API reference for detailed response schemas. delete: tags: - Visualizations summary: Delete a visualization operationId: delete-visualization-redirect description: | > **Technical preview** — The Visualizations API is currently in technical preview and its full reference documentation is temporarily hosted at a separate location. > > **[View the full Visualizations API reference →](https://elastic.github.io/dashboards-api-spec/visualizations#tag/Visualizations)** responses: '200': description: See the full Visualizations API reference for detailed response schemas. /api/workflows: delete: description: |- **Spaces method and path for this operation:**
delete /s/{space_id}/api/workflows
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Delete multiple workflows by their IDs.

[Required authorization] Route required privileges: workflowsManagement:delete. operationId: delete-workflows parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: When true, permanently deletes the workflows (hard delete) instead of soft-deleting them. The workflow IDs become available for reuse. in: query name: force required: false schema: default: false type: boolean requestBody: content: application/json: examples: bulkDeleteWorkflowsRequestExample: description: Example request for deleting multiple workflows value: ids: - workflow-c3d4e5f6-a7b8-9012-cdef-234567890123 - workflow-d4e5f6a7-b8c9-0123-defa-345678901234 schema: additionalProperties: false type: object properties: ids: description: Array of workflow IDs to delete. items: description: Workflow ID to delete. type: string maxItems: 1000 type: array required: - ids responses: '200': content: application/json: examples: bulkDeleteWorkflowsResponseExample: description: Example response after deleting multiple workflows value: deleted: 2 failures: [] total: 2 description: Indicates a successful response summary: Bulk delete workflows tags: - workflows x-codeSamples: - label: Soft delete (default) lang: curl source: | curl \ -X DELETE "${KIBANA_URL}/api/workflows" \ -H "Authorization: ApiKey ${API_KEY}" \ -H "kbn-xsrf: true" \ -H "Content-Type: application/json" \ -d '{ "ids": ["workflow-c3d4e5f6-a7b8-9012-cdef-234567890123", "workflow-d4e5f6a7-b8c9-0123-defa-345678901234"] }' - label: Hard delete (permanent) lang: curl source: | curl \ -X DELETE "${KIBANA_URL}/api/workflows?force=true" \ -H "Authorization: ApiKey ${API_KEY}" \ -H "kbn-xsrf: true" \ -H "Content-Type: application/json" \ -d '{ "ids": ["workflow-c3d4e5f6-a7b8-9012-cdef-234567890123", "workflow-d4e5f6a7-b8c9-0123-defa-345678901234"] }' - lang: Console source: | DELETE kbn://api/workflows { "ids": ["workflow-c3d4e5f6-a7b8-9012-cdef-234567890123", "workflow-d4e5f6a7-b8c9-0123-defa-345678901234"] } x-state: Generally available; added in 9.4.0 x-metaTags: - content: Kibana name: product_name get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/workflows
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Retrieve a paginated list of workflows with optional filtering.

[Required authorization] Route required privileges: workflowsManagement:read OR workflowsManagement:readExecution. operationId: get-workflows parameters: - description: Free-text search query. in: query name: query required: false schema: type: string - description: Number of results per page. in: query name: size required: false schema: minimum: 1 type: number - description: Page number. in: query name: page required: false schema: minimum: 1 type: number - description: Filter by enabled state. in: query name: enabled required: false schema: items: type: boolean maxItems: 2 type: array - description: Filter by creator. in: query name: createdBy required: false schema: items: type: string maxItems: 1000 type: array - description: Filter by tags. in: query name: tags required: false schema: items: type: string maxItems: 1000 type: array responses: '200': content: application/json: examples: getWorkflowsResponseExample: description: Example response returning a paginated list of workflows value: page: 1 results: - createdAt: '2025-11-20T10:30:00.000Z' definition: description: This is a workflow example enabled: true inputs: - default: hello world name: message type: string name: Example definition steps: - name: hello_world_step type: console with: message: '{{ inputs.message }}' triggers: - type: manual description: This is a workflow example enabled: true history: - duration: 5000 finishedAt: '2025-11-20T12:00:05.000Z' id: exec-001 startedAt: '2025-11-20T12:00:00.000Z' status: completed workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 workflowName: Example definition id: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 name: Example definition tags: - example valid: true size: 20 total: 1 description: Indicates a successful response summary: Get workflows tags: - workflows x-codeSamples: - lang: curl source: | curl \ -X GET "${KIBANA_URL}/api/workflows?size=20&page=1" \ -H "Authorization: ApiKey ${API_KEY}" - lang: Console source: | GET kbn://api/workflows?size=20&page=1 x-state: Generally available; added in 9.4.0 x-metaTags: - content: Kibana name: product_name post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/workflows
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Create multiple workflows in a single request. Optionally overwrite existing workflows.

[Required authorization] Route required privileges: workflowsManagement:create AND workflowsManagement:update. operationId: post-workflows parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: Whether to overwrite existing workflows. in: query name: overwrite required: false schema: default: false type: boolean requestBody: content: application/json: examples: bulkCreateWorkflowsRequestExample: description: Example request for creating multiple workflows at once value: workflows: - yaml: | name: Example definition enabled: true description: This is a workflow example triggers: - type: manual inputs: - name: message type: string default: "hello world" steps: - name: hello_world_step type: console with: message: "{{ inputs.message }}" - id: workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901 yaml: | name: Second workflow enabled: false description: Another workflow triggers: - type: manual steps: - name: log_step type: console with: message: "Hello from second workflow" schema: additionalProperties: false type: object properties: workflows: items: type: object properties: id: maxLength: 255 minLength: 3 pattern: ^[a-z0-9]([a-z0-9-]*[a-z0-9])?$ type: string yaml: maxLength: 1048576 type: string required: - yaml maxItems: 500 type: array required: - workflows responses: '200': content: application/json: examples: bulkCreateWorkflowsResponseExample: description: Example response after creating multiple workflows value: created: - id: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 name: Example definition - id: workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901 name: Second workflow failures: [] total: 2 description: Indicates a successful response summary: Bulk create workflows tags: - workflows x-codeSamples: - lang: curl source: | curl \ -X POST "${KIBANA_URL}/api/workflows?overwrite=false" \ -H "Authorization: ApiKey ${API_KEY}" \ -H "kbn-xsrf: true" \ -H "Content-Type: application/json" \ -d '{ "workflows": [ { "yaml": "name: Example definition\nenabled: true\ndescription: This is a workflow example\ntriggers:\n - type: manual\ninputs:\n - name: message\n type: string\n default: \"hello world\"\nsteps:\n - name: hello_world_step\n type: console\n with:\n message: \"{{ inputs.message }}\"\n" }, { "id": "workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901", "yaml": "name: Second workflow\nenabled: false\ndescription: Another workflow\ntriggers:\n - type: manual\nsteps:\n - name: log_step\n type: console\n with:\n message: \"Hello from second workflow\"\n" } ] }' - lang: Console source: | POST kbn://api/workflows?overwrite=false { "workflows": [ { "yaml": "name: Example definition\nenabled: true\ndescription: This is a workflow example\ntriggers:\n - type: manual\ninputs:\n - name: message\n type: string\n default: \"hello world\"\nsteps:\n - name: hello_world_step\n type: console\n with:\n message: \"{{ inputs.message }}\"\n" }, { "id": "workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901", "yaml": "name: Second workflow\nenabled: false\ndescription: Another workflow\ntriggers:\n - type: manual\nsteps:\n - name: log_step\n type: console\n with:\n message: \"Hello from second workflow\"\n" } ] } x-state: Generally available; added in 9.4.0 x-metaTags: - content: Kibana name: product_name /api/workflows/aggs: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/workflows/aggs
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Retrieve distinct values and their counts for the specified workflow fields. Useful for building filters such as lists of tags or creators.

[Required authorization] Route required privileges: workflowsManagement:read. operationId: get-workflows-aggs parameters: - description: Field or fields to aggregate on. in: query name: fields required: true schema: description: Fields to aggregate on. items: description: Field name to aggregate. type: string maxItems: 25 type: array responses: '200': content: application/json: examples: getAggsResponseExample: description: Example response with tag and createdBy aggregations value: createdBy: - doc_count: 2 key: elastic tags: - doc_count: 1 key: reporting - doc_count: 1 key: security - doc_count: 1 key: triage description: Indicates a successful response summary: Get workflow aggregations tags: - workflows x-codeSamples: - lang: curl source: | curl \ -X GET "${KIBANA_URL}/api/workflows/aggs?fields=tags&fields=createdBy" \ -H "Authorization: ApiKey ${API_KEY}" - lang: Console source: | GET kbn://api/workflows/aggs?fields=tags&fields=createdBy x-state: Generally available; added in 9.4.0 x-metaTags: - content: Kibana name: product_name /api/workflows/connectors: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/workflows/connectors
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Retrieve the Kibana action connectors that can be used in workflow steps, grouped by connector type. Each type includes its configured instances and availability status.

[Required authorization] Route required privileges: workflowsManagement:read. operationId: get-workflows-connectors parameters: [] responses: '200': content: application/json: examples: getConnectorsResponseExample: description: Example response with available connector types and their instances value: connectorTypes: .email: actionTypeId: .email displayName: Email enabled: true enabledInConfig: true enabledInLicense: true instances: [] minimumLicenseRequired: gold subActions: - displayName: Send name: send .slack_api: actionTypeId: .slack_api displayName: Slack enabled: true enabledInConfig: true enabledInLicense: true instances: - id: slack-connector-1 isDeprecated: false isPreconfigured: false name: Team Notifications minimumLicenseRequired: gold subActions: - displayName: Post Message name: postMessage totalConnectors: 1 description: Indicates a successful response summary: Get available connectors tags: - workflows x-codeSamples: - lang: curl source: | curl \ -X GET "${KIBANA_URL}/api/workflows/connectors" \ -H "Authorization: ApiKey ${API_KEY}" - lang: Console source: | GET kbn://api/workflows/connectors x-state: Generally available; added in 9.4.0 x-metaTags: - content: Kibana name: product_name /api/workflows/executions/{executionId}: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/workflows/executions/{executionId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Retrieve details of a single workflow execution by its ID.

[Required authorization] Route required privileges: workflowsManagement:readExecution. operationId: get-workflows-executions-executionid parameters: - description: Workflow execution ID in: path name: executionId required: true schema: type: string - description: Include execution input data. in: query name: includeInput required: false schema: default: false type: boolean - description: Include execution output data. in: query name: includeOutput required: false schema: default: false type: boolean responses: '200': content: application/json: examples: getExecutionResponseExample: description: Example response returning a workflow execution with step details value: duration: 3000 executedBy: elastic finishedAt: '2025-11-20T12:00:03.000Z' id: exec-a1b2c3d4-e5f6-7890 input: message: hello world isTestRun: false output: hello world spaceId: default startedAt: '2025-11-20T12:00:00.000Z' status: completed stepExecutions: - executionTimeMs: 1000 finishedAt: '2025-11-20T12:00:02.000Z' globalExecutionIndex: 0 id: step-exec-001 isTestRun: false scopeStack: [] spaceId: default startedAt: '2025-11-20T12:00:01.000Z' status: completed stepExecutionIndex: 0 stepId: hello_world_step stepType: console topologicalIndex: 0 workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 workflowRunId: exec-a1b2c3d4-e5f6-7890 triggeredBy: manual workflowDefinition: description: This is a workflow example enabled: true inputs: - default: hello world name: message type: string name: Example definition steps: - name: hello_world_step type: console with: message: '{{ inputs.message }}' triggers: - type: manual workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 yaml: | name: Example definition enabled: true description: This is a workflow example triggers: - type: manual inputs: - name: message type: string default: "hello world" steps: - name: hello_world_step type: console with: message: "{{ inputs.message }}" description: Indicates a successful response summary: Get a workflow execution tags: - workflows x-codeSamples: - lang: curl source: | curl \ -X GET "${KIBANA_URL}/api/workflows/executions/{executionId}?includeInput=true&includeOutput=true" \ -H "Authorization: ApiKey ${API_KEY}" - lang: Console source: | GET kbn://api/workflows/executions/{executionId}?includeInput=true&includeOutput=true x-state: Generally available; added in 9.4.0 x-metaTags: - content: Kibana name: product_name /api/workflows/executions/{executionId}/cancel: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/workflows/executions/{executionId}/cancel
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Cancel a running workflow execution by its ID.

[Required authorization] Route required privileges: workflowsManagement:cancelExecution. operationId: post-workflows-executions-executionid-cancel parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: Workflow execution ID in: path name: executionId required: true schema: type: string responses: '200': description: Indicates a successful response summary: Cancel a workflow execution tags: - workflows x-codeSamples: - lang: curl source: | curl \ -X POST "${KIBANA_URL}/api/workflows/executions/{executionId}/cancel" \ -H "Authorization: ApiKey ${API_KEY}" \ -H "kbn-xsrf: true" - lang: Console source: | POST kbn://api/workflows/executions/{executionId}/cancel x-state: Generally available; added in 9.4.0 x-metaTags: - content: Kibana name: product_name /api/workflows/executions/{executionId}/children: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/workflows/executions/{executionId}/children
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Retrieve child workflow executions spawned by sub-workflow steps within a parent execution.

[Required authorization] Route required privileges: workflowsManagement:readExecution. operationId: get-workflows-executions-executionid-children parameters: - description: Workflow execution ID in: path name: executionId required: true schema: type: string responses: '200': content: application/json: examples: getChildrenExecutionsResponseExample: description: Example response returning child workflow executions spawned by sub-workflow steps value: - executionId: child-exec-001 parentStepExecutionId: step-exec-003 status: completed stepExecutions: - executionTimeMs: 1000 finishedAt: '2025-11-20T12:00:07.000Z' globalExecutionIndex: 0 id: child-step-001 isTestRun: false scopeStack: [] startedAt: '2025-11-20T12:00:06.000Z' status: completed stepExecutionIndex: 0 stepId: hello_world_step stepType: console topologicalIndex: 0 workflowId: workflow-e5f6a7b8-c9d0-1234-efab-456789012345 workflowRunId: child-exec-001 workflowId: workflow-e5f6a7b8-c9d0-1234-efab-456789012345 workflowName: Child Workflow description: Indicates a successful response summary: Get child executions tags: - workflows x-codeSamples: - lang: curl source: | curl \ -X GET "${KIBANA_URL}/api/workflows/executions/{executionId}/children" \ -H "Authorization: ApiKey ${API_KEY}" - lang: Console source: | GET kbn://api/workflows/executions/{executionId}/children x-state: Generally available; added in 9.4.0 x-metaTags: - content: Kibana name: product_name /api/workflows/executions/{executionId}/logs: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/workflows/executions/{executionId}/logs
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Retrieve paginated logs for a workflow execution. Optionally filter by a specific step execution.

[Required authorization] Route required privileges: workflowsManagement:readExecution. operationId: get-workflows-executions-executionid-logs parameters: - description: Workflow execution ID in: path name: executionId required: true schema: type: string - description: Filter logs by a specific step execution ID. in: query name: stepExecutionId required: false schema: type: string - description: Number of log entries per page. in: query name: size required: false schema: default: 100 maximum: 100 minimum: 1 type: number - description: Page number. in: query name: page required: false schema: default: 1 minimum: 1 type: number - description: Field to sort by. in: query name: sortField required: false schema: type: string - description: Sort order. in: query name: sortOrder required: false schema: enum: - asc - desc type: string responses: '200': content: application/json: examples: getExecutionLogsResponseExample: description: Example response returning paginated execution logs value: logs: - additionalData: executionId: exec-a1b2c3d4-e5f6-7890 workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 connectorType: console duration: 150 id: log-001 level: info message: Workflow execution started stepId: hello_world_step stepName: Hello World timestamp: '2025-11-20T12:00:01.000Z' - additionalData: executionId: exec-a1b2c3d4-e5f6-7890 workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 connectorType: console duration: 200 id: log-002 level: info message: Step completed successfully stepId: hello_world_step stepName: Hello World timestamp: '2025-11-20T12:00:02.000Z' page: 1 size: 100 total: 2 description: Indicates a successful response summary: Get execution logs tags: - workflows x-codeSamples: - lang: curl source: | curl \ -X GET "${KIBANA_URL}/api/workflows/executions/{executionId}/logs?size=100&page=1" \ -H "Authorization: ApiKey ${API_KEY}" - lang: Console source: | GET kbn://api/workflows/executions/{executionId}/logs?size=100&page=1 x-state: Generally available; added in 9.4.0 x-metaTags: - content: Kibana name: product_name /api/workflows/executions/{executionId}/resume: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/workflows/executions/{executionId}/resume
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Resume a paused workflow execution with the provided input.

[Required authorization] Route required privileges: workflowsManagement:execute. operationId: post-workflows-executions-executionid-resume parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: Workflow execution ID in: path name: executionId required: true schema: type: string requestBody: content: application/json: examples: resumeExecutionRequestExample: description: Example request to resume a paused workflow execution value: input: approved: true comment: Approved by analyst schema: additionalProperties: false type: object properties: input: additionalProperties: {} description: Input data to resume the execution with. type: object required: - input responses: '200': content: application/json: examples: resumeExecutionResponseExample: description: Example response confirming the resume was scheduled value: executionId: exec-a1b2c3d4-e5f6-7890 message: Workflow resume scheduled success: true description: Indicates a successful response summary: Resume a workflow execution tags: - workflows x-codeSamples: - lang: curl source: | curl \ -X POST "${KIBANA_URL}/api/workflows/executions/{executionId}/resume" \ -H "Authorization: ApiKey ${API_KEY}" \ -H "kbn-xsrf: true" \ -H "Content-Type: application/json" \ -d '{ "input": { "approved": true, "comment": "Approved by analyst" } }' - lang: Console source: | POST kbn://api/workflows/executions/{executionId}/resume { "input": { "approved": true, "comment": "Approved by analyst" } } x-state: Generally available; added in 9.4.0 x-metaTags: - content: Kibana name: product_name /api/workflows/executions/{executionId}/step/{stepExecutionId}: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/workflows/executions/{executionId}/step/{stepExecutionId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Retrieve details of a single step execution within a workflow execution.

[Required authorization] Route required privileges: workflowsManagement:readExecution. operationId: get-workflows-executions-executionid-step-stepexecutionid parameters: - description: Workflow execution ID. in: path name: executionId required: true schema: type: string - description: Step execution ID. in: path name: stepExecutionId required: true schema: type: string responses: '200': content: application/json: examples: getStepExecutionResponseExample: description: Example response returning a single step execution value: error: null executionTimeMs: 1000 finishedAt: '2025-11-20T12:00:02.000Z' globalExecutionIndex: 0 id: step-exec-001 input: message: hello world isTestRun: false output: hello world scopeStack: [] spaceId: default startedAt: '2025-11-20T12:00:01.000Z' state: null status: completed stepExecutionIndex: 0 stepId: hello_world_step stepType: console topologicalIndex: 0 workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 workflowRunId: exec-a1b2c3d4-e5f6-7890 description: Indicates a successful response summary: Get a step execution tags: - workflows x-codeSamples: - lang: curl source: | curl \ -X GET "${KIBANA_URL}/api/workflows/executions/{executionId}/step/{stepExecutionId}" \ -H "Authorization: ApiKey ${API_KEY}" - lang: Console source: | GET kbn://api/workflows/executions/{executionId}/step/{stepExecutionId} x-state: Generally available; added in 9.4.0 x-metaTags: - content: Kibana name: product_name /api/workflows/export: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/workflows/export
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Export one or more workflows as JSON with YAML content and metadata.

[Required authorization] Route required privileges: workflowsManagement:read. operationId: post-workflows-export parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: examples: exportWorkflowsRequestExample: description: Example request to export workflows value: ids: - workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 - workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901 schema: additionalProperties: false type: object properties: ids: description: Array of workflow IDs to export. items: description: Workflow ID to export. maxLength: 255 type: string maxItems: 500 minItems: 1 type: array required: - ids responses: '200': content: application/json: examples: exportWorkflowsResponseExample: description: Workflow entries with YAML content and export manifest value: entries: - id: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 yaml: |- name: My Workflow steps: - type: http.request with: url: https://example.com - id: workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901 yaml: |- name: Another Workflow steps: - type: http.request with: url: https://example.com manifest: exportedAt: '2026-03-26T12:00:00.000Z' exportedCount: 2 version: '1' description: JSON containing exported workflow YAML entries and manifest metadata summary: Export workflows tags: - workflows x-codeSamples: - lang: curl source: | curl \ -X POST "${KIBANA_URL}/api/workflows/export" \ -H "Authorization: ApiKey ${API_KEY}" \ -H "kbn-xsrf: true" \ -H "Content-Type: application/json" \ -d '{ "ids": ["workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890", "workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901"] }' - lang: Console source: | POST kbn://api/workflows/export { "ids": ["workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890", "workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901"] } x-state: Generally available; added in 9.4.0 x-metaTags: - content: Kibana name: product_name /api/workflows/mget: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/workflows/mget
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Retrieve multiple workflows by their IDs in a single request. Optionally use the `source` parameter to return only specific fields from each workflow document.

[Required authorization] Route required privileges: workflowsManagement:read. operationId: post-workflows-mget parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: examples: mgetWorkflowsRequestExample: description: Example request to retrieve multiple workflows by their IDs value: ids: - workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 - workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901 source: - name - enabled schema: additionalProperties: false type: object properties: ids: description: Array of workflow IDs to look up. items: description: Workflow ID. maxLength: 255 type: string maxItems: 500 minItems: 1 type: array source: description: Array of source fields to include. items: description: Source field. maxLength: 255 type: string maxItems: 10 minItems: 1 type: array required: - ids responses: '200': content: application/json: examples: mgetWorkflowsResponseExample: description: Example response returning the requested workflows with projected fields value: - enabled: true id: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 name: Example definition - enabled: false id: workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901 name: Second workflow description: Indicates a successful response summary: Get workflows by IDs tags: - workflows x-codeSamples: - lang: curl source: | curl \ -X POST "${KIBANA_URL}/api/workflows/mget" \ -H "Authorization: ApiKey ${API_KEY}" \ -H "kbn-xsrf: true" \ -H "Content-Type: application/json" \ -d '{ "ids": ["workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890", "workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901"], "source": ["name", "enabled"] }' - lang: Console source: | POST kbn://api/workflows/mget { "ids": ["workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890", "workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901"], "source": ["name", "enabled"] } x-state: Generally available; added in 9.4.0 x-metaTags: - content: Kibana name: product_name /api/workflows/schema: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/workflows/schema
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Retrieve the JSON schema used to validate workflow YAML definitions. The schema includes available step types based on the configured connectors in the current space.

[Required authorization] Route required privileges: workflowsManagement:read. operationId: get-workflows-schema parameters: - description: When true, returns a permissive schema that allows additional properties. When false, returns a strict schema for full validation. in: query name: loose required: true schema: type: boolean responses: '200': content: application/json: examples: getSchemaResponseExample: description: Example response returning the workflow JSON schema (truncated) value: $schema: http://json-schema.org/draft-07/schema# type: object properties: description: type: string enabled: default: true type: boolean name: minLength: 1 type: string tags: items: type: string type: array version: const: '1' default: '1' description: The version of the workflow schema type: string required: - name - triggers - steps description: Indicates a successful response summary: Get workflow JSON schema tags: - workflows x-codeSamples: - lang: curl source: | curl \ -X GET "${KIBANA_URL}/api/workflows/schema?loose=false" \ -H "Authorization: ApiKey ${API_KEY}" - lang: Console source: | GET kbn://api/workflows/schema?loose=false x-state: Generally available; added in 9.4.0 x-metaTags: - content: Kibana name: product_name /api/workflows/stats: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/workflows/stats
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Retrieve summary statistics about workflows, including total, enabled, and disabled counts; execution history metrics for the last 30 days are included only when the caller has execution read privilege.

[Required authorization] Route required privileges: workflowsManagement:read OR workflowsManagement:readExecution. operationId: get-workflows-stats parameters: [] responses: '200': content: application/json: examples: getStatsResponseExample: description: Example response with workflow counts and 30-day execution history value: executions: - cancelled: 1 completed: 45 date: '2025-11-20' failed: 2 timestamp: '2025-11-20T00:00:00.000Z' - cancelled: 0 completed: 50 date: '2025-11-21' failed: 0 timestamp: '2025-11-21T00:00:00.000Z' workflows: disabled: 3 enabled: 12 description: Indicates a successful response summary: Get workflow statistics tags: - workflows x-codeSamples: - lang: curl source: | curl \ -X GET "${KIBANA_URL}/api/workflows/stats" \ -H "Authorization: ApiKey ${API_KEY}" - lang: Console source: | GET kbn://api/workflows/stats x-state: Generally available; added in 9.4.0 x-metaTags: - content: Kibana name: product_name /api/workflows/step/test: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/workflows/step/test
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Execute a single step from a workflow definition in test mode.

[Required authorization] Route required privileges: workflowsManagement:execute AND workflowsManagement:read. operationId: post-workflows-step-test parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: examples: testStepRequestExample: description: Example request to test a single workflow step value: contextOverride: inputs: message: override message stepId: hello_world_step workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 workflowYaml: | name: Example definition enabled: true description: This is a workflow example triggers: - type: manual inputs: - name: message type: string default: "hello world" steps: - name: hello_world_step type: console with: message: "{{ inputs.message }}" schema: additionalProperties: false type: object properties: contextOverride: additionalProperties: {} description: Context overrides for the step execution. type: object executionContext: additionalProperties: {} description: Execution context for the step execution. type: object stepId: description: ID of the step to test. type: string workflowId: description: ID of the workflow containing the step. type: string workflowYaml: description: YAML definition of the workflow containing the step. type: string required: - stepId - contextOverride - workflowYaml responses: '200': content: application/json: examples: testStepResponseExample: description: Example response returning the step test execution ID value: workflowExecutionId: step-test-exec-a1b2c3d4 description: Indicates a successful response summary: Test a workflow step tags: - workflows x-codeSamples: - lang: curl source: | curl \ -X POST "${KIBANA_URL}/api/workflows/step/test" \ -H "Authorization: ApiKey ${API_KEY}" \ -H "kbn-xsrf: true" \ -H "Content-Type: application/json" \ -d '{ "stepId": "hello_world_step", "workflowId": "workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890", "workflowYaml": "name: Example definition\nenabled: true\ntriggers:\n - type: manual\ninputs:\n - name: message\n type: string\n default: \"hello world\"\nsteps:\n - name: hello_world_step\n type: console\n with:\n message: \"{{ inputs.message }}\"", "contextOverride": { "inputs": { "message": "override message" } } }' - lang: Console source: | POST kbn://api/workflows/step/test { "stepId": "hello_world_step", "workflowId": "workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890", "workflowYaml": "name: Example definition\nenabled: true\ntriggers:\n - type: manual\ninputs:\n - name: message\n type: string\n default: \"hello world\"\nsteps:\n - name: hello_world_step\n type: console\n with:\n message: \"{{ inputs.message }}\"", "contextOverride": { "inputs": { "message": "override message" } } } x-state: Generally available; added in 9.4.0 x-metaTags: - content: Kibana name: product_name /api/workflows/test: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/workflows/test
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Execute a workflow in test mode without requiring it to be saved or enabled. Provide either a workflow ID to test a saved workflow, a YAML definition to test an unsaved draft, or both to test a modified version of an existing workflow.

[Required authorization] Route required privileges: workflowsManagement:execute AND workflowsManagement:read. operationId: post-workflows-test parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: examples: testWorkflowByIdRequestExample: description: Example request to test a saved workflow by its ID value: inputs: message: test message workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 testWorkflowByYamlRequestExample: description: Example request to test an unsaved workflow YAML draft value: inputs: message: test message workflowYaml: | name: Example definition enabled: true description: This is a workflow example triggers: - type: manual inputs: - name: message type: string default: "hello world" steps: - name: hello_world_step type: console with: message: "{{ inputs.message }}" schema: additionalProperties: false type: object properties: inputs: additionalProperties: {} description: Key-value inputs for the test execution. type: object workflowId: description: ID of an existing workflow to test. type: string workflowYaml: description: YAML definition to test. type: string required: - inputs responses: '200': content: application/json: examples: testWorkflowResponseExample: description: Example response returning the test execution ID value: workflowExecutionId: test-exec-a1b2c3d4-e5f6 description: Indicates a successful response summary: Test a workflow tags: - workflows x-codeSamples: - lang: curl source: | curl \ -X POST "${KIBANA_URL}/api/workflows/test" \ -H "Authorization: ApiKey ${API_KEY}" \ -H "kbn-xsrf: true" \ -H "Content-Type: application/json" \ -d '{ "workflowId": "workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890", "inputs": { "message": "test message" } }' - lang: Console source: | POST kbn://api/workflows/test { "workflowId": "workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890", "inputs": { "message": "test message" } } x-state: Generally available; added in 9.4.0 x-metaTags: - content: Kibana name: product_name /api/workflows/workflow: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/workflows/workflow
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Create a new workflow from a YAML definition. The YAML is validated and parsed before the workflow is saved. An optional custom ID can be provided.

[Required authorization] Route required privileges: workflowsManagement:create. operationId: post-workflows-workflow parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: examples: createWorkflowRequestExample: description: Example request for creating a workflow from a YAML definition value: yaml: | name: Example definition enabled: true description: This is a workflow example triggers: - type: manual inputs: - name: message type: string default: "hello world" steps: - name: hello_world_step type: console with: message: "{{ inputs.message }}" createWorkflowWithIdRequestExample: description: Example request for creating a workflow with a custom ID value: id: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 yaml: | name: Example definition enabled: true description: This is a workflow example triggers: - type: manual inputs: - name: message type: string default: "hello world" steps: - name: hello_world_step type: console with: message: "{{ inputs.message }}" schema: additionalProperties: false type: object properties: id: maxLength: 255 minLength: 3 pattern: ^[a-z0-9]([a-z0-9-]*[a-z0-9])?$ type: string yaml: maxLength: 1048576 type: string required: - yaml responses: '200': content: application/json: examples: createWorkflowResponseExample: description: Example response returning the created workflow value: createdAt: '2025-11-20T10:30:00.000Z' createdBy: elastic definition: description: This is a workflow example enabled: true inputs: - default: hello world name: message type: string name: Example definition steps: - name: hello_world_step type: console with: message: '{{ inputs.message }}' triggers: - type: manual description: This is a workflow example enabled: true id: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 lastUpdatedAt: '2025-11-20T10:30:00.000Z' lastUpdatedBy: elastic name: Example definition valid: true yaml: | name: Example definition enabled: true description: This is a workflow example triggers: - type: manual inputs: - name: message type: string default: "hello world" steps: - name: hello_world_step type: console with: message: "{{ inputs.message }}" description: Indicates a successful response summary: Create a workflow tags: - workflows x-codeSamples: - lang: curl source: | curl \ -X POST "${KIBANA_URL}/api/workflows/workflow" \ -H "Authorization: ApiKey ${API_KEY}" \ -H "kbn-xsrf: true" \ -H "Content-Type: application/json" \ -d '{ "yaml": "name: Example definition\nenabled: true\ndescription: This is a workflow example\ntriggers:\n - type: manual\ninputs:\n - name: message\n type: string\n default: \"hello world\"\nsteps:\n - name: hello_world_step\n type: console\n with:\n message: \"{{ inputs.message }}\"\n" }' - lang: Console source: | POST kbn://api/workflows/workflow { "yaml": "name: Example definition\nenabled: true\ndescription: This is a workflow example\ntriggers:\n - type: manual\ninputs:\n - name: message\n type: string\n default: \"hello world\"\nsteps:\n - name: hello_world_step\n type: console\n with:\n message: \"{{ inputs.message }}\"\n" } x-state: Generally available; added in 9.4.0 x-metaTags: - content: Kibana name: product_name /api/workflows/workflow/{id}: delete: description: |- **Spaces method and path for this operation:**
delete /s/{space_id}/api/workflows/workflow/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Delete a single workflow by its ID.

[Required authorization] Route required privileges: workflowsManagement:delete. operationId: delete-workflows-workflow-id parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: Workflow ID in: path name: id required: true schema: type: string - description: When true, permanently deletes the workflow (hard delete) instead of soft-deleting it. The workflow ID becomes available for reuse. in: query name: force required: false schema: default: false type: boolean responses: '200': description: Indicates a successful response summary: Delete a workflow tags: - workflows x-codeSamples: - label: Soft delete (default) lang: curl source: | curl \ -X DELETE "${KIBANA_URL}/api/workflows/workflow/{id}" \ -H "Authorization: ApiKey ${API_KEY}" \ -H "kbn-xsrf: true" - label: Hard delete (permanent) lang: curl source: | curl \ -X DELETE "${KIBANA_URL}/api/workflows/workflow/{id}?force=true" \ -H "Authorization: ApiKey ${API_KEY}" \ -H "kbn-xsrf: true" - lang: Console source: | DELETE kbn://api/workflows/workflow/{id} x-state: Generally available; added in 9.4.0 x-metaTags: - content: Kibana name: product_name get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/workflows/workflow/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Retrieve a single workflow by its ID.

[Required authorization] Route required privileges: workflowsManagement:read. operationId: get-workflows-workflow-id parameters: - description: Workflow ID in: path name: id required: true schema: type: string responses: '200': content: application/json: examples: getWorkflowResponseExample: description: Example response returning a single workflow value: createdAt: '2025-11-20T10:30:00.000Z' createdBy: elastic definition: description: This is a workflow example enabled: true inputs: - default: hello world name: message type: string name: Example definition steps: - name: hello_world_step type: console with: message: '{{ inputs.message }}' triggers: - type: manual description: This is a workflow example enabled: true id: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 lastUpdatedAt: '2025-11-21T14:00:00.000Z' lastUpdatedBy: elastic name: Example definition valid: true yaml: | name: Example definition enabled: true description: This is a workflow example triggers: - type: manual inputs: - name: message type: string default: "hello world" steps: - name: hello_world_step type: console with: message: "{{ inputs.message }}" description: Indicates a successful response summary: Get a workflow tags: - workflows x-codeSamples: - lang: curl source: | curl \ -X GET "${KIBANA_URL}/api/workflows/workflow/{id}" \ -H "Authorization: ApiKey ${API_KEY}" - lang: Console source: | GET kbn://api/workflows/workflow/{id} x-state: Generally available; added in 9.4.0 x-metaTags: - content: Kibana name: product_name put: description: |- **Spaces method and path for this operation:**
put /s/{space_id}/api/workflows/workflow/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Partially update an existing workflow. You can update individual fields such as name, description, enabled state, tags, or the YAML definition without providing all fields.

[Required authorization] Route required privileges: workflowsManagement:update. operationId: put-workflows-workflow-id parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: Workflow ID in: path name: id required: true schema: type: string requestBody: content: application/json: examples: updateWorkflowEnableExample: description: Example request to enable a workflow and update its tags value: enabled: true tags: - production updateWorkflowFullExample: description: Example request to update multiple workflow fields value: description: Updated workflow description enabled: true name: Updated example tags: - example - updated yaml: | name: Updated example enabled: true description: Updated workflow description triggers: - type: manual inputs: - name: message type: string default: "hello world" steps: - name: hello_world_step type: console with: message: "{{ inputs.message }}" schema: additionalProperties: false type: object properties: description: type: string enabled: type: boolean name: type: string tags: items: type: string type: array yaml: type: string responses: '200': content: application/json: examples: updateWorkflowResponseExample: description: Example response returning the updated workflow value: enabled: false id: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 lastUpdatedAt: '2026-03-23T13:38:59.568Z' lastUpdatedBy: elastic valid: true validationErrors: [] description: Indicates a successful response summary: Update a workflow tags: - workflows x-codeSamples: - lang: curl source: | curl \ -X PUT "${KIBANA_URL}/api/workflows/workflow/{id}" \ -H "Authorization: ApiKey ${API_KEY}" \ -H "kbn-xsrf: true" \ -H "Content-Type: application/json" \ -d '{ "enabled": true, "tags": ["production"] }' - lang: Console source: | PUT kbn://api/workflows/workflow/{id} { "enabled": true, "tags": ["production"] } x-state: Generally available; added in 9.4.0 x-metaTags: - content: Kibana name: product_name /api/workflows/workflow/{id}/clone: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/workflows/workflow/{id}/clone
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Create a copy of an existing workflow.

[Required authorization] Route required privileges: workflowsManagement:create AND workflowsManagement:read. operationId: post-workflows-workflow-id-clone parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: Workflow ID in: path name: id required: true schema: type: string responses: '200': content: application/json: examples: cloneWorkflowResponseExample: description: Example response returning the cloned workflow with a new ID value: createdAt: '2025-11-22T11:00:00.000Z' createdBy: elastic definition: description: This is a workflow example enabled: false inputs: - default: hello world name: message type: string name: Example definition (copy) steps: - name: hello_world_step type: console with: message: '{{ inputs.message }}' triggers: - type: manual description: This is a workflow example enabled: false id: workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901 lastUpdatedAt: '2025-11-22T11:00:00.000Z' lastUpdatedBy: elastic name: Example definition (copy) valid: true yaml: | name: Example definition (copy) enabled: false description: This is a workflow example triggers: - type: manual inputs: - name: message type: string default: "hello world" steps: - name: hello_world_step type: console with: message: "{{ inputs.message }}" description: Indicates a successful response summary: Clone a workflow tags: - workflows x-codeSamples: - lang: curl source: | curl \ -X POST "${KIBANA_URL}/api/workflows/workflow/{id}/clone" \ -H "Authorization: ApiKey ${API_KEY}" \ -H "kbn-xsrf: true" - lang: Console source: | POST kbn://api/workflows/workflow/{id}/clone x-state: Generally available; added in 9.4.0 x-metaTags: - content: Kibana name: product_name /api/workflows/workflow/{id}/run: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/workflows/workflow/{id}/run
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Execute a workflow by its ID with the provided inputs. The workflow must be enabled and have a valid definition. Returns an execution ID that can be used to monitor progress.

[Required authorization] Route required privileges: workflowsManagement:execute AND workflowsManagement:read. operationId: post-workflows-workflow-id-run parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: Workflow ID in: path name: id required: true schema: type: string requestBody: content: application/json: examples: runWorkflowRequestExample: description: Example request to execute a workflow with inputs value: inputs: message: hello from the API schema: additionalProperties: false type: object properties: inputs: additionalProperties: {} description: Key-value inputs for the workflow execution. type: object metadata: additionalProperties: {} description: Optional metadata for the execution. type: object required: - inputs responses: '200': content: application/json: examples: runWorkflowResponseExample: description: Example response returning the execution ID value: workflowExecutionId: exec-a1b2c3d4-e5f6-7890 description: Indicates a successful response summary: Run a workflow tags: - workflows x-codeSamples: - lang: curl source: | curl \ -X POST "${KIBANA_URL}/api/workflows/workflow/{id}/run" \ -H "Authorization: ApiKey ${API_KEY}" \ -H "kbn-xsrf: true" \ -H "Content-Type: application/json" \ -d '{ "inputs": { "message": "hello from the API" } }' - lang: Console source: | POST kbn://api/workflows/workflow/{id}/run { "inputs": { "message": "hello from the API" } } x-state: Generally available; added in 9.4.0 x-metaTags: - content: Kibana name: product_name /api/workflows/workflow/{workflowId}/executions: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/workflows/workflow/{workflowId}/executions
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Retrieve a paginated list of executions for a specific workflow.

[Required authorization] Route required privileges: workflowsManagement:readExecution. operationId: get-workflows-workflow-workflowid-executions parameters: - description: Workflow ID in: path name: workflowId required: true schema: type: string - description: Filter by execution status. in: query name: statuses required: false schema: items: enum: - pending - waiting - waiting_for_input - running - completed - failed - cancelled - timed_out - skipped type: string maxItems: 9 type: array - description: Filter by execution type. in: query name: executionTypes required: false schema: items: enum: - test - production type: string maxItems: 2 type: array - description: Filter by the user who triggered the execution. in: query name: executedBy required: false schema: items: type: string maxItems: 100 type: array - description: Whether to exclude step-level execution data. in: query name: omitStepRuns required: false schema: type: boolean - description: Page number. in: query name: page required: false schema: minimum: 1 type: number - description: Number of results per page. in: query name: size required: false schema: maximum: 100 minimum: 1 type: number responses: '200': content: application/json: examples: getWorkflowExecutionsResponseExample: description: Example response returning a paginated list of executions for a workflow value: page: 1 results: - duration: 3000 error: null executedBy: elastic finishedAt: '2025-11-20T12:00:03.000Z' id: exec-001 isTestRun: false spaceId: default startedAt: '2025-11-20T12:00:00.000Z' status: completed triggeredBy: manual workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 - duration: 2000 error: message: Step 'hello_world_step' failed executedBy: elastic finishedAt: '2025-11-20T13:00:02.000Z' id: exec-002 isTestRun: false spaceId: default startedAt: '2025-11-20T13:00:00.000Z' status: failed triggeredBy: manual workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 size: 20 total: 2 description: Indicates a successful response summary: Get workflow executions tags: - workflows x-codeSamples: - lang: curl source: | curl \ -X GET "${KIBANA_URL}/api/workflows/workflow/{workflowId}/executions?page=1&size=20" \ -H "Authorization: ApiKey ${API_KEY}" - lang: Console source: | GET kbn://api/workflows/workflow/{workflowId}/executions?page=1&size=20 x-state: Generally available; added in 9.4.0 x-metaTags: - content: Kibana name: product_name /api/workflows/workflow/{workflowId}/executions/cancel: post: description: |- **Spaces method and path for this operation:**
post /s/{space_id}/api/workflows/workflow/{workflowId}/executions/cancel
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Request cancellation for all non-terminal executions of the given workflow in the current space.

[Required authorization] Route required privileges: workflowsManagement:cancelExecution. operationId: post-workflows-workflow-workflowid-executions-cancel parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: Workflow ID in: path name: workflowId required: true schema: type: string responses: '200': description: Indicates a successful response summary: Cancel all active workflow executions tags: - workflows x-codeSamples: - lang: curl source: | curl \ -X POST "${KIBANA_URL}/api/workflows/workflow/{workflowId}/executions/cancel" \ -H "Authorization: ApiKey ${API_KEY}" \ -H "kbn-xsrf: true" - lang: Console source: | POST kbn://api/workflows/workflow/{workflowId}/executions/cancel x-state: Generally available; added in 9.4.0 x-metaTags: - content: Kibana name: product_name /api/workflows/workflow/{workflowId}/executions/steps: get: description: |- **Spaces method and path for this operation:**
get /s/{space_id}/api/workflows/workflow/{workflowId}/executions/steps
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. Retrieve a paginated list of step-level execution records for a specific workflow. Optionally filter by step ID and include input or output data.

[Required authorization] Route required privileges: workflowsManagement:readExecution. operationId: get-workflows-workflow-workflowid-executions-steps parameters: - description: Workflow ID in: path name: workflowId required: true schema: type: string - description: Filter by step ID. in: query name: stepId required: false schema: type: string - description: Include step input data. in: query name: includeInput required: false schema: type: boolean - description: Include step output data. in: query name: includeOutput required: false schema: type: boolean - description: Page number for pagination. in: query name: page required: false schema: minimum: 1 type: number - description: Number of results per page. in: query name: size required: false schema: maximum: 100 minimum: 1 type: number responses: '200': content: application/json: examples: getWorkflowStepExecutionsResponseExample: description: Example response returning step execution records for a workflow value: results: - executionTimeMs: 1000 finishedAt: '2025-11-20T12:00:02.000Z' globalExecutionIndex: 0 id: step-exec-001 input: message: hello world isTestRun: false scopeStack: [] spaceId: default startedAt: '2025-11-20T12:00:01.000Z' status: completed stepExecutionIndex: 0 stepId: hello_world_step stepType: console topologicalIndex: 0 workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 workflowRunId: exec-001 total: 1 description: Indicates a successful response summary: Get workflow step executions tags: - workflows x-codeSamples: - lang: curl source: | curl \ -X GET "${KIBANA_URL}/api/workflows/workflow/{workflowId}/executions/steps?includeInput=true" \ -H "Authorization: ApiKey ${API_KEY}" - lang: Console source: | GET kbn://api/workflows/workflow/{workflowId}/executions/steps?includeInput=true x-state: Generally available; added in 9.4.0 x-metaTags: - content: Kibana name: product_name /s/{spaceId}/api/observability/slos: get: description: | You must have the `read` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. operationId: findSlosOp parameters: - $ref: '#/components/parameters/SLOs_kbn_xsrf' - $ref: '#/components/parameters/SLOs_space_id' - description: A valid kql query to filter the SLO with example: 'slo.name:latency* and slo.tags : "prod"' in: query name: kqlQuery schema: type: string - description: The page size to use for cursor-based pagination, must be greater or equal than 1 example: 1 in: query name: size schema: default: 1 type: integer - description: The cursor to use for fetching the results from, when using a cursor-base pagination. in: query name: searchAfter schema: items: type: string type: array - description: The page to use for pagination, must be greater or equal than 1 example: 1 in: query name: page schema: default: 1 type: integer - description: Number of SLOs returned by page example: 25 in: query name: perPage schema: default: 25 maximum: 5000 type: integer - description: Sort by field example: status in: query name: sortBy schema: default: status enum: - sli_value - status - error_budget_consumed - error_budget_remaining type: string - description: Sort order example: asc in: query name: sortDirection schema: default: asc enum: - asc - desc type: string - description: Hide stale SLOs from the list as defined by stale SLO threshold in SLO settings in: query name: hideStale schema: type: boolean responses: '200': content: application/json: examples: findSloResponse: summary: A paginated list of SLOs value: page: 1 perPage: 25 results: - budgetingMethod: occurrences createdAt: '2025-01-12T10:03:19.000Z' description: Availability of my web service enabled: true groupBy: '*' id: 8853df00-ae2e-11ed-90af-09bb6422b258 indicator: params: filter: 'field.environment : "production" and service.name : "my-service"' good: 'request.status_code : "2xx"' index: logs-* timestampField: '@timestamp' total: 'request.status_code : *' type: sli.kql.custom instanceId: '*' name: My Service Availability objective: target: 0.99 revision: 1 settings: frequency: 5m syncDelay: 5m summary: errorBudget: consumed: 0.17 initial: 0.01 isEstimated: false remaining: 0.83 sliValue: 0.9983 status: HEALTHY tags: - production - web-service timeWindow: duration: 30d type: rolling updatedAt: '2025-01-12T10:03:19.000Z' version: 2 total: 42 schema: $ref: '#/components/schemas/SLOs_find_slo_response' description: Successful request '400': content: application/json: examples: badRequestExample: summary: Bad request value: error: Bad Request message: 'Invalid value ''invalid'' supplied to: sortBy' statusCode: 400 schema: $ref: '#/components/schemas/SLOs_400_response' description: Bad request '401': content: application/json: examples: unauthorizedExample: summary: Unauthorized value: error: Unauthorized message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' statusCode: 401 schema: $ref: '#/components/schemas/SLOs_401_response' description: Unauthorized response '403': content: application/json: examples: forbiddenExample: summary: Forbidden value: error: Forbidden message: 'security_exception: action [slo_read] is unauthorized for user' statusCode: 403 schema: $ref: '#/components/schemas/SLOs_403_response' description: Forbidden response '404': content: application/json: examples: notFoundExample: summary: Not found value: error: Not Found message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found statusCode: 404 schema: $ref: '#/components/schemas/SLOs_404_response' description: Not found response summary: Get a paginated list of SLOs tags: - slo x-metaTags: - content: Kibana name: product_name post: description: | You must have `all` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. operationId: createSloOp parameters: - $ref: '#/components/parameters/SLOs_kbn_xsrf' - $ref: '#/components/parameters/SLOs_space_id' requestBody: content: application/json: examples: createSloKqlExample: summary: Create an SLO with a KQL indicator value: budgetingMethod: occurrences description: Availability of my web service measured by successful HTTP responses indicator: params: filter: 'field.environment : "production" and service.name : "my-service"' good: 'request.status_code : "2xx"' index: logs-* timestampField: '@timestamp' total: 'request.status_code : *' type: sli.kql.custom name: My Service Availability objective: target: 0.99 settings: frequency: 5m syncDelay: 5m tags: - production - web-service timeWindow: duration: 30d type: rolling schema: $ref: '#/components/schemas/SLOs_create_slo_request' required: true responses: '200': content: application/json: examples: createSloResponse: summary: Create SLO response value: id: 8853df00-ae2e-11ed-90af-09bb6422b258 schema: $ref: '#/components/schemas/SLOs_create_slo_response' description: Successful request '400': content: application/json: examples: badRequestExample: summary: Bad request value: error: Bad Request message: 'Invalid value ''foo'' supplied to: indicator/type' statusCode: 400 schema: $ref: '#/components/schemas/SLOs_400_response' description: Bad request '401': content: application/json: examples: unauthorizedExample: summary: Unauthorized value: error: Unauthorized message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' statusCode: 401 schema: $ref: '#/components/schemas/SLOs_401_response' description: Unauthorized response '403': content: application/json: examples: forbiddenExample: summary: Forbidden value: error: Forbidden message: 'security_exception: action [slo_write] is unauthorized for user' statusCode: 403 schema: $ref: '#/components/schemas/SLOs_403_response' description: Forbidden response '409': content: application/json: examples: conflictExample: summary: Conflict value: error: Conflict message: SLO [d077e940-1515-11ee-9c50-9d096392f520] already exists statusCode: 409 schema: $ref: '#/components/schemas/SLOs_409_response' description: Conflict - The SLO id already exists summary: Create an SLO tags: - slo x-metaTags: - content: Kibana name: product_name /s/{spaceId}/api/observability/slos/_bulk_delete: post: description: | Bulk delete SLO definitions and their associated summary and rollup data. This endpoint initiates a bulk deletion operation for SLOs, which may take some time to complete. The status of the operation can be checked using the `GET /api/slo/_bulk_delete/{taskId}` endpoint. operationId: bulkDeleteOp parameters: - $ref: '#/components/parameters/SLOs_kbn_xsrf' - $ref: '#/components/parameters/SLOs_space_id' requestBody: content: application/json: examples: bulkDeleteRequest: summary: Bulk delete two SLOs value: list: - 8853df00-ae2e-11ed-90af-09bb6422b258 - d077e940-1515-11ee-9c50-9d096392f520 schema: $ref: '#/components/schemas/SLOs_bulk_delete_request' required: true responses: '200': content: application/json: examples: bulkDeleteResponse: summary: Bulk delete response with task ID value: taskId: d08506b7-f0e8-4f8b-a06a-a83940f4db91 schema: $ref: '#/components/schemas/SLOs_bulk_delete_response' description: Successful response '400': content: application/json: examples: badRequestExample: summary: Bad request value: error: Bad Request message: 'Invalid value ''foo'' supplied to: list' statusCode: 400 schema: $ref: '#/components/schemas/SLOs_400_response' description: Bad request '401': content: application/json: examples: unauthorizedExample: summary: Unauthorized value: error: Unauthorized message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' statusCode: 401 schema: $ref: '#/components/schemas/SLOs_401_response' description: Unauthorized response '403': content: application/json: examples: forbiddenExample: summary: Forbidden value: error: Forbidden message: 'security_exception: action [slo_write] is unauthorized for user' statusCode: 403 schema: $ref: '#/components/schemas/SLOs_403_response' description: Forbidden response summary: Bulk delete SLO definitions and their associated summary and rollup data. tags: - slo x-metaTags: - content: Kibana name: product_name /s/{spaceId}/api/observability/slos/_bulk_delete/{taskId}: get: description: | Retrieve the status of the bulk deletion operation for SLOs. This endpoint returns the status of the bulk deletion operation, including whether it is completed and the results of the operation. operationId: bulkDeleteStatusOp parameters: - $ref: '#/components/parameters/SLOs_kbn_xsrf' - $ref: '#/components/parameters/SLOs_space_id' - description: The task id of the bulk delete operation in: path name: taskId required: true schema: example: 8853df00-ae2e-11ed-90af-09bb6422b258 type: string responses: '200': content: application/json: examples: bulkDeleteStatusComplete: summary: Completed bulk deletion value: isDone: true results: - id: 8853df00-ae2e-11ed-90af-09bb6422b258 success: true - id: d077e940-1515-11ee-9c50-9d096392f520 success: true bulkDeleteStatusPartialFailure: summary: Completed with partial failure value: isDone: true results: - id: 8853df00-ae2e-11ed-90af-09bb6422b258 success: true - error: SLO [d077e940-1515-11ee-9c50-9d096392f520] not found id: d077e940-1515-11ee-9c50-9d096392f520 success: false schema: $ref: '#/components/schemas/SLOs_bulk_delete_status_response' description: Successful response '400': content: application/json: examples: badRequestExample: summary: Bad request value: error: Bad Request message: 'Invalid value ''foo'' supplied to: taskId' statusCode: 400 schema: $ref: '#/components/schemas/SLOs_400_response' description: Bad request '401': content: application/json: examples: unauthorizedExample: summary: Unauthorized value: error: Unauthorized message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' statusCode: 401 schema: $ref: '#/components/schemas/SLOs_401_response' description: Unauthorized response '403': content: application/json: examples: forbiddenExample: summary: Forbidden value: error: Forbidden message: 'security_exception: action [slo_write] is unauthorized for user' statusCode: 403 schema: $ref: '#/components/schemas/SLOs_403_response' description: Forbidden response summary: Retrieve the status of the bulk deletion tags: - slo x-metaTags: - content: Kibana name: product_name /s/{spaceId}/api/observability/slos/_bulk_purge_rollup: post: description: | The deletion occurs for the specified list of `sloId`. You must have `all` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. operationId: deleteRollupDataOp parameters: - $ref: '#/components/parameters/SLOs_kbn_xsrf' - $ref: '#/components/parameters/SLOs_space_id' requestBody: content: application/json: examples: purgeByAgeExample: summary: Purge rollup data older than 7 days value: list: - 8853df00-ae2e-11ed-90af-09bb6422b258 purgePolicy: age: 7d purgeType: fixed-age purgeByTimestampExample: summary: Purge rollup data before a specific date value: list: - 8853df00-ae2e-11ed-90af-09bb6422b258 - d077e940-1515-11ee-9c50-9d096392f520 purgePolicy: purgeType: fixed-time timestamp: '2024-12-31T00:00:00.000Z' schema: $ref: '#/components/schemas/SLOs_bulk_purge_rollup_request' required: true responses: '200': content: application/json: examples: bulkPurgeResponse: summary: Bulk purge response with task ID value: taskId: 8853df00-ae2e-11ed-90af-09bb6422b258 schema: $ref: '#/components/schemas/SLOs_bulk_purge_rollup_response' description: Successful request '400': content: application/json: examples: badRequestExample: summary: Bad request value: error: Bad Request message: 'Invalid value ''foo'' supplied to: purgePolicy/purgeType' statusCode: 400 schema: $ref: '#/components/schemas/SLOs_400_response' description: Bad request '401': content: application/json: examples: unauthorizedExample: summary: Unauthorized value: error: Unauthorized message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' statusCode: 401 schema: $ref: '#/components/schemas/SLOs_401_response' description: Unauthorized response '403': content: application/json: examples: forbiddenExample: summary: Forbidden value: error: Forbidden message: 'security_exception: action [slo_write] is unauthorized for user' statusCode: 403 schema: $ref: '#/components/schemas/SLOs_403_response' description: Forbidden response summary: Batch delete rollup and summary data tags: - slo x-metaTags: - content: Kibana name: product_name /s/{spaceId}/api/observability/slos/_delete_instances: post: description: | The deletion occurs for the specified list of `sloId` and `instanceId`. You must have `all` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. operationId: deleteSloInstancesOp parameters: - $ref: '#/components/parameters/SLOs_kbn_xsrf' - $ref: '#/components/parameters/SLOs_space_id' requestBody: content: application/json: examples: deleteInstancesExample: summary: Delete specific SLO instances value: list: - instanceId: host-abc123 sloId: 8853df00-ae2e-11ed-90af-09bb6422b258 - instanceId: host-def456 sloId: 8853df00-ae2e-11ed-90af-09bb6422b258 schema: $ref: '#/components/schemas/SLOs_delete_slo_instances_request' required: true responses: '204': description: Successful request '400': content: application/json: examples: badRequestExample: summary: Bad request value: error: Bad Request message: 'Invalid value ''foo'' supplied to: list/0/sloId' statusCode: 400 schema: $ref: '#/components/schemas/SLOs_400_response' description: Bad request '401': content: application/json: examples: unauthorizedExample: summary: Unauthorized value: error: Unauthorized message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' statusCode: 401 schema: $ref: '#/components/schemas/SLOs_401_response' description: Unauthorized response '403': content: application/json: examples: forbiddenExample: summary: Forbidden value: error: Forbidden message: 'security_exception: action [slo_write] is unauthorized for user' statusCode: 403 schema: $ref: '#/components/schemas/SLOs_403_response' description: Forbidden response summary: Batch delete rollup and summary data tags: - slo x-metaTags: - content: Kibana name: product_name /s/{spaceId}/api/observability/slos/{sloId}: delete: description: | You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. operationId: deleteSloOp parameters: - $ref: '#/components/parameters/SLOs_kbn_xsrf' - $ref: '#/components/parameters/SLOs_space_id' - $ref: '#/components/parameters/SLOs_slo_id' responses: '204': description: Successful request '400': content: application/json: examples: badRequestExample: summary: Bad request value: error: Bad Request message: 'Invalid value ''foo'' supplied to: id' statusCode: 400 schema: $ref: '#/components/schemas/SLOs_400_response' description: Bad request '401': content: application/json: examples: unauthorizedExample: summary: Unauthorized value: error: Unauthorized message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' statusCode: 401 schema: $ref: '#/components/schemas/SLOs_401_response' description: Unauthorized response '403': content: application/json: examples: forbiddenExample: summary: Forbidden value: error: Forbidden message: 'security_exception: action [slo_write] is unauthorized for user' statusCode: 403 schema: $ref: '#/components/schemas/SLOs_403_response' description: Forbidden response '404': content: application/json: examples: notFoundExample: summary: Not found value: error: Not Found message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found statusCode: 404 schema: $ref: '#/components/schemas/SLOs_404_response' description: Not found response summary: Delete an SLO tags: - slo x-metaTags: - content: Kibana name: product_name get: description: | You must have the `read` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. operationId: getSloOp parameters: - $ref: '#/components/parameters/SLOs_kbn_xsrf' - $ref: '#/components/parameters/SLOs_space_id' - $ref: '#/components/parameters/SLOs_slo_id' - description: the specific instanceId used by the summary calculation example: host-abcde in: query name: instanceId schema: type: string responses: '200': content: application/json: examples: getSloResponse: summary: Get SLO response value: budgetingMethod: occurrences createdAt: '2025-01-12T10:03:19.000Z' description: Availability of my web service enabled: true groupBy: '*' id: 8853df00-ae2e-11ed-90af-09bb6422b258 indicator: params: filter: 'field.environment : "production" and service.name : "my-service"' good: 'request.status_code : "2xx"' index: logs-* timestampField: '@timestamp' total: 'request.status_code : *' type: sli.kql.custom instanceId: '*' name: My Service Availability objective: target: 0.99 revision: 1 settings: frequency: 5m syncDelay: 5m summary: errorBudget: consumed: 0.17 initial: 0.01 isEstimated: false remaining: 0.83 sliValue: 0.9983 status: HEALTHY tags: - production - web-service timeWindow: duration: 30d type: rolling updatedAt: '2025-01-12T10:03:19.000Z' version: 2 schema: $ref: '#/components/schemas/SLOs_slo_with_summary_response' description: Successful request '400': content: application/json: examples: badRequestExample: summary: Bad request value: error: Bad Request message: 'Invalid value ''foo'' supplied to: id' statusCode: 400 schema: $ref: '#/components/schemas/SLOs_400_response' description: Bad request '401': content: application/json: examples: unauthorizedExample: summary: Unauthorized value: error: Unauthorized message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' statusCode: 401 schema: $ref: '#/components/schemas/SLOs_401_response' description: Unauthorized response '403': content: application/json: examples: forbiddenExample: summary: Forbidden value: error: Forbidden message: 'security_exception: action [slo_read] is unauthorized for user' statusCode: 403 schema: $ref: '#/components/schemas/SLOs_403_response' description: Forbidden response '404': content: application/json: examples: notFoundExample: summary: Not found value: error: Not Found message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found statusCode: 404 schema: $ref: '#/components/schemas/SLOs_404_response' description: Not found response summary: Get an SLO tags: - slo x-metaTags: - content: Kibana name: product_name put: description: | You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. operationId: updateSloOp parameters: - $ref: '#/components/parameters/SLOs_kbn_xsrf' - $ref: '#/components/parameters/SLOs_space_id' - $ref: '#/components/parameters/SLOs_slo_id' requestBody: content: application/json: examples: updateSloNameExample: summary: Update the SLO name and tags value: name: Updated Service Availability tags: - production - updated updateSloObjectiveExample: summary: Update the SLO objective value: objective: target: 0.995 schema: $ref: '#/components/schemas/SLOs_update_slo_request' required: true responses: '200': content: application/json: examples: updateSloResponse: summary: Update SLO response value: budgetingMethod: occurrences createdAt: '2025-01-12T10:03:19.000Z' description: Availability of my web service enabled: true groupBy: '*' id: 8853df00-ae2e-11ed-90af-09bb6422b258 indicator: params: filter: 'field.environment : "production" and service.name : "my-service"' good: 'request.status_code : "2xx"' index: logs-* timestampField: '@timestamp' total: 'request.status_code : *' type: sli.kql.custom name: Updated Service Availability objective: target: 0.99 revision: 2 settings: frequency: 5m syncDelay: 5m tags: - production - updated timeWindow: duration: 30d type: rolling updatedAt: '2025-03-26T14:30:00.000Z' version: 2 schema: $ref: '#/components/schemas/SLOs_slo_definition_response' description: Successful request '400': content: application/json: examples: badRequestExample: summary: Bad request value: error: Bad Request message: 'Invalid value ''foo'' supplied to: indicator/type' statusCode: 400 schema: $ref: '#/components/schemas/SLOs_400_response' description: Bad request '401': content: application/json: examples: unauthorizedExample: summary: Unauthorized value: error: Unauthorized message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' statusCode: 401 schema: $ref: '#/components/schemas/SLOs_401_response' description: Unauthorized response '403': content: application/json: examples: forbiddenExample: summary: Forbidden value: error: Forbidden message: 'security_exception: action [slo_write] is unauthorized for user' statusCode: 403 schema: $ref: '#/components/schemas/SLOs_403_response' description: Forbidden response '404': content: application/json: examples: notFoundExample: summary: Not found value: error: Not Found message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found statusCode: 404 schema: $ref: '#/components/schemas/SLOs_404_response' description: Not found response summary: Update an SLO tags: - slo x-metaTags: - content: Kibana name: product_name /s/{spaceId}/api/observability/slos/{sloId}/_reset: post: description: | You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. operationId: resetSloOp parameters: - $ref: '#/components/parameters/SLOs_kbn_xsrf' - $ref: '#/components/parameters/SLOs_space_id' - $ref: '#/components/parameters/SLOs_slo_id' responses: '200': content: application/json: examples: resetSloResponse: summary: Reset SLO response value: budgetingMethod: occurrences createdAt: '2025-01-12T10:03:19.000Z' description: Availability of my web service enabled: true groupBy: '*' id: 8853df00-ae2e-11ed-90af-09bb6422b258 indicator: params: filter: 'field.environment : "production" and service.name : "my-service"' good: 'request.status_code : "2xx"' index: logs-* timestampField: '@timestamp' total: 'request.status_code : *' type: sli.kql.custom name: My Service Availability objective: target: 0.99 revision: 2 settings: frequency: 5m syncDelay: 5m tags: - production - web-service timeWindow: duration: 30d type: rolling updatedAt: '2025-03-26T14:30:00.000Z' version: 2 schema: $ref: '#/components/schemas/SLOs_slo_definition_response' description: Successful request '400': content: application/json: examples: badRequestExample: summary: Bad request value: error: Bad Request message: 'Invalid value ''foo'' supplied to: id' statusCode: 400 schema: $ref: '#/components/schemas/SLOs_400_response' description: Bad request '401': content: application/json: examples: unauthorizedExample: summary: Unauthorized value: error: Unauthorized message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' statusCode: 401 schema: $ref: '#/components/schemas/SLOs_401_response' description: Unauthorized response '403': content: application/json: examples: forbiddenExample: summary: Forbidden value: error: Forbidden message: 'security_exception: action [slo_write] is unauthorized for user' statusCode: 403 schema: $ref: '#/components/schemas/SLOs_403_response' description: Forbidden response '404': content: application/json: examples: notFoundExample: summary: Not found value: error: Not Found message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found statusCode: 404 schema: $ref: '#/components/schemas/SLOs_404_response' description: Not found response summary: Reset an SLO tags: - slo x-metaTags: - content: Kibana name: product_name /s/{spaceId}/api/observability/slos/{sloId}/disable: post: description: | You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. operationId: disableSloOp parameters: - $ref: '#/components/parameters/SLOs_kbn_xsrf' - $ref: '#/components/parameters/SLOs_space_id' - $ref: '#/components/parameters/SLOs_slo_id' responses: '204': description: Successful request '400': content: application/json: examples: badRequestExample: summary: Bad request value: error: Bad Request message: 'Invalid value ''foo'' supplied to: id' statusCode: 400 schema: $ref: '#/components/schemas/SLOs_400_response' description: Bad request '401': content: application/json: examples: unauthorizedExample: summary: Unauthorized value: error: Unauthorized message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' statusCode: 401 schema: $ref: '#/components/schemas/SLOs_401_response' description: Unauthorized response '403': content: application/json: examples: forbiddenExample: summary: Forbidden value: error: Forbidden message: 'security_exception: action [slo_write] is unauthorized for user' statusCode: 403 schema: $ref: '#/components/schemas/SLOs_403_response' description: Forbidden response '404': content: application/json: examples: notFoundExample: summary: Not found value: error: Not Found message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found statusCode: 404 schema: $ref: '#/components/schemas/SLOs_404_response' description: Not found response summary: Disable an SLO tags: - slo x-metaTags: - content: Kibana name: product_name /s/{spaceId}/api/observability/slos/{sloId}/enable: post: description: | You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. operationId: enableSloOp parameters: - $ref: '#/components/parameters/SLOs_kbn_xsrf' - $ref: '#/components/parameters/SLOs_space_id' - $ref: '#/components/parameters/SLOs_slo_id' responses: '204': description: Successful request '400': content: application/json: examples: badRequestExample: summary: Bad request value: error: Bad Request message: 'Invalid value ''foo'' supplied to: id' statusCode: 400 schema: $ref: '#/components/schemas/SLOs_400_response' description: Bad request '401': content: application/json: examples: unauthorizedExample: summary: Unauthorized value: error: Unauthorized message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' statusCode: 401 schema: $ref: '#/components/schemas/SLOs_401_response' description: Unauthorized response '403': content: application/json: examples: forbiddenExample: summary: Forbidden value: error: Forbidden message: 'security_exception: action [slo_write] is unauthorized for user' statusCode: 403 schema: $ref: '#/components/schemas/SLOs_403_response' description: Forbidden response '404': content: application/json: examples: notFoundExample: summary: Not found value: error: Not Found message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found statusCode: 404 schema: $ref: '#/components/schemas/SLOs_404_response' description: Not found response summary: Enable an SLO tags: - slo x-metaTags: - content: Kibana name: product_name /s/{spaceId}/internal/observability/slos/_definitions: get: description: | You must have the `read` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. operationId: getDefinitionsOp parameters: - $ref: '#/components/parameters/SLOs_kbn_xsrf' - $ref: '#/components/parameters/SLOs_space_id' - description: Indicates if the API returns only outdated SLO or all SLO definitions in: query name: includeOutdatedOnly schema: type: boolean - description: Indicates if the API returns SLO health data with definitions example: true in: query name: includeHealth schema: type: boolean - description: Filters the SLOs by tag in: query name: tags schema: type: string - description: Filters the SLOs by name example: my service availability in: query name: search schema: type: string - description: The page to use for pagination, must be greater or equal than 1 example: 1 in: query name: page schema: type: number - description: Number of SLOs returned by page example: 100 in: query name: perPage schema: default: 100 maximum: 1000 type: integer responses: '200': content: application/json: schema: $ref: '#/components/schemas/SLOs_find_slo_definitions_response' description: Successful request '400': content: application/json: schema: $ref: '#/components/schemas/SLOs_400_response' description: Bad request '401': content: application/json: schema: $ref: '#/components/schemas/SLOs_401_response' description: Unauthorized response '403': content: application/json: schema: $ref: '#/components/schemas/SLOs_403_response' description: Forbidden response summary: Get the SLO definitions tags: - slo x-metaTags: - content: Kibana name: product_name components: examples: Alerting_get_health_response: summary: Retrieve information about the health of the alerting framework. value: alerting_framework_health: decryption_health: status: ok timestamp: '2023-01-13T01:28:00.280Z' execution_health: status: ok timestamp: '2023-01-13T01:28:00.280Z' read_health: status: ok timestamp: '2023-01-13T01:28:00.280Z' has_permanent_encryption_key: true is_sufficiently_secure: true Alerting_get_rule_types_response: summary: Retrieve rule types associated with Kibana machine learning features value: - action_groups: - id: anomaly_score_match name: Anomaly score matched the condition - id: recovered name: Recovered action_variables: context: - description: The bucket timestamp of the anomaly name: timestamp - description: The bucket time of the anomaly in ISO8601 format name: timestampIso8601 - description: List of job IDs that triggered the alert name: jobIds - description: Alert info message name: message - description: Indicate if top hits contain interim results name: isInterim - description: Anomaly score at the time of the notification action name: score - description: Top records name: topRecords - description: Top influencers name: topInfluencers - description: URL to open in the Anomaly Explorer name: anomalyExplorerUrl useWithTripleBracesInTemplates: true params: [] state: [] alerts: context: ml.anomaly-detection mappings: fieldMap: kibana.alert.anomaly_score: array: false type: double required: false kibana.alert.anomaly_timestamp: array: false type: date required: false kibana.alert.is_interim: array: false type: boolean required: false kibana.alert.job_id: array: false type: keyword required: true kibana.alert.top_influencers: array: true dynamic: false type: object properties: influencer_field_name: type: keyword influencer_field_value: type: keyword influencer_score: type: double initial_influencer_score: type: double is_interim: type: boolean job_id: type: keyword timestamp: type: date required: false kibana.alert.top_records: array: true dynamic: false type: object properties: actual: type: double by_field_name: type: keyword by_field_value: type: keyword detector_index: type: integer field_name: type: keyword function: type: keyword initial_record_score: type: double is_interim: type: boolean job_id: type: keyword over_field_name: type: keyword over_field_value: type: keyword partition_field_name: type: keyword partition_field_value: type: keyword record_score: type: double timestamp: type: date typical: type: double required: false shouldWrite: true authorized_consumers: alerts: all: true read: true apm: all: true read: true discover: all: true read: true infrastructure: all: true read: true logs: all: true read: true ml: all: true read: true monitoring: all: true read: true siem: all: true read: true slo: all: true read: true stackAlerts: all: true read: true uptime: all: true read: true category: management default_action_group_id: anomaly_score_match does_set_recovery_context: true enabled_in_license: true has_alerts_mappings: true has_fields_for_a_a_d: true id: xpack.ml.anomaly_detection_alert is_exportable: true minimum_license_required: platinum name: Anomaly detection alert producer: ml recovery_action_group: id: recovered name: Recovered rule_task_timeout: 5m - action_groups: - id: anomaly_detection_realtime_issue name: Issue detected - id: recovered name: Recovered action_variables: context: - description: Results of the rule execution name: results - description: Alert info message name: message params: [] state: [] authorized_consumers: alerts: all: true read: true apm: all: true read: true discover: all: true read: true infrastructure: all: true read: true logs: all: true read: true ml: all: true read: true monitoring: all: true read: true siem: all: true read: true slo: all: true read: true stackAlerts: all: true read: true uptime: all: true read: true category: management default_action_group_id: anomaly_detection_realtime_issue does_set_recovery_context: true enabled_in_license: true has_alerts_mappings: false has_fields_for_a_a_d: false id: xpack.ml.anomaly_detection_jobs_health is_exportable: true minimum_license_required: platinum name: Anomaly detection jobs health producer: ml recovery_action_group: id: recovered name: Recovered rule_task_timeout: 5m APM_UI_agent_configuration_environments_200_response1: description: An example of a successful response from `GET /api/apm/settings/agent-configuration/environments`. value: environments: - alreadyConfigured: true name: production - alreadyConfigured: false name: development - alreadyConfigured: false name: ALL_OPTION_VALUE APM_UI_agent_configuration_intake_object_delete_200_response1: description: An example of a successful response from `DELETE /api/apm/settings/agent-configuration`. value: result: deleted APM_UI_agent_configuration_intake_object_delete_request1: description: Run `DELETE /api/apm/settings/agent-configuration` to delete a configuration. value: service: environment: production name: frontend APM_UI_agent_configuration_intake_object_get_200_response1: description: An example of a successful response from `GET /api/apm/settings/agent-configuration`. value: - '@timestamp': 1581934104843 agent_name: go applied_by_agent: false etag: 1e58c178efeebae15c25c539da740d21dee422fc service: environment: production name: opbeans-go settings: capture_body: 'off' transaction_max_spans: '200' transaction_sample_rate: '1' - '@timestamp': 1581934111727 agent_name: go applied_by_agent: false etag: 3eed916d3db434d9fb7f039daa681c7a04539a64 service: name: opbeans-go settings: capture_body: 'off' transaction_max_spans: '300' transaction_sample_rate: '1' - '@timestamp': 1582031336265 agent_name: nodejs applied_by_agent: false etag: 5080ed25785b7b19f32713681e79f46996801a5b service: name: frontend settings: transaction_sample_rate: '1' APM_UI_agent_configuration_intake_object_put_200_response1: description: An example of a successful response from `PUT /api/apm/settings/agent-configuration`. The response body is intentionally empty. value: {} APM_UI_agent_configuration_intake_object_put_request1: description: Run `PUT /api/apm/settings/agent-configuration` to create or update configuration details. value: agent_name: nodejs service: environment: production name: frontend settings: capture_body: 'off' transaction_max_spans: '500' transaction_sample_rate: '0.4' APM_UI_agent_configuration_intake_object_search_200_response1: description: An example of a successful response from `POST /api/apm/settings/agent-configuration/search`. value: _id: CIaqXXABmQCdPphWj8EJ _index: .apm-agent-configuration _score: 2 _source: '@timestamp': 1582031336265 agent_name: nodejs applied_by_agent: false etag: 5080ed25785b7b19f32713681e79f46996801a5b service: name: frontend settings: transaction_sample_rate: '1' APM_UI_agent_configuration_intake_object_search_request1: description: Run `POST /api/apm/settings/agent-configuration/search` to search configuration details. value: etag: 1e58c178efeebae15c25c539da740d21dee422fc service: environment: production name: frontend APM_UI_agent_configuration_intake_object_view_200_response1: description: An example of a successful response from `GET /api/apm/settings/agent-configuration/view`. value: '@timestamp': 1582031336265 agent_name: nodejs applied_by_agent: true etag: 5080ed25785b7b19f32713681e79f46996801a5b id: CIaqXXABmQCdPphWj8EJ service: environment: production name: frontend settings: capture_body: 'off' transaction_max_spans: '500' transaction_sample_rate: '0.4' APM_UI_agent_keys_object_post_200_response1: description: An example of a successful response from `POST /api/apm/agent_keys`, which creates an APM agent API key. value: agentKey: api_key: PjGloCGOTzaZr8ilUPvkjA encoded: M0RDTG1uMEIzWk1oTFVhN1dCRzk6UGpHbG9DR09UemFacjhpbFVQdmtqQQ== id: 3DCLmn0B3ZMhLUa7WBG9 name: apm-key APM_UI_agent_keys_object_post_request1: description: Run `POST /api/apm/agent_keys` to create an APM agent API key with the specified privileges. value: name: apm-key privileges: - event:write - config_agent:read APM_UI_annotation_object_post_200_response1: description: An example of a successful response from `POST /api/apm/services/opbeans-java/annotation`, which creates an annotation for a service named `opbeans-java`. value: _id: Lc9I93EBh6DbmkeV7nFX _index: observability-annotations _primary_term: 1 _seq_no: 12 _source: '@timestamp': '2020-05-08T10:31:30.452Z' annotation: type: deployment event: created: '2020-05-09T02:34:43.937Z' message: Deployment 1.2 service: name: opbeans-java version: '1.2' tags: - apm - elastic.co - customer _version: 1 found: true APM_UI_annotation_object_post_request1: description: Run `POST /api/apm/services/{serviceName}/annotation` to create a deployment annotation for a service. value: '@timestamp': '2024-01-15T12:00:00.000Z' message: Deployment 1.2.0 service: environment: production version: 1.2.0 tags: - apm - deployment APM_UI_fleet_apm_server_schema_200_response1: description: An example of a successful response from `POST /api/apm/fleet/apm_server_schema`. The response body is intentionally empty. value: {} APM_UI_source_maps_delete_200_response1: description: An example of a successful response from `DELETE /api/apm/sourcemaps/{id}`. The response body is intentionally empty. value: {} APM_UI_source_maps_get_200_response1: description: A successful response from `GET /api/apm/sourcemaps`. value: artifacts: - body: bundleFilepath: /test/e2e/general-usecase/bundle.js serviceName: foo serviceVersion: 1.0.0 sourceMap: file: static/js/main.chunk.js mappings: mapping sourceRoot: '' sources: - fleet-source-map-client/src/index.css - fleet-source-map-client/src/App.js - webpack:///./src/index.css?bb0a - fleet-source-map-client/src/index.js - fleet-source-map-client/src/reportWebVitals.js sourcesContent: - content version: 3 compressionAlgorithm: zlib created: '2021-07-09T20:47:44.812Z' decodedSha256: 644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 decodedSize: 441 encodedSha256: 024c72749c3e3dd411b103f7040ae62633558608f480bce4b108cf5b2275bd24 encodedSize: 237 encryptionAlgorithm: none id: apm:foo-1.0.0-644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 identifier: foo-1.0.0 packageName: apm relative_url: /api/fleet/artifacts/foo-1.0.0/644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 type: sourcemap APM_UI_source_maps_upload_200_response1: description: A successful response from `POST /api/apm/sourcemaps`. value: body: eJyFkL1OwzAUhd/Fc+MbYMuCEBIbHRjKgBgc96R16tiWr1OQqr47NwqJxEK3q/PzWccXxchnZ7E1A1SjuhjVZtF2yOxiEPlO17oWox3D3uPFeSRTjmJQARfCPeiAgGx8NTKsYdAc1T3rwaSJGcds8Sp3c1HnhfywUZ3QhMTFFGepZxqMC9oex3CS9tpk1XyozgOlmoVKuJX1DqEQZ0su7PGtLU+V/3JPKc3cL7TJ2FNDRPov4bFta3MDM4f7W69lpJjLO9qdK8bzVPhcJz3HUCQ4LbO/p5hCSC4cZPByrp/wFqOklbpefwAhzpqI compressionAlgorithm: zlib created: '2021-07-09T20:47:44.812Z' decodedSha256: 644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 decodedSize: 441 encodedSha256: 024c72749c3e3dd411b103f7040ae62633558608f480bce4b108cf5b2275bd24 encodedSize: 237 encryptionAlgorithm: none id: apm:foo-1.0.0-644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 identifier: foo-1.0.0 packageName: apm relative_url: /api/fleet/artifacts/foo-1.0.0/644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 type: sourcemap Cases_add_comment_request: summary: Adds a comment to a case. value: comment: A new comment. owner: cases type: user Cases_add_comment_response: summary: The add comment to case API returns a JSON object that contains details about the case and its comments. value: assignees: [] category: null closed_at: null closed_by: null comments: - comment: A new comment. created_at: '2022-10-02T00:49:47.716Z' created_by: email: null full_name: null profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 username: elastic id: 8af6ac20-74f6-11ea-b83a-553aecdb28b6 owner: cases pushed_at: null pushed_by: null type: user updated_at: null updated_by: null version: WzIwNDMxLDFd connector: fields: null id: none name: none type: .none created_at: '2022-03-24T00:37:03.906Z' created_by: email: null full_name: null profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 username: elastic customFields: - key: d312efda-ec2b-42ec-9e2c-84981795c581 type: text value: Field value - key: fcc6840d-eb14-42df-8aaf-232201a705ec type: toggle value: true description: A case description. duration: null external_service: null id: 293f1bc0-74f6-11ea-b83a-553aecdb28b6 observables: [] owner: cases settings: syncAlerts: false severity: low status: open tags: - tag 1 title: Case title 1 total_observables: 0 totalAlerts: 0 totalComment: 1 totalEvents: 0 updated_at: '2022-06-03T00:49:47.716Z' updated_by: email: null full_name: null profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 username: elastic version: WzIzMzgsMV0= Cases_create_case_request: summary: Create a security case that uses a Jira connector. value: connector: fields: issueType: '10006' parent: null priority: High id: 131d4448-abe0-4789-939d-8ef60680b498 name: My connector type: .jira customFields: - key: d312efda-ec2b-42ec-9e2c-84981795c581 type: text value: My field value description: A case description. owner: cases settings: extractObservables: false syncAlerts: true tags: - tag-1 title: Case title 1 Cases_create_case_response: summary: The create case API returns a JSON object that contains details about the case. value: assignees: [] closed_at: null closed_by: null comments: [] connector: fields: issueType: '10006' parent: null priority: High id: 131d4448-abe0-4789-939d-8ef60680b498 name: My connector type: .jira created_at: '2022-10-13T15:33:50.604Z' created_by: email: null full_name: null profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 username: elastic customFields: - key: d312efda-ec2b-42ec-9e2c-84981795c581 type: text value: My field value - key: fcc6840d-eb14-42df-8aaf-232201a705ec type: toggle value: null description: A case description. duration: null external_service: null id: 66b9aa00-94fa-11ea-9f74-e7e108796192 observables: [] owner: cases settings: extractObservables: false syncAlerts: true severity: low status: open tags: - tag 1 title: Case title 1 total_observables: 0 totalAlerts: 0 totalComment: 0 totalEvents: 0 updated_at: null updated_by: null version: WzUzMiwxXQ== Cases_find_case_activity_response: summary: Retrieves all activity for a case value: page: 1 perPage: 20 total: 3 userActions: - action: create comment_id: null created_at: '2023-10-20T01:17:22.150Z' created_by: email: null full_name: null profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 username: elastic id: b4cd0770-07c9-11ed-a5fd-47154cb8767e owner: cases payload: assignees: [] category: null connector: fields: null id: none name: none type: .none customFields: - key: d312efda-ec2b-42ec-9e2c-84981795c581 type: text value: My field value - key: fcc6840d-eb14-42df-8aaf-232201a705ec type: toggle value: null description: A case description. owner: cases settings: syncAlerts: false severity: low status: open tags: - tag 1 title: Case title 1 type: create_case version: WzM1ODg4LDFd - action: create comment_id: 578608d0-03b1-11ed-920c-974bfa104448 created_at: '2023-10-14T20:12:53.354Z' created_by: email: null full_name: null profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 username: elastic id: 57af14a0-03b1-11ed-920c-974bfa104448 owner: cases payload: comment: comment: A new comment owner: cases type: user type: comment version: WzM1ODg4LDFa - action: add comment_id: null created_at: '2023-10-20T01:10:28.238Z' created_by: email: null full_name: null profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 username: elastic id: 573c6980-6123-11ed-aa41-81a0a61fe447 owner: cases payload: assignees: - uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 type: assignees version: WzM1ODg4LDFb Cases_find_case_comments_response: summary: Paginated list of user comments for a case value: comments: - comment: A new comment created_at: '2023-10-07T19:32:13.104Z' created_by: email: null full_name: null profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 username: elastic id: 8048b460-fe2b-11ec-b15d-779a7c8bbcc3 owner: cases pushed_at: null pushed_by: null type: user updated_at: null updated_by: null version: WzIzLDFd page: 1 per_page: 20 total: 1 Cases_find_case_response: summary: Retrieve the first five cases with the `tag-1` tag, in ascending order by last update time. value: cases: - assignees: [] category: null closed_at: null closed_by: null comments: [] connector: fields: null id: none name: none type: .none created_at: '2023-10-12T00:16:36.371Z' created_by: email: null full_name: null profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 username: elastic customFields: - key: d312efda-ec2b-42ec-9e2c-84981795c581 type: text value: My field value - key: fcc6840d-eb14-42df-8aaf-232201a705ec type: toggle value: null description: Case description duration: null external_service: null id: abed3a70-71bd-11ea-a0b2-c51ea50a58e2 incremental_id: 1 observables: [] owner: cases settings: extractObservables: false syncAlerts: true severity: low status: open tags: - tag-1 title: Case title total_observables: 0 totalAlerts: 0 totalComment: 1 totalEvents: 0 updated_at: '2023-10-12T00:27:58.162Z' updated_by: email: null full_name: null profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 username: elastic version: WzExMCwxXQ== count_closed_cases: 0 count_in_progress_cases: 0 count_open_cases: 1 page: 1 per_page: 5 total: 1 Cases_find_connector_response: summary: Retrieve information about the connectors and their settings. value: - actionTypeId: .jira config: apiUrl: https://elastic.atlassian.net/ projectKey: ES id: 61787f53-4eee-4741-8df6-8fe84fa616f7 isDeprecated: false isMissingSecrets: false isPreconfigured: false name: my-Jira referencedByCount: 0 Cases_get_case_alerts_response: summary: Retrieves all alerts attached to a case value: - attached_at: '2022-07-25T20:09:40.963Z' id: f6a7d0c3-d52d-432c-b2e6-447cd7fce04d index: .alerts-observability.logs.alerts-default Cases_get_case_configuration_response: summary: Get the case configuration. value: - closure_type: close-by-user connector: fields: null id: none name: none type: .none created_at: '2024-07-01T17:07:17.767Z' created_by: email: null full_name: null username: elastic customFields: - defaultValue: Custom text field value. key: d312efda-ec2b-42ec-9e2c-84981795c581 label: my-text-field type: text required: false error: null id: 856ee650-6c82-11ee-a20a-6164169afa58 mappings: [] observableTypes: [] owner: cases templates: - caseFields: assignees: - uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 category: Default-category connector: fields: null id: none name: none type: .none customFields: - key: d312efda-ec2b-42ec-9e2c-84981795c581 type: text value: Default text field value. description: A default description for cases. settings: syncAlerts: false tags: - Default case tag title: Default case title description: A description of the template. key: 505932fe-ee3a-4960-a661-c781b5acdb05 name: template-1 tags: - Template tag 1 updated_at: null updated_by: null version: WzEyLDNd Cases_get_case_observability_response: summary: Get case response (Observability). Comments are not included; use the find case comments API. totalComment reflects the actual count. value: assignees: - uid: u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0 category: null closed_at: null closed_by: null connector: fields: null id: none name: none type: .none created_at: '2023-11-06T19:29:04.086Z' created_by: email: null full_name: null username: elastic customFields: [] description: An Observability case description. duration: null external_service: null id: c3ff7550-def1-4e90-b6bc-c9969a4a09b1 observables: [] owner: observability settings: extractObservables: false syncAlerts: false severity: low status: in-progress tags: - observability - tag 1 title: Observability case title 1 total_observables: 0 totalAlerts: 1 totalComment: 1 totalEvents: 0 updated_at: '2023-11-06T19:47:55.662Z' updated_by: email: null full_name: null profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 username: elastic version: WzI0NywyXQ== Cases_get_case_response: summary: Get case response. Comments are not included; use the find case comments API. totalComment reflects the actual count. value: assignees: - uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 category: null closed_at: null closed_by: null connector: fields: null id: none name: none type: .none created_at: '2023-10-13T15:33:50.604Z' created_by: email: null full_name: null profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 username: elastic customFields: - key: d312efda-ec2b-42ec-9e2c-84981795c581 type: text value: My field value - key: fcc6840d-eb14-42df-8aaf-232201a705ec type: toggle value: null description: A case description duration: null external_service: null id: 31cdada0-02c1-11ed-85f2-4f7c222ca2fa incremental_id: 1 observables: [] owner: cases settings: extractObservables: false syncAlerts: true severity: low status: open tags: - tag 1 title: Case title 1 total_observables: 0 totalAlerts: 1 totalComment: 1 totalEvents: 0 updated_at: '2023-10-13T15:40:32.335Z' updated_by: email: null full_name: null profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 username: elastic version: WzM2LDFd Cases_get_comment_response: summary: A single user comment retrieved from a case value: comment: A new comment created_at: '2023-10-07T19:32:13.104Z' created_by: email: null full_name: null profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 username: elastic id: 8048b460-fe2b-11ec-b15d-779a7c8bbcc3 owner: cases pushed_at: null pushed_by: null type: user updated_at: null updated_by: null version: WzIzLDFd Cases_get_reporters_response: summary: A list of two users that opened cases value: - email: null full_name: null profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 username: elastic - email: jdoe@example.com full_name: Jane Doe profile_uid: u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0 username: jdoe Cases_get_tags_response: summary: A list of tags that are used in cases value: - observability - security - tag 1 - tag 2 Cases_push_case_response: summary: The push case API returns a JSON object with details about the case and the external service. value: assignees: [] category: null closed_at: null closed_by: null comments: [] connector: fields: issueType: '10006' parent: null priority: Low id: 09f8c0b0-0eda-11ed-bd18-65557fe66949 name: My connector type: .jira created_at: '2022-07-29T00:59:39.444Z' created_by: email: null full_name: null profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 username: elastic customFields: [] description: A case description. duration: null external_service: connector_id: 09f8c0b0-0eda-11ed-bd18-65557fe66949 connector_name: My connector external_id: '71926' external_title: ES-554 external_url: https://cases.jira.com pushed_at: '2022-07-29T01:20:58.436Z' pushed_by: email: null full_name: null username: elastic id: b917f300-0ed9-11ed-bd18-65557fe66949 observables: [] owner: cases settings: extractObservables: false syncAlerts: true severity: low status: open tags: - tag 1 title: Case title 1 total_observables: 0 totalAlerts: 0 totalComment: 0 totalEvents: 0 updated_at: '2022-07-29T01:20:58.436Z' updated_by: email: null full_name: null profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 username: elastic version: WzE3NjgsM10= Cases_response_401: summary: Authorization information is missing or invalid. value: error: Unauthorized message: Unable to authenticate with the provided credentials. statusCode: 401 Cases_set_case_configuration_request: summary: Set the closure type, custom fields, and default connector for Stack Management cases. value: closure_type: close-by-user connector: fields: null id: 5e656730-e1ca-11ec-be9b-9b1838238ee6 name: my-jira-connector type: .jira customFields: - defaultValue: My custom field default value. key: d312efda-ec2b-42ec-9e2c-84981795c581 label: my-text-field type: text required: false owner: cases templates: - caseFields: assignees: - uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 category: Default-category customFields: - key: d312efda-ec2b-42ec-9e2c-84981795c581 type: text value: A text field value for the template. description: A default description for cases. tags: - Default case tag title: Default case title description: A description of the template. key: 505932fe-ee3a-4960-a661-c781b5acdb05 name: template-1 tags: - Template tag 1 Cases_set_case_configuration_response: summary: This is an example response for case settings. value: closure_type: close-by-user connector: fields: null id: 5e656730-e1ca-11ec-be9b-9b1838238ee6 name: my-jira-connector type: .jira created_at: '2024-07-01T17:07:17.767Z' created_by: email: null, full_name: null profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 username: elastic customFields: - defaultValue: My custom field default value. key: d312efda-ec2b-42ec-9e2c-84981795c581 label: my-text-field type: text required: false error: null id: 4a97a440-e1cd-11ec-be9b-9b1838238ee6 mappings: - action_type: overwrite source: title target: summary - action_type: overwrite source: description target: description - action_type: append source: comments target: comments - action_type: overwrite source: tags target: labels owner: cases templates: - caseFields: assignees: - uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 category: Default-category customFields: - key: d312efda-ec2b-42ec-9e2c-84981795c581 type: text value: A text field value for the template. description: A default description for cases. tags: - Default case tag title: Default case title description: A description of the template. key: 505932fe-ee3a-4960-a661-c781b5acdb05 name: template-1 tags: - Template tag 1 updated_at: null updated_by: null version: WzIwNzMsMV0= Cases_update_case_configuration_request: summary: Update the case settings. value: closure_type: close-by-user connector: fields: null id: 5e656730-e1ca-11ec-be9b-9b1838238ee6 name: my-jira-connector type: .jira customFields: - defaultValue: A new default value. key: d312efda-ec2b-42ec-9e2c-84981795c581 label: my-text-field type: text required: true - key: fcc6840d-eb14-42df-8aaf-232201a705ec label: my-toggle type: toggle required: false version: WzExOSw0XQ== Cases_update_case_configuration_response: summary: This is an example response when the case configuration was updated. value: closure_type: close-by-user connector: fields: null id: 5e656730-e1ca-11ec-be9b-9b1838238ee6 name: my-jira-connector type: .jira created_at: '2024-07-01T17:07:17.767Z' created_by: email: null full_name: null profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 username: elastic customFields: - defaultValue: A new default value. key: d312efda-ec2b-42ec-9e2c-84981795c581 label: my-text-field type: text required: true - key: fcc6840d-eb14-42df-8aaf-232201a705ec label: my-toggle type: toggle required: false error: null id: 4a97a440-e1cd-11ec-be9b-9b1838238ee6 mappings: - action_type: overwrite source: title target: summary - action_type: overwrite source: description target: description - action_type: overwrite source: tags target: labels - action_type: append source: comments target: comments owner: cases templates: [] updated_at: '2024-07-19T00:52:42.401Z' updated_by: email: null full_name: null profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 username: elastic version: WzI2LDNd Cases_update_case_request: summary: Update the case description, tags, and connector. value: cases: - connector: fields: issueType: '10006' parent: null priority: null id: 131d4448-abe0-4789-939d-8ef60680b498 name: My connector type: .jira customFields: - key: fcc6840d-eb14-42df-8aaf-232201a705ec type: toggle value: false - key: d312efda-ec2b-42ec-9e2c-84981795c581 type: text value: My new field value description: A case description. id: a18b38a0-71b0-11ea-a0b2-c51ea50a58e2 settings: extractObservables: false syncAlerts: true tags: - tag-1 version: WzIzLDFd Cases_update_case_response: summary: This is an example response when the case description, tags, and connector were updated. value: - assignees: [] category: null closed_at: null closed_by: null comments: [] connector: fields: issueType: '10006' parent: null priority: null id: 131d4448-abe0-4789-939d-8ef60680b498 name: My connector type: .jira created_at: '2023-10-13T09:16:17.416Z' created_by: email: null full_name: null profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 username: elastic customFields: - key: d312efda-ec2b-42ec-9e2c-84981795c581 type: text value: My new field value - key: fcc6840d-eb14-42df-8aaf-232201a705ec type: toggle value: false description: A case description. duration: null external_service: connector_id: 05da469f-1fde-4058-99a3-91e4807e2de8 connector_name: Jira external_id: '10003' external_title: IS-4 external_url: https://hms.atlassian.net/browse/IS-4 pushed_at: '2023-10-13T09:20:40.672Z' pushed_by: email: null full_name: null username: elastic id: 66b9aa00-94fa-11ea-9f74-e7e108796192 observables: [] owner: cases settings: extractObservables: false syncAlerts: true severity: low status: open tags: - tag-1 title: Case title 1 total_observables: 0 totalAlerts: 0 totalComment: 0 totalEvents: 0 updated_at: '2023-10-13T09:48:33.043Z' updated_by: email: null full_name: null profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 username: elastic version: WzU0OCwxXQ== Cases_update_comment_request: summary: Updates a comment of a case. value: comment: An updated comment. id: 8af6ac20-74f6-11ea-b83a-553aecdb28b6 owner: cases type: user version: Wzk1LDFd Cases_update_comment_response: summary: The add comment to case API returns a JSON object that contains details about the case and its comments. value: assignees: [] category: null closed_at: null closed_by: null comments: - comment: An updated comment. created_at: '2023-10-24T00:37:10.832Z' created_by: email: null full_name: null profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 username: elastic id: 8af6ac20-74f6-11ea-b83a-553aecdb28b6 owner: cases pushed_at: null pushed_by: null type: user updated_at: '2023-10-24T01:27:06.210Z' updated_by: email: null full_name: null profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 username: elastic version: WzIwNjM3LDFd connector: fields: null id: none name: none type: .none created_at: '2023-10-24T00:37:03.906Z' created_by: email: null full_name: null profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 username: elastic customFields: - key: d312efda-ec2b-42ec-9e2c-84981795c581 type: text value: My new field value - key: fcc6840d-eb14-42df-8aaf-232201a705ec type: toggle value: false description: A case description. duration: null external_service: null id: 293f1bc0-74f6-11ea-b83a-553aecdb28b6 owner: cases settings: syncAlerts: false severity: low status: open tags: - tag 1 title: Case title 1 totalAlerts: 0 totalComment: 1 totalEvents: 0 updated_at: '2023-10-24T01:27:06.210Z' updated_by: email: null full_name: null profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 username: elastic version: WzIwNjM2LDFd Data_views_create_data_view_request: summary: Create a data view with runtime fields. value: data_view: name: My Logstash data view runtimeFieldMap: runtime_shape_name: script: source: emit(doc['shape_name'].value) type: keyword title: logstash-* Data_views_create_runtime_field_request: summary: Create a runtime field. value: name: runtimeFoo runtimeField: script: source: emit(doc["foo"].value) type: long Data_views_get_data_view_response: summary: The get data view API returns a JSON object that contains information about the data view. value: data_view: allowNoIndex: false fieldAttrs: products.manufacturer: count: 1 products.price: count: 1 products.product_name: count: 1 total_quantity: count: 1 fieldFormats: products.base_price: id: number params: pattern: $0,0.00 products.base_unit_price: id: number params: pattern: $0,0.00 products.min_price: id: number params: pattern: $0,0.00 products.price: id: number params: pattern: $0,0.00 products.taxful_price: id: number params: pattern: $0,0.00 products.taxless_price: id: number params: pattern: $0,0.00 taxful_total_price: id: number params: pattern: $0,0.[00] taxless_total_price: id: number params: pattern: $0,0.00 fields: _id: aggregatable: false count: 0 esTypes: - _id format: id: string isMapped: true name: _id readFromDocValues: false scripted: false searchable: true shortDotsEnable: false type: string _index: aggregatable: true count: 0 esTypes: - _index format: id: string isMapped: true name: _index readFromDocValues: false scripted: false searchable: true shortDotsEnable: false type: string _score: aggregatable: false count: 0 format: id: number isMapped: true name: _score readFromDocValues: false scripted: false searchable: false shortDotsEnable: false type: number _source: aggregatable: false count: 0 esTypes: - _source format: id: _source isMapped: true name: _source readFromDocValues: false scripted: false searchable: false shortDotsEnable: false type: _source category: aggregatable: false count: 0 esTypes: - text format: id: string isMapped: true name: category readFromDocValues: false scripted: false searchable: true shortDotsEnable: false type: string category.keyword: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: category.keyword readFromDocValues: true scripted: false searchable: true shortDotsEnable: false subType: multi: parent: category type: string currency: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: currency readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string customer_birth_date: aggregatable: true count: 0 esTypes: - date format: id: date isMapped: true name: customer_birth_date readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: date customer_first_name: aggregatable: false count: 0 esTypes: - text format: id: string isMapped: true name: customer_first_name readFromDocValues: false scripted: false searchable: true shortDotsEnable: false type: string customer_first_name.keyword: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: customer_first_name.keyword readFromDocValues: true scripted: false searchable: true shortDotsEnable: false subType: multi: parent: customer_first_name type: string customer_full_name: aggregatable: false count: 0 esTypes: - text format: id: string isMapped: true name: customer_full_name readFromDocValues: false scripted: false searchable: true shortDotsEnable: false type: string customer_full_name.keyword: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: customer_full_name.keyword readFromDocValues: true scripted: false searchable: true shortDotsEnable: false subType: multi: parent: customer_full_name type: string customer_gender: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: customer_gender readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string customer_id: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: customer_id readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string customer_last_name: aggregatable: false count: 0 esTypes: - text format: id: string isMapped: true name: customer_last_name readFromDocValues: false scripted: false searchable: true shortDotsEnable: false type: string customer_last_name.keyword: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: customer_last_name.keyword readFromDocValues: true scripted: false searchable: true shortDotsEnable: false subType: multi: parent: customer_last_name type: string customer_phone: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: customer_phone readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string day_of_week: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: day_of_week readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string day_of_week_i: aggregatable: true count: 0 esTypes: - integer format: id: number isMapped: true name: day_of_week_i readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: number email: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: email readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string event.dataset: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: event.dataset readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string geoip.city_name: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: geoip.city_name readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string geoip.continent_name: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: geoip.continent_name readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string geoip.country_iso_code: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: geoip.country_iso_code readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string geoip.location: aggregatable: true count: 0 esTypes: - geo_point format: id: geo_point params: transform: wkt isMapped: true name: geoip.location readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: geo_point geoip.region_name: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: geoip.region_name readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string manufacturer: aggregatable: false count: 0 esTypes: - text format: id: string isMapped: true name: manufacturer readFromDocValues: false scripted: false searchable: true shortDotsEnable: false type: string manufacturer.keyword: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: manufacturer.keyword readFromDocValues: true scripted: false searchable: true shortDotsEnable: false subType: multi: parent: manufacturer type: string order_date: aggregatable: true count: 0 esTypes: - date format: id: date isMapped: true name: order_date readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: date order_id: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: order_id readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string products._id: aggregatable: false count: 0 esTypes: - text format: id: string isMapped: true name: products._id readFromDocValues: false scripted: false searchable: true shortDotsEnable: false type: string products._id.keyword: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: products._id.keyword readFromDocValues: true scripted: false searchable: true shortDotsEnable: false subType: multi: parent: products._id type: string products.base_price: aggregatable: true count: 0 esTypes: - half_float format: id: number params: pattern: $0,0.00 isMapped: true name: products.base_price readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: number products.base_unit_price: aggregatable: true count: 0 esTypes: - half_float format: id: number params: pattern: $0,0.00 isMapped: true name: products.base_unit_price readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: number products.category: aggregatable: false count: 0 esTypes: - text format: id: string isMapped: true name: products.category readFromDocValues: false scripted: false searchable: true shortDotsEnable: false type: string products.category.keyword: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: products.category.keyword readFromDocValues: true scripted: false searchable: true shortDotsEnable: false subType: multi: parent: products.category type: string products.created_on: aggregatable: true count: 0 esTypes: - date format: id: date isMapped: true name: products.created_on readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: date products.discount_amount: aggregatable: true count: 0 esTypes: - half_float format: id: number isMapped: true name: products.discount_amount readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: number products.discount_percentage: aggregatable: true count: 0 esTypes: - half_float format: id: number isMapped: true name: products.discount_percentage readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: number products.manufacturer: aggregatable: false count: 1 esTypes: - text format: id: string isMapped: true name: products.manufacturer readFromDocValues: false scripted: false searchable: true shortDotsEnable: false type: string products.manufacturer.keyword: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: products.manufacturer.keyword readFromDocValues: true scripted: false searchable: true shortDotsEnable: false subType: multi: parent: products.manufacturer type: string products.min_price: aggregatable: true count: 0 esTypes: - half_float format: id: number params: pattern: $0,0.00 isMapped: true name: products.min_price readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: number products.price: aggregatable: true count: 1 esTypes: - half_float format: id: number params: pattern: $0,0.00 isMapped: true name: products.price readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: number products.product_id: aggregatable: true count: 0 esTypes: - long format: id: number isMapped: true name: products.product_id readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: number products.product_name: aggregatable: false count: 1 esTypes: - text format: id: string isMapped: true name: products.product_name readFromDocValues: false scripted: false searchable: true shortDotsEnable: false type: string products.product_name.keyword: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: products.product_name.keyword readFromDocValues: true scripted: false searchable: true shortDotsEnable: false subType: multi: parent: products.product_name type: string products.quantity: aggregatable: true count: 0 esTypes: - integer format: id: number isMapped: true name: products.quantity readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: number products.sku: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: products.sku readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string products.tax_amount: aggregatable: true count: 0 esTypes: - half_float format: id: number isMapped: true name: products.tax_amount readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: number products.taxful_price: aggregatable: true count: 0 esTypes: - half_float format: id: number params: pattern: $0,0.00 isMapped: true name: products.taxful_price readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: number products.taxless_price: aggregatable: true count: 0 esTypes: - half_float format: id: number params: pattern: $0,0.00 isMapped: true name: products.taxless_price readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: number products.unit_discount_amount: aggregatable: true count: 0 esTypes: - half_float format: id: number isMapped: true name: products.unit_discount_amount readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: number sku: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: sku readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string taxful_total_price: aggregatable: true count: 0 esTypes: - half_float format: id: number params: pattern: $0,0.[00] isMapped: true name: taxful_total_price readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: number taxless_total_price: aggregatable: true count: 0 esTypes: - half_float format: id: number params: pattern: $0,0.00 isMapped: true name: taxless_total_price readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: number total_quantity: aggregatable: true count: 1 esTypes: - integer format: id: number isMapped: true name: total_quantity readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: number total_unique_products: aggregatable: true count: 0 esTypes: - integer format: id: number isMapped: true name: total_unique_products readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: number type: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: type readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string user: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: user readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string id: ff959d40-b880-11e8-a6d9-e546fe2bba5f name: Kibana Sample Data eCommerce namespaces: - default runtimeFieldMap: {} sourceFilters: [] timeFieldName: order_date title: kibana_sample_data_ecommerce typeMeta: {} version: WzUsMV0= Data_views_get_data_views_response: summary: The get all data views API returns a list of data views. value: data_view: - id: ff959d40-b880-11e8-a6d9-e546fe2bba5f name: Kibana Sample Data eCommerce namespaces: - default title: kibana_sample_data_ecommerce typeMeta: {} - id: d3d7af60-4c81-11e8-b3d7-01146121b73d name: Kibana Sample Data Flights namespaces: - default title: kibana_sample_data_flights - id: 90943e30-9a47-11e8-b64d-95841ca0b247 name: Kibana Sample Data Logs namespaces: - default title: kibana_sample_data_logs Data_views_get_default_data_view_response: summary: The get default data view API returns the default data view identifier. value: data_view_id: ff959d40-b880-11e8-a6d9-e546fe2bba5f Data_views_get_runtime_field_response: summary: The get runtime field API returns a JSON object that contains information about the runtime field (`hour_of_day`) and the data view (`d3d7af60-4c81-11e8-b3d7-01146121b73d`). value: data_view: allowNoIndex: false fieldAttrs: {} fieldFormats: AvgTicketPrice: id: number params: pattern: $0,0.[00] hour_of_day: id: number params: pattern: '00' fields: _id: aggregatable: false count: 0 esTypes: - _id format: id: string isMapped: true name: _id readFromDocValues: false scripted: false searchable: true shortDotsEnable: false type: string _index: aggregatable: true count: 0 esTypes: - _index format: id: string isMapped: true name: _index readFromDocValues: false scripted: false searchable: true shortDotsEnable: false type: string _score: aggregatable: false count: 0 format: id: number isMapped: true name: _score readFromDocValues: false scripted: false searchable: false shortDotsEnable: false type: number _source: aggregatable: false count: 0 esTypes: - _source format: id: _source isMapped: true name: _source readFromDocValues: false scripted: false searchable: false shortDotsEnable: false type: _source AvgTicketPrice: aggregatable: true count: 0 esTypes: - float format: id: number params: pattern: $0,0.[00] isMapped: true name: AvgTicketPrice readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: number Cancelled: aggregatable: true count: 0 esTypes: - boolean format: id: boolean isMapped: true name: Cancelled readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: boolean Carrier: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: Carrier readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string dayOfWeek: aggregatable: true count: 0 esTypes: - integer format: id: number isMapped: true name: dayOfWeek readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: number Dest: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: Dest readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string DestAirportID: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: DestAirportID readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string DestCityName: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: DestCityName readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string DestCountry: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: DestCountry readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string DestLocation: aggregatable: true count: 0 esTypes: - geo_point format: id: geo_point params: transform: wkt isMapped: true name: DestLocation readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: geo_point DestRegion: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: DestRegion readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string DestWeather: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: DestWeather readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string DistanceKilometers: aggregatable: true count: 0 esTypes: - float format: id: number isMapped: true name: DistanceKilometers readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: number DistanceMiles: aggregatable: true count: 0 esTypes: - float format: id: number isMapped: true name: DistanceMiles readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: number FlightDelay: aggregatable: true count: 0 esTypes: - boolean format: id: boolean isMapped: true name: FlightDelay readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: boolean FlightDelayMin: aggregatable: true count: 0 esTypes: - integer format: id: number isMapped: true name: FlightDelayMin readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: number FlightDelayType: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: FlightDelayType readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string FlightNum: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: FlightNum readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string FlightTimeHour: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: FlightTimeHour readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string FlightTimeMin: aggregatable: true count: 0 esTypes: - float format: id: number isMapped: true name: FlightTimeMin readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: number hour_of_day: aggregatable: true count: 0 esTypes: - long format: id: number params: pattern: '00' name: hour_of_day readFromDocValues: false runtimeField: script: source: emit(doc['timestamp'].value.getHour()); type: long scripted: false searchable: true shortDotsEnable: false type: number Origin: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: Origin readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string OriginAirportID: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: OriginAirportID readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string OriginCityName: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: OriginCityName readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string OriginCountry: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: OriginCountry readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string OriginLocation: aggregatable: true count: 0 esTypes: - geo_point format: id: geo_point params: transform: wkt isMapped: true name: OriginLocation readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: geo_point OriginRegion: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: OriginRegion readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string OriginWeather: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: OriginWeather readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string timestamp: aggregatable: true count: 0 esTypes: - date format: id: date isMapped: true name: timestamp readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: date id: d3d7af60-4c81-11e8-b3d7-01146121b73d name: Kibana Sample Data Flights runtimeFieldMap: hour_of_day: script: source: emit(doc['timestamp'].value.getHour()); type: long sourceFilters: [] timeFieldName: timestamp title: kibana_sample_data_flights version: WzM2LDJd fields: - aggregatable: true count: 0 esTypes: - long name: hour_of_day readFromDocValues: false runtimeField: script: source: emit(doc['timestamp'].value.getHour()); type: long scripted: false searchable: true shortDotsEnable: false type: number Data_views_preview_swap_data_view_request: summary: Preview swapping references from data view ID "abcd-efg" to "xyz-123". value: fromId: abcd-efg toId: xyz-123 Data_views_set_default_data_view_request: summary: Set the default data view identifier. value: data_view_id: ff959d40-b880-11e8-a6d9-e546fe2bba5f force: true Data_views_swap_data_view_request: summary: Swap references from data view ID "abcd-efg" to "xyz-123" and remove the data view that is no longer referenced. value: delete: true fromId: abcd-efg toId: xyz-123 Data_views_update_data_view_request: summary: Update some properties for a data view. value: data_view: allowNoIndex: false name: Kibana Sample Data eCommerce timeFieldName: order_date title: kibana_sample_data_ecommerce refresh_fields: true Data_views_update_field_metadata_request: summary: Update metadata for multiple fields. value: fields: field1: count: 123 customLabel: Field 1 label field2: customDescription: Field 2 description customLabel: Field 2 label Data_views_update_runtime_field_request: summary: Update an existing runtime field on a data view. value: runtimeField: script: source: emit(doc["bar"].value) Machine_learning_APIs_mlSync401Example: summary: Two anomaly detection jobs required synchronization in this example. value: error: Unauthorized message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [ml_viewer] for REST request [/_security/_authenticate]]: unable to authenticate user [ml_viewer] for REST request [/_security/_authenticate]" statusCode: 401 Machine_learning_APIs_mlSyncExample: summary: Two anomaly detection jobs required synchronization in this example. value: datafeedsAdded: {} datafeedsRemoved: {} savedObjectsCreated: anomaly-detector: myjob1: success: true myjob2: success: true savedObjectsDeleted: {} Observability_AI_Assistant_API_ChatCompleteRequestExample: summary: Example of completing a chat interaction value: | { "connectorId": "", "disableFunctions": false, "messages": [ { "@timestamp": "2025-06-25T23:45:00.000Z", "message": { "role": "user", "content": "Is my Elasticsearch cluster healthy right now?" } } ], "persist": false, "actions": [ { "name": "get_cluster_health", "description": "Fetch the current Elasticsearch cluster-health status and key metrics.", "parameters": { "type": "object", "properties": { "includeShardStats": { "type": "boolean", "default": false } } } } ], "instructions": ["When the user asks about Elasticsearch cluster health, use the get_cluster_health tool to retrieve cluster health, then summarize the response in plain English."] } Observability_AI_Assistant_API_ChatCompleteResponseExample: summary: Get a chat completion from the Observability AI Assistant value: | data: {"model":"unknown","choices":[{"delta":{"content":"","function_call":{"name":"get_cluster_health","arguments":"{\"includeShardStats\":true}"}},"finish_reason":null,"index":0}],"created":1750936626911,"id":"9c8eff9b-4fd4-4203-a4ab-2e364688deff","object":"chat.completion.chunk"} data: [DONE] Saved_objects_key_rotation_response: summary: Encryption key rotation using default parameters. value: failed: 0 successful: 300 total: 1000 Saved_objects_resolve_missing_reference_request: value: file: file.ndjson retries: - id: my-pattern overwrite: true type: index-pattern - destinationId: another-vis id: my-vis overwrite: true type: visualization - destinationId: yet-another-canvas id: my-canvas overwrite: true type: canvas - id: my-dashboard type: dashboard Saved_objects_resolve_missing_reference_response: summary: Resolve missing reference errors. value: success: true successCount: 3 successResults: - id: my-vis meta: icon: visualizeApp title: Look at my visualization type: visualization - id: my-search meta: icon: searchApp title: Look at my search type: search - id: my-dashboard meta: icon: dashboardApp title: Look at my dashboard type: dashboard Security_Detections_API_SetAlertAssigneesBodyAdd: value: assignees: add: - u_MxY0jbrft7EcfC6iNZSUGeI_n6iYrSwZj5mWF5EqmSU_0 remove: [] ids: - 681c2a707335aa7df5f349b70013d87254746191712ecf0ced9b3e2d538503a6 Security_Detections_API_SetAlertAssigneesBodyRemove: value: assignees: add: [] remove: - u_MxY0jbrft7EcfC6iNZSUGeI_n6iYrSwZj5mWF5EqmSU_0 ids: - 681c2a707335aa7df5f349b70013d87254746191712ecf0ced9b3e2d538503a6 Security_Detections_API_SetAlertTagsBodyAdd: value: ids: - 549c7129c76cbd554aba1bd638f8a49dde95088f5832e50218358e7eca1cf16e tags: tags_to_add: - Duplicate tags_to_remove: [] Security_Detections_API_SetAlertTagsBodyRemove: value: ids: - 549c7129c76cbd554aba1bd638f8a49dde95088f5832e50218358e7eca1cf16e tags: tags_to_add: [] tags_to_remove: - Duplicate Task_manager_health_APIs_health_200response: description: A successful response from `GET api/task_manager/_health`. value: |- { "id": "330bbc6a-56cd-44d5-88e3-e3229f14d619", "timestamp": "2025-03-21T21:30:04.780Z", "status": "OK", "last_update": "2025-03-21T21:30:04.455Z", "stats": { "configuration": { "timestamp": "2025-03-21T21:26:10.002Z", "value": { "request_capacity": 1000, "monitored_aggregated_stats_refresh_rate": 60000, "monitored_stats_running_average_window": 50, "monitored_task_execution_thresholds": { "custom": {}, "default": { "error_threshold": 90, "warn_threshold": 80 } }, "claim_strategy": "mget", "poll_interval": 500, "capacity": { "config": 10, "as_workers": 10, "as_cost": 20 } }, "status": "OK" }, "runtime": { "timestamp": "2025-03-21T21:30:04.455Z", "value": { "polling": { "last_successful_poll": "2025-03-21T21:30:04.455Z", "last_polling_delay": "2025-03-21T21:26:10.001Z", "claim_duration": { "p50": 17, "p90": 22, "p95": 25, "p99": 27 }, "duration": { "p50": 19, "p90": 25.5, "p95": 28, "p99": 28 }, "claim_conflicts": { "p50": 0, "p90": 0, "p95": 0, "p99": 0 }, "claim_mismatches": { "p50": 0, "p90": 0, "p95": 0, "p99": 0 }, "claim_stale_tasks": { "p50": 0, "p90": 0, "p95": 0, "p99": 0 }, "result_frequency_percent_as_number": { "Failed": 0, "NoAvailableWorkers": 0, "NoTasksClaimed": 100, "RanOutOfCapacity": 0, "RunningAtCapacity": 0, "PoolFilled": 0 }, "persistence": { "recurring": 88, "non_recurring": 12 } }, "drift": { "p50": 2089, "p90": 3037, "p95": 3037, "p99": 3037 }, "drift_by_type": { "SLO:ORPHAN_SUMMARIES-CLEANUP-TASK": { "p50": 2082, "p90": 2082, "p95": 2082, "p99": 2082 }, "fleet:check-deleted-files-task": { "p50": 2080, "p90": 2080, "p95": 2080, "p99": 2080 }, "osquery:telemetry-saved-queries": { "p50": 2080, "p90": 2080, "p95": 2080, "p99": 2080 }, "task_manager:mark_removed_tasks_as_unrecognized": { "p50": 2089, "p90": 2089, "p95": 2089, "p99": 2089 }, "task_manager:delete_inactive_background_task_nodes": { "p50": 336.5, "p90": 2089, "p95": 2089, "p99": 2089 }, "alerts_invalidate_api_keys": { "p50": 2086, "p90": 2086, "p95": 2086, "p99": 2086 }, "fleet:unenroll-inactive-agents-task": { "p50": 2080, "p90": 2080, "p95": 2080, "p99": 2080 }, "alerting_health_check": { "p50": 2086, "p90": 2086, "p95": 2086, "p99": 2086 }, "Fleet-Usage-Sender": { "p50": 2079, "p90": 2079, "p95": 2079, "p99": 2079 }, "security:endpoint-diagnostics": { "p50": 2525, "p90": 2525, "p95": 2525, "p99": 2525 }, "security:telemetry-lists": { "p50": 2525, "p90": 2525, "p95": 2525, "p99": 2525 }, "security:telemetry-timelines": { "p50": 2526, "p90": 2526, "p95": 2526, "p99": 2526 }, "cases-telemetry-task": { "p50": 2083, "p90": 2083, "p95": 2083, "p99": 2083 }, "osquery:telemetry-packs": { "p50": 2530, "p90": 2530, "p95": 2530, "p99": 2530 }, "Fleet-Metrics-Task": { "p50": 133.5, "p90": 2530, "p95": 2530, "p99": 2530 }, "fleet:delete-unenrolled-agents-task": { "p50": 2530, "p90": 2530, "p95": 2530, "p99": 2530 }, "osquery:telemetry-configs": { "p50": 2529, "p90": 2529, "p95": 2529, "p99": 2529 }, "endpoint:complete-external-response-actions": { "p50": 519, "p90": 2526, "p95": 2526, "p99": 2526 }, "security:telemetry-detection-rules": { "p50": 3037, "p90": 3037, "p95": 3037, "p99": 3037 }, "security:telemetry-prebuilt-rule-alerts": { "p50": 3037, "p90": 3037, "p95": 3037, "p99": 3037 }, "security:endpoint-meta-telemetry": { "p50": 3037, "p90": 3037, "p95": 3037, "p99": 3037 }, "security:telemetry-filterlist-artifact": { "p50": 3037, "p90": 3037, "p95": 3037, "p99": 3037 }, "security:telemetry-diagnostic-timelines": { "p50": 3037, "p90": 3037, "p95": 3037, "p99": 3037 }, "security:telemetry-configuration": { "p50": 3037, "p90": 3037, "p95": 3037, "p99": 3037 }, "security:indices-metadata-telemetry": { "p50": 3037, "p90": 3037, "p95": 3037, "p99": 3037 }, "Fleet-Usage-Logger": { "p50": 2190, "p90": 2190, "p95": 2190, "p99": 2190 }, "obs-ai-assistant:knowledge-base-migration": { "p50": 2189, "p90": 2189, "p95": 2189, "p99": 2189 }, "dashboard_telemetry": { "p50": 2452, "p90": 2452, "p95": 2452, "p99": 2452 }, "session_cleanup": { "p50": 2569, "p90": 2569, "p95": 2569, "p99": 2569 }, "ProductDocBase:EnsureUpToDate": { "p50": 2452, "p90": 2452, "p95": 2452, "p99": 2452 }, "apm-telemetry-task": { "p50": 2591, "p90": 2591, "p95": 2591, "p99": 2591 }, "ML:saved-objects-sync": { "p50": 2475, "p90": 2475, "p95": 2475, "p99": 2475 }, "apm-source-map-migration-task": { "p50": 1603.5, "p90": 2987, "p95": 2987, "p99": 2987 }, "actions_telemetry": { "p50": 771, "p90": 771, "p95": 771, "p99": 771 }, "alerting_telemetry": { "p50": 768, "p90": 768, "p95": 768, "p99": 768 }, "endpoint:metadata-check-transforms-task": { "p50": 834, "p90": 834, "p95": 834, "p99": 834 }, "endpoint:user-artifact-packager": { "p50": 529.5, "p90": 835, "p95": 835, "p99": 835 }, "fleet:bump_agent_policies": { "p50": 361, "p90": 361, "p95": 361, "p99": 361 } }, "load": { "p50": 10, "p90": 100, "p95": 100, "p99": 100 }, "execution": { "duration": { "SLO:ORPHAN_SUMMARIES-CLEANUP-TASK": { "p50": 24, "p90": 24, "p95": 24, "p99": 24 }, "fleet:check-deleted-files-task": { "p50": 24, "p90": 24, "p95": 24, "p99": 24 }, "osquery:telemetry-saved-queries": { "p50": 25, "p90": 25, "p95": 25, "p99": 25 }, "task_manager:mark_removed_tasks_as_unrecognized": { "p50": 28, "p90": 28, "p95": 28, "p99": 28 }, "task_manager:delete_inactive_background_task_nodes": { "p50": 7.5, "p90": 29, "p95": 29, "p99": 29 }, "alerts_invalidate_api_keys": { "p50": 34, "p90": 34, "p95": 34, "p99": 34 }, "fleet:unenroll-inactive-agents-task": { "p50": 39, "p90": 39, "p95": 39, "p99": 39 }, "alerting_health_check": { "p50": 42, "p90": 42, "p95": 42, "p99": 42 }, "Fleet-Usage-Sender": { "p50": 78, "p90": 78, "p95": 78, "p99": 78 }, "security:endpoint-diagnostics": { "p50": 6, "p90": 6, "p95": 6, "p99": 6 }, "security:telemetry-lists": { "p50": 6, "p90": 6, "p95": 6, "p99": 6 }, "security:telemetry-timelines": { "p50": 6, "p90": 6, "p95": 6, "p99": 6 }, "cases-telemetry-task": { "p50": 458, "p90": 458, "p95": 458, "p99": 458 }, "osquery:telemetry-packs": { "p50": 10, "p90": 10, "p95": 10, "p99": 10 }, "Fleet-Metrics-Task": { "p50": 5, "p90": 10, "p95": 10, "p99": 10 }, "fleet:delete-unenrolled-agents-task": { "p50": 11, "p90": 11, "p95": 11, "p99": 11 }, "osquery:telemetry-configs": { "p50": 12, "p90": 12, "p95": 12, "p99": 12 }, "endpoint:complete-external-response-actions": { "p50": 7, "p90": 11, "p95": 11, "p99": 11 }, "security:telemetry-detection-rules": { "p50": 6, "p90": 6, "p95": 6, "p99": 6 }, "security:telemetry-prebuilt-rule-alerts": { "p50": 6, "p90": 6, "p95": 6, "p99": 6 }, "security:endpoint-meta-telemetry": { "p50": 6, "p90": 6, "p95": 6, "p99": 6 }, "security:telemetry-filterlist-artifact": { "p50": 5, "p90": 5, "p95": 5, "p99": 5 }, "security:telemetry-diagnostic-timelines": { "p50": 5, "p90": 5, "p95": 5, "p99": 5 }, "security:telemetry-configuration": { "p50": 5, "p90": 5, "p95": 5, "p99": 5 }, "security:indices-metadata-telemetry": { "p50": 5, "p90": 5, "p95": 5, "p99": 5 }, "Fleet-Usage-Logger": { "p50": 18, "p90": 18, "p95": 18, "p99": 18 }, "obs-ai-assistant:knowledge-base-migration": { "p50": 8, "p90": 8, "p95": 8, "p99": 8 }, "dashboard_telemetry": { "p50": 12, "p90": 12, "p95": 12, "p99": 12 }, "session_cleanup": { "p50": 58, "p90": 58, "p95": 58, "p99": 58 }, "ProductDocBase:EnsureUpToDate": { "p50": 147, "p90": 147, "p95": 147, "p99": 147 }, "apm-telemetry-task": { "p50": 543, "p90": 543, "p95": 543, "p99": 543 }, "ML:saved-objects-sync": { "p50": 544, "p90": 544, "p95": 544, "p99": 544 }, "apm-source-map-migration-task": { "p50": 1649, "p90": 3282, "p95": 3282, "p99": 3282 }, "actions_telemetry": { "p50": 19, "p90": 19, "p95": 19, "p99": 19 }, "alerting_telemetry": { "p50": 64, "p90": 64, "p95": 64, "p99": 64 }, "endpoint:metadata-check-transforms-task": { "p50": 6, "p90": 6, "p95": 6, "p99": 6 }, "endpoint:user-artifact-packager": { "p50": 10, "p90": 13, "p95": 13, "p99": 13 }, "fleet:bump_agent_policies": { "p50": 9, "p90": 9, "p95": 9, "p99": 9 } }, "duration_by_persistence": { "recurring": { "p50": 9, "p90": 63.39999999999999, "p95": 474.99999999999966, "p99": 544 }, "non_recurring": { "p50": 14, "p90": 2968.500000000001, "p95": 3282, "p99": 3282 } }, "persistence": { "recurring": 88, "non_recurring": 12 }, "result_frequency_percent_as_number": { "SLO:ORPHAN_SUMMARIES-CLEANUP-TASK": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "fleet:check-deleted-files-task": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "osquery:telemetry-saved-queries": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "task_manager:mark_removed_tasks_as_unrecognized": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "task_manager:delete_inactive_background_task_nodes": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "alerts_invalidate_api_keys": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "fleet:unenroll-inactive-agents-task": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "alerting_health_check": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "Fleet-Usage-Sender": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "security:endpoint-diagnostics": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "security:telemetry-lists": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "security:telemetry-timelines": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "cases-telemetry-task": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "osquery:telemetry-packs": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "Fleet-Metrics-Task": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "fleet:delete-unenrolled-agents-task": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "osquery:telemetry-configs": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "endpoint:complete-external-response-actions": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "security:telemetry-detection-rules": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "security:telemetry-prebuilt-rule-alerts": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "security:endpoint-meta-telemetry": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "security:telemetry-filterlist-artifact": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "security:telemetry-diagnostic-timelines": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "security:telemetry-configuration": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "security:indices-metadata-telemetry": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "Fleet-Usage-Logger": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "obs-ai-assistant:knowledge-base-migration": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "dashboard_telemetry": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "session_cleanup": { "Success": 0, "RetryScheduled": 100, "Failed": 0, "status": "OK" }, "ProductDocBase:EnsureUpToDate": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "apm-telemetry-task": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "ML:saved-objects-sync": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "apm-source-map-migration-task": { "Success": 50, "RetryScheduled": 50, "Failed": 0, "status": "OK" }, "actions_telemetry": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "alerting_telemetry": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "endpoint:metadata-check-transforms-task": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "endpoint:user-artifact-packager": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "fleet:bump_agent_policies": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" } } } }, "status": "OK" }, "workload": { "timestamp": "2025-03-21T21:29:10.367Z", "value": { "count": 35, "cost": 70, "task_types": { "Fleet-Metrics-Task": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "Fleet-Usage-Logger": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "Fleet-Usage-Sender": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "ML:saved-objects-sync": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "SLO:ORPHAN_SUMMARIES-CLEANUP-TASK": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "actions_telemetry": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "alerting_health_check": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "alerting_telemetry": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "alerts_invalidate_api_keys": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "apm-telemetry-task": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "cases-telemetry-task": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "dashboard_telemetry": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "endpoint:complete-external-response-actions": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "endpoint:metadata-check-transforms-task": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "endpoint:user-artifact-packager": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "fleet:check-deleted-files-task": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "fleet:delete-unenrolled-agents-task": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "fleet:unenroll-inactive-agents-task": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "osquery:telemetry-configs": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "osquery:telemetry-packs": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "osquery:telemetry-saved-queries": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "security:endpoint-diagnostics": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "security:endpoint-meta-telemetry": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "security:indices-metadata-telemetry": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "security:telemetry-configuration": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "security:telemetry-detection-rules": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "security:telemetry-diagnostic-timelines": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "security:telemetry-filterlist-artifact": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "security:telemetry-lists": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "security:telemetry-prebuilt-rule-alerts": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "security:telemetry-timelines": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "session_cleanup": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "task_manager:delete_inactive_background_task_nodes": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "task_manager:mark_removed_tasks_as_unrecognized": { "count": 1, "cost": 2, "status": { "idle": 1 } } }, "non_recurring": 1, "non_recurring_cost": 2, "schedule": [ [ "1m", 2 ], [ "60s", 2 ], [ "5m", 2 ], [ "10m", 1 ], [ "15m", 1 ], [ "45m", 1 ], [ "1h", 9 ], [ "3600s", 1 ], [ "60m", 1 ], [ "2h", 1 ], [ "720m", 2 ], [ "24h", 7 ], [ "1d", 3 ], [ "1440m", 1 ] ], "overdue": 0, "overdue_cost": 0, "overdue_non_recurring": 0, "estimated_schedule_density": [ 0, 0, 0, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 ], "capacity_requirements": { "per_minute": 4, "per_hour": 46, "per_day": 27 } }, "status": "OK" }, "capacity_estimation": { "status": "OK", "reason": "Task Manager is healthy, the assumedRequiredThroughputPerMinutePerKibana (148.78541666666666) < capacityPerMinutePerKibana (1200)", "timestamp": "2025-03-21T21:30:04.780Z", "value": { "observed": { "observed_kibana_instances": 1, "max_throughput_per_minute_per_kibana": 1200, "max_throughput_per_minute": 1200, "minutes_to_drain_overdue": 0, "avg_recurring_required_throughput_per_minute": 5, "avg_recurring_required_throughput_per_minute_per_kibana": 5, "avg_required_throughput_per_minute": 149, "avg_required_throughput_per_minute_per_kibana": 149 }, "proposed": { "provisioned_kibana": 2, "min_required_kibana": 1, "avg_recurring_required_throughput_per_minute_per_kibana": 3, "avg_required_throughput_per_minute_per_kibana": 75 } } } } } get_connector_types_generativeai_response: summary: A list of connector types for the `generativeAI` feature. value: - id: .gen-ai name: OpenAI enabled: true enabled_in_config: true enabled_in_license: true minimum_license_required: enterprise supported_feature_ids: - generativeAIForSecurity - generativeAIForObservability - generativeAIForSearchPlayground is_system_action_type: false - id: .bedrock name: AWS Bedrock enabled: true enabled_in_config: true enabled_in_license: true minimum_license_required: enterprise supported_feature_ids: - generativeAIForSecurity - generativeAIForObservability - generativeAIForSearchPlayground is_system_action_type: false - id: .gemini name: Google Gemini enabled: true enabled_in_config: true enabled_in_license: true minimum_license_required: enterprise supported_feature_ids: - generativeAIForSecurity is_system_action_type: false get_connector_response: summary: Get connector details. value: id: df770e30-8b8b-11ed-a780-3b746c987a81 name: my_server_log_connector config: {} connector_type_id: .server-log is_preconfigured: false is_deprecated: false is_missing_secrets: false is_system_action: false update_index_connector_request: summary: Update an index connector. value: name: updated-connector config: index: updated-index create_email_connector_request: summary: Create an email connector. value: name: email-connector-1 connector_type_id: .email config: from: tester@example.com hasAuth: true host: https://example.com port: 1025 secure: false service: other secrets: user: username password: password create_index_connector_request: summary: Create an index connector. value: name: my-connector connector_type_id: .index config: index: test-index create_webhook_connector_request: summary: Create a webhook connector with SSL authentication. value: name: my-webhook-connector connector_type_id: .webhook config: method: post url: https://example.com authType: webhook-authentication-ssl certType: ssl-crt-key secrets: crt: QmFnIEF0dH... key: LS0tLS1CRUdJ... password: my-passphrase create_xmatters_connector_request: summary: Create an xMatters connector with URL authentication. value: name: my-xmatters-connector connector_type_id: .xmatters config: usesBasic: false secrets: secretsUrl: https://example.com?apiKey=xxxxx create_email_connector_response: summary: A new email connector. value: id: 90a82c60-478f-11ee-a343-f98a117c727f connector_type_id: .email name: email-connector-1 config: from: tester@example.com service: other host: https://example.com port: 1025 secure: false hasAuth: true tenantId: null clientId: null oauthTokenUrl: null is_preconfigured: false is_deprecated: false is_missing_secrets: false is_system_action: false create_index_connector_response: summary: A new index connector. value: id: c55b6eb0-6bad-11eb-9f3b-611eebc6c3ad connector_type_id: .index name: my-connector config: index: test-index refresh: false executionTimeField: null is_preconfigured: false is_deprecated: false is_missing_secrets: false is_system_action: false create_webhook_connector_response: summary: A new webhook connector. value: id: 900eb010-3b9d-11ee-a642-8ffbb94e38bd name: my-webhook-connector config: method: post url: https://example.com authType: webhook-authentication-ssl certType: ssl-crt-key verificationMode: full headers: null hasAuth: true connector_type_id: .webhook is_preconfigured: false is_deprecated: false is_missing_secrets: false is_system_action: false run_index_connector_request: summary: Run an index connector. value: params: documents: - id: my_doc_id name: my_doc_name message: hello, world run_jira_connector_request: summary: Run a Jira connector to retrieve the list of issue types. value: params: subAction: issueTypes run_servicenow_itom_connector_request: summary: Run a ServiceNow ITOM connector to retrieve the list of choices. value: params: subAction: getChoices subActionParams: fields: - severity - urgency run_slack_api_connector_request: summary: Run a Slack connector that uses the web API method to post a message on a channel. value: params: subAction: postMessage subActionParams: channelIds: - C123ABC456 text: A test message. run_swimlane_connector_request: summary: Run a Swimlane connector to create an incident. value: params: subAction: pushToService subActionParams: comments: - commentId: 1 comment: A comment about the incident. incident: caseId: '1000' caseName: Case name description: Description of the incident. run_index_connector_response: summary: Response from running an index connector. value: connector_id: fd38c600-96a5-11ed-bb79-353b74189cba data: errors: false items: - create: _id: 4JtvwYUBrcyxt2NnfW3y _index: my-index _primary_term: 1 _seq_no: 0 _shards: failed: 0 successful: 1 total: 2 _version: 1 result: created status: 201 took: 135 status: ok run_jira_connector_response: summary: Response from retrieving the list of issue types for a Jira connector. value: connector_id: b3aad810-edbe-11ec-82d1-11348ecbf4a6 data: - id: 10024 name: Improvement - id: 10006 name: Task - id: 10007 name: Sub-task - id: 10025 name: New Feature - id: 10023 name: Bug - id: 10000 name: Epic status: ok run_server_log_connector_response: summary: Response from running a server log connector. value: connector_id: 7fc7b9a0-ecc9-11ec-8736-e7d63118c907 status: ok run_servicenow_itom_connector_response: summary: Response from retrieving the list of choices for a ServiceNow ITOM connector. value: connector_id: 9d9be270-2fd2-11ed-b0e0-87533c532698 data: - dependent_value: '' element: severity label: Critical value: 1 - dependent_value: '' element: severity label: Major value: 2 - dependent_value: '' element: severity label: Minor value: 3 - dependent_value: '' element: severity label: Warning value: 4 - dependent_value: '' element: severity label: OK value: 5 - dependent_value: '' element: severity label: Clear value: 0 - dependent_value: '' element: urgency label: 1 - High value: 1 - dependent_value: '' element: urgency label: 2 - Medium value: 2 - dependent_value: '' element: urgency label: 3 - Low value: 3 status: ok run_slack_api_connector_response: summary: Response from posting a message with a Slack connector. value: status: ok data: ok: true channel: C123ABC456 ts: '1234567890.123456' message: bot_id: B12BCDEFGHI type: message text: A test message user: U12A345BC6D ts: '1234567890.123456' app_id: A01BC2D34EF blocks: - type: rich_text block_id: /NXe elements: - type: rich_text_section elements: - type: text text: A test message. team: T01ABCDE2F bot_profile: id: B12BCDEFGHI app_id: A01BC2D34EF name: test icons: image_36: https://a.slack-edge.com/80588/img/plugins/app/bot_36.png deleted: false updated: 1672169705 team_id: T01ABCDE2F connector_id: .slack_api run_swimlane_connector_response: summary: Response from creating a Swimlane incident. value: connector_id: a4746470-2f94-11ed-b0e0-87533c532698 data: id: aKPmBHWzmdRQtx6Mx title: TEST-457 url: https://elastic.swimlane.url.us/record/aNcL2xniGHGpa2AHb/aKPmBHWzmdRQtx6Mx pushedDate: '2022-09-08T16:52:27.866Z' comments: - commentId: 1 pushedDate: '2022-09-08T16:52:27.865Z' status: ok get_connectors_response: summary: A list of connectors value: - id: preconfigured-email-connector name: my-preconfigured-email-notification connector_type_id: .email is_preconfigured: true is_deprecated: false referenced_by_count: 0 is_system_action: false - id: e07d0c80-8b8b-11ed-a780-3b746c987a81 name: my-index-connector config: index: test-index refresh: false executionTimeField: null connector_type_id: .index is_preconfigured: false is_deprecated: false referenced_by_count: 2 is_missing_secrets: false is_system_action: false get_roles_response1: summary: Get all role details value: - name: my_kibana_role description: My kibana role description metadata: version: 1 transient_metadata: enabled: true elasticsearch: indices: [] cluster: [] run_as: [] kibana: - base: - all feature: {} spaces: - '*' - name: my_admin_role description: My admin role description metadata: version: 1 transient_metadata: enabled: true elasticsearch: cluster: - all indices: - names: - index1 - index2 privileges: - all field_security: grant: - title - body query: '{\"match\": {\"title\": \"foo\"}}' kibana: [] get_role_response1: summary: Get role details value: name: my_kibana_role description: Grants all cluster privileges and full access to index1 and index2. Grants full access to remote_index1 and remote_index2, and the monitor_enrich cluster privilege on remote_cluster1. Grants all Kibana privileges in the default space. metadata: version: 1 transient_metadata: enabled: true elasticsearch: cluster: - all remote_cluster: - privileges: - monitor_enrich clusters: - remote_cluster1 indices: - names: - index1 - index2 privileges: - all allow_restricted_indices: false remote_indices: - names: - remote_index1 - remote_index2 privileges: - all allow_restricted_indices: false clusters: - remote_cluster1 run_as: [] kibana: - base: - all feature: {} spaces: - default _transform_error: [] _unrecognized_applications: [] create_role_request1: summary: Feature privileges in multiple spaces description: Grant access to various features in some spaces. value: description: Grant full access to discover and dashboard features in the default space. Grant read access in the marketing, and sales spaces. metadata: version: 1 elasticsearch: cluster: [] indices: [] kibana: - base: [] feature: discover: - all dashboard: - all spaces: - default - base: - read spaces: - marketing - sales create_role_request2: summary: Dashboard privileges in a space description: Grant access to dashboard features in a Marketing space. value: description: Grant dashboard access in the Marketing space. metadata: version: 1 elasticsearch: cluster: [] indices: [] kibana: - base: [] feature: dashboard: - read spaces: - marketing create_role_request3: summary: Feature privileges in a space description: Grant full access to all features in the default space. value: metadata: version: 1 elasticsearch: cluster: [] indices: [] kibana: - base: - all feature: {} spaces: - default create_role_request4: summary: Elasticsearch and Kibana feature privileges description: Grant Elasticsearch and Kibana feature privileges. value: description: Grant all cluster privileges and full access to index1 and index2. Grant full access to remote_index1 and remote_index2, and the monitor_enrich cluster privilege on remote_cluster1. Grant all Kibana privileges in the default space. metadata: version: 1 elasticsearch: cluster: - all indices: - names: - index1 - index2 privileges: - all remote_indices: - clusters: - remote_cluster1 names: - remote_index1 - remote_index2 privileges: - all remote_cluster: - clusters: - remote_cluster1 privileges: - monitor_enrich kibana: - base: - all feature: {} spaces: - default copy_saved_objects_request1: summary: Copy with createNewCopies description: | Copy a dashboard with the my-dashboard ID, including all references from the default space to the marketing space. In this example, the dashboard has a reference to a visualization and that has a reference to a data view. value: objects: - type: dashboard id: my-dashboard spaces: - marketing includeReferences: true copy_saved_objects_request2: summary: Copy without createNewCopies description: | Copy a dashboard with the my-dashboard ID, including all references from the default space to the marketing space. In this example, the dashboard has a reference to a visualization and that has a reference to a data view. value: objects: - type: dashboard id: my-dashboard spaces: - marketing includeReferences: true createNewCopies: false copy_saved_objects_response1: summary: Copy with createNewCopies description: | The response for successfully copying a dashboard with the my-dashboard ID, including all references from the default space to the marketing space. The result indicates a successful copy and all three objects are created. Since these objects were created as new copies, each entry in the successResults array includes a destinationId attribute. value: marketing: success: true successCount: 3 successResults: - id: my-dashboard type: dashboard destinationId: 1e127098-5b80-417f-b0f1-c60c8395358f meta: icon: dashboardApp title: Look at my dashboard - id: my-vis type: visualization destinationId: a610ed80-1c73-4507-9e13-d3af736c8e04 meta: icon: visualizeApp title: Look at my visualization - id: my-index-pattern type: index-pattern destinationId: bc3c9c70-bf6f-4bec-b4ce-f4189aa9e26b meta: icon: indexPatternApp title: my-pattern-* copy_saved_objects_response2: summary: Copy without createNewCopies description: | The response for successfully copying a dashboard with the my-dashboard ID with createNewCopies turned off. The result indicates a successful copy and all three objects are created. value: marketing: success: true successCount: 3 successResults: - id: my-dashboard type: dashboard meta: icon: dashboardApp title: Look at my dashboard - id: my-vis type: visualization meta: icon: visualizeApp title: Look at my visualization - id: my-index-pattern type: index-pattern meta: icon: indexPatternApp title: my-pattern-* copy_saved_objects_response3: summary: Failed copy response with conflict errors description: | A response for a failed copy of a dashboard with the my-dashboard ID including all references from the default space to the marketing and sales spaces. In this example, the dashboard has a reference to a visualization and a Canvas workpad and the visualization has a reference to an index pattern. The result indicates a successful copy for the marketing space and an unsuccessful copy for the sales space because the data view, visualization, and Canvas workpad each resulted in a conflict error. Objects are created when the error is resolved using the resolve copy conflicts API. value: marketing: success: true successCount: 4 successResults: - id: my-dashboard type: dashboard meta: icon: dashboardApp title: Look at my dashboard - id: my-vis type: visualization meta: icon: visualizeApp title: Look at my visualization - id: my-canvas type: canvas-workpad meta: icon: canvasApp title: Look at my canvas - id: my-index-pattern type: index-pattern meta: icon: indexPatternApp title: my-pattern-* sales: success: false successCount: 1, errors: - id: my-pattern type: index-pattern title: my-pattern-* error: type: conflict meta: icon: indexPatternApp title: my-pattern-* - id: my-visualization type: my-vis title: Look at my visualization error: type: conflict destinationId: another-vis meta: icon: visualizeApp title: Look at my visualization - id: my-canvas type: canvas-workpad title: Look at my canvas error: type: ambiguous_conflict destinations: - id: another-canvas title: Look at another canvas updatedAt: '2020-07-08T16:36:32.377Z' - id: yet-another-canvas title: Look at yet another canvas updatedAt: '2020-07-05T12:29:54.849Z' meta: icon: canvasApp title: Look at my canvas successResults": - id: my-dashboard type: dashboard meta: icon: dashboardApp title: Look at my dashboard copy_saved_objects_response4: summary: Failed copy with missing reference errors description: | The response for successfully copying a dashboard with the my-dashboard ID, including all references from the default space to the marketing space. In this example, the dashboard has a reference to a visualization and a Canvas workpad and the visualization has a reference to a data view. The result indicates an unsuccessful copy because the visualization resulted in a missing references error. Objects are created when the errors are resolved using the resolve copy conflicts API. value: marketing: success: false successCount: 2 errors: - id: my-vis type: visualization title: Look at my visualization error: type: missing_references references: - type: index-pattern id: my-pattern-* meta: icon: visualizeApp title: Look at my visualization successResults: - id: my-dashboard type: dashboard meta: icon: dashboardApp title: Look at my dashboard - id: my-canvas type: canvas-workpad meta: icon: canvasApp title: Look at my canvas disable_legacy_url_request1: summary: Disable legacy URL aliases description: | This request leaves the alias intact but the legacy URL for this alias (http://localhost:5601/s/bills-space/app/dashboards#/view/123) will no longer function. The dashboard still exists and you can access it with the new URL. value: aliases: - targetSpace: bills-space targetType: dashboard sourceId: 123 resolve_copy_saved_objects_request1: summary: Resolve conflict errors description: | Resolve conflict errors for a data view, visualization, and Canvas workpad by overwriting the existing saved objects. NOTE: If a prior copy attempt resulted in resolvable errors, you must include a retry for each object you want to copy, including any that were returned in the successResults array. In this example, we retried copying the dashboard accordingly. value: objects: - type: dashboard id: my-dashboard includeReferences: true createNewCopies: false retries: sales: - type: index-pattern id: my-pattern overwrite: true - type: visualization id: my-vis overwrite: true, destinationId: another-vis - type: canvas id: my-canvas overwrite: true destinationId: yet-another-canvas - type: dashboard id: my-dashboard resolve_copy_saved_objects_request2: summary: Resolve missing reference errors description: | Resolve missing reference errors for a visualization by ignoring the error. NOTE: If a prior copy attempt resulted in resolvable errors, you must include a retry for each object you want to copy, including any that were returned in the successResults array. In this example, we retried copying the dashboard and canvas accordingly. value: objects: - type: dashboard id: my-dashboard includeReferences: true createNewCopies: false retries: marketing: - type: visualization id: my-vis ignoreMissingReferences: true - type: canvas id: my-canvas - type: dashboard id: my-dashboard update_saved_objects_spaces_request1: summary: Update saved object spaces description: Update the spaces of each saved object and all its references. value: objects: - type: index-pattern id: 90943e30-9a47-11e8-b64d-95841ca0b247 spacesToAdd: - test spacesToRemove: [] update_saved_objects_spaces_response1: summary: Update saved object spaces description: | The response from updating the spaces of saved objects. value: objects: - type: index-pattern id: 90943e30-9a47-11e8-b64d-95841ca0b247 spaces: - default - test get_spaces_response1: summary: Get all spaces description: Get all spaces without specifying any options. value: - id: default name: Default description: This is the Default Space disabledFeatures: [] imageUrl: '' _reserved: true - id: marketing name: Marketing description: This is the Marketing Space color: null disabledFeatures: - apm initials: MK imageUrl: data:image/png;base64,iVBORw0KGgoAAAANSU - id: sales name: Sales initials: MK disabledFeatures: - discover imageUr": '' solution: oblt get_spaces_response2: summary: Get all spaces with custom options description: | The user has read-only access to the Sales space. Get all spaces with the following query parameters: "purpose=shareSavedObjectsIntoSpace&include_authorized_purposes=true" value: - id: default name: Default description: This is the Default Space disabledFeatures: [] imageUrl: '' _reserved: true authorizedPurposes: any: true copySavedObjectsIntoSpace: true findSavedObjects: true shareSavedObjectsIntoSpace: true - id: marketing name: Marketing description: This is the Marketing Space color: null disabledFeatures: - apm initials: MK imageUrl: data:image/png;base64,iVBORw0KGgoAAAANSU authorizedPurposes: any: true copySavedObjectsIntoSpace: true findSavedObjects: true shareSavedObjectsIntoSpace: true - id: sales name: Sales initials: MK disabledFeatures: - discover imageUrl: '' authorizedPurposes: any: true copySavedObjectsIntoSpace: false findSavedObjects: true shareSavedObjectsIntoSpace: false create_space_request: summary: Create a marketing space value: id: marketing name: Marketing description: This is the Marketing Space color: null initials: MK disabledFeatures: [] imageUrl: data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAD4AAABACAYAAABC6cT1AAAGf0lEQVRoQ+3abYydRRUH8N882xYo0IqagEVjokQJKAiKBjXExC9G/aCkGowCIghCkRcrVSSKIu/FEiqgGL6gBIlAYrAqUTH6hZgQFVEMKlQFfItWoQWhZe8z5uzMLdvbfbkLxb13d+fbvfe588x/zpn/+Z9zJpmnI81T3BaAzzfLL1h8weLzZAcWXH2eGHo7zAWLL1h8nuzAjFw9G1N6Kzq8HnuM36MR8iibF3Fv4q+7cv8yDV6K13bYq2furSP8Ag8ncr/vnSnwRViJT2GfCV7yL1yHGxLb+l3EdM9lluNEnIC9xz+f2ZL4Er6Z2DrdXN3fZwp8CU7OfDHxggle8lTLbQ1nJ/7Z7yKmey5zYGZt4h2IzR8/trRc2PDlxJPTzfVcgJ+CC0wMPOa9F6cm7up3EVM9V9386MxliVdM8GwAv6hh/awCz/w7lY25OtF5ruBz4ZLP42NYNrDAFbC3YPWuILnMAfgq3oaRQQYea/stViV+sgssvjKzLvGySeaaNVfP4d7Btokgvxj/bblgpueuF1hmWcyTCmfE3J3M1lTcv0vMswM88zR+jpw4osu6me8kzkpsfLZWzxyRuabO22buxxOJ12FxnXfWgEe83pB5sOE47BsLymzscOoi7nw2JJfZreUjiUsTyzKPZm5NvBDvSuw268AzNzV8H5/Am+qCnsAXgpgSW2Zq9cyKlksbPlTd+te4quWNieMHBfiNDdciYnwsdI/MaOaWhnMTf54J8CqNj8x8JXFIZltYu+HqlmNT8YSBsHgAPw/vxvlVV4du/s0oaxbxg0TbL/jMni0nNcVjQq7+HZfgtpbzBg342TgQ63AkmsymxBW4IjE6A+D7Vzd/fyWxIM/VuCe+HzTgZ2Jpy/kNJ2FJLmLm24mPJ/42A+Bvrxt4SISwlhsaPodH26LZB8rVA3inwwebsrixJCZzX+KMxI/7AV61eVh3DV6Mx3EOvh4kN6jAg8nfUCXm4d1wE66OyxNPTQc+s3/o/MoXizL3JE5O3F3P/uBZPPF4Zr+Wi5uSO48ZPRdyCwn7YB/A35m5KhWNHox4fcNnIs0ddOCRSBxf8+cQG+Huf0l8NJVYP+nI7NXy2ar4QqIGm69JfKPOE2w/mBavCzwM11R2D+ChsUO7hyUfmwx55qDM1xJvqZ7y08TpifuGBfjeURVJnNIVGpkNiXNS0ds7jcySDitDCCWW56LJ10fRo8sNA+3qXUSZD2CtQlZh9T+1rB7h9oliembflnMbzqgSNZKbKGHdPm7OwXb1CvQ1metSETMpszmzvikCJNh/h5E5PHNl4qga/+/cxqrdeWDYgIe7X5L4cGJPJX2940lOX8pD41FnFnc4riluvQKbK0dcHJFi2IBHNTQSlguru4d2/wPOTNzRA3x5y+U1E1uqWDkETOT026XuUJzx6u7ReLhSYenQ7uHua0fKZmwfmcPqsQjxE5WVONcRxn7X89zgn/EKPMRMxOVQXmP18Mx3q3b/Y/0cQE/IhFtHESMsHFlZ1Ml3CH3DZPHImY+pxcKumNmYirtvqMBfhMuU6s3iqOQkTsMPe1tCQwO8Ajs0lxr7W+vnp1MJc9EgCNd/cy6x+9D4veXmprj5wxMw/3C4egW6zzgZOlYZzfwo3F2J7ael0pJamvlPKgWNKFft1AAcKotXoFEbD7kaoSoQPVKB35+5KHF0lai/rJo+up87jWEE/qqqwY+qrL21LWLm95lPJ16ppKw31XC3PXYPJauPEx7B6BHCgrSizRs18qiaRp8tlN3ueCTYPHH9RNaunjI8Z7wLYpT3jZSCYXQ8e9vTsRE/q+no3XMKeObgGtaintbb/AvXj4JDkNw/5hrwYPfIvlZFUbLn7G5q+eQIN09Vnho6cqvnM/Lt99RixH49wO8K0ZL41WTWHoQzvsNVkOheZqKhEGpsp3SzB+BBtZAYve7uOR9tuTaaB6l0XScdYfEQPpkTUyHEGP+XqyDBzu+NBCITUjNWHynkrbWKOuWFn1xKzqsyx0bdvS78odp0+N503Zao0uCsWuSIDku8/7EO60b41vN5+Ses9BKlTdvd8bhp9EBvJjWJAIn/vxwHe6b3tSk6JFPV4nq85oAOrx555v/x/rh3E6Lo+bnuNS4uB4Cuq0ZfvO8X1rM6q/+vnjLVqZq7v83onttc2oYF4HPJmv1gWbB4P7s0l55ZsPhcsmY/WBYs3s8uzaVn5q3F/wf70mRuBCtbjQAAAABJRU5ErkJggg== get_space_response: summary: Get details about a marketing space value: id: marketing name: Marketing description: This is the Marketing Space color: null initials: MK disabledFeatures: [] imageUrl: '' solution: es update_space_request: summary: Update a marketing space description: Update the marketing space to remove the imageUrl. value: id: marketing name: Marketing description: This is the Marketing Space color: null initials: MK disabledFeatures: [] imageUrl: '' parameters: APM_UI_elastic_api_version: description: The version of the API to use in: header name: elastic-api-version required: true schema: default: '2023-10-31' enum: - '2023-10-31' type: string APM_UI_kbn_xsrf: description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string Cases_alert_id: description: An identifier for the alert. in: path name: alertId required: true schema: example: 09f0c261e39e36351d75995b78bb83673774d1bc2cca9df2d15f0e5c0a99a540 type: string Cases_assignees_filter: description: | Filters the returned cases by assignees. Valid values are `none` or unique identifiers for the user profiles. These identifiers can be found by using the suggest user profile API. in: query name: assignees schema: oneOf: - $ref: '#/components/schemas/Cases_string' - $ref: '#/components/schemas/Cases_string_array' Cases_case_id: description: The identifier for the case. To retrieve case IDs, use the search cases (`_find)` API. All non-ASCII characters must be URL encoded. in: path name: caseId required: true schema: example: 9c235210-6834-11ea-a78c-6ffb38a34414 type: string Cases_category: description: Filters the returned cases by category. in: query name: category schema: oneOf: - $ref: '#/components/schemas/Cases_case_category' - $ref: '#/components/schemas/Cases_case_categories' Cases_comment_id: description: | The identifier for the comment. To retrieve comment IDs, use the get case or search cases (`_find`) APIs. in: path name: commentId required: true schema: example: 71ec1870-725b-11ea-a0b2-c51ea50a58e2 type: string Cases_configuration_id: description: An identifier for the configuration. in: path name: configurationId required: true schema: example: 3297a0f0-b5ec-11ec-b141-0fdb20a7f9a9 type: string Cases_connector_id: description: An identifier for the connector. To retrieve connector IDs, use the find connectors API. in: path name: connectorId required: true schema: example: abed3a70-71bd-11ea-a0b2-c51ea50a58e2 type: string Cases_defaultSearchOperator: description: he default operator to use for the simple_query_string. example: OR in: query name: defaultSearchOperator schema: default: OR type: string Cases_from: description: | Returns only cases that were created after a specific date. The date must be specified as a KQL data range or date match expression. in: query name: from schema: example: now-1d type: string Cases_ids: description: | The cases that you want to removed. To get the case identifiers, use the search cases (`_find`) API. In the Dev Console, you can specify the array of cases in the following format: `ids=["e58e77e3-ef8e-4251-926f-efb115f3c4ec"]`. In `curl`, all non-ASCII characters must be URL encoded. For example: `ids=%5B%22e58e77e3-ef8e-4251-926f-efb115f3c4ec%22%5D` in: query name: ids required: true schema: items: example: d4e7abb0-b462-11ec-9a8d-698504725a43 maxItems: 100 minItems: 1 type: string type: array Cases_kbn_xsrf: description: Cross-site request forgery protection in: header name: kbn-xsrf required: true schema: type: string Cases_owner_filter: description: | A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read. example: cases in: query name: owner schema: oneOf: - $ref: '#/components/schemas/Cases_owner' - $ref: '#/components/schemas/Cases_owners' Cases_page_index: description: The page number to return. example: 1 in: query name: page required: false schema: default: 1 type: integer Cases_page_size: description: The number of items to return. Limited to 100 items. example: 20 in: query name: perPage required: false schema: default: 20 maximum: 100 type: integer Cases_reporters: description: Filters the returned cases by the user name of the reporter. example: elastic in: query name: reporters schema: oneOf: - $ref: '#/components/schemas/Cases_string' - $ref: '#/components/schemas/Cases_string_array' Cases_search: description: An Elasticsearch simple_query_string query that filters the objects in the response. example: Case title 1 in: query name: search schema: type: string Cases_searchFields: description: The fields to perform the simple_query_string parsed query against. in: query name: searchFields schema: oneOf: - $ref: '#/components/schemas/Cases_searchFieldsType' - $ref: '#/components/schemas/Cases_searchFieldsTypeArray' Cases_severity: description: The severity of the case. example: low in: query name: severity schema: enum: - critical - high - low - medium type: string Cases_sort_order: description: Determines the sort order. example: desc in: query name: sortOrder required: false schema: default: desc enum: - asc - desc type: string Cases_sortField: description: Determines which field is used to sort the results. example: updatedAt in: query name: sortField schema: default: createdAt enum: - createdAt - updatedAt - closedAt - title - category - status - severity type: string Cases_status: description: Filters the returned cases by state. example: open in: query name: status schema: enum: - closed - in-progress - open type: string Cases_tags: description: Filters the returned cases by tags. example: tag-1 in: query name: tags schema: oneOf: - $ref: '#/components/schemas/Cases_string' - $ref: '#/components/schemas/Cases_string_array' Cases_to: description: | Returns only cases that were created before a specific date. The date must be specified as a KQL data range or date match expression. example: now+1d in: query name: to schema: type: string Cases_user_action_types: description: Determines the types of user actions to return. in: query name: types schema: items: enum: - action - alert - assignees - attachment - comment - connector - create_case - description - pushed - settings - severity - status - tags - title - user example: create_case type: string type: array Data_views_field_name: description: The name of the runtime field. in: path name: fieldName required: true schema: example: hour_of_day type: string Data_views_kbn_xsrf: description: Cross-site request forgery protection in: header name: kbn-xsrf required: true schema: type: string Data_views_view_id: description: An identifier for the data view. in: path name: viewId required: true schema: example: ff959d40-b880-11e8-a6d9-e546fe2bba5f type: string Machine_learning_APIs_simulateParam: description: When true, simulates the synchronization by returning only the list of actions that would be performed. example: 'true' in: query name: simulate required: false schema: type: boolean Saved_objects_kbn_xsrf: description: Cross-site request forgery protection in: header name: kbn-xsrf required: true schema: type: string Saved_objects_saved_object_id: description: An identifier for the saved object. in: path name: id required: true schema: type: string Saved_objects_saved_object_type: description: Valid options include `visualization`, `dashboard`, `search`, `index-pattern`, `config`. in: path name: type required: true schema: type: string Short_URL_APIs_idParam: description: The identifier for the short URL. in: path name: id required: true schema: type: string SLOs_kbn_xsrf: description: Cross-site request forgery protection in: header name: kbn-xsrf required: true schema: type: string SLOs_slo_id: description: An identifier for the slo. in: path name: sloId required: true schema: example: 9c235211-6834-11ea-a78c-6feb38a34414 type: string SLOs_space_id: description: An identifier for the space. If `/s/` and the identifier are omitted from the path, the default space is used. in: path name: spaceId required: true schema: example: default type: string schemas: Alerting_401_response: properties: error: enum: - Unauthorized example: Unauthorized type: string message: type: string statusCode: enum: - 401 example: 401 type: integer title: Unsuccessful rule API response type: object Alerting_fieldmap_properties: title: Field map objects in the get rule types response type: object properties: array: description: Indicates whether the field is an array. type: boolean dynamic: description: Indicates whether it is a dynamic field mapping. type: boolean format: description: | Indicates the format of the field. For example, if the `type` is `date_range`, the `format` can be `epoch_millis||strict_date_optional_time`. type: string ignore_above: description: Specifies the maximum length of a string field. Longer strings are not indexed or stored. type: integer index: description: Indicates whether field values are indexed. type: boolean path: description: TBD type: string properties: additionalProperties: type: object properties: type: description: The data type for each object property. type: string description: | Details about the object properties. This property is applicable when `type` is `object`. type: object required: description: Indicates whether the field is required. type: boolean scaling_factor: description: | The scaling factor to use when encoding values. This property is applicable when `type` is `scaled_float`. Values will be multiplied by this factor at index time and rounded to the closest long value. type: integer type: description: Specifies the data type for the field. example: scaled_float type: string APM_UI_400_response: type: object properties: error: description: Error type example: Not Found type: string message: description: Error message example: Not Found type: string statusCode: description: Error status code example: 400 type: number APM_UI_401_response: type: object properties: error: description: Error type example: Unauthorized type: string message: description: Error message type: string statusCode: description: Error status code example: 401 type: number APM_UI_403_response: type: object properties: error: description: Error type example: Forbidden type: string message: description: Error message type: string statusCode: description: Error status code example: 403 type: number APM_UI_404_response: type: object properties: error: description: Error type example: Not Found type: string message: description: Error message example: Not Found type: string statusCode: description: Error status code example: 404 type: number APM_UI_500_response: type: object properties: error: description: Error type example: Internal Server Error type: string message: description: Error message type: string statusCode: description: Error status code example: 500 type: number APM_UI_501_response: type: object properties: error: description: Error type example: Not Implemented type: string message: description: Error message example: Not Implemented type: string statusCode: description: Error status code example: 501 type: number APM_UI_agent_configuration_intake_object: type: object properties: agent_name: description: The agent name is used by the UI to determine which settings to display. type: string service: $ref: '#/components/schemas/APM_UI_service_object' settings: $ref: '#/components/schemas/APM_UI_settings_object' required: - service - settings APM_UI_agent_configuration_object: description: Agent configuration type: object properties: '@timestamp': description: Timestamp example: 1730194190636 type: number agent_name: description: Agent name type: string applied_by_agent: description: Applied by agent example: true type: boolean etag: description: | `etag` is sent by the APM agent to indicate the `etag` of the last successfully applied configuration. If the `etag` matches an existing configuration its `applied_by_agent` property will be set to `true`. Every time a configuration is edited `applied_by_agent` is reset to `false`. example: 0bc3b5ebf18fba8163fe4c96f491e3767a358f85 type: string service: $ref: '#/components/schemas/APM_UI_service_object' settings: $ref: '#/components/schemas/APM_UI_settings_object' required: - service - settings - '@timestamp' - etag APM_UI_agent_configurations_response: type: object properties: configurations: description: Agent configuration items: $ref: '#/components/schemas/APM_UI_agent_configuration_object' type: array APM_UI_agent_keys_object: type: object properties: name: description: The name of the APM agent key. type: string privileges: description: | The APM agent key privileges. It can take one or more of the following values: * `event:write`, which is required for ingesting APM agent events. * `config_agent:read`, which is required for APM agents to read agent configuration remotely. items: enum: - event:write - config_agent:read type: string type: array required: - name - privileges APM_UI_agent_keys_response: type: object properties: agentKey: description: Agent key type: object properties: api_key: type: string encoded: type: string expiration: format: int64 type: integer id: type: string name: type: string required: - id - name - api_key - encoded APM_UI_annotation_search_response: type: object properties: annotations: description: Annotations items: type: object properties: '@timestamp': type: number id: type: string text: type: string type: enum: - version type: string type: array APM_UI_base_source_map_object: type: object properties: compressionAlgorithm: description: Compression Algorithm type: string created: description: Created date type: string decodedSha256: description: Decoded SHA-256 type: string decodedSize: description: Decoded size type: number encodedSha256: description: Encoded SHA-256 type: string encodedSize: description: Encoded size type: number encryptionAlgorithm: description: Encryption Algorithm type: string id: description: Identifier type: string identifier: description: Identifier type: string packageName: description: Package name type: string relative_url: description: Relative URL type: string type: description: Type type: string APM_UI_create_annotation_object: type: object properties: '@timestamp': description: The date and time of the annotation. It must be in ISO 8601 format. type: string message: description: The message displayed in the annotation. It defaults to `service.version`. type: string service: description: The service that identifies the configuration to create or update. type: object properties: environment: description: The environment of the service. type: string version: description: The version of the service. type: string required: - version tags: description: | Tags are used by the Applications UI to distinguish APM annotations from other annotations. Tags may have additional functionality in future releases. It defaults to `[apm]`. While you can add additional tags, you cannot remove the `apm` tag. items: type: string type: array required: - '@timestamp' - service APM_UI_create_annotation_response: type: object properties: _id: description: Identifier type: string _index: description: Index type: string _source: description: Response type: object properties: '@timestamp': type: string annotation: type: object properties: title: type: string type: type: string event: type: object properties: created: type: string message: type: string service: type: object properties: environment: type: string name: type: string version: type: string tags: items: type: string type: array APM_UI_delete_agent_configurations_response: type: object properties: result: description: Result type: string APM_UI_delete_service_object: description: Service type: object properties: service: $ref: '#/components/schemas/APM_UI_service_object' required: - service APM_UI_search_agent_configuration_object: type: object properties: error: description: | If provided, the agent configuration will be marked as error and `applied_by_agent` will be set to `false`. This is useful for cases where the agent configuration was not applied successfully. type: string etag: description: If etags match then `applied_by_agent` field will be set to `true` example: 0bc3b5ebf18fba8163fe4c96f491e3767a358f85 type: string mark_as_applied_by_agent: description: | `markAsAppliedByAgent=true` means "force setting it to true regardless of etag". This is needed for Jaeger agent that doesn't have etags type: boolean service: $ref: '#/components/schemas/APM_UI_service_object' required: - service APM_UI_search_agent_configuration_response: type: object properties: _id: description: Identifier type: string _index: description: Index type: string _score: description: Score type: number _source: $ref: '#/components/schemas/APM_UI_agent_configuration_object' APM_UI_service_agent_name_response: type: object properties: agentName: description: Agent name example: nodejs type: string APM_UI_service_environment_object: type: object properties: alreadyConfigured: description: Already configured type: boolean name: description: Service environment name example: ALL_OPTION_VALUE type: string APM_UI_service_environments_response: type: object properties: environments: description: Service environment list items: $ref: '#/components/schemas/APM_UI_service_environment_object' type: array APM_UI_service_object: description: Service type: object properties: environment: description: The environment of the service. example: prod type: string name: description: The name of the service. example: node type: string APM_UI_settings_object: additionalProperties: type: string description: Agent configuration settings type: object APM_UI_single_agent_configuration_response: allOf: - type: object properties: id: type: string required: - id - $ref: '#/components/schemas/APM_UI_agent_configuration_object' APM_UI_source_maps_response: type: object properties: artifacts: description: Artifacts items: allOf: - type: object properties: body: type: object properties: bundleFilepath: type: string serviceName: type: string serviceVersion: type: string sourceMap: type: object properties: file: type: string mappings: type: string sourceRoot: type: string sources: items: type: string type: array sourcesContent: items: type: string type: array version: type: number - $ref: '#/components/schemas/APM_UI_base_source_map_object' type: array APM_UI_upload_source_map_object: type: object properties: bundle_filepath: description: The absolute path of the final bundle as used in the web application. type: string service_name: description: The name of the service that the service map should apply to. type: string service_version: description: The version of the service that the service map should apply to. type: string sourcemap: description: | The source map. It can be a string or file upload. It must follow the [source map format specification](https://tc39.es/ecma426/). format: binary type: string required: - service_name - service_version - bundle_filepath - sourcemap APM_UI_upload_source_maps_response: allOf: - type: object properties: body: type: string - $ref: '#/components/schemas/APM_UI_base_source_map_object' Cases_actions: enum: - add - create - delete - push_to_service - update example: create type: string Cases_add_alert_comment_request_properties: description: Defines properties for case comment requests when type is alert. type: object properties: alertId: $ref: '#/components/schemas/Cases_alert_identifiers' index: $ref: '#/components/schemas/Cases_alert_indices' owner: $ref: '#/components/schemas/Cases_owner' rule: $ref: '#/components/schemas/Cases_rule' type: description: The type of comment. enum: - alert example: alert type: string required: - alertId - index - owner - rule - type title: Add case comment request properties for alerts Cases_add_case_comment_request: description: The add comment to case API request body varies depending on whether you are adding an alert or a comment. discriminator: mapping: alert: '#/components/schemas/Cases_add_alert_comment_request_properties' user: '#/components/schemas/Cases_add_user_comment_request_properties' propertyName: type oneOf: - $ref: '#/components/schemas/Cases_add_alert_comment_request_properties' - $ref: '#/components/schemas/Cases_add_user_comment_request_properties' title: Add case comment request Cases_add_case_file_request: description: Defines the file that will be attached to the case. Optional parameters will be generated automatically from the file metadata if not defined. type: object properties: file: description: The file being attached to the case. format: binary type: string filename: description: The desired name of the file being attached to the case, it can be different than the name of the file in the filesystem. **This should not include the file extension.** type: string required: - file title: Add case file request properties Cases_add_user_comment_request_properties: description: Defines properties for case comment requests when type is user. properties: comment: description: The new comment. It is required only when `type` is `user`. example: A new comment. maxLength: 30000 type: string owner: $ref: '#/components/schemas/Cases_owner' type: description: The type of comment. enum: - user example: user type: string required: - comment - owner - type title: Add case comment request properties for user comments type: object Cases_alert_comment_response_properties: title: Add case comment response properties for alerts type: object properties: alertId: items: example: a6e12ac4-7bce-457b-84f6-d7ce8deb8446 type: string type: array created_at: example: '2023-11-06T19:29:38.424Z' format: date-time type: string created_by: type: object properties: email: example: null nullable: true type: string full_name: example: null nullable: true type: string profile_uid: example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 type: string username: example: elastic nullable: true type: string required: - email - full_name - username id: example: 73362370-ab1a-11ec-985f-97e55adae8b9 type: string index: items: example: .internal.alerts-security.alerts-default-000001 type: string type: array owner: $ref: '#/components/schemas/Cases_owner' pushed_at: example: null format: date-time nullable: true type: string pushed_by: nullable: true type: object properties: email: example: null nullable: true type: string full_name: example: null nullable: true type: string profile_uid: example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 type: string username: example: elastic nullable: true type: string required: - email - full_name - username rule: type: object properties: id: description: The rule identifier. example: 94d80550-aaf4-11ec-985f-97e55adae8b9 nullable: true type: string name: description: The rule name. example: security_rule nullable: true type: string type: enum: - alert example: alert type: string updated_at: format: date-time nullable: true type: string updated_by: nullable: true type: object properties: email: example: null nullable: true type: string full_name: example: null nullable: true type: string profile_uid: example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 type: string username: example: elastic nullable: true type: string required: - email - full_name - username version: example: WzMwNDgsMV0= type: string required: - type Cases_alert_identifiers: description: | The alert identifiers. It is required only when `type` is `alert`. You can use an array of strings to add multiple alerts to a case, provided that they all relate to the same rule; `index` must also be an array with the same length or number of elements. Adding multiple alerts in this manner is recommended rather than calling the API multiple times. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. example: 6b24c4dc44bc720cfc92797f3d61fff952f2b2627db1fb4f8cc49f4530c4ff42 oneOf: - type: string - items: type: string maxItems: 1000 type: array title: Alert identifiers x-state: Technical preview Cases_alert_indices: description: | The alert indices. It is required only when `type` is `alert`. If you are adding multiple alerts to a case, use an array of strings; the position of each index name in the array must match the position of the corresponding alert identifier in the `alertId` array. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. oneOf: - type: string - items: type: string maxItems: 1000 type: array title: Alert indices x-state: Technical preview Cases_alert_response_properties: type: object properties: attached_at: format: date-time type: string id: description: The alert identifier. type: string index: description: The alert index. type: string Cases_assignees: description: An array containing users that are assigned to the case. items: type: object properties: uid: description: A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API. example: u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0 type: string required: - uid maxItems: 10 nullable: true type: array Cases_attachment_totals: description: Counts of alerts, events, and user comments attached to a case. properties: alerts: description: Number of alert attachments on the case. type: integer events: description: Number of event attachments on the case. type: integer userComments: description: Number of user comment attachments on the case. type: integer required: - alerts - events - userComments title: Attachment totals type: object Cases_case_categories: items: $ref: '#/components/schemas/Cases_case_category' maxItems: 100 type: array Cases_case_category: description: A word or phrase that categorizes the case. maxLength: 50 type: string Cases_case_close_sync_reason: description: | The close reason to sync to attached alerts when closing the case. Can be one of following predefined reasons: [false_positive, duplicate, true_positive, benign_positive, automated_closure, other] or a custom reason provided by the user. oneOf: - enum: - false_positive - duplicate - true_positive - benign_positive - automated_closure - other type: string - type: string Cases_case_description: description: The description for the case. maxLength: 30000 type: string Cases_case_observable: description: A single observable attached to a case. properties: createdAt: description: When the observable was created. example: '2024-11-14T10:00:00.000Z' format: date-time type: string description: description: An optional description for the observable. example: Source IP nullable: true type: string id: description: The observable identifier. example: df927ab8-54ed-47d6-be07-9948c255c097 type: string typeKey: description: The observable type key. example: observable-type-ipv4 type: string updatedAt: description: When the observable was last updated. example: '2024-11-14T10:00:00.000Z' format: date-time nullable: true type: string value: description: The observable value. example: 10.0.0.8 type: string required: - id - typeKey - value - description - createdAt - updatedAt title: Case observable type: object Cases_case_response_closed_by_properties: nullable: true properties: email: example: null nullable: true type: string full_name: example: null nullable: true type: string profile_uid: example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 type: string username: example: elastic nullable: true type: string required: - email - full_name - username title: Case response properties for closed_by type: object Cases_case_response_created_by_properties: title: Case response properties for created_by type: object properties: email: example: null nullable: true type: string full_name: example: null nullable: true type: string profile_uid: example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 type: string username: example: elastic nullable: true type: string required: - email - full_name - username Cases_case_response_get_case: description: | Case details returned by the get case API. The comments property is not included in the response. Use the find case comments API to retrieve comments. totalComment reflects the actual number of user comments. properties: assignees: $ref: '#/components/schemas/Cases_assignees' category: description: The case category. nullable: true type: string closed_at: format: date-time nullable: true type: string closed_by: $ref: '#/components/schemas/Cases_case_response_closed_by_properties' connector: discriminator: mapping: .cases-webhook: '#/components/schemas/Cases_connector_properties_cases_webhook' .jira: '#/components/schemas/Cases_connector_properties_jira' .none: '#/components/schemas/Cases_connector_properties_none' .resilient: '#/components/schemas/Cases_connector_properties_resilient' .servicenow: '#/components/schemas/Cases_connector_properties_servicenow' .servicenow-sir: '#/components/schemas/Cases_connector_properties_servicenow_sir' .swimlane: '#/components/schemas/Cases_connector_properties_swimlane' propertyName: type oneOf: - $ref: '#/components/schemas/Cases_connector_properties_none' - $ref: '#/components/schemas/Cases_connector_properties_cases_webhook' - $ref: '#/components/schemas/Cases_connector_properties_jira' - $ref: '#/components/schemas/Cases_connector_properties_resilient' - $ref: '#/components/schemas/Cases_connector_properties_servicenow' - $ref: '#/components/schemas/Cases_connector_properties_servicenow_sir' - $ref: '#/components/schemas/Cases_connector_properties_swimlane' title: Case response properties for connectors created_at: example: '2022-05-13T09:16:17.416Z' format: date-time type: string created_by: $ref: '#/components/schemas/Cases_case_response_created_by_properties' customFields: description: Custom field values for the case. items: type: object properties: key: description: | The unique identifier for the custom field. The key value must exist in the case configuration settings. type: string type: description: | The custom field type. It must match the type specified in the case configuration settings. enum: - text - toggle type: string value: description: | The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is `undefined`. The value returned in the API and user interface in this case is `null`. oneOf: - maxLength: 160 minLength: 1 nullable: true type: string - type: boolean type: array description: example: A case description. type: string duration: description: | The elapsed time from the creation of the case to its closure (in seconds). If the case has not been closed, the duration is set to null. If the case was closed after less than half a second, the duration is rounded down to zero. example: 120 nullable: true type: integer external_service: $ref: '#/components/schemas/Cases_external_service' id: example: 66b9aa00-94fa-11ea-9f74-e7e108796192 type: string incremental_id: description: | A monotonically increasing number assigned to each case, unique per space. This value is generated asynchronously after the case is created and may not be present immediately in the response. example: 1 nullable: true type: integer observables: description: Observables attached to the case. items: $ref: '#/components/schemas/Cases_case_observable' type: array owner: $ref: '#/components/schemas/Cases_owner' settings: $ref: '#/components/schemas/Cases_settings' severity: $ref: '#/components/schemas/Cases_case_severity' status: $ref: '#/components/schemas/Cases_case_status' tags: example: - tag-1 items: type: string type: array title: example: Case title 1 type: string total_observables: description: The number of observables attached to the case. example: 0 nullable: true type: integer totalAlerts: example: 0 type: integer totalComment: description: The number of user comments on the case. Use the find case comments API to retrieve comment content. example: 1 type: integer totalEvents: description: The number of events attached to the case. example: 0 type: integer updated_at: format: date-time nullable: true type: string updated_by: $ref: '#/components/schemas/Cases_case_response_updated_by_properties' version: example: WzUzMiwxXQ== type: string required: - closed_at - closed_by - connector - created_at - created_by - description - duration - external_service - id - observables - owner - settings - severity - status - tags - title - totalAlerts - totalComment - total_observables - updated_at - updated_by - version title: Get case response type: object Cases_case_response_properties: title: Case response properties type: object properties: assignees: $ref: '#/components/schemas/Cases_assignees' category: description: The case category. nullable: true type: string closed_at: format: date-time nullable: true type: string closed_by: $ref: '#/components/schemas/Cases_case_response_closed_by_properties' comments: description: An array of comment objects for the case. items: discriminator: mapping: alert: '#/components/schemas/Cases_alert_comment_response_properties' event: '#/components/schemas/Cases_event_comment_response_properties' user: '#/components/schemas/Cases_user_comment_response_properties' propertyName: type oneOf: - $ref: '#/components/schemas/Cases_alert_comment_response_properties' - $ref: '#/components/schemas/Cases_event_comment_response_properties' - $ref: '#/components/schemas/Cases_user_comment_response_properties' maxItems: 10000 title: Case response properties for comments type: array connector: discriminator: mapping: .cases-webhook: '#/components/schemas/Cases_connector_properties_cases_webhook' .jira: '#/components/schemas/Cases_connector_properties_jira' .none: '#/components/schemas/Cases_connector_properties_none' .resilient: '#/components/schemas/Cases_connector_properties_resilient' .servicenow: '#/components/schemas/Cases_connector_properties_servicenow' .servicenow-sir: '#/components/schemas/Cases_connector_properties_servicenow_sir' .swimlane: '#/components/schemas/Cases_connector_properties_swimlane' propertyName: type oneOf: - $ref: '#/components/schemas/Cases_connector_properties_none' - $ref: '#/components/schemas/Cases_connector_properties_cases_webhook' - $ref: '#/components/schemas/Cases_connector_properties_jira' - $ref: '#/components/schemas/Cases_connector_properties_resilient' - $ref: '#/components/schemas/Cases_connector_properties_servicenow' - $ref: '#/components/schemas/Cases_connector_properties_servicenow_sir' - $ref: '#/components/schemas/Cases_connector_properties_swimlane' title: Case response properties for connectors created_at: example: '2022-05-13T09:16:17.416Z' format: date-time type: string created_by: $ref: '#/components/schemas/Cases_case_response_created_by_properties' customFields: description: Custom field values for the case. items: type: object properties: key: description: | The unique identifier for the custom field. The key value must exist in the case configuration settings. type: string type: description: | The custom field type. It must match the type specified in the case configuration settings. enum: - text - toggle type: string value: description: | The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is `undefined`. The value returned in the API and user interface in this case is `null`. oneOf: - maxLength: 160 minLength: 1 nullable: true type: string - type: boolean type: array description: example: A case description. type: string duration: description: | The elapsed time from the creation of the case to its closure (in seconds). If the case has not been closed, the duration is set to null. If the case was closed after less than half a second, the duration is rounded down to zero. example: 120 nullable: true type: integer external_service: $ref: '#/components/schemas/Cases_external_service' id: example: 66b9aa00-94fa-11ea-9f74-e7e108796192 type: string incremental_id: description: | A monotonically increasing number assigned to each case, unique per space. This value is generated asynchronously after the case is created and may not be present immediately in the response. example: 1 nullable: true type: integer observables: description: Observables attached to the case. items: $ref: '#/components/schemas/Cases_case_observable' type: array owner: $ref: '#/components/schemas/Cases_owner' settings: $ref: '#/components/schemas/Cases_settings' severity: $ref: '#/components/schemas/Cases_case_severity' status: $ref: '#/components/schemas/Cases_case_status' tags: example: - tag-1 items: type: string type: array title: example: Case title 1 type: string total_observables: description: The number of observables attached to the case. example: 0 nullable: true type: integer totalAlerts: example: 0 type: integer totalComment: example: 0 type: integer totalEvents: description: The number of events attached to the case. example: 0 type: integer updated_at: format: date-time nullable: true type: string updated_by: $ref: '#/components/schemas/Cases_case_response_updated_by_properties' version: example: WzUzMiwxXQ== type: string required: - closed_at - closed_by - comments - connector - created_at - created_by - description - duration - external_service - id - observables - owner - settings - severity - status - tags - title - totalAlerts - totalComment - total_observables - updated_at - updated_by - version Cases_case_response_pushed_by_properties: nullable: true properties: email: example: null nullable: true type: string full_name: example: null nullable: true type: string profile_uid: example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 type: string username: example: elastic nullable: true type: string required: - email - full_name - username title: Case response properties for pushed_by type: object Cases_case_response_updated_by_properties: nullable: true properties: email: example: null nullable: true type: string full_name: example: null nullable: true type: string profile_uid: example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 type: string username: example: elastic nullable: true type: string required: - email - full_name - username title: Case response properties for updated_by type: object Cases_case_severity: description: The severity of the case. enum: - critical - high - low - medium type: string Cases_case_status: description: The status of the case. enum: - closed - in-progress - open type: string Cases_case_tags: description: | The words and phrases that help categorize cases. It can be an empty array. items: maxLength: 256 type: string maxItems: 200 type: array Cases_case_title: description: A title for the case. maxLength: 160 type: string Cases_closure_types: description: Indicates whether a case is automatically closed when it is pushed to external systems (`close-by-pushing`) or not automatically closed (`close-by-user`). enum: - close-by-pushing - close-by-user example: close-by-user type: string Cases_connector_properties_cases_webhook: description: Defines properties for connectors when type is `.cases-webhook`. type: object properties: fields: example: null nullable: true type: string id: description: The identifier for the connector. To retrieve connector IDs, use the find connectors API. type: string name: description: The name of the connector. type: string type: description: The type of connector. enum: - .cases-webhook example: .cases-webhook type: string required: - fields - id - name - type title: Create or upate case request properties for Cases Webhook connector Cases_connector_properties_jira: description: Defines properties for connectors when type is `.jira`. type: object properties: fields: description: An object containing the connector fields. If you want to omit any individual field, specify null as its value. type: object properties: issueType: description: The type of issue. nullable: true type: string parent: description: The key of the parent issue, when the issue type is sub-task. nullable: true type: string priority: description: The priority of the issue. nullable: true type: string required: - issueType - parent - priority id: description: The identifier for the connector. To retrieve connector IDs, use the find connectors API. type: string name: description: The name of the connector. type: string type: description: The type of connector. enum: - .jira example: .jira type: string required: - fields - id - name - type title: Create or update case request properties for a Jira connector Cases_connector_properties_none: description: Defines properties for connectors when type is `.none`. type: object properties: fields: description: An object containing the connector fields. To create a case without a connector, specify null. To update a case to remove the connector, specify null. example: null nullable: true type: string id: description: The identifier for the connector. To create a case without a connector, use `none`. To update a case to remove the connector, specify `none`. example: none type: string name: description: The name of the connector. To create a case without a connector, use `none`. To update a case to remove the connector, specify `none`. example: none type: string type: description: The type of connector. To create a case without a connector, use `.none`. To update a case to remove the connector, specify `.none`. enum: - .none example: .none type: string required: - fields - id - name - type title: Create or update case request properties for no connector Cases_connector_properties_resilient: description: Defines properties for connectors when type is `.resilient`. type: object properties: fields: description: An object containing the connector fields. If you want to omit any individual field, specify null as its value. nullable: true type: object properties: issueTypes: description: The type of incident. items: type: string type: array severityCode: description: The severity code of the incident. type: string required: - issueTypes - severityCode id: description: The identifier for the connector. type: string name: description: The name of the connector. type: string type: description: The type of connector. enum: - .resilient example: .resilient type: string required: - fields - id - name - type title: Create case request properties for a IBM Resilient connector Cases_connector_properties_servicenow: description: Defines properties for connectors when type is `.servicenow`. type: object properties: fields: description: An object containing the connector fields. If you want to omit any individual field, specify null as its value. type: object properties: category: description: The category of the incident. nullable: true type: string impact: description: The effect an incident had on business. nullable: true type: string severity: description: The severity of the incident. nullable: true type: string subcategory: description: The subcategory of the incident. nullable: true type: string urgency: description: The extent to which the incident resolution can be delayed. nullable: true type: string required: - category - impact - severity - subcategory - urgency id: description: The identifier for the connector. To retrieve connector IDs, use the find connectors API. type: string name: description: The name of the connector. type: string type: description: The type of connector. enum: - .servicenow example: .servicenow type: string required: - fields - id - name - type title: Create case request properties for a ServiceNow ITSM connector Cases_connector_properties_servicenow_sir: description: Defines properties for connectors when type is `.servicenow-sir`. type: object properties: fields: description: An object containing the connector fields. If you want to omit any individual field, specify null as its value. type: object properties: category: description: The category of the incident. nullable: true type: string destIp: description: Indicates whether cases will send a comma-separated list of destination IPs. nullable: true type: boolean malwareHash: description: Indicates whether cases will send a comma-separated list of malware hashes. nullable: true type: boolean malwareUrl: description: Indicates whether cases will send a comma-separated list of malware URLs. nullable: true type: boolean priority: description: The priority of the issue. nullable: true type: string sourceIp: description: Indicates whether cases will send a comma-separated list of source IPs. nullable: true type: boolean subcategory: description: The subcategory of the incident. nullable: true type: string required: - category - destIp - malwareHash - malwareUrl - priority - sourceIp - subcategory id: description: The identifier for the connector. To retrieve connector IDs, use the find connectors API. type: string name: description: The name of the connector. type: string type: description: The type of connector. enum: - .servicenow-sir example: .servicenow-sir type: string required: - fields - id - name - type title: Create case request properties for a ServiceNow SecOps connector Cases_connector_properties_swimlane: description: Defines properties for connectors when type is `.swimlane`. type: object properties: fields: description: An object containing the connector fields. If you want to omit any individual field, specify null as its value. type: object properties: caseId: description: The case identifier for Swimlane connectors. nullable: true type: string required: - caseId id: description: The identifier for the connector. To retrieve connector IDs, use the find connectors API. type: string name: description: The name of the connector. type: string type: description: The type of connector. enum: - .swimlane example: .swimlane type: string required: - fields - id - name - type title: Create case request properties for a Swimlane connector Cases_connector_types: description: The type of connector. enum: - .cases-webhook - .jira - .none - .resilient - .servicenow - .servicenow-sir - .swimlane example: .none type: string Cases_create_case_request: description: The create case API request body varies depending on the type of connector. properties: assignees: $ref: '#/components/schemas/Cases_assignees' category: $ref: '#/components/schemas/Cases_case_category' connector: oneOf: - $ref: '#/components/schemas/Cases_connector_properties_none' - $ref: '#/components/schemas/Cases_connector_properties_cases_webhook' - $ref: '#/components/schemas/Cases_connector_properties_jira' - $ref: '#/components/schemas/Cases_connector_properties_resilient' - $ref: '#/components/schemas/Cases_connector_properties_servicenow' - $ref: '#/components/schemas/Cases_connector_properties_servicenow_sir' - $ref: '#/components/schemas/Cases_connector_properties_swimlane' customFields: description: | Custom field values for a case. Any optional custom fields that are not specified in the request are set to null. items: type: object properties: key: description: | The unique identifier for the custom field. The key value must exist in the case configuration settings. type: string type: description: | The custom field type. It must match the type specified in the case configuration settings. enum: - text - toggle type: string value: description: | The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is `undefined`. The value returned in the API and user interface in this case is `null`. oneOf: - maxLength: 160 minLength: 1 nullable: true type: string - type: boolean required: - key - type - value maxItems: 10 minItems: 0 type: array description: $ref: '#/components/schemas/Cases_case_description' owner: $ref: '#/components/schemas/Cases_owner' settings: $ref: '#/components/schemas/Cases_settings' severity: $ref: '#/components/schemas/Cases_case_severity' tags: $ref: '#/components/schemas/Cases_case_tags' title: $ref: '#/components/schemas/Cases_case_title' required: - connector - description - owner - settings - tags - title title: Create case request type: object Cases_event_comment_response_properties: title: Case response properties for event comments type: object properties: created_at: example: '2022-05-13T09:16:17.416Z' format: date-time type: string created_by: $ref: '#/components/schemas/Cases_case_response_created_by_properties' eventId: items: example: 7605e6a6f9f4f990ad9f8f6901e5f082f1f1f1665cbaf2f0f2c6f8f6b0d8a39f type: string type: array id: example: 8af6ac20-74f6-11ea-b83a-553aecdb28b6 type: string index: items: example: .internal.alerts-security.alerts-default-000001 type: string type: array owner: $ref: '#/components/schemas/Cases_owner' pushed_at: example: null format: date-time nullable: true type: string pushed_by: $ref: '#/components/schemas/Cases_case_response_pushed_by_properties' type: enum: - event example: event type: string updated_at: example: null format: date-time nullable: true type: string updated_by: $ref: '#/components/schemas/Cases_case_response_updated_by_properties' version: example: WzIwNDMxLDFd type: string required: - type Cases_external_service: nullable: true type: object properties: connector_id: type: string connector_name: type: string external_id: type: string external_title: type: string external_url: type: string pushed_at: format: date-time type: string pushed_by: nullable: true type: object properties: email: example: null nullable: true type: string full_name: example: null nullable: true type: string profile_uid: example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 type: string username: example: elastic nullable: true type: string Cases_find_comments_response: title: Find case comments response type: object properties: comments: description: Paginated list of user comments for the case. items: $ref: '#/components/schemas/Cases_user_comment_response_properties' type: array page: description: The current page index. type: integer per_page: description: The number of items per page. type: integer total: description: The total number of comments. type: integer required: - comments - page - per_page - total Cases_owner: description: | The application that owns the cases: Stack Management, Observability, or Elastic Security. enum: - cases - observability - securitySolution example: cases type: string Cases_owners: items: $ref: '#/components/schemas/Cases_owner' type: array Cases_payload_alert_comment: type: object properties: comment: type: object properties: alertId: oneOf: - example: 1c0b056b-cc9f-4b61-b5c9-cb801abd5e1d type: string - items: type: string type: array index: oneOf: - example: .alerts-observability.logs.alerts-default type: string - items: type: string type: array owner: $ref: '#/components/schemas/Cases_owner' rule: type: object properties: id: description: The rule identifier. example: 94d80550-aaf4-11ec-985f-97e55adae8b9 nullable: true type: string name: description: The rule name. example: security_rule nullable: true type: string type: enum: - alert type: string Cases_payload_assignees: type: object properties: assignees: $ref: '#/components/schemas/Cases_assignees' Cases_payload_connector: type: object properties: connector: type: object properties: fields: description: An object containing the connector fields. To create a case without a connector, specify null. If you want to omit any individual field, specify null as its value. example: null nullable: true type: object properties: caseId: description: The case identifier for Swimlane connectors. type: string category: description: The category of the incident for ServiceNow ITSM and ServiceNow SecOps connectors. type: string destIp: description: Indicates whether cases will send a comma-separated list of destination IPs for ServiceNow SecOps connectors. nullable: true type: boolean impact: description: The effect an incident had on business for ServiceNow ITSM connectors. type: string issueType: description: The type of issue for Jira connectors. type: string issueTypes: description: The type of incident for IBM Resilient connectors. items: type: string type: array malwareHash: description: Indicates whether cases will send a comma-separated list of malware hashes for ServiceNow SecOps connectors. nullable: true type: boolean malwareUrl: description: Indicates whether cases will send a comma-separated list of malware URLs for ServiceNow SecOps connectors. nullable: true type: boolean parent: description: The key of the parent issue, when the issue type is sub-task for Jira connectors. type: string priority: description: The priority of the issue for Jira and ServiceNow SecOps connectors. type: string severity: description: The severity of the incident for ServiceNow ITSM connectors. type: string severityCode: description: The severity code of the incident for IBM Resilient connectors. type: string sourceIp: description: Indicates whether cases will send a comma-separated list of source IPs for ServiceNow SecOps connectors. nullable: true type: boolean subcategory: description: The subcategory of the incident for ServiceNow ITSM connectors. type: string urgency: description: The extent to which the incident resolution can be delayed for ServiceNow ITSM connectors. type: string id: description: The identifier for the connector. To create a case without a connector, use `none`. example: none type: string name: description: The name of the connector. To create a case without a connector, use `none`. example: none type: string type: $ref: '#/components/schemas/Cases_connector_types' Cases_payload_create_case: type: object properties: assignees: $ref: '#/components/schemas/Cases_assignees' connector: type: object properties: fields: description: An object containing the connector fields. To create a case without a connector, specify null. If you want to omit any individual field, specify null as its value. example: null nullable: true type: object properties: caseId: description: The case identifier for Swimlane connectors. type: string category: description: The category of the incident for ServiceNow ITSM and ServiceNow SecOps connectors. type: string destIp: description: Indicates whether cases will send a comma-separated list of destination IPs for ServiceNow SecOps connectors. nullable: true type: boolean impact: description: The effect an incident had on business for ServiceNow ITSM connectors. type: string issueType: description: The type of issue for Jira connectors. type: string issueTypes: description: The type of incident for IBM Resilient connectors. items: type: string type: array malwareHash: description: Indicates whether cases will send a comma-separated list of malware hashes for ServiceNow SecOps connectors. nullable: true type: boolean malwareUrl: description: Indicates whether cases will send a comma-separated list of malware URLs for ServiceNow SecOps connectors. nullable: true type: boolean parent: description: The key of the parent issue, when the issue type is sub-task for Jira connectors. type: string priority: description: The priority of the issue for Jira and ServiceNow SecOps connectors. type: string severity: description: The severity of the incident for ServiceNow ITSM connectors. type: string severityCode: description: The severity code of the incident for IBM Resilient connectors. type: string sourceIp: description: Indicates whether cases will send a comma-separated list of source IPs for ServiceNow SecOps connectors. nullable: true type: boolean subcategory: description: The subcategory of the incident for ServiceNow ITSM connectors. type: string urgency: description: The extent to which the incident resolution can be delayed for ServiceNow ITSM connectors. type: string id: description: The identifier for the connector. To create a case without a connector, use `none`. example: none type: string name: description: The name of the connector. To create a case without a connector, use `none`. example: none type: string type: $ref: '#/components/schemas/Cases_connector_types' description: type: string owner: $ref: '#/components/schemas/Cases_owner' settings: $ref: '#/components/schemas/Cases_settings' severity: $ref: '#/components/schemas/Cases_case_severity' status: $ref: '#/components/schemas/Cases_case_status' tags: example: - tag-1 items: type: string type: array title: type: string Cases_payload_delete: description: If the `action` is `delete` and the `type` is `delete_case`, the payload is nullable. nullable: true type: object Cases_payload_description: type: object properties: description: type: string Cases_payload_pushed: type: object properties: externalService: $ref: '#/components/schemas/Cases_external_service' Cases_payload_settings: type: object properties: settings: $ref: '#/components/schemas/Cases_settings' Cases_payload_severity: type: object properties: severity: $ref: '#/components/schemas/Cases_case_severity' Cases_payload_status: type: object properties: status: $ref: '#/components/schemas/Cases_case_status' Cases_payload_tags: type: object properties: tags: example: - tag-1 items: type: string type: array Cases_payload_title: type: object properties: title: type: string Cases_payload_user_comment: type: object properties: comment: type: object properties: comment: type: string owner: $ref: '#/components/schemas/Cases_owner' type: enum: - user type: string Cases_related_case: description: | Summary of a case returned when listing cases that contain a given alert. This is a subset of the full case response. properties: createdAt: description: When the case was created. format: date-time type: string description: description: The case description. type: string id: description: The case identifier. type: string status: $ref: '#/components/schemas/Cases_case_status' title: description: The case title. type: string totals: $ref: '#/components/schemas/Cases_attachment_totals' required: - id - title - description - status - createdAt - totals title: Related case type: object Cases_response_4xx: properties: error: example: Unauthorized type: string message: type: string statusCode: example: 401 type: integer title: Unsuccessful cases API response type: object Cases_rule: description: | The rule that is associated with the alerts. It is required only when `type` is `alert`. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. title: Alerting rule type: object properties: id: description: The rule identifier. example: 94d80550-aaf4-11ec-985f-97e55adae8b9 type: string name: description: The rule name. example: security_rule type: string x-state: Technical preview Cases_searchFieldsType: description: The fields to perform the `simple_query_string` parsed query against. enum: - description - title type: string Cases_searchFieldsTypeArray: items: $ref: '#/components/schemas/Cases_searchFieldsType' type: array Cases_set_case_configuration_request: description: External connection details, such as the closure type and default connector for cases. properties: closure_type: $ref: '#/components/schemas/Cases_closure_types' connector: description: An object that contains the connector configuration. type: object properties: fields: description: The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to `null`. nullable: true type: object id: description: The identifier for the connector. If you do not want a default connector, use `none`. To retrieve connector IDs, use the find connectors API. example: none type: string name: description: The name of the connector. If you do not want a default connector, use `none`. To retrieve connector names, use the find connectors API. example: none type: string type: $ref: '#/components/schemas/Cases_connector_types' required: - fields - id - name - type customFields: description: Custom fields case configuration. items: type: object properties: defaultValue: description: | A default value for the custom field. If the `type` is `text`, the default value must be a string. If the `type` is `toggle`, the default value must be boolean. oneOf: - type: string - type: boolean key: description: | A unique key for the custom field. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific custom field. maxLength: 36 minLength: 1 type: string label: description: The custom field label that is displayed in the case. maxLength: 50 minLength: 1 type: string type: description: The type of the custom field. enum: - text - toggle type: string required: description: | Indicates whether the field is required. If `false`, the custom field can be set to null or omitted when a case is created or updated. type: boolean required: - key - label - required - type maxItems: 10 minItems: 0 type: array owner: $ref: '#/components/schemas/Cases_owner' templates: $ref: '#/components/schemas/Cases_templates' required: - closure_type - connector - owner title: Set case configuration request type: object Cases_settings: description: An object that contains the case settings. type: object properties: extractObservables: description: | When true, observables (e.g. IPs, hashes, URLs) are automatically extracted from case comments. Optional; defaults to false when omitted. example: false type: boolean syncAlerts: description: Turns alert syncing on or off. example: true type: boolean required: - syncAlerts Cases_string: type: string Cases_string_array: items: $ref: '#/components/schemas/Cases_string' maxItems: 100 type: array Cases_template_tags: description: | The words and phrases that help categorize templates. It can be an empty array. items: maxLength: 256 type: string maxItems: 200 type: array Cases_templates: items: type: object properties: caseFields: type: object properties: assignees: $ref: '#/components/schemas/Cases_assignees' category: $ref: '#/components/schemas/Cases_case_category' connector: type: object properties: fields: description: The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to `null`. nullable: true type: object id: description: The identifier for the connector. If you do not want a default connector, use `none`. To retrieve connector IDs, use the find connectors API. example: none type: string name: description: The name of the connector. If you do not want a default connector, use `none`. To retrieve connector names, use the find connectors API. example: none type: string type: $ref: '#/components/schemas/Cases_connector_types' customFields: description: Custom field values in the template. items: type: object properties: key: description: The unique key for the custom field. type: string type: description: The type of the custom field. enum: - text - toggle type: string value: description: | The default value for the custom field when a case uses the template. If the `type` is `text`, the default value must be a string. If the `type` is `toggle`, the default value must be boolean. oneOf: - type: string - type: boolean type: array x-state: Technical preview description: $ref: '#/components/schemas/Cases_case_description' settings: $ref: '#/components/schemas/Cases_settings' severity: $ref: '#/components/schemas/Cases_case_severity' tags: $ref: '#/components/schemas/Cases_case_tags' title: $ref: '#/components/schemas/Cases_case_title' description: description: A description for the template. type: string key: description: | A unique key for the template. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific template. type: string name: description: The name of the template. type: string tags: $ref: '#/components/schemas/Cases_template_tags' type: array x-state: Technical preview Cases_update_alert_comment_request_properties: description: Defines properties for case comment requests when type is alert. type: object properties: alertId: $ref: '#/components/schemas/Cases_alert_identifiers' id: description: | The identifier for the comment. To retrieve comment IDs, use the get comments API. example: 8af6ac20-74f6-11ea-b83a-553aecdb28b6 type: string index: $ref: '#/components/schemas/Cases_alert_indices' owner: $ref: '#/components/schemas/Cases_owner' rule: $ref: '#/components/schemas/Cases_rule' type: description: The type of comment. enum: - alert example: alert type: string version: description: | The current comment version. To retrieve version values, use the get comments API. example: Wzk1LDFd type: string required: - alertId - id - index - owner - rule - type - version title: Update case comment request properties for alerts Cases_update_case_comment_request: description: The update case comment API request body varies depending on whether you are updating an alert or a comment. discriminator: mapping: alert: '#/components/schemas/Cases_update_alert_comment_request_properties' user: '#/components/schemas/Cases_update_user_comment_request_properties' propertyName: type oneOf: - $ref: '#/components/schemas/Cases_update_alert_comment_request_properties' - $ref: '#/components/schemas/Cases_update_user_comment_request_properties' title: Update case comment request Cases_update_case_configuration_request: description: | You can update settings such as the closure type, custom fields, templates, and the default connector for cases. properties: closure_type: $ref: '#/components/schemas/Cases_closure_types' connector: description: An object that contains the connector configuration. type: object properties: fields: description: The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to `null`. nullable: true type: object id: description: The identifier for the connector. If you do not want a default connector, use `none`. To retrieve connector IDs, use the find connectors API. example: none type: string name: description: The name of the connector. If you do not want a default connector, use `none`. To retrieve connector names, use the find connectors API. example: none type: string type: $ref: '#/components/schemas/Cases_connector_types' required: - fields - id - name - type customFields: description: Custom fields case configuration. items: type: object properties: defaultValue: description: | A default value for the custom field. If the `type` is `text`, the default value must be a string. If the `type` is `toggle`, the default value must be boolean. oneOf: - type: string - type: boolean key: description: | A unique key for the custom field. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific custom field. maxLength: 36 minLength: 1 type: string label: description: The custom field label that is displayed in the case. maxLength: 50 minLength: 1 type: string type: description: The type of the custom field. enum: - text - toggle type: string required: description: | Indicates whether the field is required. If `false`, the custom field can be set to null or omitted when a case is created or updated. type: boolean required: - key - label - required - type type: array templates: $ref: '#/components/schemas/Cases_templates' version: description: | The version of the connector. To retrieve the version value, use the get configuration API. example: WzIwMiwxXQ== type: string required: - version title: Update case configuration request type: object Cases_update_case_request: description: The update case API request body varies depending on the type of connector. properties: cases: description: An array containing one or more case objects. items: type: object properties: assignees: $ref: '#/components/schemas/Cases_assignees' category: $ref: '#/components/schemas/Cases_case_category' closeReason: $ref: '#/components/schemas/Cases_case_close_sync_reason' connector: oneOf: - $ref: '#/components/schemas/Cases_connector_properties_none' - $ref: '#/components/schemas/Cases_connector_properties_cases_webhook' - $ref: '#/components/schemas/Cases_connector_properties_jira' - $ref: '#/components/schemas/Cases_connector_properties_resilient' - $ref: '#/components/schemas/Cases_connector_properties_servicenow' - $ref: '#/components/schemas/Cases_connector_properties_servicenow_sir' - $ref: '#/components/schemas/Cases_connector_properties_swimlane' customFields: description: | Custom field values for a case. Any optional custom fields that are not specified in the request are set to null. items: type: object properties: key: description: | The unique identifier for the custom field. The key value must exist in the case configuration settings. type: string type: description: | The custom field type. It must match the type specified in the case configuration settings. enum: - text - toggle type: string value: description: | The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is `undefined`. The value returned in the API and user interface in this case is `null`. oneOf: - maxLength: 160 minLength: 1 nullable: true type: string - type: boolean required: - key - type - value maxItems: 10 minItems: 0 type: array description: $ref: '#/components/schemas/Cases_case_description' id: description: The identifier for the case. maxLength: 30000 type: string settings: $ref: '#/components/schemas/Cases_settings' severity: $ref: '#/components/schemas/Cases_case_severity' status: $ref: '#/components/schemas/Cases_case_status' tags: $ref: '#/components/schemas/Cases_case_tags' title: $ref: '#/components/schemas/Cases_case_title' version: description: | The current version of the case. To determine this value, use the get case or search cases (`_find`) APIs. type: string required: - id - version maxItems: 100 minItems: 1 type: array required: - cases title: Update case request type: object Cases_update_user_comment_request_properties: description: Defines properties for case comment requests when type is user. properties: comment: description: The new comment. It is required only when `type` is `user`. example: A new comment. maxLength: 30000 type: string id: description: | The identifier for the comment. To retrieve comment IDs, use the get comments API. example: 8af6ac20-74f6-11ea-b83a-553aecdb28b6 type: string owner: $ref: '#/components/schemas/Cases_owner' type: description: The type of comment. enum: - user example: user type: string version: description: | The current comment version. To retrieve version values, use the get comments API. example: Wzk1LDFd type: string required: - comment - id - owner - type - version title: Update case comment request properties for user comments type: object Cases_user_actions_find_response_properties: type: object properties: action: $ref: '#/components/schemas/Cases_actions' comment_id: example: 578608d0-03b1-11ed-920c-974bfa104448 nullable: true type: string created_at: example: '2022-05-13T09:16:17.416Z' format: date-time type: string created_by: type: object properties: email: example: null nullable: true type: string full_name: example: null nullable: true type: string profile_uid: example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 type: string username: example: elastic nullable: true type: string required: - email - full_name - username id: example: 22fd3e30-03b1-11ed-920c-974bfa104448 type: string owner: $ref: '#/components/schemas/Cases_owner' payload: oneOf: - $ref: '#/components/schemas/Cases_payload_alert_comment' - $ref: '#/components/schemas/Cases_payload_assignees' - $ref: '#/components/schemas/Cases_payload_connector' - $ref: '#/components/schemas/Cases_payload_create_case' - $ref: '#/components/schemas/Cases_payload_delete' - $ref: '#/components/schemas/Cases_payload_description' - $ref: '#/components/schemas/Cases_payload_pushed' - $ref: '#/components/schemas/Cases_payload_settings' - $ref: '#/components/schemas/Cases_payload_severity' - $ref: '#/components/schemas/Cases_payload_status' - $ref: '#/components/schemas/Cases_payload_tags' - $ref: '#/components/schemas/Cases_payload_title' - $ref: '#/components/schemas/Cases_payload_user_comment' type: description: The type of action. enum: - assignees - category - comment - connector - create_case - customFields - delete_case - description - extended_fields - observables - pushed - settings - severity - status - tags - title example: create_case type: string version: example: WzM1ODg4LDFd type: string required: - action - comment_id - created_at - created_by - id - owner - payload - type - version Cases_user_comment_response_properties: title: Case response properties for user comments type: object properties: comment: example: A new comment. type: string created_at: example: '2022-05-13T09:16:17.416Z' format: date-time type: string created_by: $ref: '#/components/schemas/Cases_case_response_created_by_properties' id: example: 8af6ac20-74f6-11ea-b83a-553aecdb28b6 type: string owner: $ref: '#/components/schemas/Cases_owner' pushed_at: example: null format: date-time nullable: true type: string pushed_by: $ref: '#/components/schemas/Cases_case_response_pushed_by_properties' type: enum: - user example: user type: string updated_at: example: null format: date-time nullable: true type: string updated_by: $ref: '#/components/schemas/Cases_case_response_updated_by_properties' version: example: WzIwNDMxLDFd type: string required: - type Data_views_400_response: title: Bad request type: object properties: error: example: Bad Request type: string message: type: string statusCode: example: 400 type: number required: - statusCode - error - message Data_views_404_response: type: object properties: error: enum: - Not Found example: Not Found type: string message: example: Saved object [index-pattern/caaad6d0-920c-11ed-b36a-874bd1548a00] not found type: string statusCode: enum: - 404 example: 404 type: integer Data_views_allownoindex: description: Allows the data view saved object to exist before the data is available. Defaults to `false`. type: boolean Data_views_create_data_view_request_object: title: Create data view request type: object properties: data_view: description: The data view object. type: object properties: allowNoIndex: $ref: '#/components/schemas/Data_views_allownoindex' fieldAttrs: additionalProperties: $ref: '#/components/schemas/Data_views_fieldattrs' type: object fieldFormats: $ref: '#/components/schemas/Data_views_fieldformats' fields: type: object id: type: string name: description: The data view name. type: string namespaces: $ref: '#/components/schemas/Data_views_namespaces' runtimeFieldMap: additionalProperties: $ref: '#/components/schemas/Data_views_runtimefieldmap' type: object sourceFilters: $ref: '#/components/schemas/Data_views_sourcefilters' timeFieldName: $ref: '#/components/schemas/Data_views_timefieldname' title: $ref: '#/components/schemas/Data_views_title' type: $ref: '#/components/schemas/Data_views_type' typeMeta: $ref: '#/components/schemas/Data_views_typemeta' version: type: string required: - title override: default: false description: Override an existing data view if a data view with the provided title already exists. type: boolean required: - data_view Data_views_data_view_response_object: title: Data view response properties type: object properties: data_view: type: object properties: allowNoIndex: $ref: '#/components/schemas/Data_views_allownoindex' fieldAttrs: additionalProperties: $ref: '#/components/schemas/Data_views_fieldattrs' type: object fieldFormats: $ref: '#/components/schemas/Data_views_fieldformats' fields: type: object id: example: ff959d40-b880-11e8-a6d9-e546fe2bba5f type: string name: description: The data view name. type: string namespaces: $ref: '#/components/schemas/Data_views_namespaces' runtimeFieldMap: additionalProperties: $ref: '#/components/schemas/Data_views_runtimefieldmap' type: object sourceFilters: $ref: '#/components/schemas/Data_views_sourcefilters' timeFieldName: $ref: '#/components/schemas/Data_views_timefieldname' title: $ref: '#/components/schemas/Data_views_title' typeMeta: $ref: '#/components/schemas/Data_views_typemeta_response' version: example: WzQ2LDJd type: string Data_views_fieldattrs: description: A map of field attributes by field name. type: object properties: count: description: Popularity count for the field. type: integer customDescription: description: Custom description for the field. maxLength: 300 type: string customLabel: description: Custom label for the field. type: string Data_views_fieldformats: description: A map of field formats by field name. type: object Data_views_namespaces: description: An array of space identifiers for sharing the data view between multiple spaces. items: default: default type: string type: array Data_views_runtimefieldmap: description: A map of runtime field definitions by field name. type: object properties: script: type: object properties: source: description: Script for the runtime field. type: string type: description: Mapping type of the runtime field. type: string required: - script - type Data_views_sourcefilters: description: The array of field names you want to filter out in Discover. items: type: object properties: value: type: string required: - value type: array Data_views_swap_data_view_request_object: title: Data view reference swap request type: object properties: delete: description: Deletes referenced saved object if all references are removed. type: boolean forId: description: Limit the affected saved objects to one or more by identifier. oneOf: - type: string - items: type: string type: array forType: description: Limit the affected saved objects by type. type: string fromId: description: The saved object reference to change. type: string fromType: description: | Specify the type of the saved object reference to alter. The default value is `index-pattern` for data views. type: string toId: description: New saved object reference value to replace the old value. type: string required: - fromId - toId Data_views_timefieldname: description: The timestamp field name, which you use for time-based data views. type: string Data_views_title: description: Comma-separated list of data streams, indices, and aliases that you want to search. Supports wildcards (`*`). type: string Data_views_type: description: When set to `rollup`, identifies the rollup data views. type: string Data_views_typemeta: description: When you use rollup indices, contains the field list for the rollup data view API endpoints. type: object properties: aggs: description: A map of rollup restrictions by aggregation type and field name. type: object params: description: Properties for retrieving rollup fields. type: object required: - aggs - params Data_views_typemeta_response: description: When you use rollup indices, contains the field list for the rollup data view API endpoints. nullable: true type: object properties: aggs: description: A map of rollup restrictions by aggregation type and field name. type: object params: description: Properties for retrieving rollup fields. type: object Data_views_update_data_view_request_object: title: Update data view request type: object properties: data_view: description: | The data view properties you want to update. Only the specified properties are updated in the data view. Unspecified fields stay as they are persisted. type: object properties: allowNoIndex: $ref: '#/components/schemas/Data_views_allownoindex' fieldFormats: $ref: '#/components/schemas/Data_views_fieldformats' fields: type: object name: type: string runtimeFieldMap: additionalProperties: $ref: '#/components/schemas/Data_views_runtimefieldmap' type: object sourceFilters: $ref: '#/components/schemas/Data_views_sourcefilters' timeFieldName: $ref: '#/components/schemas/Data_views_timefieldname' title: $ref: '#/components/schemas/Data_views_title' type: $ref: '#/components/schemas/Data_views_type' typeMeta: $ref: '#/components/schemas/Data_views_typemeta' refresh_fields: default: false description: Reloads the data view fields after the data view is updated. type: boolean required: - data_view Kibana_HTTP_APIs_apm-anomaly-create-rule-body-alerting: additionalProperties: false properties: actions: default: [] items: additionalProperties: false description: An action that runs under defined conditions. type: object properties: alerts_filter: additionalProperties: false description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. type: object properties: query: additionalProperties: false type: object properties: dsl: description: A filter written in Elasticsearch Query Domain Specific Language (DSL). type: string filters: description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. items: additionalProperties: false type: object properties: $state: additionalProperties: false type: object properties: store: description: A filter can be either specific to an application context or applied globally. enum: - appState - globalState type: string required: - store meta: additionalProperties: {} type: object query: additionalProperties: {} type: object required: - meta type: array kql: description: A filter written in Kibana Query Language (KQL). type: string required: - kql - filters timeframe: additionalProperties: false description: Defines a period that limits whether the action runs. type: object properties: days: description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. items: enum: - 1 - 2 - 3 - 4 - 5 - 6 - 7 type: integer type: array hours: additionalProperties: false description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. type: object properties: end: description: The end of the time frame in 24-hour notation (`hh:mm`). type: string start: description: The start of the time frame in 24-hour notation (`hh:mm`). type: string required: - start - end timezone: description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. type: string required: - days - hours - timezone frequency: additionalProperties: false type: object properties: notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval type: string summary: description: Indicates whether the action is a summary. type: boolean throttle: description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - summary - notify_when - throttle group: description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. type: string id: description: The identifier for the connector saved object. type: string params: additionalProperties: {} default: {} description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. type: object use_alert_data_for_template: description: Indicates whether to use alert data as a template. type: boolean uuid: description: A universally unique identifier (UUID) for the action. type: string required: - id type: array alert_delay: additionalProperties: false description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. type: object properties: active: description: The number of consecutive runs that must meet the rule conditions. type: number required: - active artifacts: additionalProperties: false type: object properties: dashboards: items: additionalProperties: false type: object properties: id: type: string required: - id maxItems: 10 type: array investigation_guide: additionalProperties: false type: object properties: blob: maxLength: 10000 type: string required: - blob consumer: description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' type: string enabled: default: true description: Indicates whether you want to run the rule on an interval basis after it is created. type: boolean flapping: additionalProperties: false description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. nullable: true type: object properties: enabled: description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. type: boolean look_back_window: description: The minimum number of runs in which the threshold must be met. maximum: 20 minimum: 2 type: number status_change_threshold: description: The minimum number of times an alert must switch states in the look back window. maximum: 20 minimum: 2 type: number required: - look_back_window - status_change_threshold name: description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. type: string notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval nullable: true type: string params: additionalProperties: false description: The parameters for the APM anomaly rule. These parameters are appropriate when `rule_type_id` is `apm.anomaly"`. properties: anomalyDetectorTypes: description: The types of anomalies that are detected. For example, detect abnormal latency, throughput, or failed transaction rates. items: enum: - txLatency - txThroughput - txFailureRate type: string minItems: 1 type: array anomalySeverityType: description: 'The severity of anomalies that result in an alert: critical, major, minor, or warning.' enum: - critical - major - minor - warning type: string environment: description: The environment from APM. type: string serviceName: description: The service name from APM. type: string transactionType: description: The transaction type from APM. type: string windowSize: description: The size of the time window (in `windowUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection. type: number windowUnit: description: 'The type of units for the time window: minutes, hours, or days.' type: string required: - windowSize - windowUnit - environment - anomalySeverityType title: APM Anomaly Rule Params type: object rule_type_id: enum: - apm.anomaly type: string schedule: additionalProperties: false description: The check interval, which specifies how frequently the rule conditions are checked. type: object properties: interval: description: The interval is specified in seconds, minutes, hours, or days. type: string required: - interval tags: default: [] description: The tags for the rule. items: type: string type: array throttle: description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - name - consumer - schedule - rule_type_id - params title: APM anomaly type: object Kibana_HTTP_APIs_apm-error-rate-create-rule-body-alerting: additionalProperties: false properties: actions: default: [] items: additionalProperties: false description: An action that runs under defined conditions. type: object properties: alerts_filter: additionalProperties: false description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. type: object properties: query: additionalProperties: false type: object properties: dsl: description: A filter written in Elasticsearch Query Domain Specific Language (DSL). type: string filters: description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. items: additionalProperties: false type: object properties: $state: additionalProperties: false type: object properties: store: description: A filter can be either specific to an application context or applied globally. enum: - appState - globalState type: string required: - store meta: additionalProperties: {} type: object query: additionalProperties: {} type: object required: - meta type: array kql: description: A filter written in Kibana Query Language (KQL). type: string required: - kql - filters timeframe: additionalProperties: false description: Defines a period that limits whether the action runs. type: object properties: days: description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. items: enum: - 1 - 2 - 3 - 4 - 5 - 6 - 7 type: integer type: array hours: additionalProperties: false description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. type: object properties: end: description: The end of the time frame in 24-hour notation (`hh:mm`). type: string start: description: The start of the time frame in 24-hour notation (`hh:mm`). type: string required: - start - end timezone: description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. type: string required: - days - hours - timezone frequency: additionalProperties: false type: object properties: notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval type: string summary: description: Indicates whether the action is a summary. type: boolean throttle: description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - summary - notify_when - throttle group: description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. type: string id: description: The identifier for the connector saved object. type: string params: additionalProperties: {} default: {} description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. type: object use_alert_data_for_template: description: Indicates whether to use alert data as a template. type: boolean uuid: description: A universally unique identifier (UUID) for the action. type: string required: - id type: array alert_delay: additionalProperties: false description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. type: object properties: active: description: The number of consecutive runs that must meet the rule conditions. type: number required: - active artifacts: additionalProperties: false type: object properties: dashboards: items: additionalProperties: false type: object properties: id: type: string required: - id maxItems: 10 type: array investigation_guide: additionalProperties: false type: object properties: blob: maxLength: 10000 type: string required: - blob consumer: description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' type: string enabled: default: true description: Indicates whether you want to run the rule on an interval basis after it is created. type: boolean flapping: additionalProperties: false description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. nullable: true type: object properties: enabled: description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. type: boolean look_back_window: description: The minimum number of runs in which the threshold must be met. maximum: 20 minimum: 2 type: number status_change_threshold: description: The minimum number of times an alert must switch states in the look back window. maximum: 20 minimum: 2 type: number required: - look_back_window - status_change_threshold name: description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. type: string notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval nullable: true type: string params: additionalProperties: false description: The parameters for the error count rule. These parameters are appropriate when `rule_type_id` is `apm.error_rate`. properties: environment: description: Filter the errors coming from your application to apply the rule to a specific environment. type: string errorGroupingKey: description: Filter the errors coming from your application to apply the rule to a specific error grouping key, which is a hash of the stack trace and other properties. type: string groupBy: items: description: Perform a composite aggregation against the selected fields. When any of these groups match the selected rule conditions, an alert is triggered per group. type: string type: array searchConfiguration: additionalProperties: false type: object properties: query: additionalProperties: false type: object properties: language: type: string query: anyOf: - type: string - additionalProperties: {} type: object required: - query - language required: - query serviceName: description: Filter the errors coming from your application to apply the rule to a specific service. type: string threshold: description: The number of errors, which is the threshold for alerts. type: number useKqlFilter: description: A filter in Kibana Query Language (KQL) that limits the scope of the rule. type: boolean windowSize: description: The time frame in which the errors must occur (in `windowUnit` units). Generally it should be a value higher than the rule check interval to avoid gaps in detection. type: number windowUnit: description: 'The type of units for the time window: minutes, hours, or days.' type: string required: - windowSize - windowUnit - threshold - environment title: Error Count Rule Params type: object rule_type_id: enum: - apm.error_rate type: string schedule: additionalProperties: false description: The check interval, which specifies how frequently the rule conditions are checked. type: object properties: interval: description: The interval is specified in seconds, minutes, hours, or days. type: string required: - interval tags: default: [] description: The tags for the rule. items: type: string type: array throttle: description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - name - consumer - schedule - rule_type_id - params title: Error rate type: object Kibana_HTTP_APIs_apm-transaction-duration-create-rule-body-alerting: additionalProperties: false properties: actions: default: [] items: additionalProperties: false description: An action that runs under defined conditions. type: object properties: alerts_filter: additionalProperties: false description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. type: object properties: query: additionalProperties: false type: object properties: dsl: description: A filter written in Elasticsearch Query Domain Specific Language (DSL). type: string filters: description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. items: additionalProperties: false type: object properties: $state: additionalProperties: false type: object properties: store: description: A filter can be either specific to an application context or applied globally. enum: - appState - globalState type: string required: - store meta: additionalProperties: {} type: object query: additionalProperties: {} type: object required: - meta type: array kql: description: A filter written in Kibana Query Language (KQL). type: string required: - kql - filters timeframe: additionalProperties: false description: Defines a period that limits whether the action runs. type: object properties: days: description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. items: enum: - 1 - 2 - 3 - 4 - 5 - 6 - 7 type: integer type: array hours: additionalProperties: false description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. type: object properties: end: description: The end of the time frame in 24-hour notation (`hh:mm`). type: string start: description: The start of the time frame in 24-hour notation (`hh:mm`). type: string required: - start - end timezone: description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. type: string required: - days - hours - timezone frequency: additionalProperties: false type: object properties: notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval type: string summary: description: Indicates whether the action is a summary. type: boolean throttle: description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - summary - notify_when - throttle group: description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. type: string id: description: The identifier for the connector saved object. type: string params: additionalProperties: {} default: {} description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. type: object use_alert_data_for_template: description: Indicates whether to use alert data as a template. type: boolean uuid: description: A universally unique identifier (UUID) for the action. type: string required: - id type: array alert_delay: additionalProperties: false description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. type: object properties: active: description: The number of consecutive runs that must meet the rule conditions. type: number required: - active artifacts: additionalProperties: false type: object properties: dashboards: items: additionalProperties: false type: object properties: id: type: string required: - id maxItems: 10 type: array investigation_guide: additionalProperties: false type: object properties: blob: maxLength: 10000 type: string required: - blob consumer: description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' type: string enabled: default: true description: Indicates whether you want to run the rule on an interval basis after it is created. type: boolean flapping: additionalProperties: false description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. nullable: true type: object properties: enabled: description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. type: boolean look_back_window: description: The minimum number of runs in which the threshold must be met. maximum: 20 minimum: 2 type: number status_change_threshold: description: The minimum number of times an alert must switch states in the look back window. maximum: 20 minimum: 2 type: number required: - look_back_window - status_change_threshold name: description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. type: string notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval nullable: true type: string params: additionalProperties: false description: The parameters for the transaction duration rule. These parameters are appropriate when `rule_type_id` is `apm.transaction_duration`. properties: aggregationType: description: The type of aggregation to perform. enum: - avg - 95th - 99th type: string environment: description: Filter the rule to apply to a specific environment. type: string groupBy: items: description: Perform a composite aggregation against the selected fields. When any of these groups match the selected rule conditions, an alert is triggered per group. type: string type: array searchConfiguration: additionalProperties: false type: object properties: query: additionalProperties: false type: object properties: language: type: string query: anyOf: - type: string - additionalProperties: {} type: object required: - query - language required: - query serviceName: description: Filter the rule to apply to a specific service. type: string threshold: description: The latency threshold value. type: number transactionName: description: Filter the rule to apply to a specific transaction name. type: string transactionType: description: Filter the rule to apply to a specific transaction type. type: string useKqlFilter: description: A Kibana Query Language (KQL) expression thats limits the scope of alerts. type: boolean windowSize: description: The size of the time window (in `windowUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection. type: number windowUnit: description: 'The type of units for the time window. For example: minutes, hours, or days.' type: string required: - windowSize - windowUnit - threshold - aggregationType - environment title: Transaction Duration Rule Params type: object rule_type_id: enum: - apm.transaction_duration type: string schedule: additionalProperties: false description: The check interval, which specifies how frequently the rule conditions are checked. type: object properties: interval: description: The interval is specified in seconds, minutes, hours, or days. type: string required: - interval tags: default: [] description: The tags for the rule. items: type: string type: array throttle: description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - name - consumer - schedule - rule_type_id - params title: Transaction duration type: object Kibana_HTTP_APIs_apm-transaction-error-rate-create-rule-body-alerting: additionalProperties: false properties: actions: default: [] items: additionalProperties: false description: An action that runs under defined conditions. type: object properties: alerts_filter: additionalProperties: false description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. type: object properties: query: additionalProperties: false type: object properties: dsl: description: A filter written in Elasticsearch Query Domain Specific Language (DSL). type: string filters: description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. items: additionalProperties: false type: object properties: $state: additionalProperties: false type: object properties: store: description: A filter can be either specific to an application context or applied globally. enum: - appState - globalState type: string required: - store meta: additionalProperties: {} type: object query: additionalProperties: {} type: object required: - meta type: array kql: description: A filter written in Kibana Query Language (KQL). type: string required: - kql - filters timeframe: additionalProperties: false description: Defines a period that limits whether the action runs. type: object properties: days: description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. items: enum: - 1 - 2 - 3 - 4 - 5 - 6 - 7 type: integer type: array hours: additionalProperties: false description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. type: object properties: end: description: The end of the time frame in 24-hour notation (`hh:mm`). type: string start: description: The start of the time frame in 24-hour notation (`hh:mm`). type: string required: - start - end timezone: description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. type: string required: - days - hours - timezone frequency: additionalProperties: false type: object properties: notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval type: string summary: description: Indicates whether the action is a summary. type: boolean throttle: description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - summary - notify_when - throttle group: description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. type: string id: description: The identifier for the connector saved object. type: string params: additionalProperties: {} default: {} description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. type: object use_alert_data_for_template: description: Indicates whether to use alert data as a template. type: boolean uuid: description: A universally unique identifier (UUID) for the action. type: string required: - id type: array alert_delay: additionalProperties: false description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. type: object properties: active: description: The number of consecutive runs that must meet the rule conditions. type: number required: - active artifacts: additionalProperties: false type: object properties: dashboards: items: additionalProperties: false type: object properties: id: type: string required: - id maxItems: 10 type: array investigation_guide: additionalProperties: false type: object properties: blob: maxLength: 10000 type: string required: - blob consumer: description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' type: string enabled: default: true description: Indicates whether you want to run the rule on an interval basis after it is created. type: boolean flapping: additionalProperties: false description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. nullable: true type: object properties: enabled: description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. type: boolean look_back_window: description: The minimum number of runs in which the threshold must be met. maximum: 20 minimum: 2 type: number status_change_threshold: description: The minimum number of times an alert must switch states in the look back window. maximum: 20 minimum: 2 type: number required: - look_back_window - status_change_threshold name: description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. type: string notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval nullable: true type: string params: additionalProperties: false description: The parameters for the transaction error rate rule. These parameters are appropriate when `rule_type_id` is `apm.transaction_error_rate`. properties: environment: type: string groupBy: items: type: string type: array searchConfiguration: additionalProperties: false type: object properties: query: additionalProperties: false type: object properties: language: type: string query: anyOf: - type: string - additionalProperties: {} type: object required: - query - language required: - query serviceName: type: string threshold: type: number transactionName: type: string transactionType: type: string useKqlFilter: type: boolean windowSize: type: number windowUnit: type: string required: - windowSize - windowUnit - threshold - environment title: Transaction Error Rate Rule Params type: object rule_type_id: enum: - apm.transaction_error_rate type: string schedule: additionalProperties: false description: The check interval, which specifies how frequently the rule conditions are checked. type: object properties: interval: description: The interval is specified in seconds, minutes, hours, or days. type: string required: - interval tags: default: [] description: The tags for the rule. items: type: string type: array throttle: description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - name - consumer - schedule - rule_type_id - params title: Transaction error rate type: object Kibana_HTTP_APIs_autoColor: additionalProperties: false description: Coloring determined at runtime based on chart defaults properties: type: enum: - auto type: string required: - type title: Auto Color type: object Kibana_HTTP_APIs_byteFormat: additionalProperties: false description: Data size format in bits or bytes, with optional decimal places and suffix. properties: decimals: default: 2 description: Number of decimal places to display. type: number suffix: description: Suffix appended to the formatted value. type: string type: description: 'Data size unit: `bits` or `bytes`.' enum: - bits - bytes type: string required: - type title: Byte Format type: object Kibana_HTTP_APIs_categoricalColorMapping: additionalProperties: false description: Palette color assignment for specific categorical values. Unmapped values receive the unassigned color. properties: mapping: items: additionalProperties: false type: object properties: color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorFromPalette' - $ref: '#/components/schemas/Kibana_HTTP_APIs_color_code' values: items: anyOf: - type: string - type: number - $ref: '#/components/schemas/Kibana_HTTP_APIs_range_key' - $ref: '#/components/schemas/Kibana_HTTP_APIs_multi_field_key' maxItems: 1000 type: array required: - values - color maxItems: 1000 type: array mode: enum: - categorical type: string palette: description: 'Color palette name. Accepted values: ''default'', ''elastic_line_optimized'', ''severity'', ''eui_amsterdam'', ''kibana_v7_legacy'', ''elastic_brand_2023''. Defaults to `default`.' type: string unassigned: $ref: '#/components/schemas/Kibana_HTTP_APIs_unassignedColorSchema' required: - mode - palette - mapping - unassigned title: Categorical Color Mapping type: object Kibana_HTTP_APIs_ClassicFieldDefinition: additionalProperties: $ref: '#/components/schemas/Kibana_HTTP_APIs_ClassicFieldDefinitionConfig' type: object Kibana_HTTP_APIs_ClassicFieldDefinitionConfig: allOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_RecursiveRecord' - anyOf: - additionalProperties: false type: object properties: description: type: string format: description: A non-empty string. minLength: 1 type: string type: enum: - keyword - match_only_text - long - double - date - boolean - ip - geo_point - integer - short - byte - float - half_float - text - wildcard - version - unsigned_long - date_nanos type: string required: - type - additionalProperties: false type: object properties: description: type: string type: enum: - system type: string required: - type Kibana_HTTP_APIs_ClassicStreamUpsertRequest: additionalProperties: false type: object properties: dashboards: items: type: string type: array queries: items: type: object properties: description: type: string esql: type: object properties: query: type: string required: - query evidence: items: type: string type: array id: description: A non-empty string. minLength: 1 type: string severity_score: type: number title: description: A non-empty string. minLength: 1 type: string required: - id - title - description - esql type: array rules: items: type: string type: array stream: additionalProperties: false type: object properties: description: type: string ingest: additionalProperties: false type: object properties: classic: additionalProperties: false type: object properties: field_overrides: $ref: '#/components/schemas/Kibana_HTTP_APIs_ClassicFieldDefinition' failure_store: $ref: '#/components/schemas/Kibana_HTTP_APIs_FailureStore' lifecycle: $ref: '#/components/schemas/Kibana_HTTP_APIs_IngestStreamLifecycle' processing: additionalProperties: false type: object properties: steps: items: $ref: '#/components/schemas/Kibana_HTTP_APIs_StreamlangStep' type: array updated_at: {} required: - steps settings: additionalProperties: false type: object properties: index.number_of_replicas: additionalProperties: false type: object properties: value: type: number required: - value index.number_of_shards: additionalProperties: false type: object properties: value: type: number required: - value index.refresh_interval: additionalProperties: false type: object properties: value: anyOf: - type: string - enum: - -1 type: number required: - value required: - lifecycle - processing - settings - failure_store - classic query_streams: items: type: object properties: name: type: string required: - name type: array type: enum: - classic type: string required: - description - ingest - type required: - dashboards - rules - queries - stream Kibana_HTTP_APIs_collapseBy: description: Aggregation function used to collapse a breakdown dimension into a single value. enum: - avg - sum - max - min title: collapseBy type: string x-oas-optional: true Kibana_HTTP_APIs_color_code: additionalProperties: false description: A color specified as a hex or CSS color code string. properties: type: enum: - color_code type: string value: description: The static color value to use. type: string required: - type - value title: Color Code type: object Kibana_HTTP_APIs_colorByValue: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValueAbsolute' - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValuePercentage' - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyColorByValue' description: Dynamic color mapping by numeric range, with support for absolute and percentage-based ranges. title: Color By Value Kibana_HTTP_APIs_colorByValueAbsolute: additionalProperties: false description: Color by absolute value configuration properties: range: enum: - absolute type: string steps: description: Array of ordered color steps defining the range each color is applied. items: additionalProperties: false type: object properties: color: description: The color to use for this step. type: string gte: description: The lower bound of range from which this color applies (inclusive). nullable: true type: number lt: description: The upper bound of range to which this color applies (exclusive). nullable: true type: number lte: description: The upper bound of range to which this color applies (inclusive). nullable: true type: number required: - color maxItems: 100 minItems: 1 type: array type: enum: - dynamic type: string required: - type - range - steps title: Color By Value (Absolute) type: object Kibana_HTTP_APIs_colorByValuePercentage: additionalProperties: false description: Color by percentage value configuration properties: range: enum: - percentage type: string steps: description: Array of ordered color steps defining the range each color is applied. items: additionalProperties: false type: object properties: color: description: The color to use for this step. type: string gte: description: The lower bound of range from which this color applies (inclusive). nullable: true type: number lt: description: The upper bound of range to which this color applies (exclusive). nullable: true type: number lte: description: The upper bound of range to which this color applies (inclusive). nullable: true type: number required: - color maxItems: 100 minItems: 1 type: array type: enum: - dynamic type: string required: - type - range - steps title: Color By Value (Percentage) type: object Kibana_HTTP_APIs_colorFromPalette: additionalProperties: false description: Color at a fixed index position in a named palette. properties: index: description: The index of the color in the palette. type: number palette: description: 'Color palette name. Accepted values: ''default'', ''elastic_line_optimized'', ''severity'', ''eui_amsterdam'', ''kibana_v7_legacy'', ''elastic_brand_2023''. Defaults to `default`.' type: string type: enum: - from_palette type: string required: - type - index title: Color From Palette type: object Kibana_HTTP_APIs_colorMapping: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_categoricalColorMapping' - $ref: '#/components/schemas/Kibana_HTTP_APIs_gradientColorMapping' description: Color mapping for dimension values, either categorical (for specific values) or as a gradient. title: Color Mapping x-oas-optional: true Kibana_HTTP_APIs_Condition: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_FilterCondition' - additionalProperties: false description: A logical AND that groups multiple conditions. type: object properties: and: description: An array of conditions. All sub-conditions must be true for this condition to be true. items: $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' type: array required: - and - additionalProperties: false description: A logical OR that groups multiple conditions. type: object properties: or: description: An array of conditions. At least one sub-condition must be true for this condition to be true. items: $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' type: array required: - or - additionalProperties: false description: A logical NOT that negates a condition. type: object properties: not: $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' description: A condition that negates another condition. required: - not - additionalProperties: false description: A condition that always evaluates to false. type: object properties: never: additionalProperties: false description: An empty object. This condition never matches. type: object properties: {} required: - never - additionalProperties: false description: A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered. type: object properties: always: additionalProperties: false description: An empty object. This condition always matches. type: object properties: {} required: - always description: The root condition object. It can be a simple filter or a combination of other conditions. Kibana_HTTP_APIs_ConditionWithSteps: allOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' - additionalProperties: false type: object properties: steps: items: $ref: '#/components/schemas/Kibana_HTTP_APIs_StreamlangStep' type: array required: - steps Kibana_HTTP_APIs_ContentPackIncludedObjects: anyOf: - additionalProperties: false type: object properties: objects: additionalProperties: false type: object properties: all: additionalProperties: false type: object properties: {} required: - all required: - objects - additionalProperties: false type: object properties: objects: additionalProperties: false type: object properties: mappings: type: boolean queries: items: type: object properties: id: type: string required: - id type: array routing: items: allOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_ContentPackIncludedObjects' - type: object properties: destination: type: string required: - destination type: array required: - mappings - queries - routing required: - objects Kibana_HTTP_APIs_core_status_redactedResponse: additionalProperties: false description: A minimal representation of Kibana's operational status. properties: status: additionalProperties: false type: object properties: overall: additionalProperties: false type: object properties: level: description: Service status levels as human and machine readable values. enum: - available - degraded - unavailable - critical type: string required: - level required: - overall required: - status title: core_status_redactedResponse type: object Kibana_HTTP_APIs_core_status_response: additionalProperties: false description: Kibana's operational status as well as a detailed breakdown of plugin statuses indication of various loads (like event loop utilization and network traffic) at time of request. properties: metrics: additionalProperties: false description: Metric groups collected by Kibana. type: object properties: collection_interval_in_millis: description: The interval at which metrics should be collected. type: number elasticsearch_client: additionalProperties: false description: Current network metrics of Kibana's Elasticsearch client. type: object properties: totalActiveSockets: description: Count of network sockets currently in use. type: number totalIdleSockets: description: Count of network sockets currently idle. type: number totalQueuedRequests: description: Count of requests not yet assigned to sockets. type: number required: - totalActiveSockets - totalIdleSockets - totalQueuedRequests last_updated: description: The time metrics were collected. type: string required: - elasticsearch_client - last_updated - collection_interval_in_millis name: description: Kibana instance name. type: string status: additionalProperties: false type: object properties: core: additionalProperties: false description: Statuses of core Kibana services. type: object properties: elasticsearch: additionalProperties: false type: object properties: detail: description: Human readable detail of the service status. type: string documentationUrl: description: A URL to further documentation regarding this service. type: string level: description: Service status levels as human and machine readable values. enum: - available - degraded - unavailable - critical type: string meta: additionalProperties: {} description: An unstructured set of extra metadata about this service. type: object summary: description: A human readable summary of the service status. type: string required: - level - summary - meta http: additionalProperties: false type: object properties: detail: description: Human readable detail of the service status. type: string documentationUrl: description: A URL to further documentation regarding this service. type: string level: description: Service status levels as human and machine readable values. enum: - available - degraded - unavailable - critical type: string meta: additionalProperties: {} description: An unstructured set of extra metadata about this service. type: object summary: description: A human readable summary of the service status. type: string required: - level - summary - meta savedObjects: additionalProperties: false type: object properties: detail: description: Human readable detail of the service status. type: string documentationUrl: description: A URL to further documentation regarding this service. type: string level: description: Service status levels as human and machine readable values. enum: - available - degraded - unavailable - critical type: string meta: additionalProperties: {} description: An unstructured set of extra metadata about this service. type: object summary: description: A human readable summary of the service status. type: string required: - level - summary - meta required: - elasticsearch - savedObjects overall: additionalProperties: false type: object properties: detail: description: Human readable detail of the service status. type: string documentationUrl: description: A URL to further documentation regarding this service. type: string level: description: Service status levels as human and machine readable values. enum: - available - degraded - unavailable - critical type: string meta: additionalProperties: {} description: An unstructured set of extra metadata about this service. type: object summary: description: A human readable summary of the service status. type: string required: - level - summary - meta plugins: additionalProperties: additionalProperties: false type: object properties: detail: description: Human readable detail of the service status. type: string documentationUrl: description: A URL to further documentation regarding this service. type: string level: description: Service status levels as human and machine readable values. enum: - available - degraded - unavailable - critical type: string meta: additionalProperties: {} description: An unstructured set of extra metadata about this service. type: object summary: description: A human readable summary of the service status. type: string required: - level - summary - meta description: A dynamic mapping of plugin ID to plugin status. type: object required: - overall - core - plugins uuid: description: Unique, generated Kibana instance UUID. This UUID should persist even if the Kibana process restarts. type: string version: additionalProperties: false type: object properties: build_date: description: The date and time of this build. type: string build_flavor: description: The build flavour determines configuration and behavior of Kibana. On premise users will almost always run the "traditional" flavour, while other flavours are reserved for Elastic-specific use cases. enum: - serverless - traditional type: string build_hash: description: A unique hash value representing the git commit of this Kibana build. type: string build_number: description: A monotonically increasing number, each subsequent build will have a higher number. type: number build_snapshot: description: Whether this build is a snapshot build. type: boolean number: description: A semantic version number. type: string required: - number - build_hash - build_number - build_snapshot - build_flavor - build_date required: - name - uuid - version - status - metrics title: core_status_response type: object Kibana_HTTP_APIs_counterRateOperation: additionalProperties: false properties: field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - counter_rate type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string required: - format - filter - time_scale - field - operation title: Counter Rate Operation type: object Kibana_HTTP_APIs_countMetricOperation: additionalProperties: false properties: empty_as_null: default: false description: When `true`, treats empty buckets as null instead of zero. type: boolean field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - count type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string required: - format - filter - time_scale - operation title: Count Metric Operation type: object Kibana_HTTP_APIs_cumulativeSumOperation: additionalProperties: false properties: field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - cumulative_sum type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string required: - format - filter - time_scale - field - operation title: Cumulative Sum Operation type: object Kibana_HTTP_APIs_customFormat: additionalProperties: false description: Custom format using a Kibana field format pattern string. properties: pattern: description: Kibana field format pattern string. type: string type: enum: - custom type: string required: - type - pattern title: Custom Format type: object Kibana_HTTP_APIs_datasetquality-degradeddocs-create-rule-body-alerting: additionalProperties: false properties: actions: default: [] items: additionalProperties: false description: An action that runs under defined conditions. type: object properties: alerts_filter: additionalProperties: false description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. type: object properties: query: additionalProperties: false type: object properties: dsl: description: A filter written in Elasticsearch Query Domain Specific Language (DSL). type: string filters: description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. items: additionalProperties: false type: object properties: $state: additionalProperties: false type: object properties: store: description: A filter can be either specific to an application context or applied globally. enum: - appState - globalState type: string required: - store meta: additionalProperties: {} type: object query: additionalProperties: {} type: object required: - meta type: array kql: description: A filter written in Kibana Query Language (KQL). type: string required: - kql - filters timeframe: additionalProperties: false description: Defines a period that limits whether the action runs. type: object properties: days: description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. items: enum: - 1 - 2 - 3 - 4 - 5 - 6 - 7 type: integer type: array hours: additionalProperties: false description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. type: object properties: end: description: The end of the time frame in 24-hour notation (`hh:mm`). type: string start: description: The start of the time frame in 24-hour notation (`hh:mm`). type: string required: - start - end timezone: description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. type: string required: - days - hours - timezone frequency: additionalProperties: false type: object properties: notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval type: string summary: description: Indicates whether the action is a summary. type: boolean throttle: description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - summary - notify_when - throttle group: description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. type: string id: description: The identifier for the connector saved object. type: string params: additionalProperties: {} default: {} description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. type: object use_alert_data_for_template: description: Indicates whether to use alert data as a template. type: boolean uuid: description: A universally unique identifier (UUID) for the action. type: string required: - id type: array alert_delay: additionalProperties: false description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. type: object properties: active: description: The number of consecutive runs that must meet the rule conditions. type: number required: - active artifacts: additionalProperties: false type: object properties: dashboards: items: additionalProperties: false type: object properties: id: type: string required: - id maxItems: 10 type: array investigation_guide: additionalProperties: false type: object properties: blob: maxLength: 10000 type: string required: - blob consumer: description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' type: string enabled: default: true description: Indicates whether you want to run the rule on an interval basis after it is created. type: boolean flapping: additionalProperties: false description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. nullable: true type: object properties: enabled: description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. type: boolean look_back_window: description: The minimum number of runs in which the threshold must be met. maximum: 20 minimum: 2 type: number status_change_threshold: description: The minimum number of times an alert must switch states in the look back window. maximum: 20 minimum: 2 type: number required: - look_back_window - status_change_threshold name: description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. type: string notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval nullable: true type: string params: additionalProperties: false description: The parameters for the degraded docs rule. These parameters are appropriate when `rule_type_id` is `datasetQuality.degradedDocs`. properties: comparator: type: string groupBy: items: type: string type: array searchConfiguration: additionalProperties: false type: object properties: index: type: string required: - index threshold: items: type: number type: array timeSize: type: number timeUnit: type: string required: - timeUnit - timeSize - threshold - comparator - searchConfiguration title: Degraded Docs Rule Params type: object rule_type_id: enum: - datasetQuality.degradedDocs type: string schedule: additionalProperties: false description: The check interval, which specifies how frequently the rule conditions are checked. type: object properties: interval: description: The interval is specified in seconds, minutes, hours, or days. type: string required: - interval tags: default: [] description: The tags for the rule. items: type: string type: array throttle: description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - name - consumer - schedule - rule_type_id - params title: Degraded docs type: object Kibana_HTTP_APIs_datatableDensity: additionalProperties: false description: Density configuration for the datatable. properties: height: additionalProperties: false type: object properties: header: anyOf: - additionalProperties: false type: object properties: type: enum: - auto type: string required: - type - additionalProperties: false type: object properties: max_lines: default: 3 maximum: 5 minimum: 1 type: number type: enum: - custom type: string required: - type description: Number of lines before the header is truncated. value: anyOf: - additionalProperties: false type: object properties: type: enum: - auto type: string required: - type - additionalProperties: false type: object properties: lines: default: 1 maximum: 20 minimum: 1 type: number type: enum: - custom type: string required: - type description: Number of lines to display per table body cell. mode: description: Display density mode. enum: - compact - default - expanded type: string title: datatableDensity type: object x-oas-optional: true Kibana_HTTP_APIs_datatableESQL: additionalProperties: false description: Datatable state configuration for ES|QL queries properties: data_source: $ref: '#/components/schemas/Kibana_HTTP_APIs_esqlDataSource' description: type: string drilldowns: items: anyOf: - additionalProperties: false properties: dashboard_id: type: string label: type: string open_in_new_tab: default: false description: When enabled, the dashboard opens in a new browser tab. type: boolean trigger: enum: - on_apply_filter type: string type: enum: - dashboard_drilldown type: string use_filters: default: true description: When enabled, filters are passed to the opening dashboard. type: boolean use_time_range: default: true description: When enabled, time range is passed to the opening dashboard. type: boolean required: - dashboard_id - label - trigger - type title: dashboard_drilldown type: object - additionalProperties: false properties: label: type: string open_in_new_tab: default: true type: boolean trigger: enum: - on_apply_filter type: string type: enum: - discover_drilldown type: string required: - label - trigger - type title: discover_drilldown type: object - additionalProperties: false properties: encode_url: default: true description: When true, URL is escaped using percent encoding type: boolean label: type: string open_in_new_tab: default: true type: boolean trigger: enum: - on_click_row - on_click_value - on_open_panel_menu - on_select_range type: string type: enum: - url_drilldown type: string url: description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable type: string required: - url - label - trigger - type title: url_drilldown type: object maxItems: 100 type: array filters: $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' hide_border: type: boolean hide_title: type: boolean ignore_global_filters: default: false description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. type: boolean metrics: description: Array of metrics to display as columns in the datatable items: $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableESQLMetric' maxItems: 1000 minItems: 1 type: array references: items: $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' type: array rows: description: Array of operations to split the datatable rows by items: additionalProperties: false type: object properties: alignment: description: Alignment of the rows. enum: - left - center - right type: string apply_color_to: description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' enum: - value - background - badge type: string click_filter: description: When `true`, enables one-click filtering on cell values. type: boolean collapse_by: $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' description: Color configuration for ESQL datatable rows. Use dynamic coloring for numeric data and categorical/gradient mode for categorical data. column: description: Column to use type: string format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string visible: description: When `false`, hides the column from the datatable. type: boolean width: description: Column width in pixels. minimum: 0 type: number required: - column - format - collapse_by maxItems: 50 minItems: 1 type: array sampling: default: 1 description: Sampling factor between 0 (no sampling) and 1 (full sampling). maximum: 1 minimum: 0 type: number split_metrics_by: description: Array of operations to split the metric columns by items: additionalProperties: false type: object properties: column: description: Column to use type: string format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string required: - column - format maxItems: 20 minItems: 1 type: array styling: $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableStyling' time_range: $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' title: type: string type: enum: - data_table type: string required: - type - filters - data_source - styling - time_range title: Datatable (ES|QL) type: object Kibana_HTTP_APIs_datatableESQLMetric: additionalProperties: false properties: alignment: description: Alignment of the columns. enum: - left - center - right type: string apply_color_to: description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' enum: - value - background - badge type: string color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' description: Color configuration for datatable metrics. Use dynamic coloring for numeric data and categorical/gradient mode for categorical data. column: description: Column to use type: string format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string summary: additionalProperties: false description: Summary row configuration type: object properties: label: description: Summary row label. type: string type: description: Type of summary function to apply to the column. enum: - sum - avg - count - min - max type: string required: - type visible: description: When `false`, hides the column from the datatable. type: boolean width: description: Column width in pixels. minimum: 0 type: number required: - column - format title: Datatable Metric (ES|QL) type: object Kibana_HTTP_APIs_datatableMetricCounterRate: additionalProperties: false properties: alignment: description: Alignment of the columns. enum: - left - center - right type: string apply_color_to: description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' enum: - value - background - badge type: string color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' description: Color configuration for datatable metrics. Use dynamic coloring for numeric data and categorical/gradient mode for categorical data. field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - counter_rate type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string summary: additionalProperties: false description: Summary row configuration type: object properties: label: description: Summary row label. type: string type: description: Type of summary function to apply to the column. enum: - sum - avg - count - min - max type: string required: - type time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string visible: description: When `false`, hides the column from the datatable. type: boolean width: description: Column width in pixels. minimum: 0 type: number required: - format - filter - time_scale - field - operation title: Counter Rate Operation type: object Kibana_HTTP_APIs_datatableMetricCountMetric: additionalProperties: false properties: alignment: description: Alignment of the columns. enum: - left - center - right type: string apply_color_to: description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' enum: - value - background - badge type: string color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' description: Color configuration for datatable metrics. Use dynamic coloring for numeric data and categorical/gradient mode for categorical data. empty_as_null: default: false description: When `true`, treats empty buckets as null instead of zero. type: boolean field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - count type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string summary: additionalProperties: false description: Summary row configuration type: object properties: label: description: Summary row label. type: string type: description: Type of summary function to apply to the column. enum: - sum - avg - count - min - max type: string required: - type time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string visible: description: When `false`, hides the column from the datatable. type: boolean width: description: Column width in pixels. minimum: 0 type: number required: - format - filter - time_scale - operation title: Count Metric Operation type: object Kibana_HTTP_APIs_datatableMetricCumulativeSum: additionalProperties: false properties: alignment: description: Alignment of the columns. enum: - left - center - right type: string apply_color_to: description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' enum: - value - background - badge type: string color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' description: Color configuration for datatable metrics. Use dynamic coloring for numeric data and categorical/gradient mode for categorical data. field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - cumulative_sum type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string summary: additionalProperties: false description: Summary row configuration type: object properties: label: description: Summary row label. type: string type: description: Type of summary function to apply to the column. enum: - sum - avg - count - min - max type: string required: - type time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string visible: description: When `false`, hides the column from the datatable. type: boolean width: description: Column width in pixels. minimum: 0 type: number required: - format - filter - time_scale - field - operation title: Cumulative Sum Operation type: object Kibana_HTTP_APIs_datatableMetricDifferences: additionalProperties: false properties: alignment: description: Alignment of the columns. enum: - left - center - right type: string apply_color_to: description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' enum: - value - background - badge type: string color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' description: Color configuration for datatable metrics. Use dynamic coloring for numeric data and categorical/gradient mode for categorical data. filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string of: $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' operation: enum: - differences type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string summary: additionalProperties: false description: Summary row configuration type: object properties: label: description: Summary row label. type: string type: description: Type of summary function to apply to the column. enum: - sum - avg - count - min - max type: string required: - type time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string visible: description: When `false`, hides the column from the datatable. type: boolean width: description: Column width in pixels. minimum: 0 type: number required: - format - filter - time_scale - operation - of title: Differences Operation type: object Kibana_HTTP_APIs_datatableMetricFormula: additionalProperties: false properties: alignment: description: Alignment of the columns. enum: - left - center - right type: string apply_color_to: description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' enum: - value - background - badge type: string color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' description: Color configuration for datatable metrics. Use dynamic coloring for numeric data and categorical/gradient mode for categorical data. filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' formula: description: Formula type: string label: description: Label for the operation type: string operation: enum: - formula type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string summary: additionalProperties: false description: Summary row configuration type: object properties: label: description: Summary row label. type: string type: description: Type of summary function to apply to the column. enum: - sum - avg - count - min - max type: string required: - type time_scale: description: Time scale enum: - s - m - h - d type: string visible: description: When `false`, hides the column from the datatable. type: boolean width: description: Column width in pixels. minimum: 0 type: number required: - format - operation - formula - filter title: Formula Operation type: object Kibana_HTTP_APIs_datatableMetricLastValue: additionalProperties: false properties: alignment: description: Alignment of the columns. enum: - left - center - right type: string apply_color_to: description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' enum: - value - background - badge type: string color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' description: Color configuration for datatable metrics. Use dynamic coloring for numeric data and categorical/gradient mode for categorical data. field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string multi_value: default: false description: Whether to return all values for multi-value fields. Only affects data table and metric charts; other charts use the last value from the array. type: boolean operation: enum: - last_value type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string summary: additionalProperties: false description: Summary row configuration type: object properties: label: description: Summary row label. type: string type: description: Type of summary function to apply to the column. enum: - sum - avg - count - min - max type: string required: - type time_field: description: Time field used to determine document recency type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string visible: description: When `false`, hides the column from the datatable. type: boolean width: description: Column width in pixels. minimum: 0 type: number required: - format - filter - time_scale - field - operation - time_field title: Last Value Operation type: object Kibana_HTTP_APIs_datatableMetricMovingAverage: additionalProperties: false properties: alignment: description: Alignment of the columns. enum: - left - center - right type: string apply_color_to: description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' enum: - value - background - badge type: string color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' description: Color configuration for datatable metrics. Use dynamic coloring for numeric data and categorical/gradient mode for categorical data. filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string of: $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' operation: enum: - moving_average type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string summary: additionalProperties: false description: Summary row configuration type: object properties: label: description: Summary row label. type: string type: description: Type of summary function to apply to the column. enum: - sum - avg - count - min - max type: string required: - type time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string visible: description: When `false`, hides the column from the datatable. type: boolean width: description: Column width in pixels. minimum: 0 type: number window: default: 5 description: Window type: number required: - format - filter - time_scale - operation - of title: Moving Average Operation type: object Kibana_HTTP_APIs_datatableMetricPercentile: additionalProperties: false properties: alignment: description: Alignment of the columns. enum: - left - center - right type: string apply_color_to: description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' enum: - value - background - badge type: string color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' description: Color configuration for datatable metrics. Use dynamic coloring for numeric data and categorical/gradient mode for categorical data. field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - percentile type: string percentile: default: 95 description: Percentile type: number reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string summary: additionalProperties: false description: Summary row configuration type: object properties: label: description: Summary row label. type: string type: description: Type of summary function to apply to the column. enum: - sum - avg - count - min - max type: string required: - type time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string visible: description: When `false`, hides the column from the datatable. type: boolean width: description: Column width in pixels. minimum: 0 type: number required: - format - filter - time_scale - field - operation title: Percentile Operation type: object Kibana_HTTP_APIs_datatableMetricPercentileRanks: additionalProperties: false properties: alignment: description: Alignment of the columns. enum: - left - center - right type: string apply_color_to: description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' enum: - value - background - badge type: string color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' description: Color configuration for datatable metrics. Use dynamic coloring for numeric data and categorical/gradient mode for categorical data. field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - percentile_rank type: string rank: default: 0 description: Percentile Rank type: number reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string summary: additionalProperties: false description: Summary row configuration type: object properties: label: description: Summary row label. type: string type: description: Type of summary function to apply to the column. enum: - sum - avg - count - min - max type: string required: - type time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string visible: description: When `false`, hides the column from the datatable. type: boolean width: description: Column width in pixels. minimum: 0 type: number required: - format - filter - time_scale - field - operation title: Percentile Ranks Operation type: object Kibana_HTTP_APIs_datatableMetricStatsMetric: additionalProperties: false properties: alignment: description: Alignment of the columns. enum: - left - center - right type: string apply_color_to: description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' enum: - value - background - badge type: string color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' description: Color configuration for datatable metrics. Use dynamic coloring for numeric data and categorical/gradient mode for categorical data. field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - min - max - average - median - standard_deviation type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string summary: additionalProperties: false description: Summary row configuration type: object properties: label: description: Summary row label. type: string type: description: Type of summary function to apply to the column. enum: - sum - avg - count - min - max type: string required: - type time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string visible: description: When `false`, hides the column from the datatable. type: boolean width: description: Column width in pixels. minimum: 0 type: number required: - format - filter - time_scale - field - operation title: Stats Metric Operation type: object Kibana_HTTP_APIs_datatableMetricSumMetric: additionalProperties: false properties: alignment: description: Alignment of the columns. enum: - left - center - right type: string apply_color_to: description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' enum: - value - background - badge type: string color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' description: Color configuration for datatable metrics. Use dynamic coloring for numeric data and categorical/gradient mode for categorical data. empty_as_null: default: false description: When `true`, treats empty buckets as null instead of zero. type: boolean field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - sum type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string summary: additionalProperties: false description: Summary row configuration type: object properties: label: description: Summary row label. type: string type: description: Type of summary function to apply to the column. enum: - sum - avg - count - min - max type: string required: - type time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string visible: description: When `false`, hides the column from the datatable. type: boolean width: description: Column width in pixels. minimum: 0 type: number required: - format - filter - time_scale - field - operation title: Sum Metric Operation type: object Kibana_HTTP_APIs_datatableMetricUniqueCountMetric: additionalProperties: false properties: alignment: description: Alignment of the columns. enum: - left - center - right type: string apply_color_to: description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' enum: - value - background - badge type: string color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' description: Color configuration for datatable metrics. Use dynamic coloring for numeric data and categorical/gradient mode for categorical data. empty_as_null: default: false description: When `true`, treats empty buckets as null instead of zero. type: boolean field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - unique_count type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string summary: additionalProperties: false description: Summary row configuration type: object properties: label: description: Summary row label. type: string type: description: Type of summary function to apply to the column. enum: - sum - avg - count - min - max type: string required: - type time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string visible: description: When `false`, hides the column from the datatable. type: boolean width: description: Column width in pixels. minimum: 0 type: number required: - format - filter - time_scale - field - operation title: Unique Count Metric Operation type: object Kibana_HTTP_APIs_datatableNoESQL: additionalProperties: false description: Datatable state configuration for standard queries properties: data_source: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-reference-schema' - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-spec-schema' description: type: string drilldowns: items: anyOf: - additionalProperties: false properties: dashboard_id: type: string label: type: string open_in_new_tab: default: false description: When enabled, the dashboard opens in a new browser tab. type: boolean trigger: enum: - on_apply_filter type: string type: enum: - dashboard_drilldown type: string use_filters: default: true description: When enabled, filters are passed to the opening dashboard. type: boolean use_time_range: default: true description: When enabled, time range is passed to the opening dashboard. type: boolean required: - dashboard_id - label - trigger - type title: dashboard_drilldown type: object - additionalProperties: false properties: label: type: string open_in_new_tab: default: true type: boolean trigger: enum: - on_apply_filter type: string type: enum: - discover_drilldown type: string required: - label - trigger - type title: discover_drilldown type: object - additionalProperties: false properties: encode_url: default: true description: When true, URL is escaped using percent encoding type: boolean label: type: string open_in_new_tab: default: true type: boolean trigger: enum: - on_click_row - on_click_value - on_open_panel_menu - on_select_range type: string type: enum: - url_drilldown type: string url: description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable type: string required: - url - label - trigger - type title: url_drilldown type: object maxItems: 100 type: array filters: $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' hide_border: type: boolean hide_title: type: boolean ignore_global_filters: default: false description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. type: boolean metrics: description: Array of metrics to display as columns in the datatable items: anyOf: - anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableMetricCountMetric' - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableMetricUniqueCountMetric' - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableMetricStatsMetric' - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableMetricSumMetric' - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableMetricLastValue' - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableMetricPercentile' - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableMetricPercentileRanks' - anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableMetricDifferences' - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableMetricMovingAverage' - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableMetricCumulativeSum' - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableMetricCounterRate' - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableMetricFormula' maxItems: 1000 minItems: 1 type: array query: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' references: items: $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' type: array rows: description: Array of operations to split the datatable rows by items: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableRowDateHistogram' - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableRowTerms' - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableRowHistogram' - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableRowRanges' - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableRowFilters' maxItems: 50 minItems: 1 type: array sampling: default: 1 description: Sampling factor between 0 (no sampling) and 1 (full sampling). maximum: 1 minimum: 0 type: number split_metrics_by: description: Array of operations to split the metric columns by items: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_dateHistogramOperation' - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsOperation' - $ref: '#/components/schemas/Kibana_HTTP_APIs_histogramOperation' - $ref: '#/components/schemas/Kibana_HTTP_APIs_rangesOperation' - $ref: '#/components/schemas/Kibana_HTTP_APIs_filtersOperation' description: Breakdown dimension configuration using date histogram, terms, numeric histogram, value ranges, or custom filters. title: Breakdown Operation maxItems: 20 minItems: 1 type: array styling: $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableStyling' time_range: $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' title: type: string type: enum: - data_table type: string required: - type - filters - query - data_source - styling - metrics - time_range title: Datatable (DSL) type: object Kibana_HTTP_APIs_datatableRowDateHistogram: additionalProperties: false properties: alignment: description: Alignment of the rows. enum: - left - center - right type: string apply_color_to: description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' enum: - value - background - badge type: string click_filter: description: When `true`, enables one-click filtering on cell values. type: boolean collapse_by: $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' drop_partial_intervals: description: When `true`, drops partial intervals from the results. type: boolean field: description: Field to be used for the date histogram. type: string include_empty_rows: default: true description: When `true`, includes empty rows in the results. type: boolean label: description: Label for the operation type: string operation: enum: - date_histogram type: string suggested_interval: default: auto description: Suggested time interval. type: string use_original_time_range: default: false description: When `true`, uses the original time range instead of the current query time range. type: boolean visible: description: When `false`, hides the column from the datatable. type: boolean width: description: Column width in pixels. minimum: 0 type: number required: - operation - field - collapse_by title: Date Histogram Operation type: object Kibana_HTTP_APIs_datatableRowFilters: additionalProperties: false properties: alignment: description: Alignment of the rows. enum: - left - center - right type: string apply_color_to: description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' enum: - value - background - badge type: string click_filter: description: When `true`, enables one-click filtering on cell values. type: boolean collapse_by: $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' filters: items: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterWithLabel' maxItems: 100 type: array label: description: Label for the operation type: string operation: enum: - filters type: string visible: description: When `false`, hides the column from the datatable. type: boolean width: description: Column width in pixels. minimum: 0 type: number required: - operation - filters - collapse_by title: Filters Operation type: object Kibana_HTTP_APIs_datatableRowHistogram: additionalProperties: false properties: alignment: description: Alignment of the rows. enum: - left - center - right type: string apply_color_to: description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' enum: - value - background - badge type: string click_filter: description: When `true`, enables one-click filtering on cell values. type: boolean collapse_by: $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' field: description: Field to be used for the histogram. type: string format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' granularity: anyOf: - description: Granularity of the histogram. maximum: 7 minimum: 1 type: number - enum: - auto type: string default: auto include_empty_rows: default: true description: When `true`, includes empty rows in the results. type: boolean label: description: Label for the operation type: string operation: enum: - histogram type: string visible: description: When `false`, hides the column from the datatable. type: boolean width: description: Column width in pixels. minimum: 0 type: number required: - operation - format - field - collapse_by title: Histogram Operation type: object Kibana_HTTP_APIs_datatableRowRanges: additionalProperties: false properties: alignment: description: Alignment of the rows. enum: - left - center - right type: string apply_color_to: description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' enum: - value - background - badge type: string click_filter: description: When `true`, enables one-click filtering on cell values. type: boolean collapse_by: $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' field: description: Field to be used for the range. type: string format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - range type: string ranges: items: additionalProperties: false type: object properties: gt: description: Greater than. type: number label: description: Label. type: string lte: description: Less than or equal to. type: number maxItems: 100 type: array visible: description: When `false`, hides the column from the datatable. type: boolean width: description: Column width in pixels. minimum: 0 type: number required: - operation - format - field - ranges - collapse_by title: Ranges Operation type: object Kibana_HTTP_APIs_datatableRowTerms: additionalProperties: false properties: alignment: description: Alignment of the rows. enum: - left - center - right type: string apply_color_to: description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' enum: - value - background - badge type: string click_filter: description: When `true`, enables one-click filtering on cell values. type: boolean collapse_by: $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' excludes: additionalProperties: false type: object properties: as_regex: description: When `true`, treats the values as regular expressions. type: boolean values: items: description: Values to exclude. type: string maxItems: 100 type: array required: - values fields: items: description: Fields to be used for the terms. type: string maxItems: 4 minItems: 1 type: array format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' includes: additionalProperties: false type: object properties: as_regex: description: When `true`, treats the values as regular expressions. type: boolean values: items: description: Values to include. type: string maxItems: 100 type: array required: - values increase_accuracy: description: When `true`, increases accuracy at the cost of performance. type: boolean label: description: Label for the operation type: string limit: default: 5 description: Number of terms to return. type: number operation: enum: - terms type: string other_bucket: additionalProperties: false type: object properties: include_documents_without_field: description: When `true`, includes documents that do not have the specified field. type: boolean required: - include_documents_without_field rank_by: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByAlphabetical' - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByRare' - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankBySignificant' - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByMetric' - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomOperation' - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomCountOperation' - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileOperation' - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileRankOperation' visible: description: When `false`, hides the column from the datatable. type: boolean width: description: Column width in pixels. minimum: 0 type: number required: - operation - format - fields - collapse_by title: Terms Operation type: object Kibana_HTTP_APIs_datatableStyling: additionalProperties: false description: Visual chart styling options properties: density: $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableDensity' paging: description: Rows per page. When set, pagination is enabled with the specified number of rows. enum: - 10 - 20 - 30 - 50 - 100 type: integer row_numbers: additionalProperties: false description: Configuration for row numbers type: object properties: visible: description: When `true`, displays row numbers. type: boolean required: - visible sort_by: anyOf: - additionalProperties: false description: Sort by a metric or row column type: object properties: column_type: description: Type of column to sort by. enum: - metric - row type: string direction: $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_direction' index: description: Index of the column or row to sort by (0-based). minimum: 0 type: number required: - column_type - index - direction - additionalProperties: false description: Sort by a pivoted metric column (created when metrics are pivoted by split_metrics_by) type: object properties: column_type: enum: - pivoted_metric type: string direction: $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_direction' index: description: 0-based index into the "metrics" array for the metric to sort; use "values" to identify the pivoted column minimum: 0 type: number values: description: Array of pivot values, one for each split_metrics_by column in order items: type: string maxItems: 20 minItems: 1 type: array required: - column_type - index - values - direction description: Sorting configuration. Only one column can be sorted at a time. Use "column_type" to specify the column type. required: - density title: Datatable styling type: object x-oas-optional: true Kibana_HTTP_APIs_dateHistogramOperation: additionalProperties: false properties: drop_partial_intervals: description: When `true`, drops partial intervals from the results. type: boolean field: description: Field to be used for the date histogram. type: string include_empty_rows: default: true description: When `true`, includes empty rows in the results. type: boolean label: description: Label for the operation type: string operation: enum: - date_histogram type: string suggested_interval: default: auto description: Suggested time interval. type: string use_original_time_range: default: false description: When `true`, uses the original time range instead of the current query time range. type: boolean required: - operation - field title: Date Histogram Operation type: object Kibana_HTTP_APIs_differencesOperation: additionalProperties: false properties: filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string of: $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' operation: enum: - differences type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string required: - format - filter - time_scale - operation - of title: Differences Operation type: object Kibana_HTTP_APIs_durationFormat: additionalProperties: false description: Duration format between time units. properties: from: description: Source time unit for conversion, for example `milliseconds`, `seconds`, `minutes`, `hours`, or `days`. type: string suffix: description: Suffix appended to the formatted value. type: string to: description: Display time unit after conversion, for example `seconds`, `minutes`, `hours`, or `days`. type: string type: enum: - duration type: string required: - type - from - to title: Duration Format type: object Kibana_HTTP_APIs_es-query-create-rule-body-alerting: additionalProperties: false properties: actions: default: [] items: additionalProperties: false description: An action that runs under defined conditions. type: object properties: alerts_filter: additionalProperties: false description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. type: object properties: query: additionalProperties: false type: object properties: dsl: description: A filter written in Elasticsearch Query Domain Specific Language (DSL). type: string filters: description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. items: additionalProperties: false type: object properties: $state: additionalProperties: false type: object properties: store: description: A filter can be either specific to an application context or applied globally. enum: - appState - globalState type: string required: - store meta: additionalProperties: {} type: object query: additionalProperties: {} type: object required: - meta type: array kql: description: A filter written in Kibana Query Language (KQL). type: string required: - kql - filters timeframe: additionalProperties: false description: Defines a period that limits whether the action runs. type: object properties: days: description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. items: enum: - 1 - 2 - 3 - 4 - 5 - 6 - 7 type: integer type: array hours: additionalProperties: false description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. type: object properties: end: description: The end of the time frame in 24-hour notation (`hh:mm`). type: string start: description: The start of the time frame in 24-hour notation (`hh:mm`). type: string required: - start - end timezone: description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. type: string required: - days - hours - timezone frequency: additionalProperties: false type: object properties: notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval type: string summary: description: Indicates whether the action is a summary. type: boolean throttle: description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - summary - notify_when - throttle group: description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. type: string id: description: The identifier for the connector saved object. type: string params: additionalProperties: {} default: {} description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. type: object use_alert_data_for_template: description: Indicates whether to use alert data as a template. type: boolean uuid: description: A universally unique identifier (UUID) for the action. type: string required: - id type: array alert_delay: additionalProperties: false description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. type: object properties: active: description: The number of consecutive runs that must meet the rule conditions. type: number required: - active artifacts: additionalProperties: false type: object properties: dashboards: items: additionalProperties: false type: object properties: id: type: string required: - id maxItems: 10 type: array investigation_guide: additionalProperties: false type: object properties: blob: maxLength: 10000 type: string required: - blob consumer: description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' type: string enabled: default: true description: Indicates whether you want to run the rule on an interval basis after it is created. type: boolean flapping: additionalProperties: false description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. nullable: true type: object properties: enabled: description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. type: boolean look_back_window: description: The minimum number of runs in which the threshold must be met. maximum: 20 minimum: 2 type: number status_change_threshold: description: The minimum number of times an alert must switch states in the look back window. maximum: 20 minimum: 2 type: number required: - look_back_window - status_change_threshold name: description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. type: string notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval nullable: true type: string params: additionalProperties: false description: The parameters for the ES query rule. These parameters are appropriate when `rule_type_id` is `.es-query`. properties: aggField: description: The name of the numeric field that is used in the aggregation. This property is required when `aggType` is `avg`, `max`, `min` or `sum`. minLength: 1 type: string aggType: default: count description: The type of aggregation to perform. type: string esqlQuery: anyOf: - items: {} type: array - type: boolean - type: number - type: object - type: string description: The query definition in Elasticsearch Query Language. nullable: true oneOf: - additionalProperties: false type: object properties: esql: minLength: 1 type: string required: - esql - not: {} esQuery: anyOf: - items: {} type: array - type: boolean - type: number - type: object - type: string nullable: true oneOf: - minLength: 1 type: string - not: {} excludeHitsFromPreviousRun: default: true description: Indicates whether to exclude matches from previous runs. If `true`, you can avoid alert duplication by excluding documents that have already been detected by the previous rule run. This option is not available when a grouping field is specified. type: boolean groupBy: default: all description: Indicates whether the aggregation is applied over all documents (`all`), grouped by row (`row`), or split into groups (`top`) using a grouping field (`termField`) where only the top groups (up to `termSize` number of groups) are checked. If grouping is used, an alert will be created for each group when it exceeds the threshold. type: string index: anyOf: - items: {} type: array - type: boolean - type: number - type: object - type: string description: The indices to query. nullable: true oneOf: - items: minLength: 1 type: string minItems: 1 type: array - not: {} searchConfiguration: anyOf: - items: {} type: array - type: boolean - type: number - type: object - type: string description: The query definition, which uses KQL or Lucene to fetch the documents from Elasticsearch. nullable: true oneOf: - additionalProperties: true type: object properties: {} - not: {} searchType: default: esQuery description: 'The type of query For example: `esQuery` for Elasticsearch Query DSL or `esqlQuery` for Elasticsearch Query Language (ES|QL).' enum: - searchSource - esQuery - esqlQuery type: string size: description: The number of documents to pass to the configured actions when the threshold condition is met. maximum: 10000 minimum: 0 type: number sourceFields: description: The sourceFields param is ignored. items: additionalProperties: false type: object properties: label: type: string searchPath: type: string required: - label - searchPath maxItems: 5 type: array termField: anyOf: - minLength: 1 type: string - items: type: string maxItems: 4 minItems: 2 type: array description: The names of up to four fields that are used for grouping the aggregation. This property is required when `groupBy` is `top`. termSize: description: This property is required when `groupBy` is `top`. It specifies the number of groups to check against the threshold and therefore limits the number of alerts on high cardinality fields. minimum: 1 type: number threshold: items: description: The threshold value that is used with the `thresholdComparator`. If the `thresholdComparator` is `between` or `notBetween`, you must specify the boundary values. type: number maxItems: 2 minItems: 1 type: array thresholdComparator: description: 'The comparison function for the threshold. For example: greater than, less than, greater than or equal to, between, or not between.' enum: - '>' - < - '>=' - <= - between - notBetween type: string timeField: anyOf: - items: {} type: array - type: boolean - type: number - type: object - type: string description: The field that is used to calculate the time window. nullable: true oneOf: - minLength: 1 type: string - minLength: 1 type: string x-oas-optional: true timeWindowSize: description: The size of the time window (in `timeWindowUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection. minimum: 1 type: number timeWindowUnit: description: 'The type of units for the time window. For example: seconds, minutes, hours, or days.' type: string required: - size - timeWindowSize - timeWindowUnit - threshold - thresholdComparator - timeField - searchConfiguration - esQuery - index - esqlQuery title: ES Query Rule Params type: object rule_type_id: enum: - .es-query type: string schedule: additionalProperties: false description: The check interval, which specifies how frequently the rule conditions are checked. type: object properties: interval: description: The interval is specified in seconds, minutes, hours, or days. type: string required: - interval tags: default: [] description: The tags for the rule. items: type: string type: array throttle: description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - name - consumer - schedule - rule_type_id - params title: ES query type: object Kibana_HTTP_APIs_esqlDataSource: additionalProperties: false description: Uses an ES|QL query as the data source. The query is executed at render time; resulting columns are available as fields. properties: query: description: 'An ES|QL query that drives the data source. The query must produce a tabular result set; column names are used as field references. Example: "FROM logs-* | STATS count = COUNT(*) BY host.name".' type: string type: enum: - esql type: string required: - type - query title: ES|QL Data Source type: object Kibana_HTTP_APIs_FailureStore: anyOf: - additionalProperties: false type: object properties: inherit: additionalProperties: false type: object properties: {} required: - inherit - additionalProperties: false type: object properties: disabled: additionalProperties: false type: object properties: {} required: - disabled - additionalProperties: false type: object properties: lifecycle: additionalProperties: false type: object properties: enabled: additionalProperties: false type: object properties: data_retention: description: A non-empty string. minLength: 1 type: string required: - enabled required: - lifecycle - additionalProperties: false type: object properties: lifecycle: additionalProperties: false type: object properties: disabled: additionalProperties: false type: object properties: {} required: - disabled required: - lifecycle Kibana_HTTP_APIs_FieldDefinition: additionalProperties: $ref: '#/components/schemas/Kibana_HTTP_APIs_FieldDefinitionConfig' type: object Kibana_HTTP_APIs_FieldDefinitionConfig: allOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_RecursiveRecord' - anyOf: - additionalProperties: false type: object properties: description: type: string format: description: A non-empty string. minLength: 1 type: string type: enum: - keyword - match_only_text - long - double - date - boolean - ip - geo_point - integer - short - byte - float - half_float - text - wildcard - version - unsigned_long - date_nanos type: string required: - type - additionalProperties: false type: object properties: description: type: string format: not: {} type: not: {} required: - description - additionalProperties: false type: object properties: description: type: string type: enum: - system type: string required: - type Kibana_HTTP_APIs_fieldMetricOperations: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_countMetricOperation' - $ref: '#/components/schemas/Kibana_HTTP_APIs_uniqueCountMetricOperation' - $ref: '#/components/schemas/Kibana_HTTP_APIs_minMaxAvgMedianStdDevMetricOperation' - $ref: '#/components/schemas/Kibana_HTTP_APIs_sumMetricOperation' - $ref: '#/components/schemas/Kibana_HTTP_APIs_lastValueOperation' - $ref: '#/components/schemas/Kibana_HTTP_APIs_percentileOperation' - $ref: '#/components/schemas/Kibana_HTTP_APIs_percentileRanksOperation' title: Field Metric Operations Kibana_HTTP_APIs_FilterCondition: anyOf: - additionalProperties: false description: A condition that compares a field to a value or range using an operator as the key. type: object properties: contains: anyOf: - type: string - type: number - type: boolean description: Contains comparison value. endsWith: anyOf: - type: string - type: number - type: boolean description: Ends-with comparison value. eq: anyOf: - type: string - type: number - type: boolean description: Equality comparison value. field: description: The document field to filter on. minLength: 1 type: string gt: anyOf: - type: string - type: number - type: boolean description: Greater-than comparison value. gte: anyOf: - type: string - type: number - type: boolean description: Greater-than-or-equal comparison value. includes: anyOf: - type: string - type: number - type: boolean description: Checks if multivalue field includes the value. lt: anyOf: - type: string - type: number - type: boolean description: Less-than comparison value. lte: anyOf: - type: string - type: number - type: boolean description: Less-than-or-equal comparison value. neq: anyOf: - type: string - type: number - type: boolean description: Inequality comparison value. range: additionalProperties: false description: Range comparison values. type: object properties: gt: anyOf: - type: string - type: number - type: boolean description: A value that can be a string, number, or boolean. gte: anyOf: - type: string - type: number - type: boolean description: A value that can be a string, number, or boolean. lt: anyOf: - type: string - type: number - type: boolean description: A value that can be a string, number, or boolean. lte: anyOf: - type: string - type: number - type: boolean description: A value that can be a string, number, or boolean. startsWith: anyOf: - type: string - type: number - type: boolean description: Starts-with comparison value. required: - field - additionalProperties: false description: A condition that checks for the existence or non-existence of a field. type: object properties: exists: description: Indicates whether the field exists or not. type: boolean field: description: The document field to check. minLength: 1 type: string required: - field description: A basic filter condition, either unary or binary. Kibana_HTTP_APIs_filterSimple: additionalProperties: false description: A KQL or Lucene query that filters panel data. Applied on top of any dashboard-level filters. properties: expression: description: A query expression in KQL or Lucene syntax type: string language: default: kql description: 'Query language: `kql` (Kibana Query Language) or `lucene`. Defaults to `kql`.' enum: - kql - lucene type: string required: - expression title: Filter type: object Kibana_HTTP_APIs_filtersOperation: additionalProperties: false properties: filters: items: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterWithLabel' maxItems: 100 type: array label: description: Label for the operation type: string operation: enum: - filters type: string required: - operation - filters title: Filters Operation type: object Kibana_HTTP_APIs_filterWithLabel: additionalProperties: false description: A KQL or Lucene filter with an optional display label. properties: filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' label: description: Label for the filter type: string required: - filter title: Filter with Label type: object Kibana_HTTP_APIs_formatType: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_numericFormat' - $ref: '#/components/schemas/Kibana_HTTP_APIs_byteFormat' - $ref: '#/components/schemas/Kibana_HTTP_APIs_durationFormat' - $ref: '#/components/schemas/Kibana_HTTP_APIs_customFormat' description: Number display format for the dimension value. title: Format Type x-oas-optional: true Kibana_HTTP_APIs_formulaOperation: additionalProperties: false properties: filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' formula: description: Formula type: string label: description: Label for the operation type: string operation: enum: - formula type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: description: Time scale enum: - s - m - h - d type: string required: - format - operation - formula - filter title: Formula Operation type: object Kibana_HTTP_APIs_gaugeESQL: additionalProperties: false description: Gauge configuration using an ES|QL query. properties: data_source: $ref: '#/components/schemas/Kibana_HTTP_APIs_esqlDataSource' description: type: string drilldowns: items: anyOf: - additionalProperties: false properties: dashboard_id: type: string label: type: string open_in_new_tab: default: false description: When enabled, the dashboard opens in a new browser tab. type: boolean trigger: enum: - on_apply_filter type: string type: enum: - dashboard_drilldown type: string use_filters: default: true description: When enabled, filters are passed to the opening dashboard. type: boolean use_time_range: default: true description: When enabled, time range is passed to the opening dashboard. type: boolean required: - dashboard_id - label - trigger - type title: dashboard_drilldown type: object - additionalProperties: false properties: label: type: string open_in_new_tab: default: true type: boolean trigger: enum: - on_apply_filter type: string type: enum: - discover_drilldown type: string required: - label - trigger - type title: discover_drilldown type: object - additionalProperties: false properties: encode_url: default: true description: When true, URL is escaped using percent encoding type: boolean label: type: string open_in_new_tab: default: true type: boolean trigger: enum: - on_click_row - on_click_value - on_open_panel_menu - on_select_range type: string type: enum: - url_drilldown type: string url: description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable type: string required: - url - label - trigger - type title: url_drilldown type: object maxItems: 100 type: array filters: $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' hide_border: type: boolean hide_title: type: boolean ignore_global_filters: default: false description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. type: boolean metric: additionalProperties: false type: object properties: color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' description: Color configuration for the gauge fill. column: description: Column to use type: string format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' goal: additionalProperties: false type: object properties: column: description: Column to use type: string label: description: Label for the operation type: string required: - column label: description: Label for the operation type: string max: additionalProperties: false type: object properties: column: description: Column to use type: string label: description: Label for the operation type: string required: - column min: additionalProperties: false type: object properties: column: description: Column to use type: string label: description: Label for the operation type: string required: - column subtitle: description: Subtitle below the gauge value. type: string ticks: additionalProperties: false description: Ticks configuration type: object properties: mode: description: Tick placement mode. enum: - auto - bands type: string visible: description: When `true`, displays tick marks on the gauge. type: boolean title: additionalProperties: false description: Title configuration type: object properties: text: description: Title text. type: string visible: description: When `true`, displays the title. type: boolean required: - column - format references: items: $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' type: array sampling: default: 1 description: Sampling factor between 0 (no sampling) and 1 (full sampling). maximum: 1 minimum: 0 type: number styling: $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeStyling' time_range: $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' title: type: string type: enum: - gauge type: string required: - type - filters - data_source - styling - metric - time_range title: Gauge Chart (ES|QL) type: object Kibana_HTTP_APIs_gaugeMetricCountMetric: additionalProperties: false properties: color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' description: Color configuration for the gauge fill. empty_as_null: default: false description: When `true`, treats empty buckets as null instead of zero. type: boolean field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' goal: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. title: Field Metric, Static Value, or Formula Operation label: description: Label for the operation type: string max: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. title: Field Metric, Static Value, or Formula Operation min: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. title: Field Metric, Static Value, or Formula Operation operation: enum: - count type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string subtitle: description: Subtitle below the gauge value. type: string ticks: additionalProperties: false description: Ticks configuration type: object properties: mode: description: Tick placement mode. enum: - auto - bands type: string visible: description: When `true`, displays tick marks on the gauge. type: boolean time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string title: additionalProperties: false description: Title configuration type: object properties: text: description: Title text. type: string visible: description: When `true`, displays the title. type: boolean required: - format - filter - time_scale - operation title: Count Metric Operation type: object Kibana_HTTP_APIs_gaugeMetricFormula: additionalProperties: false properties: color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' description: Color configuration for the gauge fill. filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' formula: description: Formula type: string goal: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. title: Field Metric, Static Value, or Formula Operation label: description: Label for the operation type: string max: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. title: Field Metric, Static Value, or Formula Operation min: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. title: Field Metric, Static Value, or Formula Operation operation: enum: - formula type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string subtitle: description: Subtitle below the gauge value. type: string ticks: additionalProperties: false description: Ticks configuration type: object properties: mode: description: Tick placement mode. enum: - auto - bands type: string visible: description: When `true`, displays tick marks on the gauge. type: boolean time_scale: description: Time scale enum: - s - m - h - d type: string title: additionalProperties: false description: Title configuration type: object properties: text: description: Title text. type: string visible: description: When `true`, displays the title. type: boolean required: - format - operation - formula - filter title: Formula Operation type: object Kibana_HTTP_APIs_gaugeMetricLastValue: additionalProperties: false properties: color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' description: Color configuration for the gauge fill. field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' goal: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. title: Field Metric, Static Value, or Formula Operation label: description: Label for the operation type: string max: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. title: Field Metric, Static Value, or Formula Operation min: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. title: Field Metric, Static Value, or Formula Operation multi_value: default: false description: Whether to return all values for multi-value fields. Only affects data table and metric charts; other charts use the last value from the array. type: boolean operation: enum: - last_value type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string subtitle: description: Subtitle below the gauge value. type: string ticks: additionalProperties: false description: Ticks configuration type: object properties: mode: description: Tick placement mode. enum: - auto - bands type: string visible: description: When `true`, displays tick marks on the gauge. type: boolean time_field: description: Time field used to determine document recency type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string title: additionalProperties: false description: Title configuration type: object properties: text: description: Title text. type: string visible: description: When `true`, displays the title. type: boolean required: - format - filter - time_scale - field - operation - time_field title: Last Value Operation type: object Kibana_HTTP_APIs_gaugeMetricPercentile: additionalProperties: false properties: color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' description: Color configuration for the gauge fill. field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' goal: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. title: Field Metric, Static Value, or Formula Operation label: description: Label for the operation type: string max: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. title: Field Metric, Static Value, or Formula Operation min: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. title: Field Metric, Static Value, or Formula Operation operation: enum: - percentile type: string percentile: default: 95 description: Percentile type: number reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string subtitle: description: Subtitle below the gauge value. type: string ticks: additionalProperties: false description: Ticks configuration type: object properties: mode: description: Tick placement mode. enum: - auto - bands type: string visible: description: When `true`, displays tick marks on the gauge. type: boolean time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string title: additionalProperties: false description: Title configuration type: object properties: text: description: Title text. type: string visible: description: When `true`, displays the title. type: boolean required: - format - filter - time_scale - field - operation title: Percentile Operation type: object Kibana_HTTP_APIs_gaugeMetricPercentileRanks: additionalProperties: false properties: color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' description: Color configuration for the gauge fill. field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' goal: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. title: Field Metric, Static Value, or Formula Operation label: description: Label for the operation type: string max: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. title: Field Metric, Static Value, or Formula Operation min: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. title: Field Metric, Static Value, or Formula Operation operation: enum: - percentile_rank type: string rank: default: 0 description: Percentile Rank type: number reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string subtitle: description: Subtitle below the gauge value. type: string ticks: additionalProperties: false description: Ticks configuration type: object properties: mode: description: Tick placement mode. enum: - auto - bands type: string visible: description: When `true`, displays tick marks on the gauge. type: boolean time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string title: additionalProperties: false description: Title configuration type: object properties: text: description: Title text. type: string visible: description: When `true`, displays the title. type: boolean required: - format - filter - time_scale - field - operation title: Percentile Ranks Operation type: object Kibana_HTTP_APIs_gaugeMetricStatsMetric: additionalProperties: false properties: color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' description: Color configuration for the gauge fill. field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' goal: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. title: Field Metric, Static Value, or Formula Operation label: description: Label for the operation type: string max: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. title: Field Metric, Static Value, or Formula Operation min: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. title: Field Metric, Static Value, or Formula Operation operation: enum: - min - max - average - median - standard_deviation type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string subtitle: description: Subtitle below the gauge value. type: string ticks: additionalProperties: false description: Ticks configuration type: object properties: mode: description: Tick placement mode. enum: - auto - bands type: string visible: description: When `true`, displays tick marks on the gauge. type: boolean time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string title: additionalProperties: false description: Title configuration type: object properties: text: description: Title text. type: string visible: description: When `true`, displays the title. type: boolean required: - format - filter - time_scale - field - operation title: Stats Metric Operation type: object Kibana_HTTP_APIs_gaugeMetricSumMetric: additionalProperties: false properties: color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' description: Color configuration for the gauge fill. empty_as_null: default: false description: When `true`, treats empty buckets as null instead of zero. type: boolean field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' goal: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. title: Field Metric, Static Value, or Formula Operation label: description: Label for the operation type: string max: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. title: Field Metric, Static Value, or Formula Operation min: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. title: Field Metric, Static Value, or Formula Operation operation: enum: - sum type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string subtitle: description: Subtitle below the gauge value. type: string ticks: additionalProperties: false description: Ticks configuration type: object properties: mode: description: Tick placement mode. enum: - auto - bands type: string visible: description: When `true`, displays tick marks on the gauge. type: boolean time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string title: additionalProperties: false description: Title configuration type: object properties: text: description: Title text. type: string visible: description: When `true`, displays the title. type: boolean required: - format - filter - time_scale - field - operation title: Sum Metric Operation type: object Kibana_HTTP_APIs_gaugeMetricUniqueCountMetric: additionalProperties: false properties: color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' description: Color configuration for the gauge fill. empty_as_null: default: false description: When `true`, treats empty buckets as null instead of zero. type: boolean field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' goal: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. title: Field Metric, Static Value, or Formula Operation label: description: Label for the operation type: string max: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. title: Field Metric, Static Value, or Formula Operation min: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. title: Field Metric, Static Value, or Formula Operation operation: enum: - unique_count type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string subtitle: description: Subtitle below the gauge value. type: string ticks: additionalProperties: false description: Ticks configuration type: object properties: mode: description: Tick placement mode. enum: - auto - bands type: string visible: description: When `true`, displays tick marks on the gauge. type: boolean time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string title: additionalProperties: false description: Title configuration type: object properties: text: description: Title text. type: string visible: description: When `true`, displays the title. type: boolean required: - format - filter - time_scale - field - operation title: Unique Count Metric Operation type: object Kibana_HTTP_APIs_gaugeNoESQL: additionalProperties: false description: Gauge configuration using a data view. properties: data_source: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-reference-schema' - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-spec-schema' description: type: string drilldowns: items: anyOf: - additionalProperties: false properties: dashboard_id: type: string label: type: string open_in_new_tab: default: false description: When enabled, the dashboard opens in a new browser tab. type: boolean trigger: enum: - on_apply_filter type: string type: enum: - dashboard_drilldown type: string use_filters: default: true description: When enabled, filters are passed to the opening dashboard. type: boolean use_time_range: default: true description: When enabled, time range is passed to the opening dashboard. type: boolean required: - dashboard_id - label - trigger - type title: dashboard_drilldown type: object - additionalProperties: false properties: label: type: string open_in_new_tab: default: true type: boolean trigger: enum: - on_apply_filter type: string type: enum: - discover_drilldown type: string required: - label - trigger - type title: discover_drilldown type: object - additionalProperties: false properties: encode_url: default: true description: When true, URL is escaped using percent encoding type: boolean label: type: string open_in_new_tab: default: true type: boolean trigger: enum: - on_click_row - on_click_value - on_open_panel_menu - on_select_range type: string type: enum: - url_drilldown type: string url: description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable type: string required: - url - label - trigger - type title: url_drilldown type: object maxItems: 100 type: array filters: $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' hide_border: type: boolean hide_title: type: boolean ignore_global_filters: default: false description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. type: boolean metric: anyOf: - anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeMetricCountMetric' - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeMetricUniqueCountMetric' - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeMetricStatsMetric' - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeMetricSumMetric' - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeMetricLastValue' - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeMetricPercentile' - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeMetricPercentileRanks' - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeMetricFormula' query: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' references: items: $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' type: array sampling: default: 1 description: Sampling factor between 0 (no sampling) and 1 (full sampling). maximum: 1 minimum: 0 type: number styling: $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeStyling' time_range: $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' title: type: string type: enum: - gauge type: string required: - type - filters - query - data_source - styling - metric - time_range title: Gauge Chart (DSL) type: object Kibana_HTTP_APIs_gaugeShapeBullet: additionalProperties: false description: Bullet gauge shape. properties: orientation: $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_simple_orientation' type: enum: - bullet type: string required: - type - orientation title: Shape (Bullet) type: object Kibana_HTTP_APIs_gaugeShapeCircular: additionalProperties: false description: Circular gauge shape. properties: type: enum: - circle - semi_circle - arc type: string required: - type title: Shape (Circular) type: object Kibana_HTTP_APIs_gaugeStyling: additionalProperties: false description: Visual chart styling options properties: shape: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeShapeBullet' - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeShapeCircular' title: Gauge styling type: object x-oas-optional: true Kibana_HTTP_APIs_geo-containment-create-rule-body-alerting: additionalProperties: false properties: actions: default: [] items: additionalProperties: false description: An action that runs under defined conditions. type: object properties: alerts_filter: additionalProperties: false description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. type: object properties: query: additionalProperties: false type: object properties: dsl: description: A filter written in Elasticsearch Query Domain Specific Language (DSL). type: string filters: description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. items: additionalProperties: false type: object properties: $state: additionalProperties: false type: object properties: store: description: A filter can be either specific to an application context or applied globally. enum: - appState - globalState type: string required: - store meta: additionalProperties: {} type: object query: additionalProperties: {} type: object required: - meta type: array kql: description: A filter written in Kibana Query Language (KQL). type: string required: - kql - filters timeframe: additionalProperties: false description: Defines a period that limits whether the action runs. type: object properties: days: description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. items: enum: - 1 - 2 - 3 - 4 - 5 - 6 - 7 type: integer type: array hours: additionalProperties: false description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. type: object properties: end: description: The end of the time frame in 24-hour notation (`hh:mm`). type: string start: description: The start of the time frame in 24-hour notation (`hh:mm`). type: string required: - start - end timezone: description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. type: string required: - days - hours - timezone frequency: additionalProperties: false type: object properties: notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval type: string summary: description: Indicates whether the action is a summary. type: boolean throttle: description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - summary - notify_when - throttle group: description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. type: string id: description: The identifier for the connector saved object. type: string params: additionalProperties: {} default: {} description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. type: object use_alert_data_for_template: description: Indicates whether to use alert data as a template. type: boolean uuid: description: A universally unique identifier (UUID) for the action. type: string required: - id type: array alert_delay: additionalProperties: false description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. type: object properties: active: description: The number of consecutive runs that must meet the rule conditions. type: number required: - active artifacts: additionalProperties: false type: object properties: dashboards: items: additionalProperties: false type: object properties: id: type: string required: - id maxItems: 10 type: array investigation_guide: additionalProperties: false type: object properties: blob: maxLength: 10000 type: string required: - blob consumer: description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' type: string enabled: default: true description: Indicates whether you want to run the rule on an interval basis after it is created. type: boolean flapping: additionalProperties: false description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. nullable: true type: object properties: enabled: description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. type: boolean look_back_window: description: The minimum number of runs in which the threshold must be met. maximum: 20 minimum: 2 type: number status_change_threshold: description: The minimum number of times an alert must switch states in the look back window. maximum: 20 minimum: 2 type: number required: - look_back_window - status_change_threshold name: description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. type: string notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval nullable: true type: string params: additionalProperties: false description: The parameters for the geo containment rule. These parameters are appropriate when `rule_type_id` is `.geo-containment`. properties: boundaryGeoField: minLength: 1 type: string boundaryIndexId: minLength: 1 type: string boundaryIndexQuery: {} boundaryIndexTitle: minLength: 1 type: string boundaryNameField: minLength: 1 type: string boundaryType: minLength: 1 type: string dateField: minLength: 1 type: string entity: minLength: 1 type: string geoField: minLength: 1 type: string index: minLength: 1 type: string indexId: minLength: 1 type: string indexQuery: {} required: - index - indexId - geoField - entity - dateField - boundaryType - boundaryIndexTitle - boundaryIndexId - boundaryGeoField - indexQuery - boundaryIndexQuery title: Geo Containment Rule Params type: object rule_type_id: enum: - .geo-containment type: string schedule: additionalProperties: false description: The check interval, which specifies how frequently the rule conditions are checked. type: object properties: interval: description: The interval is specified in seconds, minutes, hours, or days. type: string required: - interval tags: default: [] description: The tags for the rule. items: type: string type: array throttle: description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - name - consumer - schedule - rule_type_id - params title: Geo containment type: object Kibana_HTTP_APIs_gradientColorMapping: additionalProperties: false description: Gradient color mapping across categorical values. properties: gradient: items: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorFromPalette' - $ref: '#/components/schemas/Kibana_HTTP_APIs_color_code' maxItems: 3 type: array mapping: items: additionalProperties: false type: object properties: values: items: anyOf: - type: string - type: number - $ref: '#/components/schemas/Kibana_HTTP_APIs_range_key' - $ref: '#/components/schemas/Kibana_HTTP_APIs_multi_field_key' maxItems: 100 type: array required: - values maxItems: 100 type: array mode: enum: - gradient type: string palette: description: 'Color palette name. Accepted values: ''default'', ''elastic_line_optimized'', ''severity'', ''eui_amsterdam'', ''kibana_v7_legacy'', ''elastic_brand_2023''. Defaults to `default`.' type: string sort: description: Sort direction enum: - asc - desc type: string unassigned: $ref: '#/components/schemas/Kibana_HTTP_APIs_unassignedColorSchema' required: - mode - palette - unassigned title: Gradient Color Mapping type: object Kibana_HTTP_APIs_heatmapAxes: additionalProperties: false description: Axis configuration for X and Y axes properties: x: $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapXAxis' 'y': $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapYAxis' required: - x - 'y' title: Axes type: object x-oas-optional: true Kibana_HTTP_APIs_heatmapCells: additionalProperties: false description: Cells configuration properties: labels: additionalProperties: false type: object properties: visible: description: Show cell labels type: boolean title: Cells type: object x-oas-optional: true Kibana_HTTP_APIs_heatmapESQL: additionalProperties: false description: Heatmap configuration using an ES|QL query. properties: axis: $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapAxes' data_source: $ref: '#/components/schemas/Kibana_HTTP_APIs_esqlDataSource' description: type: string drilldowns: items: anyOf: - additionalProperties: false properties: dashboard_id: type: string label: type: string open_in_new_tab: default: false description: When enabled, the dashboard opens in a new browser tab. type: boolean trigger: enum: - on_apply_filter type: string type: enum: - dashboard_drilldown type: string use_filters: default: true description: When enabled, filters are passed to the opening dashboard. type: boolean use_time_range: default: true description: When enabled, time range is passed to the opening dashboard. type: boolean required: - dashboard_id - label - trigger - type title: dashboard_drilldown type: object - additionalProperties: false properties: label: type: string open_in_new_tab: default: true type: boolean trigger: enum: - on_apply_filter type: string type: enum: - discover_drilldown type: string required: - label - trigger - type title: discover_drilldown type: object - additionalProperties: false properties: encode_url: default: true description: When true, URL is escaped using percent encoding type: boolean label: type: string open_in_new_tab: default: true type: boolean trigger: enum: - on_click_row - on_click_value - on_open_panel_menu - on_select_range type: string type: enum: - url_drilldown type: string url: description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable type: string required: - url - label - trigger - type title: url_drilldown type: object maxItems: 100 type: array filters: $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' hide_border: type: boolean hide_title: type: boolean ignore_global_filters: default: false description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. type: boolean legend: $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapLegend' metric: additionalProperties: false type: object properties: color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' description: Color scale configuration for the heatmap cells. column: description: Column to use type: string format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string required: - column - format references: items: $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' type: array sampling: default: 1 description: Sampling factor between 0 (no sampling) and 1 (full sampling). maximum: 1 minimum: 0 type: number styling: $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapStyling' time_range: $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' title: type: string type: enum: - heatmap type: string x: additionalProperties: false type: object properties: column: description: Column to use type: string format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string required: - column - format 'y': additionalProperties: false type: object properties: column: description: Column to use type: string format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string required: - column - format required: - type - legend - filters - axis - x - data_source - styling - metric - time_range title: Heatmap Chart (ES|QL) type: object Kibana_HTTP_APIs_heatmapLegend: additionalProperties: false description: Legend configuration properties: position: enum: - top - bottom - left - right type: string size: $ref: '#/components/schemas/Kibana_HTTP_APIs_legendSize' truncate_after_lines: description: Number of lines before legend items are truncated. maximum: 10 minimum: 1 title: legendTruncateAfterLines type: number visibility: description: Legend visibility. enum: - visible - hidden type: string required: - size title: Legend type: object x-oas-optional: true Kibana_HTTP_APIs_heatmapMetricCounterRate: additionalProperties: false properties: color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' description: Color scale configuration for the heatmap cells. field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - counter_rate type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string required: - format - filter - time_scale - field - operation title: Counter Rate Operation type: object Kibana_HTTP_APIs_heatmapMetricCountMetric: additionalProperties: false properties: color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' description: Color scale configuration for the heatmap cells. empty_as_null: default: false description: When `true`, treats empty buckets as null instead of zero. type: boolean field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - count type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string required: - format - filter - time_scale - operation title: Count Metric Operation type: object Kibana_HTTP_APIs_heatmapMetricCumulativeSum: additionalProperties: false properties: color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' description: Color scale configuration for the heatmap cells. field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - cumulative_sum type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string required: - format - filter - time_scale - field - operation title: Cumulative Sum Operation type: object Kibana_HTTP_APIs_heatmapMetricDifferences: additionalProperties: false properties: color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' description: Color scale configuration for the heatmap cells. filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string of: $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' operation: enum: - differences type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string required: - format - filter - time_scale - operation - of title: Differences Operation type: object Kibana_HTTP_APIs_heatmapMetricFormula: additionalProperties: false properties: color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' description: Color scale configuration for the heatmap cells. filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' formula: description: Formula type: string label: description: Label for the operation type: string operation: enum: - formula type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: description: Time scale enum: - s - m - h - d type: string required: - format - operation - formula - filter title: Formula Operation type: object Kibana_HTTP_APIs_heatmapMetricLastValue: additionalProperties: false properties: color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' description: Color scale configuration for the heatmap cells. field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string multi_value: default: false description: Whether to return all values for multi-value fields. Only affects data table and metric charts; other charts use the last value from the array. type: boolean operation: enum: - last_value type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_field: description: Time field used to determine document recency type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string required: - format - filter - time_scale - field - operation - time_field title: Last Value Operation type: object Kibana_HTTP_APIs_heatmapMetricMovingAverage: additionalProperties: false properties: color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' description: Color scale configuration for the heatmap cells. filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string of: $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' operation: enum: - moving_average type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string window: default: 5 description: Window type: number required: - format - filter - time_scale - operation - of title: Moving Average Operation type: object Kibana_HTTP_APIs_heatmapMetricPercentile: additionalProperties: false properties: color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' description: Color scale configuration for the heatmap cells. field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - percentile type: string percentile: default: 95 description: Percentile type: number reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string required: - format - filter - time_scale - field - operation title: Percentile Operation type: object Kibana_HTTP_APIs_heatmapMetricPercentileRanks: additionalProperties: false properties: color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' description: Color scale configuration for the heatmap cells. field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - percentile_rank type: string rank: default: 0 description: Percentile Rank type: number reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string required: - format - filter - time_scale - field - operation title: Percentile Ranks Operation type: object Kibana_HTTP_APIs_heatmapMetricStatsMetric: additionalProperties: false properties: color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' description: Color scale configuration for the heatmap cells. field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - min - max - average - median - standard_deviation type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string required: - format - filter - time_scale - field - operation title: Stats Metric Operation type: object Kibana_HTTP_APIs_heatmapMetricSumMetric: additionalProperties: false properties: color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' description: Color scale configuration for the heatmap cells. empty_as_null: default: false description: When `true`, treats empty buckets as null instead of zero. type: boolean field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - sum type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string required: - format - filter - time_scale - field - operation title: Sum Metric Operation type: object Kibana_HTTP_APIs_heatmapMetricUniqueCountMetric: additionalProperties: false properties: color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' description: Color scale configuration for the heatmap cells. empty_as_null: default: false description: When `true`, treats empty buckets as null instead of zero. type: boolean field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - unique_count type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string required: - format - filter - time_scale - field - operation title: Unique Count Metric Operation type: object Kibana_HTTP_APIs_heatmapNoESQL: additionalProperties: false description: Heatmap configuration using a data view. properties: axis: $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapAxes' data_source: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-reference-schema' - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-spec-schema' description: type: string drilldowns: items: anyOf: - additionalProperties: false properties: dashboard_id: type: string label: type: string open_in_new_tab: default: false description: When enabled, the dashboard opens in a new browser tab. type: boolean trigger: enum: - on_apply_filter type: string type: enum: - dashboard_drilldown type: string use_filters: default: true description: When enabled, filters are passed to the opening dashboard. type: boolean use_time_range: default: true description: When enabled, time range is passed to the opening dashboard. type: boolean required: - dashboard_id - label - trigger - type title: dashboard_drilldown type: object - additionalProperties: false properties: label: type: string open_in_new_tab: default: true type: boolean trigger: enum: - on_apply_filter type: string type: enum: - discover_drilldown type: string required: - label - trigger - type title: discover_drilldown type: object - additionalProperties: false properties: encode_url: default: true description: When true, URL is escaped using percent encoding type: boolean label: type: string open_in_new_tab: default: true type: boolean trigger: enum: - on_click_row - on_click_value - on_open_panel_menu - on_select_range type: string type: enum: - url_drilldown type: string url: description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable type: string required: - url - label - trigger - type title: url_drilldown type: object maxItems: 100 type: array filters: $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' hide_border: type: boolean hide_title: type: boolean ignore_global_filters: default: false description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. type: boolean legend: $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapLegend' metric: anyOf: - anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapMetricCountMetric' - $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapMetricUniqueCountMetric' - $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapMetricStatsMetric' - $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapMetricSumMetric' - $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapMetricLastValue' - $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapMetricPercentile' - $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapMetricPercentileRanks' - anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapMetricDifferences' - $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapMetricMovingAverage' - $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapMetricCumulativeSum' - $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapMetricCounterRate' - $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapMetricFormula' query: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' references: items: $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' type: array sampling: default: 1 description: Sampling factor between 0 (no sampling) and 1 (full sampling). maximum: 1 minimum: 0 type: number styling: $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapStyling' time_range: $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' title: type: string type: enum: - heatmap type: string x: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_dateHistogramOperation' - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsOperation' - $ref: '#/components/schemas/Kibana_HTTP_APIs_histogramOperation' - $ref: '#/components/schemas/Kibana_HTTP_APIs_rangesOperation' - $ref: '#/components/schemas/Kibana_HTTP_APIs_filtersOperation' description: Breakdown dimension configuration using date histogram, terms, numeric histogram, value ranges, or custom filters. title: Breakdown Operation 'y': anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_dateHistogramOperation' - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsOperation' - $ref: '#/components/schemas/Kibana_HTTP_APIs_histogramOperation' - $ref: '#/components/schemas/Kibana_HTTP_APIs_rangesOperation' - $ref: '#/components/schemas/Kibana_HTTP_APIs_filtersOperation' description: Breakdown dimension configuration using date histogram, terms, numeric histogram, value ranges, or custom filters. title: Breakdown Operation required: - type - legend - filters - axis - x - query - data_source - styling - metric - time_range title: Heatmap Chart (DSL) type: object Kibana_HTTP_APIs_heatmapStyling: additionalProperties: false description: Visual chart styling options properties: cells: $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapCells' required: - cells title: Heatmap styling type: object x-oas-optional: true Kibana_HTTP_APIs_heatmapXAxis: additionalProperties: false description: X axis configuration properties: labels: additionalProperties: false type: object properties: orientation: $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_orientation' visible: description: Show axis labels type: boolean required: - orientation scale: description: X-axis scale type. Use 'temporal' for timestamp/date fields (for example, @timestamp or DATE_TRUNC results). Use 'ordinal' for categorical/text fields. Use 'linear' for numeric fields. enum: - ordinal - temporal - linear type: string sort: description: Axis sort order; omit or use undefined for no sorting enum: - asc - desc type: string title: additionalProperties: false type: object properties: text: description: Axis title text. type: string visible: description: When `true`, displays the title. type: boolean required: - scale title: X Axis type: object x-oas-optional: true Kibana_HTTP_APIs_heatmapYAxis: additionalProperties: false description: Y axis configuration properties: labels: additionalProperties: false type: object properties: visible: description: Show axis labels type: boolean sort: description: Axis sort order; omit or use undefined for no sorting enum: - asc - desc type: string title: additionalProperties: false type: object properties: text: description: Axis title text. type: string visible: description: When `true`, displays the title. type: boolean title: Y Axis type: object x-oas-optional: true Kibana_HTTP_APIs_histogramOperation: additionalProperties: false properties: field: description: Field to be used for the histogram. type: string format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' granularity: anyOf: - description: Granularity of the histogram. maximum: 7 minimum: 1 type: number - enum: - auto type: string default: auto include_empty_rows: default: true description: When `true`, includes empty rows in the results. type: boolean label: description: Label for the operation type: string operation: enum: - histogram type: string required: - operation - format - field title: Histogram Operation type: object Kibana_HTTP_APIs_index-threshold-create-rule-body-alerting: additionalProperties: false properties: actions: default: [] items: additionalProperties: false description: An action that runs under defined conditions. type: object properties: alerts_filter: additionalProperties: false description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. type: object properties: query: additionalProperties: false type: object properties: dsl: description: A filter written in Elasticsearch Query Domain Specific Language (DSL). type: string filters: description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. items: additionalProperties: false type: object properties: $state: additionalProperties: false type: object properties: store: description: A filter can be either specific to an application context or applied globally. enum: - appState - globalState type: string required: - store meta: additionalProperties: {} type: object query: additionalProperties: {} type: object required: - meta type: array kql: description: A filter written in Kibana Query Language (KQL). type: string required: - kql - filters timeframe: additionalProperties: false description: Defines a period that limits whether the action runs. type: object properties: days: description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. items: enum: - 1 - 2 - 3 - 4 - 5 - 6 - 7 type: integer type: array hours: additionalProperties: false description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. type: object properties: end: description: The end of the time frame in 24-hour notation (`hh:mm`). type: string start: description: The start of the time frame in 24-hour notation (`hh:mm`). type: string required: - start - end timezone: description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. type: string required: - days - hours - timezone frequency: additionalProperties: false type: object properties: notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval type: string summary: description: Indicates whether the action is a summary. type: boolean throttle: description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - summary - notify_when - throttle group: description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. type: string id: description: The identifier for the connector saved object. type: string params: additionalProperties: {} default: {} description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. type: object use_alert_data_for_template: description: Indicates whether to use alert data as a template. type: boolean uuid: description: A universally unique identifier (UUID) for the action. type: string required: - id type: array alert_delay: additionalProperties: false description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. type: object properties: active: description: The number of consecutive runs that must meet the rule conditions. type: number required: - active artifacts: additionalProperties: false type: object properties: dashboards: items: additionalProperties: false type: object properties: id: type: string required: - id maxItems: 10 type: array investigation_guide: additionalProperties: false type: object properties: blob: maxLength: 10000 type: string required: - blob consumer: description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' type: string enabled: default: true description: Indicates whether you want to run the rule on an interval basis after it is created. type: boolean flapping: additionalProperties: false description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. nullable: true type: object properties: enabled: description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. type: boolean look_back_window: description: The minimum number of runs in which the threshold must be met. maximum: 20 minimum: 2 type: number status_change_threshold: description: The minimum number of times an alert must switch states in the look back window. maximum: 20 minimum: 2 type: number required: - look_back_window - status_change_threshold name: description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. type: string notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval nullable: true type: string params: additionalProperties: false description: The parameters for the index threshold rule. These parameters are appropriate when `rule_type_id` is `.index-threshold`. properties: aggField: description: The name of the numeric field that is used in the aggregation. This property is required when `aggType` is `avg`, `max`, `min` or `sum`. minLength: 1 type: string aggType: default: count description: The type of aggregation to perform. type: string filterKuery: description: A Kibana Query Language (KQL) expression thats limits the scope of alerts. type: string groupBy: default: all description: Indicates whether the aggregation is applied over all documents (`all`) or split into groups (`top`) using a grouping field (`termField`). If grouping is used, an alert will be created for each group when it exceeds the threshold; only the top groups (up to `termSize` number of groups) are checked. type: string index: anyOf: - minLength: 1 type: string - items: minLength: 1 type: string minItems: 1 type: array description: The indices to query. termField: description: The names of up to four fields that are used for grouping the aggregation. This property is required when `groupBy` is `top`. minLength: 1 type: string termSize: description: This property is required when `groupBy` is `top`. It specifies the number of groups to check against the threshold and therefore limits the number of alerts on high cardinality fields. minimum: 1 type: number threshold: items: type: number maxItems: 2 minItems: 1 type: array thresholdComparator: description: 'The comparison function for the threshold. For example: greater than, less than, greater than or equal to, between, or not between.' enum: - '>' - < - '>=' - <= - between - notBetween type: string timeField: description: The field that is used to calculate the time window. minLength: 1 type: string timeWindowSize: description: The size of the time window (in `timeWindowUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection. minimum: 1 type: number timeWindowUnit: description: 'The type of units for the time window. For example: seconds, minutes, hours, or days.' type: string required: - index - timeField - timeWindowSize - timeWindowUnit - thresholdComparator - threshold title: Index Threshold Rule Params type: object rule_type_id: enum: - .index-threshold type: string schedule: additionalProperties: false description: The check interval, which specifies how frequently the rule conditions are checked. type: object properties: interval: description: The interval is specified in seconds, minutes, hours, or days. type: string required: - interval tags: default: [] description: The tags for the rule. items: type: string type: array throttle: description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - name - consumer - schedule - rule_type_id - params title: Index threshold type: object Kibana_HTTP_APIs_IngestStreamLifecycle: anyOf: - additionalProperties: false type: object properties: dsl: additionalProperties: false type: object properties: data_retention: description: A non-empty string. minLength: 1 type: string downsample: items: type: object properties: after: description: A non-empty string. minLength: 1 type: string fixed_interval: description: A non-empty string. minLength: 1 type: string required: - after - fixed_interval type: array required: - dsl - additionalProperties: false type: object properties: ilm: additionalProperties: false type: object properties: policy: description: A non-empty string. minLength: 1 type: string required: - policy required: - ilm - additionalProperties: false type: object properties: inherit: additionalProperties: false type: object properties: {} required: - inherit Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeConditionFilterSchema: additionalProperties: false description: A filter that evaluates a single field condition such as equality, range, or existence. properties: condition: description: A filter condition with strict operator/value type matching. discriminator: mapping: exists: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_condition_exists' is: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_condition_is' is_one_of: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_condition_is_one_of' range: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_condition_range' propertyName: operator oneOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_condition_is' - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_condition_is_one_of' - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_condition_range' - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_condition_exists' controlled_by: description: Identifier of the panel that manages this filter. When set, the filter is treated as owned by that panel. type: string data_view_id: description: Identifier of the data view used as context for this filter. type: string disabled: description: When `true`, the filter is inactive and does not affect query results. Defaults to `false`. type: boolean is_multi_index: description: When `true`, the filter can be applied across multiple indices. Defaults to `false`. type: boolean label: description: Human-readable label for the filter, used for display purposes. type: string negate: description: When `true`, the filter is negated and matches documents that do NOT satisfy the condition. Defaults to `false`. type: boolean type: enum: - condition type: string required: - type - condition title: condition type: object Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeDSLFilterSchema: additionalProperties: false description: A filter expressed as a raw [Elasticsearch Query DSL](https://www.elastic.co/docs/reference/query-languages/querydsl) object, used for queries that cannot be represented by condition or group filters. properties: controlled_by: description: Identifier of the panel that manages this filter. When set, the filter is treated as owned by that panel. type: string data_view_id: description: Identifier of the data view used as context for this filter. type: string disabled: description: When `true`, the filter is inactive and does not affect query results. Defaults to `false`. type: boolean dsl: additionalProperties: {} description: Elasticsearch Query DSL object passed directly to the query. type: object field: description: Field name for scripted filters where the field cannot be extracted from the DSL query. type: string is_multi_index: description: When `true`, the filter can be applied across multiple indices. Defaults to `false`. type: boolean label: description: Human-readable label for the filter, used for display purposes. type: string negate: description: When `true`, the filter is negated and matches documents that do NOT satisfy the condition. Defaults to `false`. type: boolean params: {} type: enum: - dsl type: string required: - type - dsl - params title: dsl type: object Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeGroupFilterSchema: additionalProperties: false description: A filter that combines multiple conditions or nested groups using a logical `and` or `or` operator. properties: controlled_by: description: Identifier of the panel that manages this filter. When set, the filter is treated as owned by that panel. type: string data_view_id: description: Identifier of the data view used as context for this filter. type: string disabled: description: When `true`, the filter is inactive and does not affect query results. Defaults to `false`. type: boolean group: $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_groupFilter' is_multi_index: description: When `true`, the filter can be applied across multiple indices. Defaults to `false`. type: boolean label: description: Human-readable label for the filter, used for display purposes. type: string negate: description: When `true`, the filter is negated and matches documents that do NOT satisfy the condition. Defaults to `false`. type: boolean type: enum: - group type: string required: - type - group title: group type: object Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeSpatialFilterSchema: additionalProperties: false description: A filter that applies an Elasticsearch geo query, used for geographic boundary and shape matching. properties: controlled_by: description: Identifier of the panel that manages this filter. When set, the filter is treated as owned by that panel. type: string data_view_id: description: Identifier of the data view used as context for this filter. type: string disabled: description: When `true`, the filter is inactive and does not affect query results. Defaults to `false`. type: boolean dsl: additionalProperties: {} description: Elasticsearch geo query DSL object. type: object is_multi_index: description: When `true`, the filter can be applied across multiple indices. Defaults to `false`. type: boolean label: description: Human-readable label for the filter, used for display purposes. type: string negate: description: When `true`, the filter is negated and matches documents that do NOT satisfy the condition. Defaults to `false`. type: boolean type: enum: - spatial type: string required: - type - dsl title: spatial type: object Kibana_HTTP_APIs_kbn-as-code-filters-schema_condition_exists: additionalProperties: false description: Matches documents where `field` exists and contains a non-null value. properties: field: description: Name of the document field the condition evaluates. type: string negate: description: When `true`, the filter is negated and matches documents that do NOT satisfy the condition. Defaults to `false`. type: boolean operator: enum: - exists type: string required: - field - operator title: exists type: object Kibana_HTTP_APIs_kbn-as-code-filters-schema_condition_is: additionalProperties: false description: Matches documents where `field` equals a single specified value. properties: field: description: Name of the document field the condition evaluates. type: string negate: description: When `true`, the filter is negated and matches documents that do NOT satisfy the condition. Defaults to `false`. type: boolean operator: enum: - is type: string value: anyOf: - title: value type: string - title: value type: number - title: value type: boolean description: Single value to compare against the field. required: - field - operator - value title: is type: object Kibana_HTTP_APIs_kbn-as-code-filters-schema_condition_is_one_of: additionalProperties: false description: Matches documents where `field` equals any value in a provided list. properties: field: description: Name of the document field the condition evaluates. type: string negate: description: When `true`, the filter is negated and matches documents that do NOT satisfy the condition. Defaults to `false`. type: boolean operator: enum: - is_one_of type: string value: anyOf: - items: type: string maxItems: 10000 type: array - items: type: number maxItems: 10000 type: array - items: type: boolean maxItems: 10000 type: array description: Homogeneous array of values to match against the field. required: - field - operator - value title: is_one_of type: object Kibana_HTTP_APIs_kbn-as-code-filters-schema_condition_range: additionalProperties: false description: Matches documents where `field` falls within a specified numeric or date range. properties: field: description: Name of the document field the condition evaluates. type: string negate: description: When `true`, the filter is negated and matches documents that do NOT satisfy the condition. Defaults to `false`. type: boolean operator: enum: - range type: string value: additionalProperties: false description: Boundary values for a range comparison. type: object properties: format: description: Elasticsearch [date format](https://www.elastic.co/docs/reference/elasticsearch/mapping-reference/mapping-date-format) string applied when parsing date boundary values. For example, `strict_date_optional_time` or `epoch_millis`. type: string gt: anyOf: - type: number - type: string description: Greater than. gte: anyOf: - type: number - type: string description: Greater than or equal to. lt: anyOf: - type: number - type: string description: Less than. lte: anyOf: - type: number - type: string description: Less than or equal to. required: - field - operator - value title: range type: object Kibana_HTTP_APIs_kbn-as-code-filters-schema_groupFilter: additionalProperties: false description: Logical group that combines one or more conditions or nested groups. properties: conditions: description: Ordered list of conditions or nested groups combined by the group `operator`. items: anyOf: - anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_condition_is' - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_condition_is_one_of' - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_condition_range' - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_condition_exists' description: A filter condition with strict operator/value type matching. - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_groupFilter' type: array operator: description: Logical operator applied across all entries in `conditions`. Use `and` to require all conditions, or `or` to require at least one. enum: - and - or type: string required: - operator - conditions title: kbn-as-code-filters-schema_groupFilter type: object Kibana_HTTP_APIs_kbn-as-code-meta: additionalProperties: false properties: created_at: description: Timestamp when the object was created (ISO 8601). type: string created_by: description: User profile ID of the user who created the object. type: string managed: description: When `true`, the object is managed by Kibana and cannot be edited by users. type: boolean owner: description: Identifier of the plugin or team that owns this object. type: string updated_at: description: Timestamp when the object was last updated (ISO 8601). type: string updated_by: description: User profile ID of the user who last updated the object. type: string version: description: Internal version identifier for optimistic concurrency control. type: string title: kbn-as-code-meta type: object Kibana_HTTP_APIs_kbn-as-code-query: additionalProperties: false description: A search query consisting of an expression and its language. Supports KQL and Lucene syntax. properties: expression: description: A query expression in KQL or Lucene syntax. type: string language: description: Query language. Use `kql` for Kibana Query Language (KQL) or `lucene` for Lucene query syntax. enum: - kql - lucene type: string required: - expression - language title: Query type: object x-oas-optional: true Kibana_HTTP_APIs_kbn-composite-runtime-field-schema: additionalProperties: false properties: fields: additionalProperties: $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-field-setting' type: object script: description: The script that defines the runtime field. This should be a painless script that computes the field value at query time. Runtime fields without a script retrieve values from _source. If the field doesn't exist in _source, a search request returns no value. minLength: 1 title: Script type: string type: enum: - composite type: string required: - type - fields title: Composite runtime field type: object Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema: additionalProperties: false properties: id: type: string name: type: string type: type: string required: - name - type - id title: kbn-content-management-utils-referenceSchema type: object Kibana_HTTP_APIs_kbn-controls-schemas-controls-group-schema-esql-control: additionalProperties: false description: An ES|QL variable control whose selected value is injected into ES|QL visualizations using the `?variable_name` syntax. Options can come from a fixed list or an ES|QL query. Define the options source in `config`. properties: config: discriminator: mapping: STATIC_VALUES: '#/components/schemas/Kibana_HTTP_APIs_kbn-controls-schemas-options-list-esql-control-schema-static-values' VALUES_FROM_QUERY: '#/components/schemas/Kibana_HTTP_APIs_kbn-controls-schemas-options-list-esql-control-schema-values-from-query' propertyName: control_type oneOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-controls-schemas-options-list-esql-control-schema-static-values' - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-controls-schemas-options-list-esql-control-schema-values-from-query' grow: default: false description: When `true`, the control expands to fill any available horizontal space. Defaults to `false`. type: boolean id: description: The unique ID of the control type: string type: enum: - esql_control type: string width: default: medium description: Minimum width of the control panel. enum: - small - medium - large type: string required: - type - config title: esql_control type: object Kibana_HTTP_APIs_kbn-controls-schemas-controls-group-schema-options-list-control: additionalProperties: false description: A dropdown control that filters data by selecting field values from a data view. Define the data view, field, and selection settings in `config`. properties: config: additionalProperties: false type: object properties: data_view_id: description: The ID of the data view that provides field options for this control. minLength: 1 type: string display_settings: additionalProperties: false type: object properties: hide_action_bar: description: When `true`, the search bar, sorting options, and select all toggle are hidden from the control. type: boolean hide_exclude: description: When `true`, the exclude mode toggle is hidden from the control. type: boolean hide_exists: description: When `true`, the exists filter option is hidden from the control. type: boolean hide_sort: description: When `true`, the sort selector is hidden from the control. type: boolean placeholder: description: Placeholder text displayed in the control input when no option is selected. type: string exclude: default: false description: When `true`, the control filters to documents that do NOT match the selected options. Defaults to `false`. type: boolean exists_selected: default: false description: When `true`, the control filters to documents where the field exists, regardless of the field's value. Defaults to `false`. type: boolean field_name: description: The name of the field in the data view that this control filters on. minLength: 1 type: string ignore_validations: default: false description: When `true`, the control skips selection validation and does not report which selections are responsible for returning zero results. Defaults to `false`. type: boolean run_past_timeout: default: false description: When `true`, the options list query continues running even if it exceeds the configured timeout threshold. Defaults to `false`. type: boolean search_technique: default: wildcard description: The matching technique used when searching available options. `prefix` matches values starting with the search term, `wildcard` matches values containing the search term, and `exact` requires a complete match. Only applies to string and IP fields. Defaults to `wildcard`. enum: - prefix - wildcard - exact type: string selected_options: default: [] description: The list of currently selected option values. items: anyOf: - type: string - type: number description: A selected option value. Accepts a string or a number. maxItems: 10000 type: array single_select: default: false description: When `true`, only one option can be selected at a time. Selecting a new option deselects any previously selected option. Defaults to `false`. type: boolean sort: additionalProperties: false default: by: _count direction: desc description: 'Defines how the available options are sorted in the control popover. Defaults to `{ by: "_count", direction: "desc" }`.' type: object properties: by: description: The field used to sort the available options list. `_count` sorts by document count and `_key` sorts alphabetically by option value. enum: - _count - _key type: string direction: description: The sort direction. `asc` sorts ascending and `desc` sorts descending. enum: - asc - desc type: string required: - by - direction title: description: A human-readable title for the control. type: string use_global_filters: default: true description: When `true`, the control's available options are narrowed by the page's active filters. Defaults to `true`. type: boolean required: - data_view_id - field_name grow: default: false description: When `true`, the control expands to fill any available horizontal space. Defaults to `false`. type: boolean id: description: The unique ID of the control type: string type: enum: - options_list_control type: string width: default: medium description: Minimum width of the control panel. enum: - small - medium - large type: string required: - type - config title: options_list_control type: object Kibana_HTTP_APIs_kbn-controls-schemas-controls-group-schema-range-slider-control: additionalProperties: false description: A slider control that filters data by selecting a numeric range for the configured field. Define the data view, field, and selection settings in `config`. properties: config: additionalProperties: false type: object properties: data_view_id: description: The ID of the data view that provides field options for this control. minLength: 1 type: string field_name: description: The name of the field in the data view that this control filters on. minLength: 1 type: string ignore_validations: default: false description: When `true`, the control skips selection validation and does not report which selections are responsible for returning zero results. Defaults to `false`. type: boolean step: default: 1 description: The step size between selectable range values. minimum: 0 type: number title: description: A human-readable title for the control. type: string use_global_filters: default: true description: When `true`, the control's available options are narrowed by the page's active filters. Defaults to `true`. type: boolean value: description: The selected range as a two-element array of strings representing the lower and upper bound values, for example `["10", "50"]`. items: type: string maxItems: 2 minItems: 2 type: array required: - data_view_id - field_name grow: default: false description: When `true`, the control expands to fill any available horizontal space. Defaults to `false`. type: boolean id: description: The unique ID of the control type: string type: enum: - range_slider_control type: string width: default: medium description: Minimum width of the control panel. enum: - small - medium - large type: string required: - type - config title: range_slider_control type: object Kibana_HTTP_APIs_kbn-controls-schemas-controls-group-schema-time-slider-control: additionalProperties: false description: A control panel that filters a time field to a selected sub-range of the global time range. Define the start and end positions in `config` as fractions of the global range (0 to 1). properties: config: additionalProperties: false type: object properties: end_percentage_of_time_range: default: 1 description: The end of the selected time window expressed as a fraction of the global time range, where `0` is the beginning and `1` is the end of the range. maximum: 1 minimum: 0 type: number is_anchored: default: false description: When `true`, the start of the time window is fixed at the beginning of the global time range. Only the end of the window can be adjusted. Defaults to `false`. type: boolean start_percentage_of_time_range: default: 0 description: The start of the selected time window expressed as a fraction of the global time range, where `0` is the beginning and `1` is the end of the range. maximum: 1 minimum: 0 type: number grow: default: false description: When `true`, the control expands to fill any available horizontal space. Defaults to `false`. type: boolean id: description: The unique ID of the control type: string type: enum: - time_slider_control type: string width: default: medium description: Minimum width of the control panel. enum: - small - medium - large type: string required: - type - config title: time_slider_control type: object Kibana_HTTP_APIs_kbn-controls-schemas-options-list-esql-control-schema-static-values: additionalProperties: false description: An ES|QL variable control with a fixed list of selectable options defined directly in `available_options`. properties: available_options: description: A fixed list of option strings displayed in the control. items: type: string maxItems: 1000 type: array control_type: enum: - STATIC_VALUES type: string display_settings: additionalProperties: false type: object properties: hide_action_bar: description: When `true`, the search bar, sorting options, and select all toggle are hidden from the control. type: boolean hide_exclude: description: When `true`, the exclude mode toggle is hidden from the control. type: boolean hide_exists: description: When `true`, the exists filter option is hidden from the control. type: boolean hide_sort: description: When `true`, the sort selector is hidden from the control. type: boolean placeholder: description: Placeholder text displayed in the control input when no option is selected. type: string selected_options: description: The list of currently selected option values. items: type: string maxItems: 10000 type: array single_select: default: true description: When `true`, only one option can be selected at a time. Selecting a new option deselects any previously selected option. Defaults to `true`. type: boolean title: description: A human-readable title for the control. type: string variable_name: description: The name of the ES|QL variable that this control populates. The variable is referenced in ES|QL queries using the `?variable_name` syntax. type: string variable_type: description: The ES|QL variable type that determines how the selected value is substituted into the query. Accepts `fields`, `values`, `functions`, `time_literal`, or `multi_values`. enum: - fields - values - functions - time_literal - multi_values type: string required: - selected_options - variable_name - variable_type - control_type - available_options title: STATIC_VALUES type: object Kibana_HTTP_APIs_kbn-controls-schemas-options-list-esql-control-schema-values-from-query: additionalProperties: false description: An ES|QL variable control whose selectable options are dynamically retrieved by running an ES|QL query. properties: control_type: enum: - VALUES_FROM_QUERY type: string display_settings: additionalProperties: false type: object properties: hide_action_bar: description: When `true`, the search bar, sorting options, and select all toggle are hidden from the control. type: boolean hide_exclude: description: When `true`, the exclude mode toggle is hidden from the control. type: boolean hide_exists: description: When `true`, the exists filter option is hidden from the control. type: boolean hide_sort: description: When `true`, the sort selector is hidden from the control. type: boolean placeholder: description: Placeholder text displayed in the control input when no option is selected. type: string esql_query: description: An ES|QL query whose results populate the list of available options in the control popover. type: string selected_options: description: The list of currently selected option values. items: type: string maxItems: 10000 type: array single_select: default: true description: When `true`, only one option can be selected at a time. Selecting a new option deselects any previously selected option. Defaults to `true`. type: boolean title: description: A human-readable title for the control. type: string variable_name: description: The name of the ES|QL variable that this control populates. The variable is referenced in ES|QL queries using the `?variable_name` syntax. type: string variable_type: description: The ES|QL variable type that determines how the selected value is substituted into the query. Accepts `fields`, `values`, `functions`, `time_literal`, or `multi_values`. enum: - fields - values - functions - time_literal - multi_values type: string required: - selected_options - variable_name - variable_type - control_type - esql_query title: VALUES_FROM_QUERY type: object Kibana_HTTP_APIs_kbn-dashboard-access-control: additionalProperties: false description: Access control settings for the dashboard. properties: access_mode: description: Controls edit access to the dashboard. Set to `write_restricted` to prevent edits by users without explicit write permission. Defaults to `default` (all viewers can edit). enum: - write_restricted - default type: string title: Access control type: object x-oas-optional: true Kibana_HTTP_APIs_kbn-dashboard-data: additionalProperties: false properties: access_control: $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-access-control' description: description: A short description of the dashboard. type: string filters: description: Filters applied across all panels, including pinned panels. items: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeConditionFilterSchema' - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeGroupFilterSchema' - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeDSLFilterSchema' - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeSpatialFilterSchema' description: A filter applied to query results. Can be a field condition (`condition`), a logical group of conditions (`group`), a raw Elasticsearch DSL query (`dsl`), or a geo spatial query (`spatial`). maxItems: 500 type: array options: $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-options' panels: default: [] description: Panels and sections in the dashboard. Each entry is either a panel (with a `type` and `config`) or a collapsible section (with a `title`, `collapsed` state, and nested `panels`). items: anyOf: - anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-discover_session' - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-esql_control' - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-image' - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-markdown' - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-options_list_control' - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-range_slider_control' - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-slo_alerts' - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-slo_burn_rate' - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-slo_error_budget' - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-slo_overview' - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-synthetics_monitors' - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-synthetics_stats_overview' - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-time_slider_control' - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-vis' - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-section' maxItems: 100 type: array pinned_panels: default: [] description: An array of control panels and their state in the control group. items: discriminator: mapping: esql_control: '#/components/schemas/Kibana_HTTP_APIs_kbn-controls-schemas-controls-group-schema-esql-control' options_list_control: '#/components/schemas/Kibana_HTTP_APIs_kbn-controls-schemas-controls-group-schema-options-list-control' range_slider_control: '#/components/schemas/Kibana_HTTP_APIs_kbn-controls-schemas-controls-group-schema-range-slider-control' time_slider_control: '#/components/schemas/Kibana_HTTP_APIs_kbn-controls-schemas-controls-group-schema-time-slider-control' propertyName: type oneOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-controls-schemas-controls-group-schema-esql-control' - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-controls-schemas-controls-group-schema-options-list-control' - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-controls-schemas-controls-group-schema-range-slider-control' - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-controls-schemas-controls-group-schema-time-slider-control' maxItems: 100 type: array project_routing: description: Controls [cross-project search](https://www.elastic.co/docs/explore-analyze/cross-project-search/cross-project-search-project-routing) behavior for this dashboard (Serverless only). Set to `_alias:_origin` to scope data to the current project, or `_alias:*` to search across all projects. When omitted, the space default applies. type: string query: $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-query' refresh_interval: $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-service-server-refreshIntervalSchema' tags: description: Tag IDs to associate with this dashboard. items: type: string maxItems: 100 type: array time_range: $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' title: description: A human-readable title for the dashboard. minLength: 1 type: string required: - options - query - refresh_interval - time_range - title - access_control title: kbn-dashboard-data type: object Kibana_HTTP_APIs_kbn-dashboard-dropped-panel-warning: additionalProperties: false description: A panel that was excluded from the response because its type is not supported by the API. properties: message: description: Human-readable explanation of why the panel was dropped. type: string panel_config: additionalProperties: true description: The original configuration of the dropped panel. type: object properties: {} panel_references: description: Saved object references used by the dropped panel. items: $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' maxItems: 100 type: array panel_type: description: The type identifier of the dropped panel. type: string type: enum: - dropped_panel type: string required: - type - message - panel_type - panel_config title: Dropped panel type: object Kibana_HTTP_APIs_kbn-dashboard-options: additionalProperties: false default: auto_apply_filters: true hide_panel_borders: false hide_panel_titles: false sync_colors: false sync_cursor: true sync_tooltips: false use_margins: true description: Display and behavior settings for the dashboard. properties: auto_apply_filters: default: true description: When `true`, control filter changes are applied automatically. When `false`, control filter changes are applied manually through the dashboard's search update button. Defaults to `true`. type: boolean hide_panel_borders: default: false description: When `true`, panel borders are hidden. Defaults to `false`. type: boolean hide_panel_titles: default: false description: When `true`, panel titles are hidden. Defaults to `false`. type: boolean sync_colors: default: false description: When `true`, colors are synchronized across panels that share a data source. Defaults to `false`. type: boolean sync_cursor: default: true description: When `true`, the cursor position is synchronized across panels. Defaults to `true`. type: boolean sync_tooltips: default: false description: When `true`, tooltips are synchronized across panels. Defaults to `false`. type: boolean use_margins: default: true description: When `true`, panels are separated by a margin. Defaults to `true`. type: boolean title: Options type: object Kibana_HTTP_APIs_kbn-dashboard-panel-grid: additionalProperties: false description: The position and size of the panel on the dashboard grid. properties: h: default: 15 description: The height of the panel in grid units. Minimum `1`. Defaults to `15`. minimum: 1 type: number w: default: 24 description: The width of the panel in grid units. Minimum `1`, maximum `48`. Defaults to `24`. maximum: 48 minimum: 1 type: number x: description: The x coordinate of the panel in grid units. type: number 'y': description: The y coordinate of the panel in grid units. type: number required: - x - 'y' title: Panel grid type: object Kibana_HTTP_APIs_kbn-dashboard-panel-type-discover_session: additionalProperties: false properties: config: anyOf: - additionalProperties: false description: Panel configuration stored inline properties: description: type: string drilldowns: items: additionalProperties: false properties: encode_url: default: true description: When true, URL is escaped using percent encoding type: boolean label: type: string open_in_new_tab: default: true type: boolean trigger: enum: - on_open_panel_menu type: string type: enum: - url_drilldown type: string url: description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable type: string required: - url - label - trigger - type title: url_drilldown type: object maxItems: 100 type: array hide_border: type: boolean hide_title: type: boolean tabs: description: Inline tab configuration. Used when no `ref_id` is set. Currently supports one tab. items: anyOf: - additionalProperties: false type: object properties: column_order: description: Ordered list of field names to display in the data table. If omitted, defaults to the advanced setting "defaultColumns" or the referenced saved object. items: description: Field name of a column in display order. type: string maxItems: 100 type: array column_settings: additionalProperties: additionalProperties: false type: object properties: width: description: Optional width of the column in pixels. minimum: 0 type: number description: Per-column presentation settings keyed by field name (e.g. widths). Keys should correspond to entries in `column_order` when both are set. type: object data_source: discriminator: mapping: data_view_reference: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-reference-schema' data_view_spec: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-spec-schema' propertyName: type oneOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-reference-schema' - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-spec-schema' density: description: Data grid density. Choose "compact", "expanded", or "normal" for row spacing. If omitted, defaults to Discover or embeddable defaults (e.g. user preference / local storage). enum: - compact - expanded - normal type: string filters: default: [] description: List of filters to apply to the data in the tab. items: description: A filter applied to query results. Can be a field condition (`condition`), a logical group of conditions (`group`), a raw Elasticsearch DSL query (`dsl`), or a geo spatial query (`spatial`). discriminator: mapping: condition: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeConditionFilterSchema' dsl: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeDSLFilterSchema' group: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeGroupFilterSchema' spatial: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeSpatialFilterSchema' propertyName: type oneOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeConditionFilterSchema' - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeGroupFilterSchema' - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeDSLFilterSchema' - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeSpatialFilterSchema' maxItems: 100 type: array header_row_height: anyOf: - maximum: 5 minimum: 1 type: number - enum: - auto type: string description: Header row height. Use a number (1–5) or "auto" to size based on content. If omitted, defaults to Discover or embeddable defaults (e.g. user preference / local storage). query: $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-query' row_height: anyOf: - maximum: 20 minimum: 1 type: number - enum: - auto type: string description: Data row height. Use a number (1–20) or "auto" to size based on content. If omitted, defaults to the advanced setting "discover:rowHeightOption". rows_per_page: description: The number of rows to display per page in the data table. If omitted, defaults to the advanced setting "discover:sampleRowsPerPage". maximum: 10000 minimum: 1 type: number sample_size: description: The number of documents to sample for the data table. If omitted, defaults to the advanced setting "discover:sampleSize". maximum: 10000 minimum: 10 type: number sort: default: [] description: Sort configuration for the data table (field and direction). items: additionalProperties: false type: object properties: direction: description: 'The direction to sort the field by: Use "asc" for ascending or "desc" for descending.' enum: - asc - desc type: string name: description: The name of the field to sort by. type: string required: - name - direction maxItems: 100 type: array view_mode: default: documents description: Discover view mode. Choose "documents" (search hits), "patterns" (pattern analysis), or "aggregated" (field statistics). enum: - documents - patterns - aggregated type: string required: - query - data_source - additionalProperties: false type: object properties: column_order: description: Ordered list of field names to display in the data table. If omitted, defaults to the advanced setting "defaultColumns" or the referenced saved object. items: description: Field name of a column in display order. type: string maxItems: 100 type: array column_settings: additionalProperties: additionalProperties: false type: object properties: width: description: Optional width of the column in pixels. minimum: 0 type: number description: Per-column presentation settings keyed by field name (e.g. widths). Keys should correspond to entries in `column_order` when both are set. type: object data_source: $ref: '#/components/schemas/Kibana_HTTP_APIs_esqlDataSource' density: description: Data grid density. Choose "compact", "expanded", or "normal" for row spacing. If omitted, defaults to Discover or embeddable defaults (e.g. user preference / local storage). enum: - compact - expanded - normal type: string header_row_height: anyOf: - maximum: 5 minimum: 1 type: number - enum: - auto type: string description: Header row height. Use a number (1–5) or "auto" to size based on content. If omitted, defaults to Discover or embeddable defaults (e.g. user preference / local storage). row_height: anyOf: - maximum: 20 minimum: 1 type: number - enum: - auto type: string description: Data row height. Use a number (1–20) or "auto" to size based on content. If omitted, defaults to the advanced setting "discover:rowHeightOption". sort: default: [] description: Sort configuration for the data table (field and direction). items: additionalProperties: false type: object properties: direction: description: 'The direction to sort the field by: Use "asc" for ascending or "desc" for descending.' enum: - asc - desc type: string name: description: The name of the field to sort by. type: string required: - name - direction maxItems: 100 type: array required: - data_source maxItems: 1 minItems: 1 type: array time_range: $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' title: type: string required: - time_range - tabs title: By value type: object - additionalProperties: false description: Panel configuration stored in a linked library item properties: description: type: string drilldowns: items: additionalProperties: false properties: encode_url: default: true description: When true, URL is escaped using percent encoding type: boolean label: type: string open_in_new_tab: default: true type: boolean trigger: enum: - on_open_panel_menu type: string type: enum: - url_drilldown type: string url: description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable type: string required: - url - label - trigger - type title: url_drilldown type: object maxItems: 100 type: array hide_border: type: boolean hide_title: type: boolean overrides: additionalProperties: false default: {} type: object properties: column_order: description: When set, overrides column order for the data table relative to the referenced saved object (`ref_id`) or the inline tab in `tabs`. If omitted, the source configuration is used. items: description: Field name of a column in display order. type: string maxItems: 100 type: array column_settings: additionalProperties: additionalProperties: false type: object properties: width: description: Optional width of the column in pixels. minimum: 0 type: number description: Per-column presentation overrides (e.g. widths) keyed by field name. When set, merges with the source configuration for the referenced session or inline tab. type: object density: description: 'Data grid row spacing: `compact`, `expanded`, or `normal`. When set, overrides the referenced saved object or the inline tab config in `tabs`. If omitted, the source configuration is used.' enum: - compact - expanded - normal type: string header_row_height: anyOf: - maximum: 5 minimum: 1 type: number - enum: - auto type: string description: 'Header row height: number (1–5) or `auto`. When set, overrides the referenced saved object or the inline tab config in `tabs`. If omitted, the source configuration is used.' row_height: anyOf: - maximum: 20 minimum: 1 type: number - enum: - auto type: string description: 'Data row height: number (1–20) or `auto`. When set, overrides the referenced saved object or the inline tab config in `tabs`. If omitted, falls back to the source or to the advanced setting "discover:rowHeightOption".' rows_per_page: description: Number of rows per page. When set, overrides the referenced saved object or the inline tab config in `tabs`. If omitted, falls back to the source or to the advanced setting "discover:sampleRowsPerPage". maximum: 10000 minimum: 1 type: number sample_size: description: Number of documents to sample. When set, overrides the referenced saved object or the inline tab config in `tabs`. If omitted, falls back to the source or to the advanced setting "discover:sampleSize". maximum: 10000 minimum: 10 type: number sort: description: Sort configuration (field and direction) for the data table. When set, overrides the referenced saved object or the inline tab config in `tabs`. If omitted, the source configuration is used. items: additionalProperties: false type: object properties: direction: description: 'The direction to sort the field by: Use "asc" for ascending or "desc" for descending.' enum: - asc - desc type: string name: description: The name of the field to sort by. type: string required: - name - direction maxItems: 100 type: array ref_id: type: string selected_tab_id: description: Tab to select from the referenced saved object. If omitted, defaults to the first tab. type: string time_range: $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' title: type: string required: - time_range - ref_id title: By reference type: object grid: $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-grid' id: description: The unique ID of the panel. type: string type: enum: - discover_session type: string required: - grid - type - config title: Discover session type: object Kibana_HTTP_APIs_kbn-dashboard-panel-type-esql_control: additionalProperties: false properties: config: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-controls-schemas-options-list-esql-control-schema-static-values' - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-controls-schemas-options-list-esql-control-schema-values-from-query' grid: $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-grid' id: description: The unique ID of the panel. type: string type: enum: - esql_control type: string required: - grid - type - config title: ES|QL variable control type: object Kibana_HTTP_APIs_kbn-dashboard-panel-type-image: additionalProperties: false properties: config: additionalProperties: false description: Image embeddable schema type: object properties: description: type: string drilldowns: items: anyOf: - additionalProperties: false properties: dashboard_id: type: string label: type: string open_in_new_tab: default: false description: When enabled, the dashboard opens in a new browser tab. type: boolean trigger: enum: - on_click_image type: string type: enum: - dashboard_drilldown type: string use_filters: default: true description: When enabled, filters are passed to the opening dashboard. type: boolean use_time_range: default: true description: When enabled, time range is passed to the opening dashboard. type: boolean required: - dashboard_id - label - trigger - type title: dashboard_drilldown type: object - additionalProperties: false properties: encode_url: default: true description: When true, URL is escaped using percent encoding type: boolean label: type: string open_in_new_tab: default: true type: boolean trigger: enum: - on_click_image - on_open_panel_menu type: string type: enum: - url_drilldown type: string url: description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable type: string required: - url - label - trigger - type title: url_drilldown type: object maxItems: 100 type: array hide_border: type: boolean hide_title: type: boolean image_config: additionalProperties: false type: object properties: alt_text: type: string background_color: type: string object_fit: default: contain description: How the image should be sized within its container enum: - fill - contain - cover - none type: string src: anyOf: - additionalProperties: false properties: file_id: type: string type: enum: - file type: string required: - type - file_id title: file type: object - additionalProperties: false properties: type: enum: - url type: string url: description: URL of the image type: string required: - type - url title: url type: object description: Image source required: - src title: type: string required: - image_config grid: $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-grid' id: description: The unique ID of the panel. type: string type: enum: - image type: string required: - grid - type - config title: Image type: object Kibana_HTTP_APIs_kbn-dashboard-panel-type-markdown: additionalProperties: false properties: config: anyOf: - additionalProperties: false description: Panel configuration stored inline properties: content: type: string description: type: string hide_border: type: boolean hide_title: type: boolean settings: additionalProperties: false type: object properties: open_links_in_new_tab: default: true type: boolean title: type: string required: - content - settings title: By value type: object - additionalProperties: false description: Panel configuration stored in a linked library item properties: description: type: string hide_border: type: boolean hide_title: type: boolean ref_id: description: The unique identifier of the markdown library item. type: string title: type: string required: - ref_id title: By reference type: object description: Markdown panel config grid: $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-grid' id: description: The unique ID of the panel. type: string type: enum: - markdown type: string required: - grid - type - config title: Markdown type: object Kibana_HTTP_APIs_kbn-dashboard-panel-type-options_list_control: additionalProperties: false properties: config: additionalProperties: false type: object properties: data_view_id: description: The ID of the data view that provides field options for this control. minLength: 1 type: string display_settings: additionalProperties: false type: object properties: hide_action_bar: description: When `true`, the search bar, sorting options, and select all toggle are hidden from the control. type: boolean hide_exclude: description: When `true`, the exclude mode toggle is hidden from the control. type: boolean hide_exists: description: When `true`, the exists filter option is hidden from the control. type: boolean hide_sort: description: When `true`, the sort selector is hidden from the control. type: boolean placeholder: description: Placeholder text displayed in the control input when no option is selected. type: string exclude: default: false description: When `true`, the control filters to documents that do NOT match the selected options. Defaults to `false`. type: boolean exists_selected: default: false description: When `true`, the control filters to documents where the field exists, regardless of the field's value. Defaults to `false`. type: boolean field_name: description: The name of the field in the data view that this control filters on. minLength: 1 type: string ignore_validations: default: false description: When `true`, the control skips selection validation and does not report which selections are responsible for returning zero results. Defaults to `false`. type: boolean run_past_timeout: default: false description: When `true`, the options list query continues running even if it exceeds the configured timeout threshold. Defaults to `false`. type: boolean search_technique: default: wildcard description: The matching technique used when searching available options. `prefix` matches values starting with the search term, `wildcard` matches values containing the search term, and `exact` requires a complete match. Only applies to string and IP fields. Defaults to `wildcard`. enum: - prefix - wildcard - exact type: string selected_options: default: [] description: The list of currently selected option values. items: anyOf: - type: string - type: number description: A selected option value. Accepts a string or a number. maxItems: 10000 type: array single_select: default: false description: When `true`, only one option can be selected at a time. Selecting a new option deselects any previously selected option. Defaults to `false`. type: boolean sort: additionalProperties: false default: by: _count direction: desc description: 'Defines how the available options are sorted in the control popover. Defaults to `{ by: "_count", direction: "desc" }`.' type: object properties: by: description: The field used to sort the available options list. `_count` sorts by document count and `_key` sorts alphabetically by option value. enum: - _count - _key type: string direction: description: The sort direction. `asc` sorts ascending and `desc` sorts descending. enum: - asc - desc type: string required: - by - direction title: description: A human-readable title for the control. type: string use_global_filters: default: true description: When `true`, the control's available options are narrowed by the page's active filters. Defaults to `true`. type: boolean required: - data_view_id - field_name grid: $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-grid' id: description: The unique ID of the panel. type: string type: enum: - options_list_control type: string required: - grid - type - config title: Options list control type: object Kibana_HTTP_APIs_kbn-dashboard-panel-type-range_slider_control: additionalProperties: false properties: config: additionalProperties: false type: object properties: data_view_id: description: The ID of the data view that provides field options for this control. minLength: 1 type: string field_name: description: The name of the field in the data view that this control filters on. minLength: 1 type: string ignore_validations: default: false description: When `true`, the control skips selection validation and does not report which selections are responsible for returning zero results. Defaults to `false`. type: boolean step: default: 1 description: The step size between selectable range values. minimum: 0 type: number title: description: A human-readable title for the control. type: string use_global_filters: default: true description: When `true`, the control's available options are narrowed by the page's active filters. Defaults to `true`. type: boolean value: description: The selected range as a two-element array of strings representing the lower and upper bound values, for example `["10", "50"]`. items: type: string maxItems: 2 minItems: 2 type: array required: - data_view_id - field_name grid: $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-grid' id: description: The unique ID of the panel. type: string type: enum: - range_slider_control type: string required: - grid - type - config title: Range slider control type: object Kibana_HTTP_APIs_kbn-dashboard-panel-type-slo_alerts: additionalProperties: false properties: config: $ref: '#/components/schemas/Kibana_HTTP_APIs_slo-alerts-embeddable' grid: $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-grid' id: description: The unique ID of the panel. type: string type: enum: - slo_alerts type: string required: - grid - type - config title: SLO alerts type: object Kibana_HTTP_APIs_kbn-dashboard-panel-type-slo_burn_rate: additionalProperties: false properties: config: $ref: '#/components/schemas/Kibana_HTTP_APIs_slo-burn-rate-embeddable' grid: $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-grid' id: description: The unique ID of the panel. type: string type: enum: - slo_burn_rate type: string required: - grid - type - config title: SLO burn rate type: object Kibana_HTTP_APIs_kbn-dashboard-panel-type-slo_error_budget: additionalProperties: false properties: config: $ref: '#/components/schemas/Kibana_HTTP_APIs_slo-error-budget-embeddable' grid: $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-grid' id: description: The unique ID of the panel. type: string type: enum: - slo_error_budget type: string required: - grid - type - config title: SLO error budget type: object Kibana_HTTP_APIs_kbn-dashboard-panel-type-slo_overview: additionalProperties: false properties: config: description: SLO Overview embeddable schema discriminator: mapping: groups: '#/components/schemas/Kibana_HTTP_APIs_slo-group-overview-embeddable' single: '#/components/schemas/Kibana_HTTP_APIs_slo-single-overview-embeddable' propertyName: overview_mode oneOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_slo-single-overview-embeddable' - $ref: '#/components/schemas/Kibana_HTTP_APIs_slo-group-overview-embeddable' grid: $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-grid' id: description: The unique ID of the panel. type: string type: enum: - slo_overview type: string required: - grid - type - config title: SLO overview type: object Kibana_HTTP_APIs_kbn-dashboard-panel-type-synthetics_monitors: additionalProperties: false properties: config: additionalProperties: false description: Synthetics monitors embeddable schema type: object properties: description: type: string filters: additionalProperties: false type: object properties: locations: description: Filter by monitor locations items: additionalProperties: false type: object properties: label: description: Display label for the filter option type: string value: description: Value for the filter option type: string required: - label - value maxItems: 100 type: array monitor_ids: description: Filter by monitor IDs items: additionalProperties: false type: object properties: label: description: Display label for the filter option type: string value: description: Value for the filter option type: string required: - label - value maxItems: 5000 type: array monitor_types: description: Filter by monitor types items: additionalProperties: false type: object properties: label: description: Display label for the filter option type: string value: description: Value for the filter option type: string required: - label - value maxItems: 10 type: array projects: description: Filter by project items: additionalProperties: false type: object properties: label: description: Display label for the filter option type: string value: description: Value for the filter option type: string required: - label - value maxItems: 100 type: array tags: description: Filter by tags items: additionalProperties: false type: object properties: label: description: Display label for the filter option type: string value: description: Value for the filter option type: string required: - label - value maxItems: 100 type: array hide_border: type: boolean hide_title: type: boolean title: type: string view: description: View mode for the monitors embeddable (defaults to cardView) enum: - cardView - compactView type: string grid: $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-grid' id: description: The unique ID of the panel. type: string type: enum: - synthetics_monitors type: string required: - grid - type - config title: Synthetics monitors type: object Kibana_HTTP_APIs_kbn-dashboard-panel-type-synthetics_stats_overview: additionalProperties: false properties: config: additionalProperties: false description: Synthetics stats overview embeddable schema type: object properties: description: type: string drilldowns: items: additionalProperties: false properties: encode_url: default: true description: When true, URL is escaped using percent encoding type: boolean label: type: string open_in_new_tab: default: true type: boolean trigger: enum: - on_open_panel_menu type: string type: enum: - url_drilldown type: string url: description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable type: string required: - url - label - trigger - type title: url_drilldown type: object maxItems: 100 type: array filters: additionalProperties: false type: object properties: locations: description: Filter by monitor locations items: additionalProperties: false type: object properties: label: description: Display label for the filter option type: string value: description: Value for the filter option type: string required: - label - value maxItems: 100 type: array monitor_ids: description: Filter by monitor IDs items: additionalProperties: false type: object properties: label: description: Display label for the filter option type: string value: description: Value for the filter option type: string required: - label - value maxItems: 5000 type: array monitor_types: description: Filter by monitor types items: additionalProperties: false type: object properties: label: description: Display label for the filter option type: string value: description: Value for the filter option type: string required: - label - value maxItems: 10 type: array projects: description: Filter by project items: additionalProperties: false type: object properties: label: description: Display label for the filter option type: string value: description: Value for the filter option type: string required: - label - value maxItems: 100 type: array tags: description: Filter by tags items: additionalProperties: false type: object properties: label: description: Display label for the filter option type: string value: description: Value for the filter option type: string required: - label - value maxItems: 100 type: array hide_border: type: boolean hide_title: type: boolean title: type: string grid: $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-grid' id: description: The unique ID of the panel. type: string type: enum: - synthetics_stats_overview type: string required: - grid - type - config title: Synthetics stats overview type: object Kibana_HTTP_APIs_kbn-dashboard-panel-type-time_slider_control: additionalProperties: false properties: config: additionalProperties: false type: object properties: end_percentage_of_time_range: default: 1 description: The end of the selected time window expressed as a fraction of the global time range, where `0` is the beginning and `1` is the end of the range. maximum: 1 minimum: 0 type: number is_anchored: default: false description: When `true`, the start of the time window is fixed at the beginning of the global time range. Only the end of the window can be adjusted. Defaults to `false`. type: boolean start_percentage_of_time_range: default: 0 description: The start of the selected time window expressed as a fraction of the global time range, where `0` is the beginning and `1` is the end of the range. maximum: 1 minimum: 0 type: number grid: $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-grid' id: description: The unique ID of the panel. type: string type: enum: - time_slider_control type: string required: - grid - type - config title: Time slider control type: object Kibana_HTTP_APIs_kbn-dashboard-panel-type-vis: additionalProperties: false properties: config: anyOf: - anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricNoESQL' - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricESQL' - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyMetricNoESQL' - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyChartNoESQL' - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyChartESQL' - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeNoESQL' - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeESQL' - $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapNoESQL' - $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapESQL' - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudNoESQL' - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudESQL' - $ref: '#/components/schemas/Kibana_HTTP_APIs_regionMapNoESQL' - $ref: '#/components/schemas/Kibana_HTTP_APIs_regionMapESQL' - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableNoESQL' - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableESQL' - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieNoESQL' - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieESQL' - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicNoESQL' - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicESQL' - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapNoESQL' - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapESQL' - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleNoESQL' - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleESQL' description: Panel configuration stored inline title: By value - additionalProperties: false description: Panel configuration stored in a linked library item properties: description: type: string drilldowns: items: anyOf: - additionalProperties: false properties: dashboard_id: type: string label: type: string open_in_new_tab: default: false description: When enabled, the dashboard opens in a new browser tab. type: boolean trigger: enum: - on_apply_filter type: string type: enum: - dashboard_drilldown type: string use_filters: default: true description: When enabled, filters are passed to the opening dashboard. type: boolean use_time_range: default: true description: When enabled, time range is passed to the opening dashboard. type: boolean required: - dashboard_id - label - trigger - type title: dashboard_drilldown type: object - additionalProperties: false properties: label: type: string open_in_new_tab: default: true type: boolean trigger: enum: - on_apply_filter type: string type: enum: - discover_drilldown type: string required: - label - trigger - type title: discover_drilldown type: object - additionalProperties: false properties: encode_url: default: true description: When true, URL is escaped using percent encoding type: boolean label: type: string open_in_new_tab: default: true type: boolean trigger: enum: - on_click_row - on_click_value - on_open_panel_menu - on_select_range type: string type: enum: - url_drilldown type: string url: description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable type: string required: - url - label - trigger - type title: url_drilldown type: object maxItems: 100 type: array hide_border: type: boolean hide_title: type: boolean ref_id: type: string references: items: $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' type: array time_range: $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' title: type: string required: - ref_id - time_range title: By reference type: object description: Lens embeddable schema grid: $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-grid' id: description: The unique ID of the panel. type: string type: enum: - vis type: string required: - grid - type - config title: Visualization type: object Kibana_HTTP_APIs_kbn-dashboard-section: additionalProperties: false description: A collapsible group of panels. properties: collapsed: default: false description: When `true`, the section is collapsed and its panels are not rendered until expanded. Useful for improving initial load time on large dashboards. Defaults to `false`. type: boolean grid: additionalProperties: false type: object properties: 'y': description: The y coordinate of the section in grid units. type: number required: - 'y' id: description: The unique ID of the section. type: string panels: default: [] description: The panels that belong to the section. items: discriminator: mapping: discover_session: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-discover_session' esql_control: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-esql_control' image: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-image' markdown: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-markdown' options_list_control: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-options_list_control' range_slider_control: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-range_slider_control' slo_alerts: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-slo_alerts' slo_burn_rate: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-slo_burn_rate' slo_error_budget: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-slo_error_budget' slo_overview: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-slo_overview' synthetics_monitors: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-synthetics_monitors' synthetics_stats_overview: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-synthetics_stats_overview' time_slider_control: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-time_slider_control' vis: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-vis' propertyName: type oneOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-discover_session' - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-esql_control' - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-image' - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-markdown' - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-options_list_control' - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-range_slider_control' - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-slo_alerts' - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-slo_burn_rate' - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-slo_error_budget' - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-slo_overview' - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-synthetics_monitors' - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-synthetics_stats_overview' - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-time_slider_control' - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-vis' maxItems: 100 type: array title: description: The title of the section. type: string required: - title - grid title: Section type: object Kibana_HTTP_APIs_kbn-data-service-server-refreshIntervalSchema: additionalProperties: false description: Specifies the auto-refresh interval for the object. properties: pause: description: When `true`, auto-refresh is paused. type: boolean value: description: The refresh interval in milliseconds. type: number required: - pause - value title: Refresh interval type: object x-oas-optional: true Kibana_HTTP_APIs_kbn-data-view-field-setting: additionalProperties: false description: Display overrides for a field. These settings can define a custom label, description, and format. properties: custom_description: description: Add a description to the field. It's displayed next to the field on the Discover, Lens, and Data View Management pages. minLength: 1 title: Custom description type: string custom_label: description: Create a label to display in place of the field name in Discover, Maps, Lens, Visualize, and TSVB. Useful for shortening a long field name. Queries and filters use the original field name. minLength: 1 title: Custom label type: string format: $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-field-format' required: - format title: Field settings type: object Kibana_HTTP_APIs_kbn-data-view-reference-schema: additionalProperties: false properties: ref_id: description: 'The id of the Kibana data view to use as the data source. Example: "my-data-view".' type: string type: enum: - data_view_reference type: string required: - type - ref_id title: Data view reference type: object Kibana_HTTP_APIs_kbn-data-view-spec-schema: additionalProperties: false properties: field_settings: additionalProperties: $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-field-settings-entry' type: object index_pattern: description: 'The index pattern (Elasticsearch index expression) to use as the data source. Example: "my-index-*".' type: string time_field: description: 'The name of the time field in the index. Used for time-based filtering. Example: "@timestamp".' type: string type: enum: - data_view_spec type: string required: - type - index_pattern title: Data view inline spec type: object Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema: additionalProperties: false description: Specifies the time range for a query. properties: from: description: The start of the time range. Accepts Elasticsearch [date math](https://www.elastic.co/docs/reference/elasticsearch/rest-apis/common-options#date-math) expressions (for example, `now-7d`) or ISO 8601 timestamps. type: string mode: description: The time range mode. Use `absolute` for fixed start and end timestamps. Use `relative` for [date math](https://www.elastic.co/docs/reference/elasticsearch/rest-apis/common-options#date-math) expressions that are re-evaluated at query time (for example, `now-7d`). enum: - absolute - relative type: string to: description: The end of the time range. Accepts Elasticsearch [date math](https://www.elastic.co/docs/reference/elasticsearch/rest-apis/common-options#date-math) expressions (for example, `now`) or ISO 8601 timestamps. type: string required: - from - to title: Time range type: object x-oas-optional: true Kibana_HTTP_APIs_kbn-field-format: additionalProperties: false description: Set your preferred format for displaying the value. Changing the format can affect the value and prevent highlighting in Discover. properties: params: {} type: type: string required: - type - params title: Format type: object x-oas-optional: true Kibana_HTTP_APIs_kbn-field-settings-entry: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-composite-runtime-field-schema' - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-runtime-field-schema' - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-field-setting' description: Display overrides for an indexed field, or a runtime field definition when `type` is set to a runtime field kind. title: Field settings or runtime field Kibana_HTTP_APIs_kbn-runtime-field-schema: additionalProperties: false properties: custom_description: description: Add a description to the field. It's displayed next to the field on the Discover, Lens, and Data View Management pages. minLength: 1 title: Custom description type: string custom_label: description: Create a label to display in place of the field name in Discover, Maps, Lens, Visualize, and TSVB. Useful for shortening a long field name. Queries and filters use the original field name. minLength: 1 title: Custom label type: string format: $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-field-format' script: description: The script that defines the runtime field. This should be a painless script that computes the field value at query time. Runtime fields without a script retrieve values from _source. If the field doesn't exist in _source, a search request returns no value. minLength: 1 title: Script type: string type: $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-runtime-field-type' required: - format - type title: Runtime field type: object Kibana_HTTP_APIs_kbn-runtime-field-type: description: The type of the runtime field (e.g., "keyword", "long", "date"). enum: - keyword - long - double - date - ip - boolean - geo_point title: Type type: string Kibana_HTTP_APIs_lastValueOperation: additionalProperties: false properties: field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string multi_value: default: false description: Whether to return all values for multi-value fields. Only affects data table and metric charts; other charts use the last value from the array. type: boolean operation: enum: - last_value type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_field: description: Time field used to determine document recency type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string required: - format - filter - time_scale - field - operation - time_field title: Last Value Operation type: object Kibana_HTTP_APIs_legacyColorByValue: additionalProperties: false deprecated: true description: Legacy color by value configuration properties: palette: description: The legacy palette name. type: string range: description: Determines whether the range is interpreted as absolute or as a percentage of the data. enum: - absolute - percentage type: string shift: description: When `true`, shifts the palette colors so they start from a different offset. Defaults to `false`. type: boolean steps: description: Array of ordered color steps defining the range each color is applied. items: additionalProperties: false type: object properties: color: description: The color to use for this step. type: string gte: description: The lower bound of range from which this color applies (inclusive). nullable: true type: number lt: description: The upper bound of range to which this color applies (exclusive). nullable: true type: number lte: description: The upper bound of range to which this color applies (inclusive). nullable: true type: number required: - color maxItems: 100 minItems: 1 type: array type: enum: - legacy_dynamic type: string required: - type - range - steps - palette - shift title: Legacy color by value type: object Kibana_HTTP_APIs_legacyColorByValueAbsolute: additionalProperties: false deprecated: true description: Legacy color by absolute value configuration properties: palette: description: The legacy palette name. type: string range: enum: - absolute type: string shift: description: When `true`, shifts the palette colors so they start from a different offset. Defaults to `false`. type: boolean steps: description: Array of ordered color steps defining the range each color is applied. items: additionalProperties: false type: object properties: color: description: The color to use for this step. type: string gte: description: The lower bound of range from which this color applies (inclusive). nullable: true type: number lt: description: The upper bound of range to which this color applies (exclusive). nullable: true type: number lte: description: The upper bound of range to which this color applies (inclusive). nullable: true type: number required: - color maxItems: 100 minItems: 1 type: array type: enum: - legacy_dynamic type: string required: - type - range - steps - palette - shift title: Legacy color by value (absolute) type: object Kibana_HTTP_APIs_legacyMetricCountMetric: additionalProperties: false properties: apply_color_to: description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' enum: - value - background type: string color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValueAbsolute' - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyColorByValueAbsolute' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' description: Color configuration based on the metric value. empty_as_null: default: false description: When `true`, treats empty buckets as null instead of zero. type: boolean field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string labels: additionalProperties: false description: Labels configuration type: object properties: alignment: default: top description: Label alignment enum: - top - bottom type: string operation: enum: - count type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string size: description: Font size for the label and value enum: - xs - s - m - l - xl - xxl type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string values: additionalProperties: false description: Values configuration type: object properties: alignment: default: left description: Value alignment enum: - left - center - right type: string required: - format - filter - time_scale - operation title: Count Metric Operation type: object Kibana_HTTP_APIs_legacyMetricFormula: additionalProperties: false properties: apply_color_to: description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' enum: - value - background type: string color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValueAbsolute' - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyColorByValueAbsolute' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' description: Color configuration based on the metric value. filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' formula: description: Formula type: string label: description: Label for the operation type: string labels: additionalProperties: false description: Labels configuration type: object properties: alignment: default: top description: Label alignment enum: - top - bottom type: string operation: enum: - formula type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string size: description: Font size for the label and value enum: - xs - s - m - l - xl - xxl type: string time_scale: description: Time scale enum: - s - m - h - d type: string values: additionalProperties: false description: Values configuration type: object properties: alignment: default: left description: Value alignment enum: - left - center - right type: string required: - format - operation - formula - filter title: Formula Operation type: object Kibana_HTTP_APIs_legacyMetricLastValue: additionalProperties: false properties: apply_color_to: description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' enum: - value - background type: string color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValueAbsolute' - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyColorByValueAbsolute' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' description: Color configuration based on the metric value. field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string labels: additionalProperties: false description: Labels configuration type: object properties: alignment: default: top description: Label alignment enum: - top - bottom type: string multi_value: default: false description: Whether to return all values for multi-value fields. Only affects data table and metric charts; other charts use the last value from the array. type: boolean operation: enum: - last_value type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string size: description: Font size for the label and value enum: - xs - s - m - l - xl - xxl type: string time_field: description: Time field used to determine document recency type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string values: additionalProperties: false description: Values configuration type: object properties: alignment: default: left description: Value alignment enum: - left - center - right type: string required: - format - filter - time_scale - field - operation - time_field title: Last Value Operation type: object Kibana_HTTP_APIs_legacyMetricNoESQL: additionalProperties: false description: Legacy Metric configuration using a data view. Superseded by the Metric chart type. properties: data_source: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-reference-schema' - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-spec-schema' description: type: string drilldowns: items: anyOf: - additionalProperties: false properties: dashboard_id: type: string label: type: string open_in_new_tab: default: false description: When enabled, the dashboard opens in a new browser tab. type: boolean trigger: enum: - on_apply_filter type: string type: enum: - dashboard_drilldown type: string use_filters: default: true description: When enabled, filters are passed to the opening dashboard. type: boolean use_time_range: default: true description: When enabled, time range is passed to the opening dashboard. type: boolean required: - dashboard_id - label - trigger - type title: dashboard_drilldown type: object - additionalProperties: false properties: label: type: string open_in_new_tab: default: true type: boolean trigger: enum: - on_apply_filter type: string type: enum: - discover_drilldown type: string required: - label - trigger - type title: discover_drilldown type: object - additionalProperties: false properties: encode_url: default: true description: When true, URL is escaped using percent encoding type: boolean label: type: string open_in_new_tab: default: true type: boolean trigger: enum: - on_click_row - on_click_value - on_open_panel_menu - on_select_range type: string type: enum: - url_drilldown type: string url: description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable type: string required: - url - label - trigger - type title: url_drilldown type: object maxItems: 100 type: array filters: $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' hide_border: type: boolean hide_title: type: boolean ignore_global_filters: default: false description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. type: boolean metric: anyOf: - anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyMetricCountMetric' - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyMetricUniqueCountMetric' - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyMetricStatsMetric' - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyMetricSumMetric' - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyMetricLastValue' - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyMetricPercentile' - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyMetricPercentileRanks' - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyMetricFormula' query: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' references: items: $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' type: array sampling: default: 1 description: Sampling factor between 0 (no sampling) and 1 (full sampling). maximum: 1 minimum: 0 type: number time_range: $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' title: type: string type: enum: - legacy_metric type: string required: - type - filters - query - data_source - metric - time_range title: Legacy Metric Chart (DSL) type: object Kibana_HTTP_APIs_legacyMetricPercentile: additionalProperties: false properties: apply_color_to: description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' enum: - value - background type: string color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValueAbsolute' - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyColorByValueAbsolute' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' description: Color configuration based on the metric value. field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string labels: additionalProperties: false description: Labels configuration type: object properties: alignment: default: top description: Label alignment enum: - top - bottom type: string operation: enum: - percentile type: string percentile: default: 95 description: Percentile type: number reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string size: description: Font size for the label and value enum: - xs - s - m - l - xl - xxl type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string values: additionalProperties: false description: Values configuration type: object properties: alignment: default: left description: Value alignment enum: - left - center - right type: string required: - format - filter - time_scale - field - operation title: Percentile Operation type: object Kibana_HTTP_APIs_legacyMetricPercentileRanks: additionalProperties: false properties: apply_color_to: description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' enum: - value - background type: string color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValueAbsolute' - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyColorByValueAbsolute' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' description: Color configuration based on the metric value. field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string labels: additionalProperties: false description: Labels configuration type: object properties: alignment: default: top description: Label alignment enum: - top - bottom type: string operation: enum: - percentile_rank type: string rank: default: 0 description: Percentile Rank type: number reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string size: description: Font size for the label and value enum: - xs - s - m - l - xl - xxl type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string values: additionalProperties: false description: Values configuration type: object properties: alignment: default: left description: Value alignment enum: - left - center - right type: string required: - format - filter - time_scale - field - operation title: Percentile Ranks Operation type: object Kibana_HTTP_APIs_legacyMetricStatsMetric: additionalProperties: false properties: apply_color_to: description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' enum: - value - background type: string color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValueAbsolute' - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyColorByValueAbsolute' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' description: Color configuration based on the metric value. field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string labels: additionalProperties: false description: Labels configuration type: object properties: alignment: default: top description: Label alignment enum: - top - bottom type: string operation: enum: - min - max - average - median - standard_deviation type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string size: description: Font size for the label and value enum: - xs - s - m - l - xl - xxl type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string values: additionalProperties: false description: Values configuration type: object properties: alignment: default: left description: Value alignment enum: - left - center - right type: string required: - format - filter - time_scale - field - operation title: Stats Metric Operation type: object Kibana_HTTP_APIs_legacyMetricSumMetric: additionalProperties: false properties: apply_color_to: description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' enum: - value - background type: string color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValueAbsolute' - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyColorByValueAbsolute' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' description: Color configuration based on the metric value. empty_as_null: default: false description: When `true`, treats empty buckets as null instead of zero. type: boolean field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string labels: additionalProperties: false description: Labels configuration type: object properties: alignment: default: top description: Label alignment enum: - top - bottom type: string operation: enum: - sum type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string size: description: Font size for the label and value enum: - xs - s - m - l - xl - xxl type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string values: additionalProperties: false description: Values configuration type: object properties: alignment: default: left description: Value alignment enum: - left - center - right type: string required: - format - filter - time_scale - field - operation title: Sum Metric Operation type: object Kibana_HTTP_APIs_legacyMetricUniqueCountMetric: additionalProperties: false properties: apply_color_to: description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' enum: - value - background type: string color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValueAbsolute' - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyColorByValueAbsolute' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' description: Color configuration based on the metric value. empty_as_null: default: false description: When `true`, treats empty buckets as null instead of zero. type: boolean field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string labels: additionalProperties: false description: Labels configuration type: object properties: alignment: default: top description: Label alignment enum: - top - bottom type: string operation: enum: - unique_count type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string size: description: Font size for the label and value enum: - xs - s - m - l - xl - xxl type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string values: additionalProperties: false description: Values configuration type: object properties: alignment: default: left description: Value alignment enum: - left - center - right type: string required: - format - filter - time_scale - field - operation title: Unique Count Metric Operation type: object Kibana_HTTP_APIs_legendSize: description: Legend size. enum: - auto - s - m - l - xl title: Legend Size type: string x-oas-optional: true Kibana_HTTP_APIs_lensApiConfigNoESQL: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricNoESQL' - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyMetricNoESQL' - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyChartNoESQL' - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeNoESQL' - $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapNoESQL' - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudNoESQL' - $ref: '#/components/schemas/Kibana_HTTP_APIs_regionMapNoESQL' - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableNoESQL' - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieNoESQL' - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicNoESQL' - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapNoESQL' - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleNoESQL' title: Visualizations (DSL) Kibana_HTTP_APIs_lensPanelFilters: description: Filters applied to the panel items: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeConditionFilterSchema' - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeGroupFilterSchema' - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeDSLFilterSchema' - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeSpatialFilterSchema' description: A filter applied to query results. Can be a field condition (`condition`), a logical group of conditions (`group`), a raw Elasticsearch DSL query (`dsl`), or a geo spatial query (`spatial`). maxItems: 100 title: lensPanelFilters type: array x-oas-optional: true Kibana_HTTP_APIs_lensResponseItem: additionalProperties: false properties: data: $ref: '#/components/schemas/Kibana_HTTP_APIs_lensApiConfigNoESQL' id: type: string meta: $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-meta' required: - id - data - meta title: Visualization Response type: object Kibana_HTTP_APIs_logs-alert-document-count-create-rule-body-alerting: additionalProperties: false properties: actions: default: [] items: additionalProperties: false description: An action that runs under defined conditions. type: object properties: alerts_filter: additionalProperties: false description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. type: object properties: query: additionalProperties: false type: object properties: dsl: description: A filter written in Elasticsearch Query Domain Specific Language (DSL). type: string filters: description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. items: additionalProperties: false type: object properties: $state: additionalProperties: false type: object properties: store: description: A filter can be either specific to an application context or applied globally. enum: - appState - globalState type: string required: - store meta: additionalProperties: {} type: object query: additionalProperties: {} type: object required: - meta type: array kql: description: A filter written in Kibana Query Language (KQL). type: string required: - kql - filters timeframe: additionalProperties: false description: Defines a period that limits whether the action runs. type: object properties: days: description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. items: enum: - 1 - 2 - 3 - 4 - 5 - 6 - 7 type: integer type: array hours: additionalProperties: false description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. type: object properties: end: description: The end of the time frame in 24-hour notation (`hh:mm`). type: string start: description: The start of the time frame in 24-hour notation (`hh:mm`). type: string required: - start - end timezone: description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. type: string required: - days - hours - timezone frequency: additionalProperties: false type: object properties: notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval type: string summary: description: Indicates whether the action is a summary. type: boolean throttle: description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - summary - notify_when - throttle group: description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. type: string id: description: The identifier for the connector saved object. type: string params: additionalProperties: {} default: {} description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. type: object use_alert_data_for_template: description: Indicates whether to use alert data as a template. type: boolean uuid: description: A universally unique identifier (UUID) for the action. type: string required: - id type: array alert_delay: additionalProperties: false description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. type: object properties: active: description: The number of consecutive runs that must meet the rule conditions. type: number required: - active artifacts: additionalProperties: false type: object properties: dashboards: items: additionalProperties: false type: object properties: id: type: string required: - id maxItems: 10 type: array investigation_guide: additionalProperties: false type: object properties: blob: maxLength: 10000 type: string required: - blob consumer: description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' type: string enabled: default: true description: Indicates whether you want to run the rule on an interval basis after it is created. type: boolean flapping: additionalProperties: false description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. nullable: true type: object properties: enabled: description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. type: boolean look_back_window: description: The minimum number of runs in which the threshold must be met. maximum: 20 minimum: 2 type: number status_change_threshold: description: The minimum number of times an alert must switch states in the look back window. maximum: 20 minimum: 2 type: number required: - look_back_window - status_change_threshold name: description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. type: string notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval nullable: true type: string params: anyOf: - additionalProperties: false type: object properties: count: additionalProperties: false type: object properties: comparator: enum: - more than - more than or equals - less than - less than or equals - equals - does not equal - matches - does not match - matches phrase - does not match phrase type: string value: type: number required: - comparator - value criteria: items: additionalProperties: false type: object properties: comparator: enum: - more than - more than or equals - less than - less than or equals - equals - does not equal - matches - does not match - matches phrase - does not match phrase type: string field: type: string value: anyOf: - type: string - type: number required: - field - comparator - value type: array groupBy: items: type: string type: array logView: additionalProperties: false type: object properties: logViewId: type: string type: enum: - log-view-reference type: string required: - logViewId - type timeSize: type: number timeUnit: enum: - s - m - h - d type: string required: - criteria - count - timeUnit - timeSize - logView - additionalProperties: false type: object properties: count: additionalProperties: false type: object properties: comparator: enum: - more than - more than or equals - less than - less than or equals - equals - does not equal - matches - does not match - matches phrase - does not match phrase type: string value: type: number required: - comparator - value criteria: items: items: additionalProperties: false type: object properties: comparator: enum: - more than - more than or equals - less than - less than or equals - equals - does not equal - matches - does not match - matches phrase - does not match phrase type: string field: type: string value: anyOf: - type: string - type: number required: - field - comparator - value type: array type: array groupBy: items: type: string type: array logView: additionalProperties: false type: object properties: logViewId: type: string type: enum: - log-view-reference type: string required: - logViewId - type timeSize: type: number timeUnit: enum: - s - m - h - d type: string required: - criteria - count - timeUnit - timeSize - logView description: The parameters for the log threshold rule. These parameters are appropriate when `rule_type_id` is `logs.alert.document.count`. title: Log Threshold Rule Params rule_type_id: enum: - logs.alert.document.count type: string schedule: additionalProperties: false description: The check interval, which specifies how frequently the rule conditions are checked. type: object properties: interval: description: The interval is specified in seconds, minutes, hours, or days. type: string required: - interval tags: default: [] description: The tags for the rule. items: type: string type: array throttle: description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - name - consumer - schedule - rule_type_id - params title: Log threshold type: object Kibana_HTTP_APIs_metricBarBackgroundChart: additionalProperties: false description: Bar chart shown as background context behind the primary metric value. properties: max_value: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' - $ref: '#/components/schemas/Kibana_HTTP_APIs_differencesOperation' - $ref: '#/components/schemas/Kibana_HTTP_APIs_movingAverageOperation' - $ref: '#/components/schemas/Kibana_HTTP_APIs_cumulativeSumOperation' - $ref: '#/components/schemas/Kibana_HTTP_APIs_counterRateOperation' - $ref: '#/components/schemas/Kibana_HTTP_APIs_countMetricOperation' - $ref: '#/components/schemas/Kibana_HTTP_APIs_uniqueCountMetricOperation' - $ref: '#/components/schemas/Kibana_HTTP_APIs_lastValueOperation' - $ref: '#/components/schemas/Kibana_HTTP_APIs_percentileOperation' - $ref: '#/components/schemas/Kibana_HTTP_APIs_percentileRanksOperation' description: Metric dimension configuration, supporting field-based aggregations (count, sum, average, median, standard deviation, unique count, last value), percentile operations, time-series operations (differences, moving average, cumulative sum, counter rate), and mathematical formulas. title: Metric Operation orientation: $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_simple_orientation' type: enum: - bar type: string required: - type - orientation - max_value title: Bar Background Chart type: object Kibana_HTTP_APIs_metricBreakdownDateHistogram: additionalProperties: false properties: collapse_by: $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' columns: default: 3 description: Number of columns. type: number drop_partial_intervals: description: When `true`, drops partial intervals from the results. type: boolean field: description: Field to be used for the date histogram. type: string include_empty_rows: default: true description: When `true`, includes empty rows in the results. type: boolean label: description: Label for the operation type: string operation: enum: - date_histogram type: string suggested_interval: default: auto description: Suggested time interval. type: string use_original_time_range: default: false description: When `true`, uses the original time range instead of the current query time range. type: boolean required: - operation - field - collapse_by title: Date Histogram Operation type: object Kibana_HTTP_APIs_metricBreakdownFilters: additionalProperties: false properties: collapse_by: $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' columns: default: 3 description: Number of columns. type: number filters: items: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterWithLabel' maxItems: 100 type: array label: description: Label for the operation type: string operation: enum: - filters type: string required: - operation - filters - collapse_by title: Filters Operation type: object Kibana_HTTP_APIs_metricBreakdownHistogram: additionalProperties: false properties: collapse_by: $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' columns: default: 3 description: Number of columns. type: number field: description: Field to be used for the histogram. type: string format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' granularity: anyOf: - description: Granularity of the histogram. maximum: 7 minimum: 1 type: number - enum: - auto type: string default: auto include_empty_rows: default: true description: When `true`, includes empty rows in the results. type: boolean label: description: Label for the operation type: string operation: enum: - histogram type: string required: - operation - format - field - collapse_by title: Histogram Operation type: object Kibana_HTTP_APIs_metricBreakdownRanges: additionalProperties: false properties: collapse_by: $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' columns: default: 3 description: Number of columns. type: number field: description: Field to be used for the range. type: string format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - range type: string ranges: items: additionalProperties: false type: object properties: gt: description: Greater than. type: number label: description: Label. type: string lte: description: Less than or equal to. type: number maxItems: 100 type: array required: - operation - format - field - ranges - collapse_by title: Ranges Operation type: object Kibana_HTTP_APIs_metricBreakdownTerms: additionalProperties: false properties: collapse_by: $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' columns: default: 3 description: Number of columns. type: number excludes: additionalProperties: false type: object properties: as_regex: description: When `true`, treats the values as regular expressions. type: boolean values: items: description: Values to exclude. type: string maxItems: 100 type: array required: - values fields: items: description: Fields to be used for the terms. type: string maxItems: 4 minItems: 1 type: array format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' includes: additionalProperties: false type: object properties: as_regex: description: When `true`, treats the values as regular expressions. type: boolean values: items: description: Values to include. type: string maxItems: 100 type: array required: - values increase_accuracy: description: When `true`, increases accuracy at the cost of performance. type: boolean label: description: Label for the operation type: string limit: default: 5 description: Number of terms to return. type: number operation: enum: - terms type: string other_bucket: additionalProperties: false type: object properties: include_documents_without_field: description: When `true`, includes documents that do not have the specified field. type: boolean required: - include_documents_without_field rank_by: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByAlphabetical' - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByRare' - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankBySignificant' - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByMetric' - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomOperation' - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomCountOperation' - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileOperation' - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileRankOperation' required: - operation - format - fields - collapse_by title: Terms Operation type: object Kibana_HTTP_APIs_metricCompareToBaseline: additionalProperties: false properties: baseline: default: 0 description: Baseline value. type: number icon: description: When `true`, displays the icon for the secondary value. type: boolean palette: description: 'Color palette name. Accepted values: ''default'', ''elastic_line_optimized'', ''severity'', ''eui_amsterdam'', ''kibana_v7_legacy'', ''elastic_brand_2023''. Defaults to `default`.' type: string to: enum: - baseline type: string value: description: When `true`, displays the secondary value. type: boolean required: - to title: Compare To Baseline type: object Kibana_HTTP_APIs_metricCompareToPrimary: additionalProperties: false properties: icon: description: When `true`, displays the icon for the secondary value. type: boolean palette: description: 'Color palette name. Accepted values: ''default'', ''elastic_line_optimized'', ''severity'', ''eui_amsterdam'', ''kibana_v7_legacy'', ''elastic_brand_2023''. Defaults to `default`.' type: string to: enum: - primary type: string value: description: When `true`, displays the secondary value. type: boolean required: - to title: Compare To Primary type: object Kibana_HTTP_APIs_metricComplementaryBar: additionalProperties: false properties: max_value: additionalProperties: false type: object properties: column: description: Column to use type: string label: description: Label for the operation type: string required: - column orientation: $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_simple_orientation' type: enum: - bar type: string required: - type - orientation - max_value title: Complementary Bar type: object x-oas-optional: true Kibana_HTTP_APIs_metricComplementaryViz: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricBarBackgroundChart' - additionalProperties: false type: object properties: type: enum: - trend type: string required: - type description: Secondary visualization displayed behind the primary metric value, either a bar chart (with optional max value) or a trend line. title: Complementary Visualization x-oas-optional: true Kibana_HTTP_APIs_metricESQL: additionalProperties: false description: Metric chart configuration for ES|QL queries properties: breakdown_by: additionalProperties: false type: object properties: collapse_by: $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' column: description: Column to use type: string columns: default: 3 description: Number of columns. type: number format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string required: - column - format - collapse_by data_source: $ref: '#/components/schemas/Kibana_HTTP_APIs_esqlDataSource' description: type: string drilldowns: items: anyOf: - additionalProperties: false properties: dashboard_id: type: string label: type: string open_in_new_tab: default: false description: When enabled, the dashboard opens in a new browser tab. type: boolean trigger: enum: - on_apply_filter type: string type: enum: - dashboard_drilldown type: string use_filters: default: true description: When enabled, filters are passed to the opening dashboard. type: boolean use_time_range: default: true description: When enabled, time range is passed to the opening dashboard. type: boolean required: - dashboard_id - label - trigger - type title: dashboard_drilldown type: object - additionalProperties: false properties: label: type: string open_in_new_tab: default: true type: boolean trigger: enum: - on_apply_filter type: string type: enum: - discover_drilldown type: string required: - label - trigger - type title: discover_drilldown type: object - additionalProperties: false properties: encode_url: default: true description: When true, URL is escaped using percent encoding type: boolean label: type: string open_in_new_tab: default: true type: boolean trigger: enum: - on_click_row - on_click_value - on_open_panel_menu - on_select_range type: string type: enum: - url_drilldown type: string url: description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable type: string required: - url - label - trigger - type title: url_drilldown type: object maxItems: 100 type: array filters: $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' hide_border: type: boolean hide_title: type: boolean ignore_global_filters: default: false description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. type: boolean metrics: description: Metric dimensions to display. The first must be a primary metric; an optional second must be a secondary metric. items: anyOf: - additionalProperties: false type: object properties: apply_color_to: description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' enum: - value - background type: string background_chart: $ref: '#/components/schemas/Kibana_HTTP_APIs_metricComplementaryBar' color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' description: Color configuration for the primary metric value or background. column: description: Column to use type: string format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string subtitle: description: Subtitle below the primary metric value. type: string type: enum: - primary type: string required: - column - format - type - background_chart - additionalProperties: false type: object properties: color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' column: description: Column to use type: string compare: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToBaseline' - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToPrimary' description: Compare the secondary metric to a baseline value or to the primary metric. format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string type: enum: - secondary type: string required: - column - format - type maxItems: 2 minItems: 1 type: array references: items: $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' type: array sampling: default: 1 description: Sampling factor between 0 (no sampling) and 1 (full sampling). maximum: 1 minimum: 0 type: number styling: $ref: '#/components/schemas/Kibana_HTTP_APIs_metricStyling' time_range: $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' title: type: string type: enum: - metric type: string required: - type - filters - data_source - styling - metrics - time_range title: Metric Chart (ES|QL) type: object Kibana_HTTP_APIs_metricIconConfig: additionalProperties: false description: Icon configuration for the metric chart properties: alignment: description: 'Icon alignment. Accepted values: `left`, `right`. Defaults to `right`.' enum: - left - right type: string name: description: Icon name enum: - alert - asterisk - bell - bolt - bug - compute - editor_comment - flag - globe - heart - map_marker - pin - sort_down - sort_up - star_empty - tag - temperature type: string required: - name title: Icon Configuration type: object x-oas-optional: true Kibana_HTTP_APIs_metricNoESQL: additionalProperties: false description: Metric chart configuration for standard queries properties: breakdown_by: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricBreakdownDateHistogram' - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricBreakdownTerms' - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricBreakdownHistogram' - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricBreakdownRanges' - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricBreakdownFilters' data_source: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-reference-schema' - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-spec-schema' description: type: string drilldowns: items: anyOf: - additionalProperties: false properties: dashboard_id: type: string label: type: string open_in_new_tab: default: false description: When enabled, the dashboard opens in a new browser tab. type: boolean trigger: enum: - on_apply_filter type: string type: enum: - dashboard_drilldown type: string use_filters: default: true description: When enabled, filters are passed to the opening dashboard. type: boolean use_time_range: default: true description: When enabled, time range is passed to the opening dashboard. type: boolean required: - dashboard_id - label - trigger - type title: dashboard_drilldown type: object - additionalProperties: false properties: label: type: string open_in_new_tab: default: true type: boolean trigger: enum: - on_apply_filter type: string type: enum: - discover_drilldown type: string required: - label - trigger - type title: discover_drilldown type: object - additionalProperties: false properties: encode_url: default: true description: When true, URL is escaped using percent encoding type: boolean label: type: string open_in_new_tab: default: true type: boolean trigger: enum: - on_click_row - on_click_value - on_open_panel_menu - on_select_range type: string type: enum: - url_drilldown type: string url: description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable type: string required: - url - label - trigger - type title: url_drilldown type: object maxItems: 100 type: array filters: $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' hide_border: type: boolean hide_title: type: boolean ignore_global_filters: default: false description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. type: boolean metrics: description: Metric dimensions to display. The first must be a primary metric; an optional second must be a secondary metric. items: anyOf: - anyOf: - anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricPrimaryCountMetric' - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricPrimaryUniqueCountMetric' - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricPrimaryStatsMetric' - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricPrimarySumMetric' - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricPrimaryLastValue' - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricPrimaryPercentile' - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricPrimaryPercentileRanks' - anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricPrimaryDifferences' - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricPrimaryMovingAverage' - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricPrimaryCumulativeSum' - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricPrimaryCounterRate' - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricPrimaryFormula' - anyOf: - anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricSecondaryCountMetric' - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricSecondaryUniqueCountMetric' - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricSecondaryStatsMetric' - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricSecondarySumMetric' - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricSecondaryLastValue' - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricSecondaryPercentile' - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricSecondaryPercentileRanks' - anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricSecondaryDifferences' - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricSecondaryMovingAverage' - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricSecondaryCumulativeSum' - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricSecondaryCounterRate' - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricSecondaryFormula' maxItems: 2 minItems: 1 type: array query: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' references: items: $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' type: array sampling: default: 1 description: Sampling factor between 0 (no sampling) and 1 (full sampling). maximum: 1 minimum: 0 type: number styling: $ref: '#/components/schemas/Kibana_HTTP_APIs_metricStyling' time_range: $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' title: type: string type: enum: - metric type: string required: - type - filters - query - data_source - styling - metrics - time_range title: Metric Chart (DSL) type: object Kibana_HTTP_APIs_metricPrimaryCounterRate: additionalProperties: false properties: apply_color_to: description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' enum: - value - background type: string background_chart: $ref: '#/components/schemas/Kibana_HTTP_APIs_metricComplementaryViz' color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' description: Color configuration for the primary metric value or background. field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - counter_rate type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string subtitle: description: Subtitle below the primary metric value. type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string type: enum: - primary type: string required: - format - filter - time_scale - field - operation - type - background_chart title: Counter Rate Operation type: object Kibana_HTTP_APIs_metricPrimaryCountMetric: additionalProperties: false properties: apply_color_to: description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' enum: - value - background type: string background_chart: $ref: '#/components/schemas/Kibana_HTTP_APIs_metricComplementaryViz' color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' description: Color configuration for the primary metric value or background. empty_as_null: default: false description: When `true`, treats empty buckets as null instead of zero. type: boolean field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - count type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string subtitle: description: Subtitle below the primary metric value. type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string type: enum: - primary type: string required: - format - filter - time_scale - operation - type - background_chart title: Count Metric Operation type: object Kibana_HTTP_APIs_metricPrimaryCumulativeSum: additionalProperties: false properties: apply_color_to: description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' enum: - value - background type: string background_chart: $ref: '#/components/schemas/Kibana_HTTP_APIs_metricComplementaryViz' color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' description: Color configuration for the primary metric value or background. field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - cumulative_sum type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string subtitle: description: Subtitle below the primary metric value. type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string type: enum: - primary type: string required: - format - filter - time_scale - field - operation - type - background_chart title: Cumulative Sum Operation type: object Kibana_HTTP_APIs_metricPrimaryDifferences: additionalProperties: false properties: apply_color_to: description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' enum: - value - background type: string background_chart: $ref: '#/components/schemas/Kibana_HTTP_APIs_metricComplementaryViz' color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' description: Color configuration for the primary metric value or background. filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string of: $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' operation: enum: - differences type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string subtitle: description: Subtitle below the primary metric value. type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string type: enum: - primary type: string required: - format - filter - time_scale - operation - of - type - background_chart title: Differences Operation type: object Kibana_HTTP_APIs_metricPrimaryFormula: additionalProperties: false properties: apply_color_to: description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' enum: - value - background type: string background_chart: $ref: '#/components/schemas/Kibana_HTTP_APIs_metricComplementaryViz' color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' description: Color configuration for the primary metric value or background. filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' formula: description: Formula type: string label: description: Label for the operation type: string operation: enum: - formula type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string subtitle: description: Subtitle below the primary metric value. type: string time_scale: description: Time scale enum: - s - m - h - d type: string type: enum: - primary type: string required: - format - operation - formula - filter - type - background_chart title: Formula Operation type: object Kibana_HTTP_APIs_metricPrimaryLastValue: additionalProperties: false properties: apply_color_to: description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' enum: - value - background type: string background_chart: $ref: '#/components/schemas/Kibana_HTTP_APIs_metricComplementaryViz' color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' description: Color configuration for the primary metric value or background. field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string multi_value: default: false description: Whether to return all values for multi-value fields. Only affects data table and metric charts; other charts use the last value from the array. type: boolean operation: enum: - last_value type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string subtitle: description: Subtitle below the primary metric value. type: string time_field: description: Time field used to determine document recency type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string type: enum: - primary type: string required: - format - filter - time_scale - field - operation - time_field - type - background_chart title: Last Value Operation type: object Kibana_HTTP_APIs_metricPrimaryMovingAverage: additionalProperties: false properties: apply_color_to: description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' enum: - value - background type: string background_chart: $ref: '#/components/schemas/Kibana_HTTP_APIs_metricComplementaryViz' color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' description: Color configuration for the primary metric value or background. filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string of: $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' operation: enum: - moving_average type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string subtitle: description: Subtitle below the primary metric value. type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string type: enum: - primary type: string window: default: 5 description: Window type: number required: - format - filter - time_scale - operation - of - type - background_chart title: Moving Average Operation type: object Kibana_HTTP_APIs_metricPrimaryPercentile: additionalProperties: false properties: apply_color_to: description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' enum: - value - background type: string background_chart: $ref: '#/components/schemas/Kibana_HTTP_APIs_metricComplementaryViz' color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' description: Color configuration for the primary metric value or background. field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - percentile type: string percentile: default: 95 description: Percentile type: number reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string subtitle: description: Subtitle below the primary metric value. type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string type: enum: - primary type: string required: - format - filter - time_scale - field - operation - type - background_chart title: Percentile Operation type: object Kibana_HTTP_APIs_metricPrimaryPercentileRanks: additionalProperties: false properties: apply_color_to: description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' enum: - value - background type: string background_chart: $ref: '#/components/schemas/Kibana_HTTP_APIs_metricComplementaryViz' color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' description: Color configuration for the primary metric value or background. field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - percentile_rank type: string rank: default: 0 description: Percentile Rank type: number reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string subtitle: description: Subtitle below the primary metric value. type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string type: enum: - primary type: string required: - format - filter - time_scale - field - operation - type - background_chart title: Percentile Ranks Operation type: object Kibana_HTTP_APIs_metricPrimaryStatsMetric: additionalProperties: false properties: apply_color_to: description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' enum: - value - background type: string background_chart: $ref: '#/components/schemas/Kibana_HTTP_APIs_metricComplementaryViz' color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' description: Color configuration for the primary metric value or background. field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - min - max - average - median - standard_deviation type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string subtitle: description: Subtitle below the primary metric value. type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string type: enum: - primary type: string required: - format - filter - time_scale - field - operation - type - background_chart title: Stats Metric Operation type: object Kibana_HTTP_APIs_metricPrimarySumMetric: additionalProperties: false properties: apply_color_to: description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' enum: - value - background type: string background_chart: $ref: '#/components/schemas/Kibana_HTTP_APIs_metricComplementaryViz' color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' description: Color configuration for the primary metric value or background. empty_as_null: default: false description: When `true`, treats empty buckets as null instead of zero. type: boolean field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - sum type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string subtitle: description: Subtitle below the primary metric value. type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string type: enum: - primary type: string required: - format - filter - time_scale - field - operation - type - background_chart title: Sum Metric Operation type: object Kibana_HTTP_APIs_metricPrimaryUniqueCountMetric: additionalProperties: false properties: apply_color_to: description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' enum: - value - background type: string background_chart: $ref: '#/components/schemas/Kibana_HTTP_APIs_metricComplementaryViz' color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' description: Color configuration for the primary metric value or background. empty_as_null: default: false description: When `true`, treats empty buckets as null instead of zero. type: boolean field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - unique_count type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string subtitle: description: Subtitle below the primary metric value. type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string type: enum: - primary type: string required: - format - filter - time_scale - field - operation - type - background_chart title: Unique Count Metric Operation type: object Kibana_HTTP_APIs_metrics-alert-inventory-threshold-create-rule-body-alerting: additionalProperties: false properties: actions: default: [] items: additionalProperties: false description: An action that runs under defined conditions. type: object properties: alerts_filter: additionalProperties: false description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. type: object properties: query: additionalProperties: false type: object properties: dsl: description: A filter written in Elasticsearch Query Domain Specific Language (DSL). type: string filters: description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. items: additionalProperties: false type: object properties: $state: additionalProperties: false type: object properties: store: description: A filter can be either specific to an application context or applied globally. enum: - appState - globalState type: string required: - store meta: additionalProperties: {} type: object query: additionalProperties: {} type: object required: - meta type: array kql: description: A filter written in Kibana Query Language (KQL). type: string required: - kql - filters timeframe: additionalProperties: false description: Defines a period that limits whether the action runs. type: object properties: days: description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. items: enum: - 1 - 2 - 3 - 4 - 5 - 6 - 7 type: integer type: array hours: additionalProperties: false description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. type: object properties: end: description: The end of the time frame in 24-hour notation (`hh:mm`). type: string start: description: The start of the time frame in 24-hour notation (`hh:mm`). type: string required: - start - end timezone: description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. type: string required: - days - hours - timezone frequency: additionalProperties: false type: object properties: notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval type: string summary: description: Indicates whether the action is a summary. type: boolean throttle: description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - summary - notify_when - throttle group: description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. type: string id: description: The identifier for the connector saved object. type: string params: additionalProperties: {} default: {} description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. type: object use_alert_data_for_template: description: Indicates whether to use alert data as a template. type: boolean uuid: description: A universally unique identifier (UUID) for the action. type: string required: - id type: array alert_delay: additionalProperties: false description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. type: object properties: active: description: The number of consecutive runs that must meet the rule conditions. type: number required: - active artifacts: additionalProperties: false type: object properties: dashboards: items: additionalProperties: false type: object properties: id: type: string required: - id maxItems: 10 type: array investigation_guide: additionalProperties: false type: object properties: blob: maxLength: 10000 type: string required: - blob consumer: description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' type: string enabled: default: true description: Indicates whether you want to run the rule on an interval basis after it is created. type: boolean flapping: additionalProperties: false description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. nullable: true type: object properties: enabled: description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. type: boolean look_back_window: description: The minimum number of runs in which the threshold must be met. maximum: 20 minimum: 2 type: number status_change_threshold: description: The minimum number of times an alert must switch states in the look back window. maximum: 20 minimum: 2 type: number required: - look_back_window - status_change_threshold name: description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. type: string notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval nullable: true type: string params: additionalProperties: true description: The parameters for the metric inventory threshold rule. These parameters are appropriate when `rule_type_id` is `metrics.alert.inventory.threshold`. properties: alertOnNoData: type: boolean criteria: items: additionalProperties: false type: object properties: comparator: type: string customMetric: additionalProperties: false type: object properties: aggregation: type: string field: type: string id: type: string label: type: string type: enum: - custom type: string required: - type - id - field - aggregation metric: type: string threshold: items: type: number type: array timeSize: type: number timeUnit: type: string warningComparator: type: string warningThreshold: items: type: number type: array required: - threshold - comparator - timeUnit - timeSize - metric type: array filterQuery: type: string nodeType: type: string schema: type: string sourceId: type: string required: - criteria - nodeType - sourceId title: Metric Inventory Threshold Rule Params type: object rule_type_id: enum: - metrics.alert.inventory.threshold type: string schedule: additionalProperties: false description: The check interval, which specifies how frequently the rule conditions are checked. type: object properties: interval: description: The interval is specified in seconds, minutes, hours, or days. type: string required: - interval tags: default: [] description: The tags for the rule. items: type: string type: array throttle: description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - name - consumer - schedule - rule_type_id - params title: Metric inventory threshold type: object Kibana_HTTP_APIs_metrics-alert-threshold-create-rule-body-alerting: additionalProperties: false properties: actions: default: [] items: additionalProperties: false description: An action that runs under defined conditions. type: object properties: alerts_filter: additionalProperties: false description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. type: object properties: query: additionalProperties: false type: object properties: dsl: description: A filter written in Elasticsearch Query Domain Specific Language (DSL). type: string filters: description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. items: additionalProperties: false type: object properties: $state: additionalProperties: false type: object properties: store: description: A filter can be either specific to an application context or applied globally. enum: - appState - globalState type: string required: - store meta: additionalProperties: {} type: object query: additionalProperties: {} type: object required: - meta type: array kql: description: A filter written in Kibana Query Language (KQL). type: string required: - kql - filters timeframe: additionalProperties: false description: Defines a period that limits whether the action runs. type: object properties: days: description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. items: enum: - 1 - 2 - 3 - 4 - 5 - 6 - 7 type: integer type: array hours: additionalProperties: false description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. type: object properties: end: description: The end of the time frame in 24-hour notation (`hh:mm`). type: string start: description: The start of the time frame in 24-hour notation (`hh:mm`). type: string required: - start - end timezone: description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. type: string required: - days - hours - timezone frequency: additionalProperties: false type: object properties: notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval type: string summary: description: Indicates whether the action is a summary. type: boolean throttle: description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - summary - notify_when - throttle group: description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. type: string id: description: The identifier for the connector saved object. type: string params: additionalProperties: {} default: {} description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. type: object use_alert_data_for_template: description: Indicates whether to use alert data as a template. type: boolean uuid: description: A universally unique identifier (UUID) for the action. type: string required: - id type: array alert_delay: additionalProperties: false description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. type: object properties: active: description: The number of consecutive runs that must meet the rule conditions. type: number required: - active artifacts: additionalProperties: false type: object properties: dashboards: items: additionalProperties: false type: object properties: id: type: string required: - id maxItems: 10 type: array investigation_guide: additionalProperties: false type: object properties: blob: maxLength: 10000 type: string required: - blob consumer: description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' type: string enabled: default: true description: Indicates whether you want to run the rule on an interval basis after it is created. type: boolean flapping: additionalProperties: false description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. nullable: true type: object properties: enabled: description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. type: boolean look_back_window: description: The minimum number of runs in which the threshold must be met. maximum: 20 minimum: 2 type: number status_change_threshold: description: The minimum number of times an alert must switch states in the look back window. maximum: 20 minimum: 2 type: number required: - look_back_window - status_change_threshold name: description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. type: string notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval nullable: true type: string params: additionalProperties: true description: The parameters for the metric threshold rule. These parameters are appropriate when `rule_type_id` is `metrics.alert.threshold`. properties: alertOnGroupDisappear: description: If true, an alert occurs if a group that previously reported metrics does not report them again over the expected time period. This check is not recommended for dynamically scaling infrastructures that might rapidly start and stop nodes automatically. type: boolean alertOnNoData: description: If true, an alert occurs if the metrics do not report any data over the expected period or if the query fails. type: boolean criteria: items: anyOf: - additionalProperties: false type: object properties: aggType: enum: - count type: string comparator: type: string threshold: description: The threshold value that is used with the `comparator`. If the `comparator` is `between`, you must specify the boundary values. items: type: number type: array timeSize: description: The size of the time window (in `timeUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection. type: number timeUnit: description: 'The type of units for the time window: seconds, minutes, hours, or days.' type: string warningComparator: type: string warningThreshold: items: description: The threshold value that is used with the `warningComparator`. If the `warningComparator` is `between`, you must specify the boundary values. type: number type: array required: - threshold - comparator - timeUnit - timeSize - aggType - additionalProperties: false type: object properties: aggType: type: string comparator: type: string metric: type: string threshold: description: The threshold value that is used with the `comparator`. If the `comparator` is `between`, you must specify the boundary values. items: type: number type: array timeSize: description: The size of the time window (in `timeUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection. type: number timeUnit: description: 'The type of units for the time window: seconds, minutes, hours, or days.' type: string warningComparator: type: string warningThreshold: items: description: The threshold value that is used with the `warningComparator`. If the `warningComparator` is `between`, you must specify the boundary values. type: number type: array required: - threshold - comparator - timeUnit - timeSize - metric - aggType - additionalProperties: false type: object properties: aggType: enum: - custom type: string comparator: type: string customMetrics: items: anyOf: - additionalProperties: false type: object properties: aggType: type: string field: type: string name: type: string required: - name - aggType - field - additionalProperties: false type: object properties: aggType: enum: - count type: string filter: type: string name: type: string required: - name - aggType type: array equation: type: string label: type: string threshold: description: The threshold value that is used with the `comparator`. If the `comparator` is `between`, you must specify the boundary values. items: type: number type: array timeSize: description: The size of the time window (in `timeUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection. type: number timeUnit: description: 'The type of units for the time window: seconds, minutes, hours, or days.' type: string warningComparator: type: string warningThreshold: items: description: The threshold value that is used with the `warningComparator`. If the `warningComparator` is `between`, you must specify the boundary values. type: number type: array required: - threshold - comparator - timeUnit - timeSize - aggType - customMetrics type: array filterQuery: description: A query that limits the scope of the rule. The rule evaluates only metric data that matches the query. type: string groupBy: anyOf: - type: string - items: type: string type: array description: 'Create an alert for every unique value of the specified fields. For example, you can create a rule per host or every mount point of each host. IMPORTANT: If you include the same field in both the `filterQuery` and `groupBy`, you might receive fewer results than you expect. For example, if you filter by `cloud.region: us-east`, grouping by `cloud.region` will have no effect because the filter query can match only one region.' sourceId: type: string required: - criteria - sourceId title: Metric Threshold Rule Params type: object rule_type_id: enum: - metrics.alert.threshold type: string schedule: additionalProperties: false description: The check interval, which specifies how frequently the rule conditions are checked. type: object properties: interval: description: The interval is specified in seconds, minutes, hours, or days. type: string required: - interval tags: default: [] description: The tags for the rule. items: type: string type: array throttle: description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - name - consumer - schedule - rule_type_id - params title: Metric threshold type: object Kibana_HTTP_APIs_metricSecondaryCounterRate: additionalProperties: false properties: color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' compare: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToBaseline' - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToPrimary' description: Compare the secondary metric to a baseline value or to the primary metric. field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - counter_rate type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string type: enum: - secondary type: string required: - format - filter - time_scale - field - operation - type title: Counter Rate Operation type: object Kibana_HTTP_APIs_metricSecondaryCountMetric: additionalProperties: false properties: color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' compare: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToBaseline' - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToPrimary' description: Compare the secondary metric to a baseline value or to the primary metric. empty_as_null: default: false description: When `true`, treats empty buckets as null instead of zero. type: boolean field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - count type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string type: enum: - secondary type: string required: - format - filter - time_scale - operation - type title: Count Metric Operation type: object Kibana_HTTP_APIs_metricSecondaryCumulativeSum: additionalProperties: false properties: color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' compare: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToBaseline' - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToPrimary' description: Compare the secondary metric to a baseline value or to the primary metric. field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - cumulative_sum type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string type: enum: - secondary type: string required: - format - filter - time_scale - field - operation - type title: Cumulative Sum Operation type: object Kibana_HTTP_APIs_metricSecondaryDifferences: additionalProperties: false properties: color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' compare: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToBaseline' - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToPrimary' description: Compare the secondary metric to a baseline value or to the primary metric. filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string of: $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' operation: enum: - differences type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string type: enum: - secondary type: string required: - format - filter - time_scale - operation - of - type title: Differences Operation type: object Kibana_HTTP_APIs_metricSecondaryFormula: additionalProperties: false properties: color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' compare: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToBaseline' - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToPrimary' description: Compare the secondary metric to a baseline value or to the primary metric. filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' formula: description: Formula type: string label: description: Label for the operation type: string operation: enum: - formula type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: description: Time scale enum: - s - m - h - d type: string type: enum: - secondary type: string required: - format - operation - formula - filter - type title: Formula Operation type: object Kibana_HTTP_APIs_metricSecondaryLastValue: additionalProperties: false properties: color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' compare: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToBaseline' - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToPrimary' description: Compare the secondary metric to a baseline value or to the primary metric. field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string multi_value: default: false description: Whether to return all values for multi-value fields. Only affects data table and metric charts; other charts use the last value from the array. type: boolean operation: enum: - last_value type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_field: description: Time field used to determine document recency type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string type: enum: - secondary type: string required: - format - filter - time_scale - field - operation - time_field - type title: Last Value Operation type: object Kibana_HTTP_APIs_metricSecondaryMovingAverage: additionalProperties: false properties: color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' compare: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToBaseline' - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToPrimary' description: Compare the secondary metric to a baseline value or to the primary metric. filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string of: $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' operation: enum: - moving_average type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string type: enum: - secondary type: string window: default: 5 description: Window type: number required: - format - filter - time_scale - operation - of - type title: Moving Average Operation type: object Kibana_HTTP_APIs_metricSecondaryPercentile: additionalProperties: false properties: color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' compare: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToBaseline' - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToPrimary' description: Compare the secondary metric to a baseline value or to the primary metric. field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - percentile type: string percentile: default: 95 description: Percentile type: number reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string type: enum: - secondary type: string required: - format - filter - time_scale - field - operation - type title: Percentile Operation type: object Kibana_HTTP_APIs_metricSecondaryPercentileRanks: additionalProperties: false properties: color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' compare: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToBaseline' - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToPrimary' description: Compare the secondary metric to a baseline value or to the primary metric. field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - percentile_rank type: string rank: default: 0 description: Percentile Rank type: number reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string type: enum: - secondary type: string required: - format - filter - time_scale - field - operation - type title: Percentile Ranks Operation type: object Kibana_HTTP_APIs_metricSecondaryStatsMetric: additionalProperties: false properties: color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' compare: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToBaseline' - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToPrimary' description: Compare the secondary metric to a baseline value or to the primary metric. field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - min - max - average - median - standard_deviation type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string type: enum: - secondary type: string required: - format - filter - time_scale - field - operation - type title: Stats Metric Operation type: object Kibana_HTTP_APIs_metricSecondarySumMetric: additionalProperties: false properties: color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' compare: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToBaseline' - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToPrimary' description: Compare the secondary metric to a baseline value or to the primary metric. empty_as_null: default: false description: When `true`, treats empty buckets as null instead of zero. type: boolean field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - sum type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string type: enum: - secondary type: string required: - format - filter - time_scale - field - operation - type title: Sum Metric Operation type: object Kibana_HTTP_APIs_metricSecondaryUniqueCountMetric: additionalProperties: false properties: color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' compare: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToBaseline' - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToPrimary' description: Compare the secondary metric to a baseline value or to the primary metric. empty_as_null: default: false description: When `true`, treats empty buckets as null instead of zero. type: boolean field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - unique_count type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string type: enum: - secondary type: string required: - format - filter - time_scale - field - operation - type title: Unique Count Metric Operation type: object Kibana_HTTP_APIs_metricStyling: additionalProperties: false description: Visual chart styling options properties: icon: $ref: '#/components/schemas/Kibana_HTTP_APIs_metricIconConfig' primary: additionalProperties: false type: object properties: labels: additionalProperties: false description: Labels (title and subtitle) configuration type: object properties: alignment: description: 'Horizontal alignment for the title and subtitle text. Accepted values: `left`, `center`, `right`. Defaults to `left`.' enum: - left - center - right type: string position: description: Position of the primary metric value (top, middle, or bottom). enum: - top - middle - bottom type: string value: additionalProperties: false description: Primary metric value configuration type: object properties: alignment: description: 'Alignment for the primary metric value. Accepted values: `left`, `center`, `right`. Defaults to `right`.' enum: - left - center - right type: string sizing: description: Controls how the primary value text is sized within the panel. 'auto' selects a font size from predefined breakpoints based on panel height, then shrinks if the text overflows horizontally. 'fill' scales the text to be as large as possible, filling all available space. enum: - auto - fill type: string secondary: additionalProperties: false type: object properties: label: additionalProperties: false type: object properties: placement: description: Label placement relative to the secondary metric value (before or after). enum: - before - after type: string visible: description: When `true`, displays the label. type: boolean value: additionalProperties: false description: Secondary metric value configuration type: object properties: alignment: description: 'Alignment for secondary values. Accepted values: `left`, `center`, `right`. Defaults to `right`.' enum: - left - center - right type: string required: - icon title: metricStyling type: object x-oas-optional: true Kibana_HTTP_APIs_minMaxAvgMedianStdDevMetricOperation: additionalProperties: false properties: field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - min - max - average - median - standard_deviation type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string required: - format - filter - time_scale - field - operation title: Stats Metric Operation type: object Kibana_HTTP_APIs_monitoring-alert-cluster-health-create-rule-body-alerting: additionalProperties: false properties: actions: default: [] items: additionalProperties: false description: An action that runs under defined conditions. type: object properties: alerts_filter: additionalProperties: false description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. type: object properties: query: additionalProperties: false type: object properties: dsl: description: A filter written in Elasticsearch Query Domain Specific Language (DSL). type: string filters: description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. items: additionalProperties: false type: object properties: $state: additionalProperties: false type: object properties: store: description: A filter can be either specific to an application context or applied globally. enum: - appState - globalState type: string required: - store meta: additionalProperties: {} type: object query: additionalProperties: {} type: object required: - meta type: array kql: description: A filter written in Kibana Query Language (KQL). type: string required: - kql - filters timeframe: additionalProperties: false description: Defines a period that limits whether the action runs. type: object properties: days: description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. items: enum: - 1 - 2 - 3 - 4 - 5 - 6 - 7 type: integer type: array hours: additionalProperties: false description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. type: object properties: end: description: The end of the time frame in 24-hour notation (`hh:mm`). type: string start: description: The start of the time frame in 24-hour notation (`hh:mm`). type: string required: - start - end timezone: description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. type: string required: - days - hours - timezone frequency: additionalProperties: false type: object properties: notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval type: string summary: description: Indicates whether the action is a summary. type: boolean throttle: description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - summary - notify_when - throttle group: description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. type: string id: description: The identifier for the connector saved object. type: string params: additionalProperties: {} default: {} description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. type: object use_alert_data_for_template: description: Indicates whether to use alert data as a template. type: boolean uuid: description: A universally unique identifier (UUID) for the action. type: string required: - id type: array alert_delay: additionalProperties: false description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. type: object properties: active: description: The number of consecutive runs that must meet the rule conditions. type: number required: - active artifacts: additionalProperties: false type: object properties: dashboards: items: additionalProperties: false type: object properties: id: type: string required: - id maxItems: 10 type: array investigation_guide: additionalProperties: false type: object properties: blob: maxLength: 10000 type: string required: - blob consumer: description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' type: string enabled: default: true description: Indicates whether you want to run the rule on an interval basis after it is created. type: boolean flapping: additionalProperties: false description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. nullable: true type: object properties: enabled: description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. type: boolean look_back_window: description: The minimum number of runs in which the threshold must be met. maximum: 20 minimum: 2 type: number status_change_threshold: description: The minimum number of times an alert must switch states in the look back window. maximum: 20 minimum: 2 type: number required: - look_back_window - status_change_threshold name: description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. type: string notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval nullable: true type: string params: additionalProperties: true description: The parameters for the cluster health rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_cluster_health`. properties: duration: type: string filterQuery: type: string filterQueryText: type: string limit: type: string threshold: type: number required: - duration title: Cluster Health Rule Params type: object rule_type_id: enum: - monitoring_alert_cluster_health type: string schedule: additionalProperties: false description: The check interval, which specifies how frequently the rule conditions are checked. type: object properties: interval: description: The interval is specified in seconds, minutes, hours, or days. type: string required: - interval tags: default: [] description: The tags for the rule. items: type: string type: array throttle: description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - name - consumer - schedule - rule_type_id - params title: Cluster health type: object Kibana_HTTP_APIs_monitoring-alert-cpu-usage-create-rule-body-alerting: additionalProperties: false properties: actions: default: [] items: additionalProperties: false description: An action that runs under defined conditions. type: object properties: alerts_filter: additionalProperties: false description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. type: object properties: query: additionalProperties: false type: object properties: dsl: description: A filter written in Elasticsearch Query Domain Specific Language (DSL). type: string filters: description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. items: additionalProperties: false type: object properties: $state: additionalProperties: false type: object properties: store: description: A filter can be either specific to an application context or applied globally. enum: - appState - globalState type: string required: - store meta: additionalProperties: {} type: object query: additionalProperties: {} type: object required: - meta type: array kql: description: A filter written in Kibana Query Language (KQL). type: string required: - kql - filters timeframe: additionalProperties: false description: Defines a period that limits whether the action runs. type: object properties: days: description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. items: enum: - 1 - 2 - 3 - 4 - 5 - 6 - 7 type: integer type: array hours: additionalProperties: false description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. type: object properties: end: description: The end of the time frame in 24-hour notation (`hh:mm`). type: string start: description: The start of the time frame in 24-hour notation (`hh:mm`). type: string required: - start - end timezone: description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. type: string required: - days - hours - timezone frequency: additionalProperties: false type: object properties: notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval type: string summary: description: Indicates whether the action is a summary. type: boolean throttle: description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - summary - notify_when - throttle group: description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. type: string id: description: The identifier for the connector saved object. type: string params: additionalProperties: {} default: {} description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. type: object use_alert_data_for_template: description: Indicates whether to use alert data as a template. type: boolean uuid: description: A universally unique identifier (UUID) for the action. type: string required: - id type: array alert_delay: additionalProperties: false description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. type: object properties: active: description: The number of consecutive runs that must meet the rule conditions. type: number required: - active artifacts: additionalProperties: false type: object properties: dashboards: items: additionalProperties: false type: object properties: id: type: string required: - id maxItems: 10 type: array investigation_guide: additionalProperties: false type: object properties: blob: maxLength: 10000 type: string required: - blob consumer: description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' type: string enabled: default: true description: Indicates whether you want to run the rule on an interval basis after it is created. type: boolean flapping: additionalProperties: false description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. nullable: true type: object properties: enabled: description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. type: boolean look_back_window: description: The minimum number of runs in which the threshold must be met. maximum: 20 minimum: 2 type: number status_change_threshold: description: The minimum number of times an alert must switch states in the look back window. maximum: 20 minimum: 2 type: number required: - look_back_window - status_change_threshold name: description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. type: string notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval nullable: true type: string params: additionalProperties: true description: The parameters for the CPU usage rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_cpu_usage`. properties: duration: type: string filterQuery: type: string filterQueryText: type: string limit: type: string threshold: type: number required: - duration title: CPU Usage Rule Params type: object rule_type_id: enum: - monitoring_alert_cpu_usage type: string schedule: additionalProperties: false description: The check interval, which specifies how frequently the rule conditions are checked. type: object properties: interval: description: The interval is specified in seconds, minutes, hours, or days. type: string required: - interval tags: default: [] description: The tags for the rule. items: type: string type: array throttle: description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - name - consumer - schedule - rule_type_id - params title: CPU usage type: object Kibana_HTTP_APIs_monitoring-alert-disk-usage-create-rule-body-alerting: additionalProperties: false properties: actions: default: [] items: additionalProperties: false description: An action that runs under defined conditions. type: object properties: alerts_filter: additionalProperties: false description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. type: object properties: query: additionalProperties: false type: object properties: dsl: description: A filter written in Elasticsearch Query Domain Specific Language (DSL). type: string filters: description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. items: additionalProperties: false type: object properties: $state: additionalProperties: false type: object properties: store: description: A filter can be either specific to an application context or applied globally. enum: - appState - globalState type: string required: - store meta: additionalProperties: {} type: object query: additionalProperties: {} type: object required: - meta type: array kql: description: A filter written in Kibana Query Language (KQL). type: string required: - kql - filters timeframe: additionalProperties: false description: Defines a period that limits whether the action runs. type: object properties: days: description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. items: enum: - 1 - 2 - 3 - 4 - 5 - 6 - 7 type: integer type: array hours: additionalProperties: false description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. type: object properties: end: description: The end of the time frame in 24-hour notation (`hh:mm`). type: string start: description: The start of the time frame in 24-hour notation (`hh:mm`). type: string required: - start - end timezone: description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. type: string required: - days - hours - timezone frequency: additionalProperties: false type: object properties: notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval type: string summary: description: Indicates whether the action is a summary. type: boolean throttle: description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - summary - notify_when - throttle group: description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. type: string id: description: The identifier for the connector saved object. type: string params: additionalProperties: {} default: {} description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. type: object use_alert_data_for_template: description: Indicates whether to use alert data as a template. type: boolean uuid: description: A universally unique identifier (UUID) for the action. type: string required: - id type: array alert_delay: additionalProperties: false description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. type: object properties: active: description: The number of consecutive runs that must meet the rule conditions. type: number required: - active artifacts: additionalProperties: false type: object properties: dashboards: items: additionalProperties: false type: object properties: id: type: string required: - id maxItems: 10 type: array investigation_guide: additionalProperties: false type: object properties: blob: maxLength: 10000 type: string required: - blob consumer: description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' type: string enabled: default: true description: Indicates whether you want to run the rule on an interval basis after it is created. type: boolean flapping: additionalProperties: false description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. nullable: true type: object properties: enabled: description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. type: boolean look_back_window: description: The minimum number of runs in which the threshold must be met. maximum: 20 minimum: 2 type: number status_change_threshold: description: The minimum number of times an alert must switch states in the look back window. maximum: 20 minimum: 2 type: number required: - look_back_window - status_change_threshold name: description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. type: string notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval nullable: true type: string params: additionalProperties: true description: The parameters for the disk usage rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_disk_usage`. properties: duration: type: string filterQuery: type: string filterQueryText: type: string limit: type: string threshold: type: number required: - duration title: Disk Usage Rule Params type: object rule_type_id: enum: - monitoring_alert_disk_usage type: string schedule: additionalProperties: false description: The check interval, which specifies how frequently the rule conditions are checked. type: object properties: interval: description: The interval is specified in seconds, minutes, hours, or days. type: string required: - interval tags: default: [] description: The tags for the rule. items: type: string type: array throttle: description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - name - consumer - schedule - rule_type_id - params title: Disk usage type: object Kibana_HTTP_APIs_monitoring-alert-elasticsearch-version-mismatch-create-rule-body-alerting: additionalProperties: false properties: actions: default: [] items: additionalProperties: false description: An action that runs under defined conditions. type: object properties: alerts_filter: additionalProperties: false description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. type: object properties: query: additionalProperties: false type: object properties: dsl: description: A filter written in Elasticsearch Query Domain Specific Language (DSL). type: string filters: description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. items: additionalProperties: false type: object properties: $state: additionalProperties: false type: object properties: store: description: A filter can be either specific to an application context or applied globally. enum: - appState - globalState type: string required: - store meta: additionalProperties: {} type: object query: additionalProperties: {} type: object required: - meta type: array kql: description: A filter written in Kibana Query Language (KQL). type: string required: - kql - filters timeframe: additionalProperties: false description: Defines a period that limits whether the action runs. type: object properties: days: description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. items: enum: - 1 - 2 - 3 - 4 - 5 - 6 - 7 type: integer type: array hours: additionalProperties: false description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. type: object properties: end: description: The end of the time frame in 24-hour notation (`hh:mm`). type: string start: description: The start of the time frame in 24-hour notation (`hh:mm`). type: string required: - start - end timezone: description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. type: string required: - days - hours - timezone frequency: additionalProperties: false type: object properties: notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval type: string summary: description: Indicates whether the action is a summary. type: boolean throttle: description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - summary - notify_when - throttle group: description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. type: string id: description: The identifier for the connector saved object. type: string params: additionalProperties: {} default: {} description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. type: object use_alert_data_for_template: description: Indicates whether to use alert data as a template. type: boolean uuid: description: A universally unique identifier (UUID) for the action. type: string required: - id type: array alert_delay: additionalProperties: false description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. type: object properties: active: description: The number of consecutive runs that must meet the rule conditions. type: number required: - active artifacts: additionalProperties: false type: object properties: dashboards: items: additionalProperties: false type: object properties: id: type: string required: - id maxItems: 10 type: array investigation_guide: additionalProperties: false type: object properties: blob: maxLength: 10000 type: string required: - blob consumer: description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' type: string enabled: default: true description: Indicates whether you want to run the rule on an interval basis after it is created. type: boolean flapping: additionalProperties: false description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. nullable: true type: object properties: enabled: description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. type: boolean look_back_window: description: The minimum number of runs in which the threshold must be met. maximum: 20 minimum: 2 type: number status_change_threshold: description: The minimum number of times an alert must switch states in the look back window. maximum: 20 minimum: 2 type: number required: - look_back_window - status_change_threshold name: description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. type: string notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval nullable: true type: string params: additionalProperties: true description: The parameters for the ES version mismatch rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_elasticsearch_version_mismatch`. properties: duration: type: string filterQuery: type: string filterQueryText: type: string limit: type: string threshold: type: number required: - duration title: ES Version Mismatch Rule Params type: object rule_type_id: enum: - monitoring_alert_elasticsearch_version_mismatch type: string schedule: additionalProperties: false description: The check interval, which specifies how frequently the rule conditions are checked. type: object properties: interval: description: The interval is specified in seconds, minutes, hours, or days. type: string required: - interval tags: default: [] description: The tags for the rule. items: type: string type: array throttle: description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - name - consumer - schedule - rule_type_id - params title: Elasticsearch version mismatch type: object Kibana_HTTP_APIs_monitoring-alert-jvm-memory-usage-create-rule-body-alerting: additionalProperties: false properties: actions: default: [] items: additionalProperties: false description: An action that runs under defined conditions. type: object properties: alerts_filter: additionalProperties: false description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. type: object properties: query: additionalProperties: false type: object properties: dsl: description: A filter written in Elasticsearch Query Domain Specific Language (DSL). type: string filters: description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. items: additionalProperties: false type: object properties: $state: additionalProperties: false type: object properties: store: description: A filter can be either specific to an application context or applied globally. enum: - appState - globalState type: string required: - store meta: additionalProperties: {} type: object query: additionalProperties: {} type: object required: - meta type: array kql: description: A filter written in Kibana Query Language (KQL). type: string required: - kql - filters timeframe: additionalProperties: false description: Defines a period that limits whether the action runs. type: object properties: days: description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. items: enum: - 1 - 2 - 3 - 4 - 5 - 6 - 7 type: integer type: array hours: additionalProperties: false description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. type: object properties: end: description: The end of the time frame in 24-hour notation (`hh:mm`). type: string start: description: The start of the time frame in 24-hour notation (`hh:mm`). type: string required: - start - end timezone: description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. type: string required: - days - hours - timezone frequency: additionalProperties: false type: object properties: notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval type: string summary: description: Indicates whether the action is a summary. type: boolean throttle: description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - summary - notify_when - throttle group: description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. type: string id: description: The identifier for the connector saved object. type: string params: additionalProperties: {} default: {} description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. type: object use_alert_data_for_template: description: Indicates whether to use alert data as a template. type: boolean uuid: description: A universally unique identifier (UUID) for the action. type: string required: - id type: array alert_delay: additionalProperties: false description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. type: object properties: active: description: The number of consecutive runs that must meet the rule conditions. type: number required: - active artifacts: additionalProperties: false type: object properties: dashboards: items: additionalProperties: false type: object properties: id: type: string required: - id maxItems: 10 type: array investigation_guide: additionalProperties: false type: object properties: blob: maxLength: 10000 type: string required: - blob consumer: description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' type: string enabled: default: true description: Indicates whether you want to run the rule on an interval basis after it is created. type: boolean flapping: additionalProperties: false description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. nullable: true type: object properties: enabled: description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. type: boolean look_back_window: description: The minimum number of runs in which the threshold must be met. maximum: 20 minimum: 2 type: number status_change_threshold: description: The minimum number of times an alert must switch states in the look back window. maximum: 20 minimum: 2 type: number required: - look_back_window - status_change_threshold name: description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. type: string notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval nullable: true type: string params: additionalProperties: true description: The parameters for the memory usage rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_jvm_memory_usage`. properties: duration: type: string filterQuery: type: string filterQueryText: type: string limit: type: string threshold: type: number required: - duration title: Memory Usage Rule Params type: object rule_type_id: enum: - monitoring_alert_jvm_memory_usage type: string schedule: additionalProperties: false description: The check interval, which specifies how frequently the rule conditions are checked. type: object properties: interval: description: The interval is specified in seconds, minutes, hours, or days. type: string required: - interval tags: default: [] description: The tags for the rule. items: type: string type: array throttle: description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - name - consumer - schedule - rule_type_id - params title: JVM memory usage type: object Kibana_HTTP_APIs_monitoring-alert-kibana-version-mismatch-create-rule-body-alerting: additionalProperties: false properties: actions: default: [] items: additionalProperties: false description: An action that runs under defined conditions. type: object properties: alerts_filter: additionalProperties: false description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. type: object properties: query: additionalProperties: false type: object properties: dsl: description: A filter written in Elasticsearch Query Domain Specific Language (DSL). type: string filters: description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. items: additionalProperties: false type: object properties: $state: additionalProperties: false type: object properties: store: description: A filter can be either specific to an application context or applied globally. enum: - appState - globalState type: string required: - store meta: additionalProperties: {} type: object query: additionalProperties: {} type: object required: - meta type: array kql: description: A filter written in Kibana Query Language (KQL). type: string required: - kql - filters timeframe: additionalProperties: false description: Defines a period that limits whether the action runs. type: object properties: days: description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. items: enum: - 1 - 2 - 3 - 4 - 5 - 6 - 7 type: integer type: array hours: additionalProperties: false description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. type: object properties: end: description: The end of the time frame in 24-hour notation (`hh:mm`). type: string start: description: The start of the time frame in 24-hour notation (`hh:mm`). type: string required: - start - end timezone: description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. type: string required: - days - hours - timezone frequency: additionalProperties: false type: object properties: notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval type: string summary: description: Indicates whether the action is a summary. type: boolean throttle: description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - summary - notify_when - throttle group: description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. type: string id: description: The identifier for the connector saved object. type: string params: additionalProperties: {} default: {} description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. type: object use_alert_data_for_template: description: Indicates whether to use alert data as a template. type: boolean uuid: description: A universally unique identifier (UUID) for the action. type: string required: - id type: array alert_delay: additionalProperties: false description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. type: object properties: active: description: The number of consecutive runs that must meet the rule conditions. type: number required: - active artifacts: additionalProperties: false type: object properties: dashboards: items: additionalProperties: false type: object properties: id: type: string required: - id maxItems: 10 type: array investigation_guide: additionalProperties: false type: object properties: blob: maxLength: 10000 type: string required: - blob consumer: description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' type: string enabled: default: true description: Indicates whether you want to run the rule on an interval basis after it is created. type: boolean flapping: additionalProperties: false description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. nullable: true type: object properties: enabled: description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. type: boolean look_back_window: description: The minimum number of runs in which the threshold must be met. maximum: 20 minimum: 2 type: number status_change_threshold: description: The minimum number of times an alert must switch states in the look back window. maximum: 20 minimum: 2 type: number required: - look_back_window - status_change_threshold name: description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. type: string notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval nullable: true type: string params: additionalProperties: true description: The parameters for the Kibana version mismatch rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_kibana_version_mismatch`. properties: duration: type: string filterQuery: type: string filterQueryText: type: string limit: type: string threshold: type: number required: - duration title: Kibana Version Mismatch Rule Params type: object rule_type_id: enum: - monitoring_alert_kibana_version_mismatch type: string schedule: additionalProperties: false description: The check interval, which specifies how frequently the rule conditions are checked. type: object properties: interval: description: The interval is specified in seconds, minutes, hours, or days. type: string required: - interval tags: default: [] description: The tags for the rule. items: type: string type: array throttle: description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - name - consumer - schedule - rule_type_id - params title: Kibana version mismatch type: object Kibana_HTTP_APIs_monitoring-alert-license-expiration-create-rule-body-alerting: additionalProperties: false properties: actions: default: [] items: additionalProperties: false description: An action that runs under defined conditions. type: object properties: alerts_filter: additionalProperties: false description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. type: object properties: query: additionalProperties: false type: object properties: dsl: description: A filter written in Elasticsearch Query Domain Specific Language (DSL). type: string filters: description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. items: additionalProperties: false type: object properties: $state: additionalProperties: false type: object properties: store: description: A filter can be either specific to an application context or applied globally. enum: - appState - globalState type: string required: - store meta: additionalProperties: {} type: object query: additionalProperties: {} type: object required: - meta type: array kql: description: A filter written in Kibana Query Language (KQL). type: string required: - kql - filters timeframe: additionalProperties: false description: Defines a period that limits whether the action runs. type: object properties: days: description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. items: enum: - 1 - 2 - 3 - 4 - 5 - 6 - 7 type: integer type: array hours: additionalProperties: false description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. type: object properties: end: description: The end of the time frame in 24-hour notation (`hh:mm`). type: string start: description: The start of the time frame in 24-hour notation (`hh:mm`). type: string required: - start - end timezone: description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. type: string required: - days - hours - timezone frequency: additionalProperties: false type: object properties: notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval type: string summary: description: Indicates whether the action is a summary. type: boolean throttle: description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - summary - notify_when - throttle group: description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. type: string id: description: The identifier for the connector saved object. type: string params: additionalProperties: {} default: {} description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. type: object use_alert_data_for_template: description: Indicates whether to use alert data as a template. type: boolean uuid: description: A universally unique identifier (UUID) for the action. type: string required: - id type: array alert_delay: additionalProperties: false description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. type: object properties: active: description: The number of consecutive runs that must meet the rule conditions. type: number required: - active artifacts: additionalProperties: false type: object properties: dashboards: items: additionalProperties: false type: object properties: id: type: string required: - id maxItems: 10 type: array investigation_guide: additionalProperties: false type: object properties: blob: maxLength: 10000 type: string required: - blob consumer: description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' type: string enabled: default: true description: Indicates whether you want to run the rule on an interval basis after it is created. type: boolean flapping: additionalProperties: false description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. nullable: true type: object properties: enabled: description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. type: boolean look_back_window: description: The minimum number of runs in which the threshold must be met. maximum: 20 minimum: 2 type: number status_change_threshold: description: The minimum number of times an alert must switch states in the look back window. maximum: 20 minimum: 2 type: number required: - look_back_window - status_change_threshold name: description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. type: string notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval nullable: true type: string params: additionalProperties: true description: The parameters for the license expiration rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_license_expiration`. properties: duration: type: string filterQuery: type: string filterQueryText: type: string limit: type: string threshold: type: number required: - duration title: License Expiration Rule Params type: object rule_type_id: enum: - monitoring_alert_license_expiration type: string schedule: additionalProperties: false description: The check interval, which specifies how frequently the rule conditions are checked. type: object properties: interval: description: The interval is specified in seconds, minutes, hours, or days. type: string required: - interval tags: default: [] description: The tags for the rule. items: type: string type: array throttle: description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - name - consumer - schedule - rule_type_id - params title: License expiration type: object Kibana_HTTP_APIs_monitoring-alert-logstash-version-mismatch-create-rule-body-alerting: additionalProperties: false properties: actions: default: [] items: additionalProperties: false description: An action that runs under defined conditions. type: object properties: alerts_filter: additionalProperties: false description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. type: object properties: query: additionalProperties: false type: object properties: dsl: description: A filter written in Elasticsearch Query Domain Specific Language (DSL). type: string filters: description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. items: additionalProperties: false type: object properties: $state: additionalProperties: false type: object properties: store: description: A filter can be either specific to an application context or applied globally. enum: - appState - globalState type: string required: - store meta: additionalProperties: {} type: object query: additionalProperties: {} type: object required: - meta type: array kql: description: A filter written in Kibana Query Language (KQL). type: string required: - kql - filters timeframe: additionalProperties: false description: Defines a period that limits whether the action runs. type: object properties: days: description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. items: enum: - 1 - 2 - 3 - 4 - 5 - 6 - 7 type: integer type: array hours: additionalProperties: false description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. type: object properties: end: description: The end of the time frame in 24-hour notation (`hh:mm`). type: string start: description: The start of the time frame in 24-hour notation (`hh:mm`). type: string required: - start - end timezone: description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. type: string required: - days - hours - timezone frequency: additionalProperties: false type: object properties: notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval type: string summary: description: Indicates whether the action is a summary. type: boolean throttle: description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - summary - notify_when - throttle group: description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. type: string id: description: The identifier for the connector saved object. type: string params: additionalProperties: {} default: {} description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. type: object use_alert_data_for_template: description: Indicates whether to use alert data as a template. type: boolean uuid: description: A universally unique identifier (UUID) for the action. type: string required: - id type: array alert_delay: additionalProperties: false description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. type: object properties: active: description: The number of consecutive runs that must meet the rule conditions. type: number required: - active artifacts: additionalProperties: false type: object properties: dashboards: items: additionalProperties: false type: object properties: id: type: string required: - id maxItems: 10 type: array investigation_guide: additionalProperties: false type: object properties: blob: maxLength: 10000 type: string required: - blob consumer: description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' type: string enabled: default: true description: Indicates whether you want to run the rule on an interval basis after it is created. type: boolean flapping: additionalProperties: false description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. nullable: true type: object properties: enabled: description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. type: boolean look_back_window: description: The minimum number of runs in which the threshold must be met. maximum: 20 minimum: 2 type: number status_change_threshold: description: The minimum number of times an alert must switch states in the look back window. maximum: 20 minimum: 2 type: number required: - look_back_window - status_change_threshold name: description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. type: string notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval nullable: true type: string params: additionalProperties: true description: The parameters for the logstash version mismatch rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_logstash_version_mismatch`. properties: duration: type: string filterQuery: type: string filterQueryText: type: string limit: type: string threshold: type: number required: - duration title: Logstash Version Mismatch Rule Params type: object rule_type_id: enum: - monitoring_alert_logstash_version_mismatch type: string schedule: additionalProperties: false description: The check interval, which specifies how frequently the rule conditions are checked. type: object properties: interval: description: The interval is specified in seconds, minutes, hours, or days. type: string required: - interval tags: default: [] description: The tags for the rule. items: type: string type: array throttle: description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - name - consumer - schedule - rule_type_id - params title: Logstash version mismatch type: object Kibana_HTTP_APIs_monitoring-alert-missing-monitoring-data-create-rule-body-alerting: additionalProperties: false properties: actions: default: [] items: additionalProperties: false description: An action that runs under defined conditions. type: object properties: alerts_filter: additionalProperties: false description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. type: object properties: query: additionalProperties: false type: object properties: dsl: description: A filter written in Elasticsearch Query Domain Specific Language (DSL). type: string filters: description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. items: additionalProperties: false type: object properties: $state: additionalProperties: false type: object properties: store: description: A filter can be either specific to an application context or applied globally. enum: - appState - globalState type: string required: - store meta: additionalProperties: {} type: object query: additionalProperties: {} type: object required: - meta type: array kql: description: A filter written in Kibana Query Language (KQL). type: string required: - kql - filters timeframe: additionalProperties: false description: Defines a period that limits whether the action runs. type: object properties: days: description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. items: enum: - 1 - 2 - 3 - 4 - 5 - 6 - 7 type: integer type: array hours: additionalProperties: false description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. type: object properties: end: description: The end of the time frame in 24-hour notation (`hh:mm`). type: string start: description: The start of the time frame in 24-hour notation (`hh:mm`). type: string required: - start - end timezone: description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. type: string required: - days - hours - timezone frequency: additionalProperties: false type: object properties: notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval type: string summary: description: Indicates whether the action is a summary. type: boolean throttle: description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - summary - notify_when - throttle group: description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. type: string id: description: The identifier for the connector saved object. type: string params: additionalProperties: {} default: {} description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. type: object use_alert_data_for_template: description: Indicates whether to use alert data as a template. type: boolean uuid: description: A universally unique identifier (UUID) for the action. type: string required: - id type: array alert_delay: additionalProperties: false description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. type: object properties: active: description: The number of consecutive runs that must meet the rule conditions. type: number required: - active artifacts: additionalProperties: false type: object properties: dashboards: items: additionalProperties: false type: object properties: id: type: string required: - id maxItems: 10 type: array investigation_guide: additionalProperties: false type: object properties: blob: maxLength: 10000 type: string required: - blob consumer: description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' type: string enabled: default: true description: Indicates whether you want to run the rule on an interval basis after it is created. type: boolean flapping: additionalProperties: false description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. nullable: true type: object properties: enabled: description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. type: boolean look_back_window: description: The minimum number of runs in which the threshold must be met. maximum: 20 minimum: 2 type: number status_change_threshold: description: The minimum number of times an alert must switch states in the look back window. maximum: 20 minimum: 2 type: number required: - look_back_window - status_change_threshold name: description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. type: string notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval nullable: true type: string params: additionalProperties: true description: The parameters for the missing monitoring data rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_missing_monitoring_data`. properties: duration: type: string filterQuery: type: string filterQueryText: type: string limit: type: string threshold: type: number required: - duration title: Missing Monitoring Data Rule Params type: object rule_type_id: enum: - monitoring_alert_missing_monitoring_data type: string schedule: additionalProperties: false description: The check interval, which specifies how frequently the rule conditions are checked. type: object properties: interval: description: The interval is specified in seconds, minutes, hours, or days. type: string required: - interval tags: default: [] description: The tags for the rule. items: type: string type: array throttle: description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - name - consumer - schedule - rule_type_id - params title: Missing monitoring data type: object Kibana_HTTP_APIs_monitoring-alert-nodes-changed-create-rule-body-alerting: additionalProperties: false properties: actions: default: [] items: additionalProperties: false description: An action that runs under defined conditions. type: object properties: alerts_filter: additionalProperties: false description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. type: object properties: query: additionalProperties: false type: object properties: dsl: description: A filter written in Elasticsearch Query Domain Specific Language (DSL). type: string filters: description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. items: additionalProperties: false type: object properties: $state: additionalProperties: false type: object properties: store: description: A filter can be either specific to an application context or applied globally. enum: - appState - globalState type: string required: - store meta: additionalProperties: {} type: object query: additionalProperties: {} type: object required: - meta type: array kql: description: A filter written in Kibana Query Language (KQL). type: string required: - kql - filters timeframe: additionalProperties: false description: Defines a period that limits whether the action runs. type: object properties: days: description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. items: enum: - 1 - 2 - 3 - 4 - 5 - 6 - 7 type: integer type: array hours: additionalProperties: false description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. type: object properties: end: description: The end of the time frame in 24-hour notation (`hh:mm`). type: string start: description: The start of the time frame in 24-hour notation (`hh:mm`). type: string required: - start - end timezone: description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. type: string required: - days - hours - timezone frequency: additionalProperties: false type: object properties: notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval type: string summary: description: Indicates whether the action is a summary. type: boolean throttle: description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - summary - notify_when - throttle group: description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. type: string id: description: The identifier for the connector saved object. type: string params: additionalProperties: {} default: {} description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. type: object use_alert_data_for_template: description: Indicates whether to use alert data as a template. type: boolean uuid: description: A universally unique identifier (UUID) for the action. type: string required: - id type: array alert_delay: additionalProperties: false description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. type: object properties: active: description: The number of consecutive runs that must meet the rule conditions. type: number required: - active artifacts: additionalProperties: false type: object properties: dashboards: items: additionalProperties: false type: object properties: id: type: string required: - id maxItems: 10 type: array investigation_guide: additionalProperties: false type: object properties: blob: maxLength: 10000 type: string required: - blob consumer: description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' type: string enabled: default: true description: Indicates whether you want to run the rule on an interval basis after it is created. type: boolean flapping: additionalProperties: false description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. nullable: true type: object properties: enabled: description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. type: boolean look_back_window: description: The minimum number of runs in which the threshold must be met. maximum: 20 minimum: 2 type: number status_change_threshold: description: The minimum number of times an alert must switch states in the look back window. maximum: 20 minimum: 2 type: number required: - look_back_window - status_change_threshold name: description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. type: string notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval nullable: true type: string params: additionalProperties: true description: The parameters for the nodes changed rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_nodes_changed`. properties: duration: type: string filterQuery: type: string filterQueryText: type: string limit: type: string threshold: type: number required: - duration title: Nodes Changed Rule Params type: object rule_type_id: enum: - monitoring_alert_nodes_changed type: string schedule: additionalProperties: false description: The check interval, which specifies how frequently the rule conditions are checked. type: object properties: interval: description: The interval is specified in seconds, minutes, hours, or days. type: string required: - interval tags: default: [] description: The tags for the rule. items: type: string type: array throttle: description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - name - consumer - schedule - rule_type_id - params title: Nodes changed type: object Kibana_HTTP_APIs_monitoring-alert-thread-pool-search-rejections-create-rule-body-alerting: additionalProperties: false properties: actions: default: [] items: additionalProperties: false description: An action that runs under defined conditions. type: object properties: alerts_filter: additionalProperties: false description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. type: object properties: query: additionalProperties: false type: object properties: dsl: description: A filter written in Elasticsearch Query Domain Specific Language (DSL). type: string filters: description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. items: additionalProperties: false type: object properties: $state: additionalProperties: false type: object properties: store: description: A filter can be either specific to an application context or applied globally. enum: - appState - globalState type: string required: - store meta: additionalProperties: {} type: object query: additionalProperties: {} type: object required: - meta type: array kql: description: A filter written in Kibana Query Language (KQL). type: string required: - kql - filters timeframe: additionalProperties: false description: Defines a period that limits whether the action runs. type: object properties: days: description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. items: enum: - 1 - 2 - 3 - 4 - 5 - 6 - 7 type: integer type: array hours: additionalProperties: false description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. type: object properties: end: description: The end of the time frame in 24-hour notation (`hh:mm`). type: string start: description: The start of the time frame in 24-hour notation (`hh:mm`). type: string required: - start - end timezone: description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. type: string required: - days - hours - timezone frequency: additionalProperties: false type: object properties: notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval type: string summary: description: Indicates whether the action is a summary. type: boolean throttle: description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - summary - notify_when - throttle group: description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. type: string id: description: The identifier for the connector saved object. type: string params: additionalProperties: {} default: {} description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. type: object use_alert_data_for_template: description: Indicates whether to use alert data as a template. type: boolean uuid: description: A universally unique identifier (UUID) for the action. type: string required: - id type: array alert_delay: additionalProperties: false description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. type: object properties: active: description: The number of consecutive runs that must meet the rule conditions. type: number required: - active artifacts: additionalProperties: false type: object properties: dashboards: items: additionalProperties: false type: object properties: id: type: string required: - id maxItems: 10 type: array investigation_guide: additionalProperties: false type: object properties: blob: maxLength: 10000 type: string required: - blob consumer: description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' type: string enabled: default: true description: Indicates whether you want to run the rule on an interval basis after it is created. type: boolean flapping: additionalProperties: false description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. nullable: true type: object properties: enabled: description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. type: boolean look_back_window: description: The minimum number of runs in which the threshold must be met. maximum: 20 minimum: 2 type: number status_change_threshold: description: The minimum number of times an alert must switch states in the look back window. maximum: 20 minimum: 2 type: number required: - look_back_window - status_change_threshold name: description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. type: string notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval nullable: true type: string params: additionalProperties: false description: The parameters for the thread pool search rejections rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_thread_pool_search_rejections`. properties: duration: type: string filterQuery: type: string filterQueryText: type: string threshold: type: number required: - duration title: Thread Pool Search Rejections Rule Params type: object rule_type_id: enum: - monitoring_alert_thread_pool_search_rejections type: string schedule: additionalProperties: false description: The check interval, which specifies how frequently the rule conditions are checked. type: object properties: interval: description: The interval is specified in seconds, minutes, hours, or days. type: string required: - interval tags: default: [] description: The tags for the rule. items: type: string type: array throttle: description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - name - consumer - schedule - rule_type_id - params title: Thread pool search rejections type: object Kibana_HTTP_APIs_monitoring-alert-thread-pool-write-rejections-create-rule-body-alerting: additionalProperties: false properties: actions: default: [] items: additionalProperties: false description: An action that runs under defined conditions. type: object properties: alerts_filter: additionalProperties: false description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. type: object properties: query: additionalProperties: false type: object properties: dsl: description: A filter written in Elasticsearch Query Domain Specific Language (DSL). type: string filters: description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. items: additionalProperties: false type: object properties: $state: additionalProperties: false type: object properties: store: description: A filter can be either specific to an application context or applied globally. enum: - appState - globalState type: string required: - store meta: additionalProperties: {} type: object query: additionalProperties: {} type: object required: - meta type: array kql: description: A filter written in Kibana Query Language (KQL). type: string required: - kql - filters timeframe: additionalProperties: false description: Defines a period that limits whether the action runs. type: object properties: days: description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. items: enum: - 1 - 2 - 3 - 4 - 5 - 6 - 7 type: integer type: array hours: additionalProperties: false description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. type: object properties: end: description: The end of the time frame in 24-hour notation (`hh:mm`). type: string start: description: The start of the time frame in 24-hour notation (`hh:mm`). type: string required: - start - end timezone: description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. type: string required: - days - hours - timezone frequency: additionalProperties: false type: object properties: notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval type: string summary: description: Indicates whether the action is a summary. type: boolean throttle: description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - summary - notify_when - throttle group: description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. type: string id: description: The identifier for the connector saved object. type: string params: additionalProperties: {} default: {} description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. type: object use_alert_data_for_template: description: Indicates whether to use alert data as a template. type: boolean uuid: description: A universally unique identifier (UUID) for the action. type: string required: - id type: array alert_delay: additionalProperties: false description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. type: object properties: active: description: The number of consecutive runs that must meet the rule conditions. type: number required: - active artifacts: additionalProperties: false type: object properties: dashboards: items: additionalProperties: false type: object properties: id: type: string required: - id maxItems: 10 type: array investigation_guide: additionalProperties: false type: object properties: blob: maxLength: 10000 type: string required: - blob consumer: description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' type: string enabled: default: true description: Indicates whether you want to run the rule on an interval basis after it is created. type: boolean flapping: additionalProperties: false description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. nullable: true type: object properties: enabled: description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. type: boolean look_back_window: description: The minimum number of runs in which the threshold must be met. maximum: 20 minimum: 2 type: number status_change_threshold: description: The minimum number of times an alert must switch states in the look back window. maximum: 20 minimum: 2 type: number required: - look_back_window - status_change_threshold name: description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. type: string notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval nullable: true type: string params: additionalProperties: false description: The parameters for the thread pool write rejections rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_thread_pool_write_rejections`. properties: duration: type: string filterQuery: type: string filterQueryText: type: string threshold: type: number required: - duration title: Thread Pool Write Rejections Rule Params type: object rule_type_id: enum: - monitoring_alert_thread_pool_write_rejections type: string schedule: additionalProperties: false description: The check interval, which specifies how frequently the rule conditions are checked. type: object properties: interval: description: The interval is specified in seconds, minutes, hours, or days. type: string required: - interval tags: default: [] description: The tags for the rule. items: type: string type: array throttle: description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - name - consumer - schedule - rule_type_id - params title: Thread pool write rejections type: object Kibana_HTTP_APIs_monitoring-ccr-read-exceptions-create-rule-body-alerting: additionalProperties: false properties: actions: default: [] items: additionalProperties: false description: An action that runs under defined conditions. type: object properties: alerts_filter: additionalProperties: false description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. type: object properties: query: additionalProperties: false type: object properties: dsl: description: A filter written in Elasticsearch Query Domain Specific Language (DSL). type: string filters: description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. items: additionalProperties: false type: object properties: $state: additionalProperties: false type: object properties: store: description: A filter can be either specific to an application context or applied globally. enum: - appState - globalState type: string required: - store meta: additionalProperties: {} type: object query: additionalProperties: {} type: object required: - meta type: array kql: description: A filter written in Kibana Query Language (KQL). type: string required: - kql - filters timeframe: additionalProperties: false description: Defines a period that limits whether the action runs. type: object properties: days: description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. items: enum: - 1 - 2 - 3 - 4 - 5 - 6 - 7 type: integer type: array hours: additionalProperties: false description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. type: object properties: end: description: The end of the time frame in 24-hour notation (`hh:mm`). type: string start: description: The start of the time frame in 24-hour notation (`hh:mm`). type: string required: - start - end timezone: description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. type: string required: - days - hours - timezone frequency: additionalProperties: false type: object properties: notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval type: string summary: description: Indicates whether the action is a summary. type: boolean throttle: description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - summary - notify_when - throttle group: description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. type: string id: description: The identifier for the connector saved object. type: string params: additionalProperties: {} default: {} description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. type: object use_alert_data_for_template: description: Indicates whether to use alert data as a template. type: boolean uuid: description: A universally unique identifier (UUID) for the action. type: string required: - id type: array alert_delay: additionalProperties: false description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. type: object properties: active: description: The number of consecutive runs that must meet the rule conditions. type: number required: - active artifacts: additionalProperties: false type: object properties: dashboards: items: additionalProperties: false type: object properties: id: type: string required: - id maxItems: 10 type: array investigation_guide: additionalProperties: false type: object properties: blob: maxLength: 10000 type: string required: - blob consumer: description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' type: string enabled: default: true description: Indicates whether you want to run the rule on an interval basis after it is created. type: boolean flapping: additionalProperties: false description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. nullable: true type: object properties: enabled: description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. type: boolean look_back_window: description: The minimum number of runs in which the threshold must be met. maximum: 20 minimum: 2 type: number status_change_threshold: description: The minimum number of times an alert must switch states in the look back window. maximum: 20 minimum: 2 type: number required: - look_back_window - status_change_threshold name: description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. type: string notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval nullable: true type: string params: additionalProperties: true description: The parameters for the CCR read exceptions rule. These parameters are appropriate when `rule_type_id` is `monitoring_ccr_read_exceptions`. properties: duration: type: string filterQuery: type: string filterQueryText: type: string limit: type: string threshold: type: number required: - duration title: CCR Read Exceptions Rule Params type: object rule_type_id: enum: - monitoring_ccr_read_exceptions type: string schedule: additionalProperties: false description: The check interval, which specifies how frequently the rule conditions are checked. type: object properties: interval: description: The interval is specified in seconds, minutes, hours, or days. type: string required: - interval tags: default: [] description: The tags for the rule. items: type: string type: array throttle: description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - name - consumer - schedule - rule_type_id - params title: CCR read exceptions type: object Kibana_HTTP_APIs_monitoring-shard-size-create-rule-body-alerting: additionalProperties: false properties: actions: default: [] items: additionalProperties: false description: An action that runs under defined conditions. type: object properties: alerts_filter: additionalProperties: false description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. type: object properties: query: additionalProperties: false type: object properties: dsl: description: A filter written in Elasticsearch Query Domain Specific Language (DSL). type: string filters: description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. items: additionalProperties: false type: object properties: $state: additionalProperties: false type: object properties: store: description: A filter can be either specific to an application context or applied globally. enum: - appState - globalState type: string required: - store meta: additionalProperties: {} type: object query: additionalProperties: {} type: object required: - meta type: array kql: description: A filter written in Kibana Query Language (KQL). type: string required: - kql - filters timeframe: additionalProperties: false description: Defines a period that limits whether the action runs. type: object properties: days: description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. items: enum: - 1 - 2 - 3 - 4 - 5 - 6 - 7 type: integer type: array hours: additionalProperties: false description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. type: object properties: end: description: The end of the time frame in 24-hour notation (`hh:mm`). type: string start: description: The start of the time frame in 24-hour notation (`hh:mm`). type: string required: - start - end timezone: description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. type: string required: - days - hours - timezone frequency: additionalProperties: false type: object properties: notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval type: string summary: description: Indicates whether the action is a summary. type: boolean throttle: description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - summary - notify_when - throttle group: description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. type: string id: description: The identifier for the connector saved object. type: string params: additionalProperties: {} default: {} description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. type: object use_alert_data_for_template: description: Indicates whether to use alert data as a template. type: boolean uuid: description: A universally unique identifier (UUID) for the action. type: string required: - id type: array alert_delay: additionalProperties: false description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. type: object properties: active: description: The number of consecutive runs that must meet the rule conditions. type: number required: - active artifacts: additionalProperties: false type: object properties: dashboards: items: additionalProperties: false type: object properties: id: type: string required: - id maxItems: 10 type: array investigation_guide: additionalProperties: false type: object properties: blob: maxLength: 10000 type: string required: - blob consumer: description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' type: string enabled: default: true description: Indicates whether you want to run the rule on an interval basis after it is created. type: boolean flapping: additionalProperties: false description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. nullable: true type: object properties: enabled: description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. type: boolean look_back_window: description: The minimum number of runs in which the threshold must be met. maximum: 20 minimum: 2 type: number status_change_threshold: description: The minimum number of times an alert must switch states in the look back window. maximum: 20 minimum: 2 type: number required: - look_back_window - status_change_threshold name: description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. type: string notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval nullable: true type: string params: additionalProperties: true description: The parameters for the large shard size rule. These parameters are appropriate when `rule_type_id` is `monitoring_shard_size`. properties: duration: type: string filterQuery: type: string filterQueryText: type: string indexPattern: type: string limit: type: string threshold: type: number required: - duration - indexPattern title: Large Shard Size Rule Params type: object rule_type_id: enum: - monitoring_shard_size type: string schedule: additionalProperties: false description: The check interval, which specifies how frequently the rule conditions are checked. type: object properties: interval: description: The interval is specified in seconds, minutes, hours, or days. type: string required: - interval tags: default: [] description: The tags for the rule. items: type: string type: array throttle: description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - name - consumer - schedule - rule_type_id - params title: Large shard size type: object Kibana_HTTP_APIs_mosaicESQL: additionalProperties: false description: Mosaic chart configuration schema for ES|QL queries, defining metrics and breakdown dimensions using column-based configuration properties: data_source: $ref: '#/components/schemas/Kibana_HTTP_APIs_esqlDataSource' description: type: string drilldowns: items: anyOf: - additionalProperties: false properties: dashboard_id: type: string label: type: string open_in_new_tab: default: false description: When enabled, the dashboard opens in a new browser tab. type: boolean trigger: enum: - on_apply_filter type: string type: enum: - dashboard_drilldown type: string use_filters: default: true description: When enabled, filters are passed to the opening dashboard. type: boolean use_time_range: default: true description: When enabled, time range is passed to the opening dashboard. type: boolean required: - dashboard_id - label - trigger - type title: dashboard_drilldown type: object - additionalProperties: false properties: label: type: string open_in_new_tab: default: true type: boolean trigger: enum: - on_apply_filter type: string type: enum: - discover_drilldown type: string required: - label - trigger - type title: discover_drilldown type: object - additionalProperties: false properties: encode_url: default: true description: When true, URL is escaped using percent encoding type: boolean label: type: string open_in_new_tab: default: true type: boolean trigger: enum: - on_click_row - on_click_value - on_open_panel_menu - on_select_range type: string type: enum: - url_drilldown type: string url: description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable type: string required: - url - label - trigger - type title: url_drilldown type: object maxItems: 100 type: array filters: $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' group_breakdown_by: description: Array of group breakdown dimensions (minimum 1) items: additionalProperties: false type: object properties: collapse_by: $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' color: $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' column: description: Column to use type: string format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string required: - column - format - color - collapse_by maxItems: 100 minItems: 1 type: array group_by: description: Array of breakdown dimensions (minimum 1) items: additionalProperties: false type: object properties: collapse_by: $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' color: $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' column: description: Column to use type: string format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string required: - column - format - color - collapse_by maxItems: 100 minItems: 1 type: array hide_border: type: boolean hide_title: type: boolean ignore_global_filters: default: false description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. type: boolean legend: $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicLegend' metric: additionalProperties: false description: Metric configuration for ES|QL mode, combining generic options, primary metric options, and column selection type: object properties: column: description: Column to use type: string format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string required: - column - format references: items: $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' type: array sampling: default: 1 description: Sampling factor between 0 (no sampling) and 1 (full sampling). maximum: 1 minimum: 0 type: number styling: $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicStyling' time_range: $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' title: type: string type: enum: - mosaic type: string required: - type - filters - data_source - legend - styling - metric - time_range title: Mosaic Chart (ES|QL) type: object Kibana_HTTP_APIs_mosaicGroupBreakdownByDateHistogram: additionalProperties: false properties: collapse_by: $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' drop_partial_intervals: description: When `true`, drops partial intervals from the results. type: boolean field: description: Field to be used for the date histogram. type: string include_empty_rows: default: true description: When `true`, includes empty rows in the results. type: boolean label: description: Label for the operation type: string operation: enum: - date_histogram type: string suggested_interval: default: auto description: Suggested time interval. type: string use_original_time_range: default: false description: When `true`, uses the original time range instead of the current query time range. type: boolean required: - operation - field - collapse_by title: Date Histogram Operation type: object Kibana_HTTP_APIs_mosaicGroupBreakdownByFilters: additionalProperties: false properties: collapse_by: $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' filters: items: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterWithLabel' maxItems: 100 type: array label: description: Label for the operation type: string operation: enum: - filters type: string required: - operation - filters - collapse_by title: Filters Operation type: object Kibana_HTTP_APIs_mosaicGroupBreakdownByHistogram: additionalProperties: false properties: collapse_by: $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' field: description: Field to be used for the histogram. type: string format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' granularity: anyOf: - description: Granularity of the histogram. maximum: 7 minimum: 1 type: number - enum: - auto type: string default: auto include_empty_rows: default: true description: When `true`, includes empty rows in the results. type: boolean label: description: Label for the operation type: string operation: enum: - histogram type: string required: - operation - format - field - collapse_by title: Histogram Operation type: object Kibana_HTTP_APIs_mosaicGroupBreakdownByRanges: additionalProperties: false properties: collapse_by: $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' field: description: Field to be used for the range. type: string format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - range type: string ranges: items: additionalProperties: false type: object properties: gt: description: Greater than. type: number label: description: Label. type: string lte: description: Less than or equal to. type: number maxItems: 100 type: array required: - operation - format - field - ranges - collapse_by title: Ranges Operation type: object Kibana_HTTP_APIs_mosaicGroupBreakdownByTerms: additionalProperties: false properties: collapse_by: $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' excludes: additionalProperties: false type: object properties: as_regex: description: When `true`, treats the values as regular expressions. type: boolean values: items: description: Values to exclude. type: string maxItems: 100 type: array required: - values fields: items: description: Fields to be used for the terms. type: string maxItems: 4 minItems: 1 type: array format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' includes: additionalProperties: false type: object properties: as_regex: description: When `true`, treats the values as regular expressions. type: boolean values: items: description: Values to include. type: string maxItems: 100 type: array required: - values increase_accuracy: description: When `true`, increases accuracy at the cost of performance. type: boolean label: description: Label for the operation type: string limit: default: 5 description: Number of terms to return. type: number operation: enum: - terms type: string other_bucket: additionalProperties: false type: object properties: include_documents_without_field: description: When `true`, includes documents that do not have the specified field. type: boolean required: - include_documents_without_field rank_by: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByAlphabetical' - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByRare' - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankBySignificant' - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByMetric' - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomOperation' - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomCountOperation' - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileOperation' - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileRankOperation' required: - operation - format - fields - collapse_by title: Terms Operation type: object Kibana_HTTP_APIs_mosaicGroupByDateHistogram: additionalProperties: false properties: collapse_by: $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' color: $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' drop_partial_intervals: description: When `true`, drops partial intervals from the results. type: boolean field: description: Field to be used for the date histogram. type: string include_empty_rows: default: true description: When `true`, includes empty rows in the results. type: boolean label: description: Label for the operation type: string operation: enum: - date_histogram type: string suggested_interval: default: auto description: Suggested time interval. type: string use_original_time_range: default: false description: When `true`, uses the original time range instead of the current query time range. type: boolean required: - operation - field - color - collapse_by title: Date Histogram Operation type: object Kibana_HTTP_APIs_mosaicGroupByFilters: additionalProperties: false properties: collapse_by: $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' color: $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' filters: items: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterWithLabel' maxItems: 100 type: array label: description: Label for the operation type: string operation: enum: - filters type: string required: - operation - filters - color - collapse_by title: Filters Operation type: object Kibana_HTTP_APIs_mosaicGroupByHistogram: additionalProperties: false properties: collapse_by: $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' color: $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' field: description: Field to be used for the histogram. type: string format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' granularity: anyOf: - description: Granularity of the histogram. maximum: 7 minimum: 1 type: number - enum: - auto type: string default: auto include_empty_rows: default: true description: When `true`, includes empty rows in the results. type: boolean label: description: Label for the operation type: string operation: enum: - histogram type: string required: - operation - format - field - color - collapse_by title: Histogram Operation type: object Kibana_HTTP_APIs_mosaicGroupByRanges: additionalProperties: false properties: collapse_by: $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' color: $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' field: description: Field to be used for the range. type: string format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - range type: string ranges: items: additionalProperties: false type: object properties: gt: description: Greater than. type: number label: description: Label. type: string lte: description: Less than or equal to. type: number maxItems: 100 type: array required: - operation - format - field - ranges - color - collapse_by title: Ranges Operation type: object Kibana_HTTP_APIs_mosaicGroupByTerms: additionalProperties: false properties: collapse_by: $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' color: $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' excludes: additionalProperties: false type: object properties: as_regex: description: When `true`, treats the values as regular expressions. type: boolean values: items: description: Values to exclude. type: string maxItems: 100 type: array required: - values fields: items: description: Fields to be used for the terms. type: string maxItems: 4 minItems: 1 type: array format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' includes: additionalProperties: false type: object properties: as_regex: description: When `true`, treats the values as regular expressions. type: boolean values: items: description: Values to include. type: string maxItems: 100 type: array required: - values increase_accuracy: description: When `true`, increases accuracy at the cost of performance. type: boolean label: description: Label for the operation type: string limit: default: 5 description: Number of terms to return. type: number operation: enum: - terms type: string other_bucket: additionalProperties: false type: object properties: include_documents_without_field: description: When `true`, includes documents that do not have the specified field. type: boolean required: - include_documents_without_field rank_by: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByAlphabetical' - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByRare' - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankBySignificant' - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByMetric' - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomOperation' - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomCountOperation' - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileOperation' - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileRankOperation' required: - operation - format - fields - color - collapse_by title: Terms Operation type: object Kibana_HTTP_APIs_mosaicLegend: additionalProperties: false description: Legend configuration for mosaic chart appearance and behavior properties: nested: description: Show nested legend with hierarchical breakdown levels type: boolean size: $ref: '#/components/schemas/Kibana_HTTP_APIs_legendSize' truncate_after_lines: description: Number of lines before legend items are truncated. maximum: 10 minimum: 1 title: legendTruncateAfterLines type: number visibility: description: Legend visibility. enum: - auto - visible - hidden type: string required: - size title: Legend type: object x-oas-optional: true Kibana_HTTP_APIs_mosaicMetricCounterRate: additionalProperties: false properties: field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - counter_rate type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string required: - format - filter - time_scale - field - operation title: Counter Rate Operation type: object Kibana_HTTP_APIs_mosaicMetricCountMetric: additionalProperties: false properties: empty_as_null: default: false description: When `true`, treats empty buckets as null instead of zero. type: boolean field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - count type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string required: - format - filter - time_scale - operation title: Count Metric Operation type: object Kibana_HTTP_APIs_mosaicMetricCumulativeSum: additionalProperties: false properties: field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - cumulative_sum type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string required: - format - filter - time_scale - field - operation title: Cumulative Sum Operation type: object Kibana_HTTP_APIs_mosaicMetricDifferences: additionalProperties: false properties: filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string of: $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' operation: enum: - differences type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string required: - format - filter - time_scale - operation - of title: Differences Operation type: object Kibana_HTTP_APIs_mosaicMetricFormula: additionalProperties: false properties: filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' formula: description: Formula type: string label: description: Label for the operation type: string operation: enum: - formula type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: description: Time scale enum: - s - m - h - d type: string required: - format - operation - formula - filter title: Formula Operation type: object Kibana_HTTP_APIs_mosaicMetricLastValue: additionalProperties: false properties: field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string multi_value: default: false description: Whether to return all values for multi-value fields. Only affects data table and metric charts; other charts use the last value from the array. type: boolean operation: enum: - last_value type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_field: description: Time field used to determine document recency type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string required: - format - filter - time_scale - field - operation - time_field title: Last Value Operation type: object Kibana_HTTP_APIs_mosaicMetricMovingAverage: additionalProperties: false properties: filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string of: $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' operation: enum: - moving_average type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string window: default: 5 description: Window type: number required: - format - filter - time_scale - operation - of title: Moving Average Operation type: object Kibana_HTTP_APIs_mosaicMetricPercentile: additionalProperties: false properties: field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - percentile type: string percentile: default: 95 description: Percentile type: number reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string required: - format - filter - time_scale - field - operation title: Percentile Operation type: object Kibana_HTTP_APIs_mosaicMetricPercentileRanks: additionalProperties: false properties: field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - percentile_rank type: string rank: default: 0 description: Percentile Rank type: number reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string required: - format - filter - time_scale - field - operation title: Percentile Ranks Operation type: object Kibana_HTTP_APIs_mosaicMetricStatsMetric: additionalProperties: false properties: field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - min - max - average - median - standard_deviation type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string required: - format - filter - time_scale - field - operation title: Stats Metric Operation type: object Kibana_HTTP_APIs_mosaicMetricSumMetric: additionalProperties: false properties: empty_as_null: default: false description: When `true`, treats empty buckets as null instead of zero. type: boolean field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - sum type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string required: - format - filter - time_scale - field - operation title: Sum Metric Operation type: object Kibana_HTTP_APIs_mosaicMetricUniqueCountMetric: additionalProperties: false properties: empty_as_null: default: false description: When `true`, treats empty buckets as null instead of zero. type: boolean field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - unique_count type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string required: - format - filter - time_scale - field - operation title: Unique Count Metric Operation type: object Kibana_HTTP_APIs_mosaicNoESQL: additionalProperties: false description: Mosaic chart configuration schema for data source queries (non-ES|QL mode), defining metrics and breakdown dimensions properties: data_source: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-reference-schema' - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-spec-schema' description: type: string drilldowns: items: anyOf: - additionalProperties: false properties: dashboard_id: type: string label: type: string open_in_new_tab: default: false description: When enabled, the dashboard opens in a new browser tab. type: boolean trigger: enum: - on_apply_filter type: string type: enum: - dashboard_drilldown type: string use_filters: default: true description: When enabled, filters are passed to the opening dashboard. type: boolean use_time_range: default: true description: When enabled, time range is passed to the opening dashboard. type: boolean required: - dashboard_id - label - trigger - type title: dashboard_drilldown type: object - additionalProperties: false properties: label: type: string open_in_new_tab: default: true type: boolean trigger: enum: - on_apply_filter type: string type: enum: - discover_drilldown type: string required: - label - trigger - type title: discover_drilldown type: object - additionalProperties: false properties: encode_url: default: true description: When true, URL is escaped using percent encoding type: boolean label: type: string open_in_new_tab: default: true type: boolean trigger: enum: - on_click_row - on_click_value - on_open_panel_menu - on_select_range type: string type: enum: - url_drilldown type: string url: description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable type: string required: - url - label - trigger - type title: url_drilldown type: object maxItems: 100 type: array filters: $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' group_breakdown_by: description: Array of group breakdown dimensions (minimum 1) items: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicGroupBreakdownByDateHistogram' - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicGroupBreakdownByTerms' - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicGroupBreakdownByHistogram' - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicGroupBreakdownByRanges' - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicGroupBreakdownByFilters' maxItems: 100 minItems: 1 type: array group_by: description: Array of breakdown dimensions (minimum 1) items: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicGroupByDateHistogram' - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicGroupByTerms' - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicGroupByHistogram' - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicGroupByRanges' - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicGroupByFilters' maxItems: 100 minItems: 1 type: array hide_border: type: boolean hide_title: type: boolean ignore_global_filters: default: false description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. type: boolean legend: $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicLegend' metric: anyOf: - anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicMetricCountMetric' - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicMetricUniqueCountMetric' - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicMetricStatsMetric' - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicMetricSumMetric' - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicMetricLastValue' - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicMetricPercentile' - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicMetricPercentileRanks' - anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicMetricDifferences' - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicMetricMovingAverage' - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicMetricCumulativeSum' - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicMetricCounterRate' - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicMetricFormula' query: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' references: items: $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' type: array sampling: default: 1 description: Sampling factor between 0 (no sampling) and 1 (full sampling). maximum: 1 minimum: 0 type: number styling: $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicStyling' time_range: $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' title: type: string type: enum: - mosaic type: string required: - type - filters - data_source - query - legend - styling - metric - time_range title: Mosaic Chart (DSL) type: object Kibana_HTTP_APIs_mosaicStyling: additionalProperties: false description: Visual chart styling options properties: values: $ref: '#/components/schemas/Kibana_HTTP_APIs_valueDisplay' required: - values title: Mosaic styling type: object x-oas-optional: true Kibana_HTTP_APIs_movingAverageOperation: additionalProperties: false properties: filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string of: $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' operation: enum: - moving_average type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string window: default: 5 description: Window type: number required: - format - filter - time_scale - operation - of title: Moving Average Operation type: object Kibana_HTTP_APIs_multi_field_key: additionalProperties: false properties: keys: items: type: string maxItems: 100 type: array type: enum: - multi_field_key type: string required: - type - keys title: Multi Field Key type: object Kibana_HTTP_APIs_new_output_elasticsearch: additionalProperties: false properties: allow_edit: items: type: string maxItems: 1000 type: array ca_sha256: nullable: true type: string ca_trusted_fingerprint: nullable: true type: string config_yaml: nullable: true type: string hosts: items: format: uri type: string maxItems: 10 minItems: 1 type: array id: type: string is_default: default: false type: boolean is_default_monitoring: default: false type: boolean is_internal: type: boolean is_preconfigured: type: boolean name: type: string otel_disable_beatsauth: nullable: true type: boolean otel_exporter_config_yaml: nullable: true type: string preset: enum: - balanced - custom - throughput - scale - latency type: string proxy_id: nullable: true type: string secrets: additionalProperties: false type: object properties: ssl: additionalProperties: false type: object properties: key: anyOf: - additionalProperties: false type: object properties: hash: type: string id: type: string required: - id - type: string shipper: additionalProperties: false nullable: true type: object properties: compression_level: nullable: true type: number disk_queue_compression_enabled: nullable: true type: boolean disk_queue_enabled: default: false nullable: true type: boolean disk_queue_encryption_enabled: nullable: true type: boolean disk_queue_max_size: nullable: true type: number disk_queue_path: nullable: true type: string loadbalance: nullable: true type: boolean max_batch_bytes: nullable: true type: number mem_queue_events: nullable: true type: number queue_flush_timeout: nullable: true type: number required: - disk_queue_path - disk_queue_max_size - disk_queue_encryption_enabled - disk_queue_compression_enabled - compression_level - loadbalance - mem_queue_events - queue_flush_timeout - max_batch_bytes ssl: additionalProperties: false nullable: true type: object properties: certificate: type: string certificate_authorities: items: type: string maxItems: 10 type: array key: type: string verification_mode: enum: - full - none - certificate - strict type: string type: enum: - elasticsearch type: string write_to_logs_streams: nullable: true type: boolean required: - name - type - hosts title: new_output_elasticsearch type: object Kibana_HTTP_APIs_new_output_kafka: additionalProperties: false properties: allow_edit: items: type: string maxItems: 1000 type: array auth_type: enum: - none - user_pass - ssl - kerberos type: string broker_timeout: type: number ca_sha256: nullable: true type: string ca_trusted_fingerprint: nullable: true type: string client_id: type: string compression: enum: - gzip - snappy - lz4 - none type: string compression_level: anyOf: - items: {} type: array - type: boolean - type: number - type: object - type: string nullable: true oneOf: - type: number - not: {} config_yaml: nullable: true type: string connection_type: anyOf: - items: {} type: array - type: boolean - type: number - type: object - type: string nullable: true oneOf: - enum: - plaintext - encryption type: string - not: {} hash: additionalProperties: false type: object properties: hash: type: string random: type: boolean headers: items: additionalProperties: false type: object properties: key: type: string value: type: string required: - key - value maxItems: 100 type: array hosts: items: type: string maxItems: 10 minItems: 1 type: array id: type: string is_default: default: false type: boolean is_default_monitoring: default: false type: boolean is_internal: type: boolean is_preconfigured: type: boolean key: type: string name: type: string otel_disable_beatsauth: nullable: true type: boolean otel_exporter_config_yaml: nullable: true type: string partition: enum: - random - round_robin - hash type: string password: anyOf: - items: {} type: array - type: boolean - type: number - type: object - type: string nullable: true oneOf: - not: {} - anyOf: - items: {} type: array - type: boolean - type: number - type: object - type: string nullable: true oneOf: - type: string - not: {} proxy_id: nullable: true type: string random: additionalProperties: false type: object properties: group_events: type: number required_acks: enum: - 1 - 0 - -1 type: integer round_robin: additionalProperties: false type: object properties: group_events: type: number sasl: additionalProperties: false nullable: true type: object properties: mechanism: enum: - PLAIN - SCRAM-SHA-256 - SCRAM-SHA-512 type: string secrets: additionalProperties: false type: object properties: password: anyOf: - additionalProperties: false type: object properties: hash: type: string id: type: string required: - id - type: string ssl: additionalProperties: false type: object properties: key: anyOf: - additionalProperties: false type: object properties: hash: type: string id: type: string required: - id - type: string required: - key shipper: additionalProperties: false nullable: true type: object properties: compression_level: nullable: true type: number disk_queue_compression_enabled: nullable: true type: boolean disk_queue_enabled: default: false nullable: true type: boolean disk_queue_encryption_enabled: nullable: true type: boolean disk_queue_max_size: nullable: true type: number disk_queue_path: nullable: true type: string loadbalance: nullable: true type: boolean max_batch_bytes: nullable: true type: number mem_queue_events: nullable: true type: number queue_flush_timeout: nullable: true type: number required: - disk_queue_path - disk_queue_max_size - disk_queue_encryption_enabled - disk_queue_compression_enabled - compression_level - loadbalance - mem_queue_events - queue_flush_timeout - max_batch_bytes ssl: additionalProperties: false nullable: true type: object properties: certificate: type: string certificate_authorities: items: type: string maxItems: 10 type: array key: type: string verification_mode: enum: - full - none - certificate - strict type: string timeout: type: number topic: type: string type: enum: - kafka type: string username: anyOf: - items: {} type: array - type: boolean - type: number - type: object - type: string nullable: true oneOf: - type: string - not: {} version: type: string required: - name - type - hosts - compression_level - auth_type - connection_type - username - password title: new_output_kafka type: object Kibana_HTTP_APIs_new_output_logstash: additionalProperties: false properties: allow_edit: items: type: string maxItems: 1000 type: array ca_sha256: nullable: true type: string ca_trusted_fingerprint: nullable: true type: string config_yaml: nullable: true type: string hosts: items: type: string maxItems: 10 minItems: 1 type: array id: type: string is_default: default: false type: boolean is_default_monitoring: default: false type: boolean is_internal: type: boolean is_preconfigured: type: boolean name: type: string otel_disable_beatsauth: nullable: true type: boolean otel_exporter_config_yaml: nullable: true type: string proxy_id: nullable: true type: string secrets: additionalProperties: false type: object properties: ssl: additionalProperties: false type: object properties: key: anyOf: - additionalProperties: false type: object properties: hash: type: string id: type: string required: - id - type: string shipper: additionalProperties: false nullable: true type: object properties: compression_level: nullable: true type: number disk_queue_compression_enabled: nullable: true type: boolean disk_queue_enabled: default: false nullable: true type: boolean disk_queue_encryption_enabled: nullable: true type: boolean disk_queue_max_size: nullable: true type: number disk_queue_path: nullable: true type: string loadbalance: nullable: true type: boolean max_batch_bytes: nullable: true type: number mem_queue_events: nullable: true type: number queue_flush_timeout: nullable: true type: number required: - disk_queue_path - disk_queue_max_size - disk_queue_encryption_enabled - disk_queue_compression_enabled - compression_level - loadbalance - mem_queue_events - queue_flush_timeout - max_batch_bytes ssl: additionalProperties: false nullable: true type: object properties: certificate: type: string certificate_authorities: items: type: string maxItems: 10 type: array key: type: string verification_mode: enum: - full - none - certificate - strict type: string type: enum: - logstash type: string required: - name - type - hosts title: new_output_logstash type: object Kibana_HTTP_APIs_new_output_remote_elasticsearch: additionalProperties: false properties: allow_edit: items: type: string maxItems: 1000 type: array ca_sha256: nullable: true type: string ca_trusted_fingerprint: nullable: true type: string config_yaml: nullable: true type: string hosts: items: format: uri type: string maxItems: 10 minItems: 1 type: array id: type: string is_default: default: false type: boolean is_default_monitoring: default: false type: boolean is_internal: type: boolean is_preconfigured: type: boolean kibana_api_key: nullable: true type: string kibana_url: nullable: true type: string name: type: string otel_disable_beatsauth: nullable: true type: boolean otel_exporter_config_yaml: nullable: true type: string preset: enum: - balanced - custom - throughput - scale - latency type: string proxy_id: nullable: true type: string secrets: additionalProperties: false type: object properties: service_token: anyOf: - additionalProperties: false type: object properties: hash: type: string id: type: string required: - id - type: string ssl: additionalProperties: false type: object properties: key: anyOf: - additionalProperties: false type: object properties: hash: type: string id: type: string required: - id - type: string service_token: nullable: true type: string shipper: additionalProperties: false nullable: true type: object properties: compression_level: nullable: true type: number disk_queue_compression_enabled: nullable: true type: boolean disk_queue_enabled: default: false nullable: true type: boolean disk_queue_encryption_enabled: nullable: true type: boolean disk_queue_max_size: nullable: true type: number disk_queue_path: nullable: true type: string loadbalance: nullable: true type: boolean max_batch_bytes: nullable: true type: number mem_queue_events: nullable: true type: number queue_flush_timeout: nullable: true type: number required: - disk_queue_path - disk_queue_max_size - disk_queue_encryption_enabled - disk_queue_compression_enabled - compression_level - loadbalance - mem_queue_events - queue_flush_timeout - max_batch_bytes ssl: additionalProperties: false nullable: true type: object properties: certificate: type: string certificate_authorities: items: type: string maxItems: 10 type: array key: type: string verification_mode: enum: - full - none - certificate - strict type: string sync_integrations: type: boolean sync_uninstalled_integrations: type: boolean type: enum: - remote_elasticsearch type: string write_to_logs_streams: nullable: true type: boolean required: - name - type - hosts title: new_output_remote_elasticsearch type: object Kibana_HTTP_APIs_noColor: additionalProperties: false description: Explicitly disables coloring properties: type: enum: - none type: string required: - type title: No Color type: object Kibana_HTTP_APIs_numericFormat: additionalProperties: false description: Number or percentage format with optional decimal places, suffix, and compact notation. properties: compact: default: false description: When `true`, uses compact notation (for example, 1.2k instead of 1,200). Defaults to `false`. type: boolean decimals: default: 2 description: Number of decimal places to display. type: number suffix: description: Suffix appended to the formatted value. type: string type: description: 'Value format type: `number` for plain numbers, `percent` for percentages.' enum: - number - percent type: string required: - type title: Numeric Format type: object Kibana_HTTP_APIs_observability-rules-custom-threshold-create-rule-body-alerting: additionalProperties: false properties: actions: default: [] items: additionalProperties: false description: An action that runs under defined conditions. type: object properties: alerts_filter: additionalProperties: false description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. type: object properties: query: additionalProperties: false type: object properties: dsl: description: A filter written in Elasticsearch Query Domain Specific Language (DSL). type: string filters: description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. items: additionalProperties: false type: object properties: $state: additionalProperties: false type: object properties: store: description: A filter can be either specific to an application context or applied globally. enum: - appState - globalState type: string required: - store meta: additionalProperties: {} type: object query: additionalProperties: {} type: object required: - meta type: array kql: description: A filter written in Kibana Query Language (KQL). type: string required: - kql - filters timeframe: additionalProperties: false description: Defines a period that limits whether the action runs. type: object properties: days: description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. items: enum: - 1 - 2 - 3 - 4 - 5 - 6 - 7 type: integer type: array hours: additionalProperties: false description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. type: object properties: end: description: The end of the time frame in 24-hour notation (`hh:mm`). type: string start: description: The start of the time frame in 24-hour notation (`hh:mm`). type: string required: - start - end timezone: description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. type: string required: - days - hours - timezone frequency: additionalProperties: false type: object properties: notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval type: string summary: description: Indicates whether the action is a summary. type: boolean throttle: description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - summary - notify_when - throttle group: description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. type: string id: description: The identifier for the connector saved object. type: string params: additionalProperties: {} default: {} description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. type: object use_alert_data_for_template: description: Indicates whether to use alert data as a template. type: boolean uuid: description: A universally unique identifier (UUID) for the action. type: string required: - id type: array alert_delay: additionalProperties: false description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. type: object properties: active: description: The number of consecutive runs that must meet the rule conditions. type: number required: - active artifacts: additionalProperties: false type: object properties: dashboards: items: additionalProperties: false type: object properties: id: type: string required: - id maxItems: 10 type: array investigation_guide: additionalProperties: false type: object properties: blob: maxLength: 10000 type: string required: - blob consumer: description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' type: string enabled: default: true description: Indicates whether you want to run the rule on an interval basis after it is created. type: boolean flapping: additionalProperties: false description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. nullable: true type: object properties: enabled: description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. type: boolean look_back_window: description: The minimum number of runs in which the threshold must be met. maximum: 20 minimum: 2 type: number status_change_threshold: description: The minimum number of times an alert must switch states in the look back window. maximum: 20 minimum: 2 type: number required: - look_back_window - status_change_threshold name: description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. type: string notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval nullable: true type: string params: additionalProperties: true description: The parameters for the custom threshold rule. These parameters are appropriate when `rule_type_id` is `observability.rules.custom_threshold`. properties: alertOnGroupDisappear: type: boolean alertOnNoData: type: boolean criteria: items: additionalProperties: false type: object properties: aggType: enum: - custom type: string comparator: type: string equation: type: string label: type: string metrics: items: anyOf: - additionalProperties: false type: object properties: aggType: type: string field: type: string filter: type: string name: type: string required: - name - aggType - field - additionalProperties: false type: object properties: aggType: enum: - count type: string filter: type: string name: type: string required: - name - aggType type: array threshold: items: type: number type: array timeSize: type: number timeUnit: type: string required: - threshold - comparator - timeUnit - timeSize - metrics type: array groupBy: anyOf: - type: string - items: type: string type: array noDataBehavior: enum: - recover - remainActive - alertOnNoData type: string searchConfiguration: additionalProperties: false type: object properties: filter: items: additionalProperties: false type: object properties: meta: additionalProperties: {} type: object query: additionalProperties: {} type: object required: - meta type: array index: anyOf: - type: string - additionalProperties: false type: object properties: allowHidden: type: boolean allowNoIndex: type: boolean fieldAttrs: additionalProperties: additionalProperties: false type: object properties: count: type: number customDescription: maxLength: 300 type: string customLabel: type: string type: object fieldFormats: additionalProperties: additionalProperties: false type: object properties: id: type: string params: {} required: - params type: object fields: additionalProperties: additionalProperties: false type: object properties: aggregatable: type: boolean count: minimum: 0 type: number customDescription: maxLength: 300 type: string customLabel: type: string esTypes: items: type: string type: array format: additionalProperties: false type: object properties: id: type: string params: {} required: - params name: maxLength: 1000 type: string readFromDocValues: type: boolean runtimeField: anyOf: - additionalProperties: false type: object properties: customDescription: maxLength: 300 type: string customLabel: type: string format: additionalProperties: false type: object properties: id: type: string params: {} required: - params popularity: minimum: 0 type: number script: additionalProperties: false type: object properties: source: type: string required: - source type: enum: - keyword - long - double - date - ip - boolean - geo_point type: string required: - type - additionalProperties: false type: object properties: fields: additionalProperties: additionalProperties: false type: object properties: customDescription: maxLength: 300 type: string customLabel: type: string format: additionalProperties: false type: object properties: id: type: string params: {} required: - params popularity: minimum: 0 type: number type: enum: - keyword - long - double - date - ip - boolean - geo_point type: string required: - type type: object script: additionalProperties: false type: object properties: source: type: string required: - source type: enum: - composite type: string required: - type script: maxLength: 1000000 type: string scripted: type: boolean searchable: type: boolean shortDotsEnable: type: boolean subType: additionalProperties: false type: object properties: multi: additionalProperties: false type: object properties: parent: type: string required: - parent nested: additionalProperties: false type: object properties: path: type: string required: - path type: default: string maxLength: 1000 type: string required: - name type: object id: type: string managed: type: boolean name: type: string namespaces: items: type: string type: array runtimeFieldMap: additionalProperties: anyOf: - additionalProperties: false type: object properties: customDescription: maxLength: 300 type: string customLabel: type: string format: additionalProperties: false type: object properties: id: type: string params: {} required: - params popularity: minimum: 0 type: number script: additionalProperties: false type: object properties: source: type: string required: - source type: enum: - keyword - long - double - date - ip - boolean - geo_point type: string required: - type - additionalProperties: false type: object properties: fields: additionalProperties: additionalProperties: false type: object properties: customDescription: maxLength: 300 type: string customLabel: type: string format: additionalProperties: false type: object properties: id: type: string params: {} required: - params popularity: minimum: 0 type: number type: enum: - keyword - long - double - date - ip - boolean - geo_point type: string required: - type type: object script: additionalProperties: false type: object properties: source: type: string required: - source type: enum: - composite type: string required: - type type: object sourceFilters: items: additionalProperties: false type: object properties: clientId: anyOf: - type: string - type: number value: type: string required: - value type: array timeFieldName: type: string title: type: string type: type: string typeMeta: additionalProperties: true type: object properties: {} version: type: string required: - title query: additionalProperties: false type: object properties: language: type: string query: type: string required: - language - query required: - index - query required: - criteria - searchConfiguration title: Custom Threshold Rule Params type: object rule_type_id: enum: - observability.rules.custom_threshold type: string schedule: additionalProperties: false description: The check interval, which specifies how frequently the rule conditions are checked. type: object properties: interval: description: The interval is specified in seconds, minutes, hours, or days. type: string required: - interval tags: default: [] description: The tags for the rule. items: type: string type: array throttle: description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - name - consumer - schedule - rule_type_id - params title: Custom threshold type: object Kibana_HTTP_APIs_operationTimeScaleSetting: description: Time scale enum: - s - m - h - d title: Operation Time Scale Setting type: string x-oas-optional: true Kibana_HTTP_APIs_output_elasticsearch: additionalProperties: true properties: allow_edit: items: type: string maxItems: 1000 type: array ca_sha256: nullable: true type: string ca_trusted_fingerprint: nullable: true type: string config_yaml: nullable: true type: string hosts: items: format: uri type: string maxItems: 10 minItems: 1 type: array id: type: string is_default: default: false type: boolean is_default_monitoring: default: false type: boolean is_internal: type: boolean is_preconfigured: type: boolean name: type: string otel_disable_beatsauth: nullable: true type: boolean otel_exporter_config_yaml: nullable: true type: string preset: enum: - balanced - custom - throughput - scale - latency type: string proxy_id: nullable: true type: string secrets: additionalProperties: true type: object properties: ssl: additionalProperties: true type: object properties: key: anyOf: - additionalProperties: true type: object properties: hash: type: string id: type: string required: - id - type: string shipper: additionalProperties: true nullable: true type: object properties: compression_level: nullable: true type: number disk_queue_compression_enabled: nullable: true type: boolean disk_queue_enabled: default: false nullable: true type: boolean disk_queue_encryption_enabled: nullable: true type: boolean disk_queue_max_size: nullable: true type: number disk_queue_path: nullable: true type: string loadbalance: nullable: true type: boolean max_batch_bytes: nullable: true type: number mem_queue_events: nullable: true type: number queue_flush_timeout: nullable: true type: number required: - disk_queue_path - disk_queue_max_size - disk_queue_encryption_enabled - disk_queue_compression_enabled - compression_level - loadbalance - mem_queue_events - queue_flush_timeout - max_batch_bytes ssl: additionalProperties: true nullable: true type: object properties: certificate: type: string certificate_authorities: items: type: string maxItems: 10 type: array key: type: string verification_mode: enum: - full - none - certificate - strict type: string type: enum: - elasticsearch type: string write_to_logs_streams: nullable: true type: boolean required: - name - type - hosts title: output_elasticsearch type: object Kibana_HTTP_APIs_output_kafka: additionalProperties: true properties: allow_edit: items: type: string maxItems: 1000 type: array auth_type: enum: - none - user_pass - ssl - kerberos type: string broker_timeout: type: number ca_sha256: nullable: true type: string ca_trusted_fingerprint: nullable: true type: string client_id: type: string compression: enum: - gzip - snappy - lz4 - none type: string compression_level: anyOf: - items: {} type: array - type: boolean - type: number - type: object - type: string nullable: true oneOf: - type: number - not: {} config_yaml: nullable: true type: string connection_type: anyOf: - items: {} type: array - type: boolean - type: number - type: object - type: string nullable: true oneOf: - enum: - plaintext - encryption type: string - not: {} hash: additionalProperties: true type: object properties: hash: type: string random: type: boolean headers: items: additionalProperties: true type: object properties: key: type: string value: type: string required: - key - value maxItems: 100 type: array hosts: items: type: string maxItems: 10 minItems: 1 type: array id: type: string is_default: default: false type: boolean is_default_monitoring: default: false type: boolean is_internal: type: boolean is_preconfigured: type: boolean key: type: string name: type: string otel_disable_beatsauth: nullable: true type: boolean otel_exporter_config_yaml: nullable: true type: string partition: enum: - random - round_robin - hash type: string password: anyOf: - items: {} type: array - type: boolean - type: number - type: object - type: string nullable: true oneOf: - not: {} - anyOf: - items: {} type: array - type: boolean - type: number - type: object - type: string nullable: true oneOf: - type: string - not: {} proxy_id: nullable: true type: string random: additionalProperties: true type: object properties: group_events: type: number required_acks: enum: - 1 - 0 - -1 type: integer round_robin: additionalProperties: true type: object properties: group_events: type: number sasl: additionalProperties: true nullable: true type: object properties: mechanism: enum: - PLAIN - SCRAM-SHA-256 - SCRAM-SHA-512 type: string secrets: additionalProperties: true type: object properties: password: anyOf: - additionalProperties: true type: object properties: hash: type: string id: type: string required: - id - type: string ssl: additionalProperties: true type: object properties: key: anyOf: - additionalProperties: true type: object properties: hash: type: string id: type: string required: - id - type: string required: - key shipper: additionalProperties: true nullable: true type: object properties: compression_level: nullable: true type: number disk_queue_compression_enabled: nullable: true type: boolean disk_queue_enabled: default: false nullable: true type: boolean disk_queue_encryption_enabled: nullable: true type: boolean disk_queue_max_size: nullable: true type: number disk_queue_path: nullable: true type: string loadbalance: nullable: true type: boolean max_batch_bytes: nullable: true type: number mem_queue_events: nullable: true type: number queue_flush_timeout: nullable: true type: number required: - disk_queue_path - disk_queue_max_size - disk_queue_encryption_enabled - disk_queue_compression_enabled - compression_level - loadbalance - mem_queue_events - queue_flush_timeout - max_batch_bytes ssl: additionalProperties: true nullable: true type: object properties: certificate: type: string certificate_authorities: items: type: string maxItems: 10 type: array key: type: string verification_mode: enum: - full - none - certificate - strict type: string timeout: type: number topic: type: string type: enum: - kafka type: string username: anyOf: - items: {} type: array - type: boolean - type: number - type: object - type: string nullable: true oneOf: - type: string - not: {} version: type: string required: - name - type - hosts - compression_level - auth_type - connection_type - username - password title: output_kafka type: object Kibana_HTTP_APIs_output_logstash: additionalProperties: true properties: allow_edit: items: type: string maxItems: 1000 type: array ca_sha256: nullable: true type: string ca_trusted_fingerprint: nullable: true type: string config_yaml: nullable: true type: string hosts: items: type: string maxItems: 10 minItems: 1 type: array id: type: string is_default: default: false type: boolean is_default_monitoring: default: false type: boolean is_internal: type: boolean is_preconfigured: type: boolean name: type: string otel_disable_beatsauth: nullable: true type: boolean otel_exporter_config_yaml: nullable: true type: string proxy_id: nullable: true type: string secrets: additionalProperties: true type: object properties: ssl: additionalProperties: true type: object properties: key: anyOf: - additionalProperties: true type: object properties: hash: type: string id: type: string required: - id - type: string shipper: additionalProperties: true nullable: true type: object properties: compression_level: nullable: true type: number disk_queue_compression_enabled: nullable: true type: boolean disk_queue_enabled: default: false nullable: true type: boolean disk_queue_encryption_enabled: nullable: true type: boolean disk_queue_max_size: nullable: true type: number disk_queue_path: nullable: true type: string loadbalance: nullable: true type: boolean max_batch_bytes: nullable: true type: number mem_queue_events: nullable: true type: number queue_flush_timeout: nullable: true type: number required: - disk_queue_path - disk_queue_max_size - disk_queue_encryption_enabled - disk_queue_compression_enabled - compression_level - loadbalance - mem_queue_events - queue_flush_timeout - max_batch_bytes ssl: additionalProperties: true nullable: true type: object properties: certificate: type: string certificate_authorities: items: type: string maxItems: 10 type: array key: type: string verification_mode: enum: - full - none - certificate - strict type: string type: enum: - logstash type: string required: - name - type - hosts title: output_logstash type: object Kibana_HTTP_APIs_output_remote_elasticsearch: additionalProperties: true properties: allow_edit: items: type: string maxItems: 1000 type: array ca_sha256: nullable: true type: string ca_trusted_fingerprint: nullable: true type: string config_yaml: nullable: true type: string hosts: items: format: uri type: string maxItems: 10 minItems: 1 type: array id: type: string is_default: default: false type: boolean is_default_monitoring: default: false type: boolean is_internal: type: boolean is_preconfigured: type: boolean kibana_api_key: nullable: true type: string kibana_url: nullable: true type: string name: type: string otel_disable_beatsauth: nullable: true type: boolean otel_exporter_config_yaml: nullable: true type: string preset: enum: - balanced - custom - throughput - scale - latency type: string proxy_id: nullable: true type: string secrets: additionalProperties: true type: object properties: service_token: anyOf: - additionalProperties: true type: object properties: hash: type: string id: type: string required: - id - type: string ssl: additionalProperties: true type: object properties: key: anyOf: - additionalProperties: true type: object properties: hash: type: string id: type: string required: - id - type: string service_token: nullable: true type: string shipper: additionalProperties: true nullable: true type: object properties: compression_level: nullable: true type: number disk_queue_compression_enabled: nullable: true type: boolean disk_queue_enabled: default: false nullable: true type: boolean disk_queue_encryption_enabled: nullable: true type: boolean disk_queue_max_size: nullable: true type: number disk_queue_path: nullable: true type: string loadbalance: nullable: true type: boolean max_batch_bytes: nullable: true type: number mem_queue_events: nullable: true type: number queue_flush_timeout: nullable: true type: number required: - disk_queue_path - disk_queue_max_size - disk_queue_encryption_enabled - disk_queue_compression_enabled - compression_level - loadbalance - mem_queue_events - queue_flush_timeout - max_batch_bytes ssl: additionalProperties: true nullable: true type: object properties: certificate: type: string certificate_authorities: items: type: string maxItems: 10 type: array key: type: string verification_mode: enum: - full - none - certificate - strict type: string sync_integrations: type: boolean sync_uninstalled_integrations: type: boolean type: enum: - remote_elasticsearch type: string write_to_logs_streams: nullable: true type: boolean required: - name - type - hosts title: output_remote_elasticsearch type: object Kibana_HTTP_APIs_percentileOperation: additionalProperties: false properties: field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - percentile type: string percentile: default: 95 description: Percentile type: number reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string required: - format - filter - time_scale - field - operation title: Percentile Operation type: object Kibana_HTTP_APIs_percentileRanksOperation: additionalProperties: false properties: field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - percentile_rank type: string rank: default: 0 description: Percentile Rank type: number reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string required: - format - filter - time_scale - field - operation title: Percentile Ranks Operation type: object Kibana_HTTP_APIs_pieESQL: additionalProperties: false description: Pie chart configuration for ES|QL queries properties: data_source: $ref: '#/components/schemas/Kibana_HTTP_APIs_esqlDataSource' description: type: string drilldowns: items: anyOf: - additionalProperties: false properties: dashboard_id: type: string label: type: string open_in_new_tab: default: false description: When enabled, the dashboard opens in a new browser tab. type: boolean trigger: enum: - on_apply_filter type: string type: enum: - dashboard_drilldown type: string use_filters: default: true description: When enabled, filters are passed to the opening dashboard. type: boolean use_time_range: default: true description: When enabled, time range is passed to the opening dashboard. type: boolean required: - dashboard_id - label - trigger - type title: dashboard_drilldown type: object - additionalProperties: false properties: label: type: string open_in_new_tab: default: true type: boolean trigger: enum: - on_apply_filter type: string type: enum: - discover_drilldown type: string required: - label - trigger - type title: discover_drilldown type: object - additionalProperties: false properties: encode_url: default: true description: When true, URL is escaped using percent encoding type: boolean label: type: string open_in_new_tab: default: true type: boolean trigger: enum: - on_click_row - on_click_value - on_open_panel_menu - on_select_range type: string type: enum: - url_drilldown type: string url: description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable type: string required: - url - label - trigger - type title: url_drilldown type: object maxItems: 100 type: array filters: $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' group_by: description: Array of breakdown dimensions (minimum 1) items: additionalProperties: false type: object properties: collapse_by: $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' color: $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' column: description: Column to use type: string format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string required: - column - format - color - collapse_by maxItems: 100 minItems: 1 type: array hide_border: type: boolean hide_title: type: boolean ignore_global_filters: default: false description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. type: boolean legend: $ref: '#/components/schemas/Kibana_HTTP_APIs_pieLegend' metrics: description: Array of metric configurations (minimum 1) items: additionalProperties: false description: ES|QL column reference for primary metric type: object properties: color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' column: description: Column to use type: string format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string required: - column - format maxItems: 100 minItems: 1 type: array references: items: $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' type: array sampling: default: 1 description: Sampling factor between 0 (no sampling) and 1 (full sampling). maximum: 1 minimum: 0 type: number styling: $ref: '#/components/schemas/Kibana_HTTP_APIs_pieStyling' time_range: $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' title: type: string type: enum: - pie type: string required: - type - filters - data_source - legend - styling - metrics - time_range title: Pie Chart (ES|QL) type: object Kibana_HTTP_APIs_pieGroupByDateHistogram: additionalProperties: false properties: collapse_by: $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' color: $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' drop_partial_intervals: description: When `true`, drops partial intervals from the results. type: boolean field: description: Field to be used for the date histogram. type: string include_empty_rows: default: true description: When `true`, includes empty rows in the results. type: boolean label: description: Label for the operation type: string operation: enum: - date_histogram type: string suggested_interval: default: auto description: Suggested time interval. type: string use_original_time_range: default: false description: When `true`, uses the original time range instead of the current query time range. type: boolean required: - operation - field - color - collapse_by title: Date Histogram Operation type: object Kibana_HTTP_APIs_pieGroupByFilters: additionalProperties: false properties: collapse_by: $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' color: $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' filters: items: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterWithLabel' maxItems: 100 type: array label: description: Label for the operation type: string operation: enum: - filters type: string required: - operation - filters - color - collapse_by title: Filters Operation type: object Kibana_HTTP_APIs_pieGroupByHistogram: additionalProperties: false properties: collapse_by: $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' color: $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' field: description: Field to be used for the histogram. type: string format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' granularity: anyOf: - description: Granularity of the histogram. maximum: 7 minimum: 1 type: number - enum: - auto type: string default: auto include_empty_rows: default: true description: When `true`, includes empty rows in the results. type: boolean label: description: Label for the operation type: string operation: enum: - histogram type: string required: - operation - format - field - color - collapse_by title: Histogram Operation type: object Kibana_HTTP_APIs_pieGroupByRanges: additionalProperties: false properties: collapse_by: $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' color: $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' field: description: Field to be used for the range. type: string format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - range type: string ranges: items: additionalProperties: false type: object properties: gt: description: Greater than. type: number label: description: Label. type: string lte: description: Less than or equal to. type: number maxItems: 100 type: array required: - operation - format - field - ranges - color - collapse_by title: Ranges Operation type: object Kibana_HTTP_APIs_pieGroupByTerms: additionalProperties: false properties: collapse_by: $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' color: $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' excludes: additionalProperties: false type: object properties: as_regex: description: When `true`, treats the values as regular expressions. type: boolean values: items: description: Values to exclude. type: string maxItems: 100 type: array required: - values fields: items: description: Fields to be used for the terms. type: string maxItems: 4 minItems: 1 type: array format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' includes: additionalProperties: false type: object properties: as_regex: description: When `true`, treats the values as regular expressions. type: boolean values: items: description: Values to include. type: string maxItems: 100 type: array required: - values increase_accuracy: description: When `true`, increases accuracy at the cost of performance. type: boolean label: description: Label for the operation type: string limit: default: 5 description: Number of terms to return. type: number operation: enum: - terms type: string other_bucket: additionalProperties: false type: object properties: include_documents_without_field: description: When `true`, includes documents that do not have the specified field. type: boolean required: - include_documents_without_field rank_by: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByAlphabetical' - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByRare' - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankBySignificant' - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByMetric' - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomOperation' - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomCountOperation' - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileOperation' - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileRankOperation' required: - operation - format - fields - color - collapse_by title: Terms Operation type: object Kibana_HTTP_APIs_pieLegend: additionalProperties: false description: Legend configuration for pie chart properties: nested: description: Show nested legend with hierarchical breakdown levels type: boolean size: $ref: '#/components/schemas/Kibana_HTTP_APIs_legendSize' truncate_after_lines: description: Number of lines before legend items are truncated. maximum: 10 minimum: 1 title: legendTruncateAfterLines type: number visibility: description: Legend visibility. enum: - auto - visible - hidden type: string required: - size title: Legend type: object x-oas-optional: true Kibana_HTTP_APIs_pieMetricCounterRate: additionalProperties: false properties: color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - counter_rate type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string required: - format - filter - time_scale - field - operation title: Counter Rate Operation type: object Kibana_HTTP_APIs_pieMetricCountMetric: additionalProperties: false properties: color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' empty_as_null: default: false description: When `true`, treats empty buckets as null instead of zero. type: boolean field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - count type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string required: - format - filter - time_scale - operation title: Count Metric Operation type: object Kibana_HTTP_APIs_pieMetricCumulativeSum: additionalProperties: false properties: color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - cumulative_sum type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string required: - format - filter - time_scale - field - operation title: Cumulative Sum Operation type: object Kibana_HTTP_APIs_pieMetricDifferences: additionalProperties: false properties: color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string of: $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' operation: enum: - differences type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string required: - format - filter - time_scale - operation - of title: Differences Operation type: object Kibana_HTTP_APIs_pieMetricFormula: additionalProperties: false properties: color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' formula: description: Formula type: string label: description: Label for the operation type: string operation: enum: - formula type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: description: Time scale enum: - s - m - h - d type: string required: - format - operation - formula - filter title: Formula Operation type: object Kibana_HTTP_APIs_pieMetricLastValue: additionalProperties: false properties: color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string multi_value: default: false description: Whether to return all values for multi-value fields. Only affects data table and metric charts; other charts use the last value from the array. type: boolean operation: enum: - last_value type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_field: description: Time field used to determine document recency type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string required: - format - filter - time_scale - field - operation - time_field title: Last Value Operation type: object Kibana_HTTP_APIs_pieMetricMovingAverage: additionalProperties: false properties: color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string of: $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' operation: enum: - moving_average type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string window: default: 5 description: Window type: number required: - format - filter - time_scale - operation - of title: Moving Average Operation type: object Kibana_HTTP_APIs_pieMetricPercentile: additionalProperties: false properties: color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - percentile type: string percentile: default: 95 description: Percentile type: number reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string required: - format - filter - time_scale - field - operation title: Percentile Operation type: object Kibana_HTTP_APIs_pieMetricPercentileRanks: additionalProperties: false properties: color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - percentile_rank type: string rank: default: 0 description: Percentile Rank type: number reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string required: - format - filter - time_scale - field - operation title: Percentile Ranks Operation type: object Kibana_HTTP_APIs_pieMetricStatsMetric: additionalProperties: false properties: color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - min - max - average - median - standard_deviation type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string required: - format - filter - time_scale - field - operation title: Stats Metric Operation type: object Kibana_HTTP_APIs_pieMetricSumMetric: additionalProperties: false properties: color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' empty_as_null: default: false description: When `true`, treats empty buckets as null instead of zero. type: boolean field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - sum type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string required: - format - filter - time_scale - field - operation title: Sum Metric Operation type: object Kibana_HTTP_APIs_pieMetricUniqueCountMetric: additionalProperties: false properties: color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' empty_as_null: default: false description: When `true`, treats empty buckets as null instead of zero. type: boolean field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - unique_count type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string required: - format - filter - time_scale - field - operation title: Unique Count Metric Operation type: object Kibana_HTTP_APIs_pieNoESQL: additionalProperties: false description: Pie chart configuration for standard queries properties: data_source: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-reference-schema' - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-spec-schema' description: type: string drilldowns: items: anyOf: - additionalProperties: false properties: dashboard_id: type: string label: type: string open_in_new_tab: default: false description: When enabled, the dashboard opens in a new browser tab. type: boolean trigger: enum: - on_apply_filter type: string type: enum: - dashboard_drilldown type: string use_filters: default: true description: When enabled, filters are passed to the opening dashboard. type: boolean use_time_range: default: true description: When enabled, time range is passed to the opening dashboard. type: boolean required: - dashboard_id - label - trigger - type title: dashboard_drilldown type: object - additionalProperties: false properties: label: type: string open_in_new_tab: default: true type: boolean trigger: enum: - on_apply_filter type: string type: enum: - discover_drilldown type: string required: - label - trigger - type title: discover_drilldown type: object - additionalProperties: false properties: encode_url: default: true description: When true, URL is escaped using percent encoding type: boolean label: type: string open_in_new_tab: default: true type: boolean trigger: enum: - on_click_row - on_click_value - on_open_panel_menu - on_select_range type: string type: enum: - url_drilldown type: string url: description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable type: string required: - url - label - trigger - type title: url_drilldown type: object maxItems: 100 type: array filters: $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' group_by: description: Array of breakdown dimensions (minimum 1) items: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieGroupByDateHistogram' - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieGroupByTerms' - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieGroupByHistogram' - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieGroupByRanges' - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieGroupByFilters' maxItems: 100 minItems: 1 type: array hide_border: type: boolean hide_title: type: boolean ignore_global_filters: default: false description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. type: boolean legend: $ref: '#/components/schemas/Kibana_HTTP_APIs_pieLegend' metrics: description: Array of metric configurations (minimum 1) items: anyOf: - anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieMetricCountMetric' - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieMetricUniqueCountMetric' - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieMetricStatsMetric' - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieMetricSumMetric' - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieMetricLastValue' - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieMetricPercentile' - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieMetricPercentileRanks' - anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieMetricDifferences' - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieMetricMovingAverage' - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieMetricCumulativeSum' - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieMetricCounterRate' - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieMetricFormula' maxItems: 100 minItems: 1 type: array query: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' references: items: $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' type: array sampling: default: 1 description: Sampling factor between 0 (no sampling) and 1 (full sampling). maximum: 1 minimum: 0 type: number styling: $ref: '#/components/schemas/Kibana_HTTP_APIs_pieStyling' time_range: $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' title: type: string type: enum: - pie type: string required: - type - filters - data_source - query - legend - styling - metrics - time_range title: Pie Chart (DSL) type: object Kibana_HTTP_APIs_pieStyling: additionalProperties: false description: Visual chart styling options properties: donut_hole: description: 'Donut hole size. Accepted values: `none` (full pie), `s`, `m`, `l`.' enum: - none - s - m - l type: string labels: additionalProperties: false description: Label configuration for pie chart slice labels inside or outside the pie type: object properties: position: description: 'Slice label position: `inside` or `outside`.' enum: - inside - outside type: string visible: description: When `true`, displays slice labels. type: boolean values: $ref: '#/components/schemas/Kibana_HTTP_APIs_valueDisplay' required: - values title: Pie chart styling type: object x-oas-optional: true Kibana_HTTP_APIs_QueryStreamUpsertRequest: additionalProperties: false type: object properties: dashboards: items: type: string type: array queries: items: type: object properties: description: type: string esql: type: object properties: query: type: string required: - query evidence: items: type: string type: array id: description: A non-empty string. minLength: 1 type: string severity_score: type: number title: description: A non-empty string. minLength: 1 type: string required: - id - title - description - esql type: array rules: items: type: string type: array stream: additionalProperties: false type: object properties: description: type: string field_descriptions: additionalProperties: type: string type: object query: additionalProperties: false type: object properties: esql: type: string view: type: string required: - view - esql query_streams: items: type: object properties: name: type: string required: - name type: array type: enum: - query type: string required: - description - type - query required: - dashboards - rules - queries - stream Kibana_HTTP_APIs_range_key: additionalProperties: false properties: from: anyOf: - type: string - type: number ranges: items: additionalProperties: false type: object properties: from: anyOf: - type: string - type: number label: type: string to: anyOf: - type: string - type: number required: - from - to - label maxItems: 100 type: array to: anyOf: - type: string - type: number type: enum: - range_key type: string required: - type - from - to - ranges title: Range Key type: object Kibana_HTTP_APIs_rangesOperation: additionalProperties: false properties: field: description: Field to be used for the range. type: string format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - range type: string ranges: items: additionalProperties: false type: object properties: gt: description: Greater than. type: number label: description: Label. type: string lte: description: Less than or equal to. type: number maxItems: 100 type: array required: - operation - format - field - ranges title: Ranges Operation type: object Kibana_HTTP_APIs_RecursiveRecord: additionalProperties: anyOf: - anyOf: - type: string - type: number - type: boolean - nullable: true - {} - items: anyOf: - type: string - type: number - type: boolean - nullable: true - {} type: array - items: {} type: array - $ref: '#/components/schemas/Kibana_HTTP_APIs_RecursiveRecord' type: object Kibana_HTTP_APIs_regionMapESQL: additionalProperties: false description: Region Map configuration using an ES|QL query, mapping metric values to geographic regions by color. properties: data_source: $ref: '#/components/schemas/Kibana_HTTP_APIs_esqlDataSource' description: type: string drilldowns: items: anyOf: - additionalProperties: false properties: dashboard_id: type: string label: type: string open_in_new_tab: default: false description: When enabled, the dashboard opens in a new browser tab. type: boolean trigger: enum: - on_apply_filter type: string type: enum: - dashboard_drilldown type: string use_filters: default: true description: When enabled, filters are passed to the opening dashboard. type: boolean use_time_range: default: true description: When enabled, time range is passed to the opening dashboard. type: boolean required: - dashboard_id - label - trigger - type title: dashboard_drilldown type: object - additionalProperties: false properties: label: type: string open_in_new_tab: default: true type: boolean trigger: enum: - on_apply_filter type: string type: enum: - discover_drilldown type: string required: - label - trigger - type title: discover_drilldown type: object - additionalProperties: false properties: encode_url: default: true description: When true, URL is escaped using percent encoding type: boolean label: type: string open_in_new_tab: default: true type: boolean trigger: enum: - on_click_row - on_click_value - on_open_panel_menu - on_select_range type: string type: enum: - url_drilldown type: string url: description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable type: string required: - url - label - trigger - type title: url_drilldown type: object maxItems: 100 type: array filters: $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' hide_border: type: boolean hide_title: type: boolean ignore_global_filters: default: false description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. type: boolean metric: additionalProperties: false type: object properties: column: description: Column to use type: string format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string required: - column - format references: items: $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' type: array region: additionalProperties: false type: object properties: column: description: Column to use type: string ems: additionalProperties: false type: object properties: boundaries: description: EMS boundaries type: string join: description: EMS join field type: string required: - boundaries - join label: description: Label for the operation type: string required: - column sampling: default: 1 description: Sampling factor between 0 (no sampling) and 1 (full sampling). maximum: 1 minimum: 0 type: number time_range: $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' title: type: string type: enum: - region_map type: string required: - type - filters - data_source - metric - region - time_range title: Region Map (ES|QL) type: object Kibana_HTTP_APIs_regionMapNoESQL: additionalProperties: false description: Region Map configuration using a data view, mapping metric values to geographic regions by color. properties: data_source: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-reference-schema' - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-spec-schema' description: type: string drilldowns: items: anyOf: - additionalProperties: false properties: dashboard_id: type: string label: type: string open_in_new_tab: default: false description: When enabled, the dashboard opens in a new browser tab. type: boolean trigger: enum: - on_apply_filter type: string type: enum: - dashboard_drilldown type: string use_filters: default: true description: When enabled, filters are passed to the opening dashboard. type: boolean use_time_range: default: true description: When enabled, time range is passed to the opening dashboard. type: boolean required: - dashboard_id - label - trigger - type title: dashboard_drilldown type: object - additionalProperties: false properties: label: type: string open_in_new_tab: default: true type: boolean trigger: enum: - on_apply_filter type: string type: enum: - discover_drilldown type: string required: - label - trigger - type title: discover_drilldown type: object - additionalProperties: false properties: encode_url: default: true description: When true, URL is escaped using percent encoding type: boolean label: type: string open_in_new_tab: default: true type: boolean trigger: enum: - on_click_row - on_click_value - on_open_panel_menu - on_select_range type: string type: enum: - url_drilldown type: string url: description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable type: string required: - url - label - trigger - type title: url_drilldown type: object maxItems: 100 type: array filters: $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' hide_border: type: boolean hide_title: type: boolean ignore_global_filters: default: false description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. type: boolean metric: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' description: Metric dimension using a field-based aggregation or a mathematical formula. title: Field Metric or Formula Operation query: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' references: items: $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' type: array region: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_regionMapRegionDateHistogram' - $ref: '#/components/schemas/Kibana_HTTP_APIs_regionMapRegionTerms' - $ref: '#/components/schemas/Kibana_HTTP_APIs_regionMapRegionHistogram' - $ref: '#/components/schemas/Kibana_HTTP_APIs_regionMapRegionRanges' - $ref: '#/components/schemas/Kibana_HTTP_APIs_regionMapRegionFilters' sampling: default: 1 description: Sampling factor between 0 (no sampling) and 1 (full sampling). maximum: 1 minimum: 0 type: number time_range: $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' title: type: string type: enum: - region_map type: string required: - type - filters - query - data_source - metric - region - time_range title: Region Map (DSL) type: object Kibana_HTTP_APIs_regionMapRegionDateHistogram: additionalProperties: false properties: drop_partial_intervals: description: When `true`, drops partial intervals from the results. type: boolean ems: additionalProperties: false type: object properties: boundaries: description: EMS boundaries type: string join: description: EMS join field type: string required: - boundaries - join field: description: Field to be used for the date histogram. type: string include_empty_rows: default: true description: When `true`, includes empty rows in the results. type: boolean label: description: Label for the operation type: string operation: enum: - date_histogram type: string suggested_interval: default: auto description: Suggested time interval. type: string use_original_time_range: default: false description: When `true`, uses the original time range instead of the current query time range. type: boolean required: - operation - field title: Date Histogram Operation type: object Kibana_HTTP_APIs_regionMapRegionFilters: additionalProperties: false properties: ems: additionalProperties: false type: object properties: boundaries: description: EMS boundaries type: string join: description: EMS join field type: string required: - boundaries - join filters: items: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterWithLabel' maxItems: 100 type: array label: description: Label for the operation type: string operation: enum: - filters type: string required: - operation - filters title: Filters Operation type: object Kibana_HTTP_APIs_regionMapRegionHistogram: additionalProperties: false properties: ems: additionalProperties: false type: object properties: boundaries: description: EMS boundaries type: string join: description: EMS join field type: string required: - boundaries - join field: description: Field to be used for the histogram. type: string format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' granularity: anyOf: - description: Granularity of the histogram. maximum: 7 minimum: 1 type: number - enum: - auto type: string default: auto include_empty_rows: default: true description: When `true`, includes empty rows in the results. type: boolean label: description: Label for the operation type: string operation: enum: - histogram type: string required: - operation - format - field title: Histogram Operation type: object Kibana_HTTP_APIs_regionMapRegionRanges: additionalProperties: false properties: ems: additionalProperties: false type: object properties: boundaries: description: EMS boundaries type: string join: description: EMS join field type: string required: - boundaries - join field: description: Field to be used for the range. type: string format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - range type: string ranges: items: additionalProperties: false type: object properties: gt: description: Greater than. type: number label: description: Label. type: string lte: description: Less than or equal to. type: number maxItems: 100 type: array required: - operation - format - field - ranges title: Ranges Operation type: object Kibana_HTTP_APIs_regionMapRegionTerms: additionalProperties: false properties: ems: additionalProperties: false type: object properties: boundaries: description: EMS boundaries type: string join: description: EMS join field type: string required: - boundaries - join excludes: additionalProperties: false type: object properties: as_regex: description: When `true`, treats the values as regular expressions. type: boolean values: items: description: Values to exclude. type: string maxItems: 100 type: array required: - values fields: items: description: Fields to be used for the terms. type: string maxItems: 4 minItems: 1 type: array format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' includes: additionalProperties: false type: object properties: as_regex: description: When `true`, treats the values as regular expressions. type: boolean values: items: description: Values to include. type: string maxItems: 100 type: array required: - values increase_accuracy: description: When `true`, increases accuracy at the cost of performance. type: boolean label: description: Label for the operation type: string limit: default: 5 description: Number of terms to return. type: number operation: enum: - terms type: string other_bucket: additionalProperties: false type: object properties: include_documents_without_field: description: When `true`, includes documents that do not have the specified field. type: boolean required: - include_documents_without_field rank_by: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByAlphabetical' - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByRare' - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankBySignificant' - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByMetric' - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomOperation' - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomCountOperation' - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileOperation' - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileRankOperation' required: - operation - format - fields title: Terms Operation type: object Kibana_HTTP_APIs_security_bulk_create_or_update_roles_response: additionalProperties: false description: The response payload for the bulk create-or-update roles API. properties: created: items: description: The name of a role that was created. type: string type: array errors: additionalProperties: $ref: '#/components/schemas/Kibana_HTTP_APIs_security_bulk_roles_error_detail' type: object noop: items: description: The name of a role that was unchanged by the request. type: string type: array updated: items: description: The name of a role that was updated. type: string type: array title: security_bulk_create_or_update_roles_response type: object Kibana_HTTP_APIs_security_bulk_roles_error_detail: additionalProperties: false description: Error information for a single role in a bulk create-or-update request. properties: reason: description: A human readable error reason. type: string type: description: The error type. type: string required: - type - reason title: security_bulk_roles_error_detail type: object Kibana_HTTP_APIs_security_query_roles_response: additionalProperties: false description: The response payload for a roles query. properties: count: description: The number of roles returned in this response page. type: number roles: items: $ref: '#/components/schemas/Kibana_HTTP_APIs_security_role_response' type: array total: description: The total number of roles that match the query. type: number required: - roles - count - total title: security_query_roles_response type: object Kibana_HTTP_APIs_security_role_kibana_application: additionalProperties: false description: A raw Elasticsearch application privilege entry tied to Kibana. properties: application: type: string privileges: items: type: string type: array resources: items: type: string type: array required: - application - privileges - resources title: security_role_kibana_application type: object Kibana_HTTP_APIs_security_role_kibana_privilege_response: additionalProperties: false description: A Kibana privilege entry returned for a role. properties: _reserved: items: description: A reserved Kibana privilege granted globally. type: string type: array base: items: description: A base Kibana privilege. type: string type: array feature: additionalProperties: items: description: A privilege the role member has for the feature. type: string type: array type: object spaces: items: description: A space that the privilege applies to. The wildcard `*` indicates all spaces. type: string type: array required: - spaces - base - feature title: security_role_kibana_privilege_response type: object Kibana_HTTP_APIs_security_role_response: additionalProperties: false description: A Kibana role definition returned by the Roles API. properties: _transform_error: items: $ref: '#/components/schemas/Kibana_HTTP_APIs_security_role_transform_error' type: array _unrecognized_applications: items: description: Application names found on the role that are not recognized by Kibana. type: string type: array description: description: A description for the role. type: string elasticsearch: additionalProperties: false type: object properties: cluster: items: description: Cluster privileges that define the cluster level actions that users can perform. type: string maxItems: 100 type: array indices: items: additionalProperties: false type: object properties: allow_restricted_indices: description: Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. Only internal system roles should normally grant privileges over the restricted indices. Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. If for administrative purposes you need to create a role with privileges covering restricted indices, however, you can set this property to true. In that case, the names field covers the restricted indices too. type: boolean field_security: additionalProperties: items: description: The document fields that the role members have read access to. type: string maxItems: 1000 type: array type: object names: items: description: The data streams, indices, and aliases to which the permissions in this entry apply. It supports wildcards (*). type: string maxItems: 100 minItems: 1 type: array privileges: items: description: The index level privileges that the role members have for the data streams and indices. type: string maxItems: 100 minItems: 1 type: array query: description: A search query that defines the documents the role members have read access to. A document within the specified data streams and indices must match this query in order for it to be accessible by the role members. type: string required: - names - privileges maxItems: 1000 type: array remote_cluster: items: additionalProperties: false type: object properties: clusters: items: description: A list of remote cluster aliases. It supports literal strings as well as wildcards and regular expressions. type: string maxItems: 100 minItems: 1 type: array privileges: items: description: The cluster level privileges for the remote cluster. The allowed values are a subset of the cluster privileges. type: string maxItems: 100 minItems: 1 type: array required: - privileges - clusters maxItems: 100 type: array remote_indices: items: additionalProperties: false type: object properties: allow_restricted_indices: description: Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. Only internal system roles should normally grant privileges over the restricted indices. Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. If for administrative purposes you need to create a role with privileges covering restricted indices, however, you can set this property to true. In that case, the names field will cover the restricted indices too. type: boolean clusters: items: description: A list of remote cluster aliases. It supports literal strings as well as wildcards and regular expressions. type: string maxItems: 100 minItems: 1 type: array field_security: additionalProperties: items: description: The document fields that the role members have read access to. type: string maxItems: 1000 type: array type: object names: items: description: A list of remote aliases, data streams, or indices to which the permissions apply. It supports wildcards (*). type: string maxItems: 100 minItems: 1 type: array privileges: items: description: The index level privileges that role members have for the specified indices. type: string maxItems: 100 minItems: 1 type: array query: description: 'A search query that defines the documents the role members have read access to. A document within the specified data streams and indices must match this query in order for it to be accessible by the role members. ' type: string required: - clusters - names - privileges maxItems: 1000 type: array run_as: items: description: A user name that the role member can impersonate. type: string maxItems: 100 type: array kibana: items: $ref: '#/components/schemas/Kibana_HTTP_APIs_security_role_kibana_privilege_response' type: array metadata: additionalProperties: {} type: object name: description: The role name. type: string transient_metadata: additionalProperties: {} type: object required: - name - elasticsearch - kibana title: security_role_response type: object Kibana_HTTP_APIs_security_role_transform_error: additionalProperties: false description: Diagnostic information about a role whose Kibana privileges could not be transformed. properties: reason: description: The reason the role could not be fully transformed. type: string state: items: $ref: '#/components/schemas/Kibana_HTTP_APIs_security_role_kibana_application' type: array required: - reason title: security_role_transform_error type: object Kibana_HTTP_APIs_slo-alerts-embeddable: additionalProperties: false description: SLO Alerts embeddable schema properties: description: type: string drilldowns: items: additionalProperties: false properties: encode_url: default: true description: When true, URL is escaped using percent encoding type: boolean label: type: string open_in_new_tab: default: true type: boolean trigger: enum: - on_open_panel_menu type: string type: enum: - url_drilldown type: string url: description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable type: string required: - url - label - trigger - type title: url_drilldown type: object maxItems: 100 type: array hide_border: type: boolean hide_title: type: boolean slos: default: [] description: List of SLOs to display alerts for items: additionalProperties: false type: object properties: slo_id: description: SLO ID type: string slo_instance_id: default: '*' description: SLO instance ID type: string required: - slo_id maxItems: 100 type: array title: type: string title: slo-alerts-embeddable type: object Kibana_HTTP_APIs_slo-burn-rate-embeddable: additionalProperties: false description: SLO Burn Rate embeddable schema properties: description: type: string drilldowns: items: additionalProperties: false properties: encode_url: default: true description: When true, URL is escaped using percent encoding type: boolean label: type: string open_in_new_tab: default: true type: boolean trigger: enum: - on_open_panel_menu type: string type: enum: - url_drilldown type: string url: description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable type: string required: - url - label - trigger - type title: url_drilldown type: object maxItems: 100 type: array duration: description: Duration for the burn rate chart in the format [value][unit], e.g. 5m, 3h, or 6d type: string hide_border: type: boolean hide_title: type: boolean slo_id: description: The ID of the SLO to display the burn rate for type: string slo_instance_id: default: '*' description: ID of the SLO instance. Set when the SLO uses group_by; identifies which instance to show. Defaults to * (all instances). type: string title: type: string required: - slo_id - duration title: slo-burn-rate-embeddable type: object Kibana_HTTP_APIs_slo-error-budget-embeddable: additionalProperties: false description: SLO Error Budget embeddable schema properties: description: type: string drilldowns: items: additionalProperties: false properties: encode_url: default: true description: When true, URL is escaped using percent encoding type: boolean label: type: string open_in_new_tab: default: true type: boolean trigger: enum: - on_open_panel_menu type: string type: enum: - url_drilldown type: string url: description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable type: string required: - url - label - trigger - type title: url_drilldown type: object maxItems: 100 type: array hide_border: type: boolean hide_title: type: boolean slo_id: description: The ID of the SLO to display the error budget for type: string slo_instance_id: default: '*' description: ID of the SLO instance. Set when the SLO uses group_by; identifies which instance to show. Defaults to * (all instances). type: string title: type: string required: - slo_id title: slo-error-budget-embeddable type: object Kibana_HTTP_APIs_slo-group-overview-embeddable: additionalProperties: false description: SLO Group Overview embeddable schema properties: description: type: string drilldowns: items: additionalProperties: false properties: encode_url: default: true description: When true, URL is escaped using percent encoding type: boolean label: type: string open_in_new_tab: default: true type: boolean trigger: enum: - on_open_panel_menu type: string type: enum: - url_drilldown type: string url: description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable type: string required: - url - label - trigger - type title: url_drilldown type: object maxItems: 100 type: array group_filters: additionalProperties: false default: group_by: status type: object properties: filters: items: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeConditionFilterSchema' - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeGroupFilterSchema' - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeDSLFilterSchema' - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeSpatialFilterSchema' description: A filter applied to query results. Can be a field condition (`condition`), a logical group of conditions (`group`), a raw Elasticsearch DSL query (`dsl`), or a geo spatial query (`spatial`). maxItems: 500 type: array group_by: default: status enum: - slo.tags - status - slo.indicator.type - _index type: string groups: items: type: string maxItems: 100 type: array kql_query: type: string hide_border: type: boolean hide_title: type: boolean overview_mode: enum: - groups type: string title: type: string required: - overview_mode title: slo-group-overview-embeddable type: object Kibana_HTTP_APIs_slo-rules-burnrate-create-rule-body-alerting: additionalProperties: false properties: actions: default: [] items: additionalProperties: false description: An action that runs under defined conditions. type: object properties: alerts_filter: additionalProperties: false description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. type: object properties: query: additionalProperties: false type: object properties: dsl: description: A filter written in Elasticsearch Query Domain Specific Language (DSL). type: string filters: description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. items: additionalProperties: false type: object properties: $state: additionalProperties: false type: object properties: store: description: A filter can be either specific to an application context or applied globally. enum: - appState - globalState type: string required: - store meta: additionalProperties: {} type: object query: additionalProperties: {} type: object required: - meta type: array kql: description: A filter written in Kibana Query Language (KQL). type: string required: - kql - filters timeframe: additionalProperties: false description: Defines a period that limits whether the action runs. type: object properties: days: description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. items: enum: - 1 - 2 - 3 - 4 - 5 - 6 - 7 type: integer type: array hours: additionalProperties: false description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. type: object properties: end: description: The end of the time frame in 24-hour notation (`hh:mm`). type: string start: description: The start of the time frame in 24-hour notation (`hh:mm`). type: string required: - start - end timezone: description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. type: string required: - days - hours - timezone frequency: additionalProperties: false type: object properties: notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval type: string summary: description: Indicates whether the action is a summary. type: boolean throttle: description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - summary - notify_when - throttle group: description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. type: string id: description: The identifier for the connector saved object. type: string params: additionalProperties: {} default: {} description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. type: object use_alert_data_for_template: description: Indicates whether to use alert data as a template. type: boolean uuid: description: A universally unique identifier (UUID) for the action. type: string required: - id type: array alert_delay: additionalProperties: false description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. type: object properties: active: description: The number of consecutive runs that must meet the rule conditions. type: number required: - active artifacts: additionalProperties: false type: object properties: dashboards: items: additionalProperties: false type: object properties: id: type: string required: - id maxItems: 10 type: array investigation_guide: additionalProperties: false type: object properties: blob: maxLength: 10000 type: string required: - blob consumer: description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' type: string enabled: default: true description: Indicates whether you want to run the rule on an interval basis after it is created. type: boolean flapping: additionalProperties: false description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. nullable: true type: object properties: enabled: description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. type: boolean look_back_window: description: The minimum number of runs in which the threshold must be met. maximum: 20 minimum: 2 type: number status_change_threshold: description: The minimum number of times an alert must switch states in the look back window. maximum: 20 minimum: 2 type: number required: - look_back_window - status_change_threshold name: description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. type: string notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval nullable: true type: string params: additionalProperties: false description: The parameters for the slo burn rate rule. These parameters are appropriate when `rule_type_id` is `slo.rules.burnRate`. properties: dependencies: items: additionalProperties: false type: object properties: actionGroupsToSuppressOn: items: type: string type: array ruleId: type: string required: - ruleId - actionGroupsToSuppressOn type: array sloId: type: string windows: items: additionalProperties: false type: object properties: actionGroup: type: string burnRateThreshold: type: number id: type: string longWindow: additionalProperties: false type: object properties: unit: type: string value: type: number required: - value - unit maxBurnRateThreshold: nullable: true type: number shortWindow: additionalProperties: false type: object properties: unit: type: string value: type: number required: - value - unit required: - id - burnRateThreshold - maxBurnRateThreshold - longWindow - shortWindow - actionGroup type: array required: - sloId - windows title: SLO Burn Rate Rule Params type: object rule_type_id: enum: - slo.rules.burnRate type: string schedule: additionalProperties: false description: The check interval, which specifies how frequently the rule conditions are checked. type: object properties: interval: description: The interval is specified in seconds, minutes, hours, or days. type: string required: - interval tags: default: [] description: The tags for the rule. items: type: string type: array throttle: description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - name - consumer - schedule - rule_type_id - params title: SLO burn rate type: object Kibana_HTTP_APIs_slo-single-overview-embeddable: additionalProperties: false description: SLO Single Overview embeddable schema properties: description: type: string drilldowns: items: additionalProperties: false properties: encode_url: default: true description: When true, URL is escaped using percent encoding type: boolean label: type: string open_in_new_tab: default: true type: boolean trigger: enum: - on_open_panel_menu type: string type: enum: - url_drilldown type: string url: description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable type: string required: - url - label - trigger - type title: url_drilldown type: object maxItems: 100 type: array hide_border: type: boolean hide_title: type: boolean overview_mode: enum: - single type: string remote_name: description: The name of the remote SLO type: string slo_id: description: The ID of the SLO type: string slo_instance_id: default: '*' description: ID of the SLO instance. Set when the SLO uses group_by; identifies which instance to show. Defaults to * (all instances). type: string title: type: string required: - slo_id - overview_mode title: slo-single-overview-embeddable type: object Kibana_HTTP_APIs_staticColor: additionalProperties: false description: Fixed color for all values in the dimension. properties: color: description: The static color to be used for all values. type: string type: enum: - static type: string required: - type - color title: Static Color type: object Kibana_HTTP_APIs_staticOperationDefinition: additionalProperties: false properties: format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - static_value type: string value: default: 100 description: Static value type: number required: - format - operation title: Static Operation Definition type: object Kibana_HTTP_APIs_StreamlangConditionBlock: additionalProperties: false type: object properties: condition: $ref: '#/components/schemas/Kibana_HTTP_APIs_ConditionWithSteps' customIdentifier: type: string required: - condition Kibana_HTTP_APIs_StreamlangStep: anyOf: - anyOf: - additionalProperties: false description: Grok processor - Extract fields from text using grok patterns type: object properties: action: enum: - grok type: string customIdentifier: description: Custom identifier to correlate this processor across outputs minLength: 1 type: string description: description: Human-readable notes about this processor step type: string from: description: Source field to parse with grok patterns minLength: 1 type: string ignore_failure: description: Continue pipeline execution if this processor fails type: boolean ignore_missing: description: Skip processing when source field is missing type: boolean pattern_definitions: additionalProperties: type: string type: object patterns: description: Grok patterns applied in order to extract fields items: description: A non-empty string. minLength: 1 type: string minItems: 1 type: array where: $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' description: Conditional expression controlling whether this processor runs required: - action - from - patterns - additionalProperties: false description: Dissect processor - Extract fields from text using a lightweight, delimiter-based parser type: object properties: action: enum: - dissect type: string append_separator: description: Separator inserted when target fields are concatenated minLength: 1 type: string customIdentifier: description: Custom identifier to correlate this processor across outputs minLength: 1 type: string description: description: Human-readable notes about this processor step type: string from: description: Source field to parse with dissect pattern minLength: 1 type: string ignore_failure: description: Continue pipeline execution if this processor fails type: boolean ignore_missing: description: Skip processing when source field is missing type: boolean pattern: description: Dissect pattern describing field boundaries minLength: 1 type: string where: $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' description: Conditional expression controlling whether this processor runs required: - action - from - pattern - additionalProperties: false description: Date processor - Parse dates from strings using one or more expected formats type: object properties: action: enum: - date type: string customIdentifier: description: Custom identifier to correlate this processor across outputs minLength: 1 type: string description: description: Human-readable notes about this processor step type: string formats: description: Accepted input date formats, tried in order items: description: A non-empty string. minLength: 1 type: string type: array from: description: Source field containing the date/time text minLength: 1 type: string ignore_failure: description: Continue pipeline execution if this processor fails type: boolean locale: description: Optional locale for date parsing minLength: 1 type: string output_format: description: Optional output format for storing the parsed date as text minLength: 1 type: string timezone: description: Optional timezone for date parsing minLength: 1 type: string to: description: Target field for the parsed date (defaults to source) minLength: 1 type: string where: $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' description: Conditional expression controlling whether this processor runs required: - action - from - formats - additionalProperties: false type: object properties: action: enum: - drop_document type: string customIdentifier: description: Custom identifier to correlate this processor across outputs minLength: 1 type: string description: description: Human-readable notes about this processor step type: string ignore_failure: description: Continue pipeline execution if this processor fails type: boolean where: $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' description: Conditional expression controlling whether this processor runs required: - action - additionalProperties: false type: object properties: action: enum: - math type: string customIdentifier: description: Custom identifier to correlate this processor across outputs minLength: 1 type: string description: description: Human-readable notes about this processor step type: string expression: description: A non-empty string. minLength: 1 type: string ignore_failure: description: Continue pipeline execution if this processor fails type: boolean ignore_missing: type: boolean to: minLength: 1 type: string where: $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' description: Conditional expression controlling whether this processor runs required: - action - expression - to - additionalProperties: false description: Rename processor - Change a field name and optionally its location type: object properties: action: enum: - rename type: string customIdentifier: description: Custom identifier to correlate this processor across outputs minLength: 1 type: string description: description: Human-readable notes about this processor step type: string from: description: Existing source field to rename or move minLength: 1 type: string ignore_failure: description: Continue pipeline execution if this processor fails type: boolean ignore_missing: description: Skip when source field is missing type: boolean override: description: Allow overwriting the target field if it already exists type: boolean to: description: New field name or destination path minLength: 1 type: string where: $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' description: Conditional expression controlling whether this processor runs required: - action - from - to - additionalProperties: false description: Set processor - Assign a literal or copied value to a field (mutually exclusive inputs) type: object properties: action: enum: - set type: string copy_from: description: Copy value from another field instead of providing a literal minLength: 1 type: string customIdentifier: description: Custom identifier to correlate this processor across outputs minLength: 1 type: string description: description: Human-readable notes about this processor step type: string ignore_failure: description: Continue pipeline execution if this processor fails type: boolean override: description: Allow overwriting an existing target field type: boolean to: description: Target field to set or create minLength: 1 type: string value: description: Literal value to assign to the target field where: $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' description: Conditional expression controlling whether this processor runs required: - action - to - additionalProperties: false description: Append processor - Append one or more values to an existing or new array field type: object properties: action: enum: - append type: string allow_duplicates: description: If true, do not deduplicate appended values type: boolean customIdentifier: description: Custom identifier to correlate this processor across outputs minLength: 1 type: string description: description: Human-readable notes about this processor step type: string ignore_failure: description: Continue pipeline execution if this processor fails type: boolean to: description: Array field to append values to minLength: 1 type: string value: description: Values to append (must be literal, no templates) items: {} minItems: 1 type: array where: $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' description: Conditional expression controlling whether this processor runs required: - action - to - value - additionalProperties: false description: Remove by prefix processor - Remove a field and all nested fields matching the prefix type: object properties: action: enum: - remove_by_prefix type: string customIdentifier: description: Custom identifier to correlate this processor across outputs minLength: 1 type: string description: description: Human-readable notes about this processor step type: string from: description: Field to remove along with all its nested fields minLength: 1 type: string ignore_failure: description: Continue pipeline execution if this processor fails type: boolean required: - action - from - additionalProperties: false description: Remove processor - Delete one or more fields from the document type: object properties: action: enum: - remove type: string customIdentifier: description: Custom identifier to correlate this processor across outputs minLength: 1 type: string description: description: Human-readable notes about this processor step type: string from: description: Field to remove from the document minLength: 1 type: string ignore_failure: description: Continue pipeline execution if this processor fails type: boolean ignore_missing: description: Skip processing when source field is missing type: boolean where: $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' description: Conditional expression controlling whether this processor runs required: - action - from - additionalProperties: false type: object properties: action: enum: - replace type: string customIdentifier: description: Custom identifier to correlate this processor across outputs minLength: 1 type: string description: description: Human-readable notes about this processor step type: string from: minLength: 1 type: string ignore_failure: description: Continue pipeline execution if this processor fails type: boolean ignore_missing: type: boolean pattern: minLength: 1 type: string replacement: type: string to: minLength: 1 type: string where: $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' description: Conditional expression controlling whether this processor runs required: - action - from - pattern - replacement - additionalProperties: false description: Redact processor - Mask sensitive data using Grok patterns type: object properties: action: enum: - redact type: string customIdentifier: description: Custom identifier to correlate this processor across outputs minLength: 1 type: string description: description: Human-readable notes about this processor step type: string from: description: Source field to redact sensitive data from minLength: 1 type: string ignore_failure: description: Continue pipeline execution if this processor fails type: boolean ignore_missing: description: Skip processing when source field is missing (defaults to true) type: boolean pattern_definitions: additionalProperties: type: string description: Custom pattern definitions to use in the patterns type: object patterns: description: Grok patterns to match sensitive data (for example, "%{IP:client}", "%{EMAILADDRESS:email}") items: description: A non-empty string. minLength: 1 type: string minItems: 1 type: array prefix: description: Prefix to prepend to the redacted pattern name (defaults to "<") type: string suffix: description: Suffix to append to the redacted pattern name (defaults to ">") type: string where: $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' description: Conditional expression controlling whether this processor runs required: - action - from - patterns - additionalProperties: false type: object properties: action: enum: - uppercase type: string customIdentifier: description: Custom identifier to correlate this processor across outputs minLength: 1 type: string description: description: Human-readable notes about this processor step type: string from: minLength: 1 type: string ignore_failure: description: Continue pipeline execution if this processor fails type: boolean ignore_missing: type: boolean to: minLength: 1 type: string where: $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' description: Conditional expression controlling whether this processor runs required: - action - from - additionalProperties: false type: object properties: action: enum: - lowercase type: string customIdentifier: description: Custom identifier to correlate this processor across outputs minLength: 1 type: string description: description: Human-readable notes about this processor step type: string from: minLength: 1 type: string ignore_failure: description: Continue pipeline execution if this processor fails type: boolean ignore_missing: type: boolean to: minLength: 1 type: string where: $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' description: Conditional expression controlling whether this processor runs required: - action - from - additionalProperties: false type: object properties: action: enum: - trim type: string customIdentifier: description: Custom identifier to correlate this processor across outputs minLength: 1 type: string description: description: Human-readable notes about this processor step type: string from: minLength: 1 type: string ignore_failure: description: Continue pipeline execution if this processor fails type: boolean ignore_missing: type: boolean to: minLength: 1 type: string where: $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' description: Conditional expression controlling whether this processor runs required: - action - from - additionalProperties: false type: object properties: action: enum: - join type: string customIdentifier: description: Custom identifier to correlate this processor across outputs minLength: 1 type: string delimiter: type: string description: description: Human-readable notes about this processor step type: string from: items: minLength: 1 type: string minItems: 1 type: array ignore_failure: description: Continue pipeline execution if this processor fails type: boolean ignore_missing: type: boolean to: minLength: 1 type: string where: $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' description: Conditional expression controlling whether this processor runs required: - action - from - delimiter - to - additionalProperties: false description: Split processor - Split a field value into an array using a separator type: object properties: action: enum: - split type: string customIdentifier: description: Custom identifier to correlate this processor across outputs minLength: 1 type: string description: description: Human-readable notes about this processor step type: string from: description: Source field to split into an array minLength: 1 type: string ignore_failure: description: Continue pipeline execution if this processor fails type: boolean ignore_missing: description: Skip processing when source field is missing type: boolean preserve_trailing: description: Preserve empty trailing fields in the split result type: boolean separator: description: Regex separator used to split the field value into an array minLength: 1 type: string to: description: Target field for the split array (defaults to source) minLength: 1 type: string where: $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' description: Conditional expression controlling whether this processor runs required: - action - from - separator - additionalProperties: false type: object properties: action: enum: - sort type: string customIdentifier: description: Custom identifier to correlate this processor across outputs minLength: 1 type: string description: description: Human-readable notes about this processor step type: string from: description: Array field to sort minLength: 1 type: string ignore_failure: description: Continue pipeline execution if this processor fails type: boolean ignore_missing: description: Skip processing when source field is missing type: boolean order: description: Sort order - "asc" (ascending) or "desc" (descending). Defaults to "asc" enum: - asc - desc type: string to: description: Target field for the sorted array (defaults to source) minLength: 1 type: string where: $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' description: Conditional expression controlling whether this processor runs required: - action - from - additionalProperties: false description: Convert processor - Change the data type of a field value (integer, long, double, boolean, or string) type: object properties: action: enum: - convert type: string customIdentifier: description: Custom identifier to correlate this processor across outputs minLength: 1 type: string description: description: Human-readable notes about this processor step type: string from: description: Source field to convert to a different data type minLength: 1 type: string ignore_failure: description: Continue pipeline execution if this processor fails type: boolean ignore_missing: description: Skip processing when source field is missing type: boolean to: description: Target field for the converted value (defaults to source) minLength: 1 type: string type: description: 'Target data type: integer, long, double, boolean, or string' enum: - integer - long - double - boolean - string type: string where: $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' description: Conditional expression controlling whether this processor runs required: - action - from - type - additionalProperties: false type: object properties: action: enum: - concat type: string customIdentifier: description: Custom identifier to correlate this processor across outputs minLength: 1 type: string description: description: Human-readable notes about this processor step type: string from: items: anyOf: - type: object properties: type: enum: - field type: string value: minLength: 1 type: string required: - type - value - type: object properties: type: enum: - literal type: string value: type: string required: - type - value minItems: 1 type: array ignore_failure: description: Continue pipeline execution if this processor fails type: boolean ignore_missing: type: boolean to: minLength: 1 type: string where: $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' description: Conditional expression controlling whether this processor runs required: - action - from - to - allOf: - additionalProperties: false type: object properties: action: enum: - network_direction type: string customIdentifier: description: Custom identifier to correlate this processor across outputs minLength: 1 type: string description: description: Human-readable notes about this processor step type: string destination_ip: minLength: 1 type: string ignore_failure: description: Continue pipeline execution if this processor fails type: boolean ignore_missing: type: boolean source_ip: minLength: 1 type: string target_field: minLength: 1 type: string where: $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' description: Conditional expression controlling whether this processor runs required: - action - source_ip - destination_ip - anyOf: - additionalProperties: false type: object properties: internal_networks: items: type: string type: array required: - internal_networks - additionalProperties: false type: object properties: internal_networks_field: minLength: 1 type: string required: - internal_networks_field - additionalProperties: false description: JsonExtract processor - Extract values from JSON strings using JSONPath-like selectors type: object properties: action: enum: - json_extract type: string customIdentifier: description: Custom identifier to correlate this processor across outputs minLength: 1 type: string description: description: Human-readable notes about this processor step type: string extractions: description: List of extraction specifications items: description: A single extraction specification type: object properties: selector: description: JSONPath-like selector to extract value (e.g., "user.id", "$.metadata.client.ip", "items[0].name") minLength: 1 type: string target_field: description: Target field to store the extracted value minLength: 1 type: string type: description: Data type for the extracted value. Defaults to "keyword". Ensures consistent types across transpilers. enum: - keyword - integer - long - double - boolean type: string required: - selector - target_field minItems: 1 type: array field: description: Source field containing the JSON string to parse minLength: 1 type: string ignore_failure: description: Continue pipeline execution if this processor fails type: boolean ignore_missing: description: Skip processing when source field is missing type: boolean where: $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' description: Conditional expression controlling whether this processor runs required: - action - field - extractions - additionalProperties: false type: object properties: action: enum: - enrich type: string customIdentifier: description: Custom identifier to correlate this processor across outputs minLength: 1 type: string description: description: Human-readable notes about this processor step type: string ignore_failure: description: Continue pipeline execution if this processor fails type: boolean ignore_missing: type: boolean override: type: boolean policy_name: description: A non-empty string. minLength: 1 type: string to: minLength: 1 type: string where: $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' description: Conditional expression controlling whether this processor runs required: - action - policy_name - to - additionalProperties: false description: Manual ingest pipeline wrapper around native Elasticsearch processors type: object properties: action: description: Manual ingest pipeline - executes raw Elasticsearch ingest processors enum: - manual_ingest_pipeline type: string customIdentifier: description: Custom identifier to correlate this processor across outputs minLength: 1 type: string description: description: Human-readable notes about this processor step type: string ignore_failure: description: Continue pipeline execution if this processor fails type: boolean on_failure: description: Fallback processors to run when a processor fails items: additionalProperties: {} type: object type: array processors: description: List of raw Elasticsearch ingest processors to run items: additionalProperties: {} type: object type: array tag: description: Optional ingest processor tag for Elasticsearch type: string where: $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' description: Conditional expression controlling whether this processor runs required: - action - processors - $ref: '#/components/schemas/Kibana_HTTP_APIs_StreamlangConditionBlock' Kibana_HTTP_APIs_StreamUpsertRequest: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_WiredStreamUpsertRequest' - $ref: '#/components/schemas/Kibana_HTTP_APIs_ClassicStreamUpsertRequest' - $ref: '#/components/schemas/Kibana_HTTP_APIs_QueryStreamUpsertRequest' Kibana_HTTP_APIs_sumMetricOperation: additionalProperties: false properties: empty_as_null: default: false description: When `true`, treats empty buckets as null instead of zero. type: boolean field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - sum type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string required: - format - filter - time_scale - field - operation title: Sum Metric Operation type: object Kibana_HTTP_APIs_tagcloudESQL: additionalProperties: false description: Tag Cloud configuration using an ES|QL query. properties: data_source: $ref: '#/components/schemas/Kibana_HTTP_APIs_esqlDataSource' description: type: string drilldowns: items: anyOf: - additionalProperties: false properties: dashboard_id: type: string label: type: string open_in_new_tab: default: false description: When enabled, the dashboard opens in a new browser tab. type: boolean trigger: enum: - on_apply_filter type: string type: enum: - dashboard_drilldown type: string use_filters: default: true description: When enabled, filters are passed to the opening dashboard. type: boolean use_time_range: default: true description: When enabled, time range is passed to the opening dashboard. type: boolean required: - dashboard_id - label - trigger - type title: dashboard_drilldown type: object - additionalProperties: false properties: label: type: string open_in_new_tab: default: true type: boolean trigger: enum: - on_apply_filter type: string type: enum: - discover_drilldown type: string required: - label - trigger - type title: discover_drilldown type: object - additionalProperties: false properties: encode_url: default: true description: When true, URL is escaped using percent encoding type: boolean label: type: string open_in_new_tab: default: true type: boolean trigger: enum: - on_click_row - on_click_value - on_open_panel_menu - on_select_range type: string type: enum: - url_drilldown type: string url: description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable type: string required: - url - label - trigger - type title: url_drilldown type: object maxItems: 100 type: array filters: $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' hide_border: type: boolean hide_title: type: boolean ignore_global_filters: default: false description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. type: boolean metric: additionalProperties: false type: object properties: column: description: Column to use type: string format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string required: - column - format references: items: $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' type: array sampling: default: 1 description: Sampling factor between 0 (no sampling) and 1 (full sampling). maximum: 1 minimum: 0 type: number styling: $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudStyling' tag_by: additionalProperties: false type: object properties: color: $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' column: description: Column to use type: string format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string required: - column - format - color time_range: $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' title: type: string type: enum: - tag_cloud type: string required: - type - filters - data_source - styling - metric - tag_by - time_range title: Tag Cloud Chart (ES|QL) type: object Kibana_HTTP_APIs_tagcloudMetricCounterRate: additionalProperties: false properties: field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - counter_rate type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string required: - format - filter - time_scale - field - operation title: Counter Rate Operation type: object Kibana_HTTP_APIs_tagcloudMetricCountMetric: additionalProperties: false properties: empty_as_null: default: false description: When `true`, treats empty buckets as null instead of zero. type: boolean field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - count type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string required: - format - filter - time_scale - operation title: Count Metric Operation type: object Kibana_HTTP_APIs_tagcloudMetricCumulativeSum: additionalProperties: false properties: field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - cumulative_sum type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string required: - format - filter - time_scale - field - operation title: Cumulative Sum Operation type: object Kibana_HTTP_APIs_tagcloudMetricDifferences: additionalProperties: false properties: filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string of: $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' operation: enum: - differences type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string required: - format - filter - time_scale - operation - of title: Differences Operation type: object Kibana_HTTP_APIs_tagcloudMetricFormula: additionalProperties: false properties: filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' formula: description: Formula type: string label: description: Label for the operation type: string operation: enum: - formula type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: description: Time scale enum: - s - m - h - d type: string required: - format - operation - formula - filter title: Formula Operation type: object Kibana_HTTP_APIs_tagcloudMetricLastValue: additionalProperties: false properties: field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string multi_value: default: false description: Whether to return all values for multi-value fields. Only affects data table and metric charts; other charts use the last value from the array. type: boolean operation: enum: - last_value type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_field: description: Time field used to determine document recency type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string required: - format - filter - time_scale - field - operation - time_field title: Last Value Operation type: object Kibana_HTTP_APIs_tagcloudMetricMovingAverage: additionalProperties: false properties: filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string of: $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' operation: enum: - moving_average type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string window: default: 5 description: Window type: number required: - format - filter - time_scale - operation - of title: Moving Average Operation type: object Kibana_HTTP_APIs_tagcloudMetricPercentile: additionalProperties: false properties: field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - percentile type: string percentile: default: 95 description: Percentile type: number reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string required: - format - filter - time_scale - field - operation title: Percentile Operation type: object Kibana_HTTP_APIs_tagcloudMetricPercentileRanks: additionalProperties: false properties: field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - percentile_rank type: string rank: default: 0 description: Percentile Rank type: number reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string required: - format - filter - time_scale - field - operation title: Percentile Ranks Operation type: object Kibana_HTTP_APIs_tagcloudMetricStatsMetric: additionalProperties: false properties: field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - min - max - average - median - standard_deviation type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string required: - format - filter - time_scale - field - operation title: Stats Metric Operation type: object Kibana_HTTP_APIs_tagcloudMetricSumMetric: additionalProperties: false properties: empty_as_null: default: false description: When `true`, treats empty buckets as null instead of zero. type: boolean field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - sum type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string required: - format - filter - time_scale - field - operation title: Sum Metric Operation type: object Kibana_HTTP_APIs_tagcloudMetricUniqueCountMetric: additionalProperties: false properties: empty_as_null: default: false description: When `true`, treats empty buckets as null instead of zero. type: boolean field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - unique_count type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string required: - format - filter - time_scale - field - operation title: Unique Count Metric Operation type: object Kibana_HTTP_APIs_tagcloudNoESQL: additionalProperties: false description: Tag Cloud configuration using a data view. properties: data_source: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-reference-schema' - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-spec-schema' description: type: string drilldowns: items: anyOf: - additionalProperties: false properties: dashboard_id: type: string label: type: string open_in_new_tab: default: false description: When enabled, the dashboard opens in a new browser tab. type: boolean trigger: enum: - on_apply_filter type: string type: enum: - dashboard_drilldown type: string use_filters: default: true description: When enabled, filters are passed to the opening dashboard. type: boolean use_time_range: default: true description: When enabled, time range is passed to the opening dashboard. type: boolean required: - dashboard_id - label - trigger - type title: dashboard_drilldown type: object - additionalProperties: false properties: label: type: string open_in_new_tab: default: true type: boolean trigger: enum: - on_apply_filter type: string type: enum: - discover_drilldown type: string required: - label - trigger - type title: discover_drilldown type: object - additionalProperties: false properties: encode_url: default: true description: When true, URL is escaped using percent encoding type: boolean label: type: string open_in_new_tab: default: true type: boolean trigger: enum: - on_click_row - on_click_value - on_open_panel_menu - on_select_range type: string type: enum: - url_drilldown type: string url: description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable type: string required: - url - label - trigger - type title: url_drilldown type: object maxItems: 100 type: array filters: $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' hide_border: type: boolean hide_title: type: boolean ignore_global_filters: default: false description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. type: boolean metric: anyOf: - anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudMetricCountMetric' - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudMetricUniqueCountMetric' - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudMetricStatsMetric' - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudMetricSumMetric' - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudMetricLastValue' - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudMetricPercentile' - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudMetricPercentileRanks' - anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudMetricDifferences' - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudMetricMovingAverage' - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudMetricCumulativeSum' - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudMetricCounterRate' - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudMetricFormula' query: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' references: items: $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' type: array sampling: default: 1 description: Sampling factor between 0 (no sampling) and 1 (full sampling). maximum: 1 minimum: 0 type: number styling: $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudStyling' tag_by: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudTagDateHistogram' - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudTagTerms' - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudTagHistogram' - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudTagRanges' - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudTagFilters' time_range: $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' title: type: string type: enum: - tag_cloud type: string required: - type - filters - query - data_source - styling - metric - tag_by - time_range title: Tag Cloud Chart (DSL) type: object Kibana_HTTP_APIs_tagcloudStyling: additionalProperties: false description: Visual chart styling options properties: caption: additionalProperties: false description: Caption configuration representing the metric and the tag_by operations labels type: object properties: visible: default: true description: When `true`, displays the caption. type: boolean font_size: additionalProperties: false description: Font size range for tags. type: object properties: max: default: 72 description: Maximum font size. maximum: 120 type: number min: default: 18 description: Minimum font size. minimum: 1 type: number orientation: $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_orientation' required: - orientation title: Tag cloud styling type: object x-oas-optional: true Kibana_HTTP_APIs_tagcloudTagDateHistogram: additionalProperties: false properties: color: $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' drop_partial_intervals: description: When `true`, drops partial intervals from the results. type: boolean field: description: Field to be used for the date histogram. type: string include_empty_rows: default: true description: When `true`, includes empty rows in the results. type: boolean label: description: Label for the operation type: string operation: enum: - date_histogram type: string suggested_interval: default: auto description: Suggested time interval. type: string use_original_time_range: default: false description: When `true`, uses the original time range instead of the current query time range. type: boolean required: - operation - field - color title: Date Histogram Operation type: object Kibana_HTTP_APIs_tagcloudTagFilters: additionalProperties: false properties: color: $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' filters: items: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterWithLabel' maxItems: 100 type: array label: description: Label for the operation type: string operation: enum: - filters type: string required: - operation - filters - color title: Filters Operation type: object Kibana_HTTP_APIs_tagcloudTagHistogram: additionalProperties: false properties: color: $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' field: description: Field to be used for the histogram. type: string format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' granularity: anyOf: - description: Granularity of the histogram. maximum: 7 minimum: 1 type: number - enum: - auto type: string default: auto include_empty_rows: default: true description: When `true`, includes empty rows in the results. type: boolean label: description: Label for the operation type: string operation: enum: - histogram type: string required: - operation - format - field - color title: Histogram Operation type: object Kibana_HTTP_APIs_tagcloudTagRanges: additionalProperties: false properties: color: $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' field: description: Field to be used for the range. type: string format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - range type: string ranges: items: additionalProperties: false type: object properties: gt: description: Greater than. type: number label: description: Label. type: string lte: description: Less than or equal to. type: number maxItems: 100 type: array required: - operation - format - field - ranges - color title: Ranges Operation type: object Kibana_HTTP_APIs_tagcloudTagTerms: additionalProperties: false properties: color: $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' excludes: additionalProperties: false type: object properties: as_regex: description: When `true`, treats the values as regular expressions. type: boolean values: items: description: Values to exclude. type: string maxItems: 100 type: array required: - values fields: items: description: Fields to be used for the terms. type: string maxItems: 4 minItems: 1 type: array format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' includes: additionalProperties: false type: object properties: as_regex: description: When `true`, treats the values as regular expressions. type: boolean values: items: description: Values to include. type: string maxItems: 100 type: array required: - values increase_accuracy: description: When `true`, increases accuracy at the cost of performance. type: boolean label: description: Label for the operation type: string limit: default: 5 description: Number of terms to return. type: number operation: enum: - terms type: string other_bucket: additionalProperties: false type: object properties: include_documents_without_field: description: When `true`, includes documents that do not have the specified field. type: boolean required: - include_documents_without_field rank_by: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByAlphabetical' - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByRare' - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankBySignificant' - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByMetric' - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomOperation' - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomCountOperation' - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileOperation' - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileRankOperation' required: - operation - format - fields - color title: Terms Operation type: object Kibana_HTTP_APIs_termsOperation: additionalProperties: false properties: excludes: additionalProperties: false type: object properties: as_regex: description: When `true`, treats the values as regular expressions. type: boolean values: items: description: Values to exclude. type: string maxItems: 100 type: array required: - values fields: items: description: Fields to be used for the terms. type: string maxItems: 4 minItems: 1 type: array format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' includes: additionalProperties: false type: object properties: as_regex: description: When `true`, treats the values as regular expressions. type: boolean values: items: description: Values to include. type: string maxItems: 100 type: array required: - values increase_accuracy: description: When `true`, increases accuracy at the cost of performance. type: boolean label: description: Label for the operation type: string limit: default: 5 description: Number of terms to return. type: number operation: enum: - terms type: string other_bucket: additionalProperties: false type: object properties: include_documents_without_field: description: When `true`, includes documents that do not have the specified field. type: boolean required: - include_documents_without_field rank_by: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByAlphabetical' - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByRare' - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankBySignificant' - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByMetric' - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomOperation' - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomCountOperation' - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileOperation' - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileRankOperation' required: - operation - format - fields title: Terms Operation type: object Kibana_HTTP_APIs_termsRankByAlphabetical: additionalProperties: false description: Terms ranked alphabetically. properties: direction: $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByAlphabeticalDirection' type: enum: - alphabetical type: string required: - type - direction title: Terms Rank By Alphabetical type: object Kibana_HTTP_APIs_termsRankByAlphabeticalDirection: description: Sort direction for alphabetical ranking. enum: - asc - desc title: termsRankByAlphabeticalDirection type: string Kibana_HTTP_APIs_termsRankByCustomCountOperation: additionalProperties: false description: Terms ranked by count, either of all documents or of a specific field. properties: direction: $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomDirection' field: description: Numeric field to be used for the custom operation. type: string operation: enum: - count type: string type: enum: - custom type: string required: - type - direction - operation title: Terms Rank By Custom Count Operation type: object Kibana_HTTP_APIs_termsRankByCustomDirection: description: Sort direction for custom ranking. enum: - asc - desc title: termsRankByCustomDirection type: string Kibana_HTTP_APIs_termsRankByCustomOperation: additionalProperties: false description: Terms ranked by custom operation. properties: direction: $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomDirection' field: description: Numeric field to be used for the custom operation. type: string operation: enum: - min - max - average - median - standard_deviation - unique_count - sum - last_value type: string type: enum: - custom type: string required: - type - field - direction - operation title: Terms Rank By Custom Operation type: object Kibana_HTTP_APIs_termsRankByMetric: additionalProperties: false description: Terms ranked by a linked metric. properties: direction: $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByMetricDirection' metric_index: default: 0 description: Zero-based index into the metrics array identifying which metric to rank by. minimum: 0 type: number type: enum: - metric type: string required: - type - direction title: Terms Rank By Metric type: object Kibana_HTTP_APIs_termsRankByMetricDirection: description: Sort direction for metric-based ranking. enum: - asc - desc title: termsRankByMetricDirection type: string Kibana_HTTP_APIs_termsRankByPercentileOperation: additionalProperties: false description: Terms ranked by a percentile of a numeric field, for example the 95th percentile of response time. properties: direction: $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomDirection' field: description: Numeric field to be used for the custom operation. type: string operation: enum: - percentile type: string percentile: default: 95 description: The percentile threshold (0–100) at which to compute the field value used for ranking terms. type: number type: enum: - custom type: string required: - type - field - direction - operation title: Terms Rank By Percentile Operation type: object Kibana_HTTP_APIs_termsRankByPercentileRankOperation: additionalProperties: false description: 'Terms ranked by the percentile rank of a single value: the proportion of field values at or below that value.' properties: direction: $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomDirection' field: description: Numeric field to be used for the custom operation. type: string operation: enum: - percentile_rank type: string rank: default: 0 description: The numeric value for which to compute the percentile rank (the percentage of field values at or below this value). type: number type: enum: - custom type: string required: - type - field - direction - operation title: Terms Rank By Percentile Rank Operation type: object Kibana_HTTP_APIs_termsRankByRare: additionalProperties: false description: Terms ranked by rarity. properties: max: description: Maximum number of rare terms to include. type: number type: enum: - rare type: string required: - type - max title: Terms Rank By Rarity type: object Kibana_HTTP_APIs_termsRankBySignificant: additionalProperties: false description: Terms ranked by significance. properties: type: enum: - significant type: string required: - type title: Terms Rank By Significance type: object Kibana_HTTP_APIs_transform-health-create-rule-body-alerting: additionalProperties: false properties: actions: default: [] items: additionalProperties: false description: An action that runs under defined conditions. type: object properties: alerts_filter: additionalProperties: false description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. type: object properties: query: additionalProperties: false type: object properties: dsl: description: A filter written in Elasticsearch Query Domain Specific Language (DSL). type: string filters: description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. items: additionalProperties: false type: object properties: $state: additionalProperties: false type: object properties: store: description: A filter can be either specific to an application context or applied globally. enum: - appState - globalState type: string required: - store meta: additionalProperties: {} type: object query: additionalProperties: {} type: object required: - meta type: array kql: description: A filter written in Kibana Query Language (KQL). type: string required: - kql - filters timeframe: additionalProperties: false description: Defines a period that limits whether the action runs. type: object properties: days: description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. items: enum: - 1 - 2 - 3 - 4 - 5 - 6 - 7 type: integer type: array hours: additionalProperties: false description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. type: object properties: end: description: The end of the time frame in 24-hour notation (`hh:mm`). type: string start: description: The start of the time frame in 24-hour notation (`hh:mm`). type: string required: - start - end timezone: description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. type: string required: - days - hours - timezone frequency: additionalProperties: false type: object properties: notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval type: string summary: description: Indicates whether the action is a summary. type: boolean throttle: description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - summary - notify_when - throttle group: description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. type: string id: description: The identifier for the connector saved object. type: string params: additionalProperties: {} default: {} description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. type: object use_alert_data_for_template: description: Indicates whether to use alert data as a template. type: boolean uuid: description: A universally unique identifier (UUID) for the action. type: string required: - id type: array alert_delay: additionalProperties: false description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. type: object properties: active: description: The number of consecutive runs that must meet the rule conditions. type: number required: - active artifacts: additionalProperties: false type: object properties: dashboards: items: additionalProperties: false type: object properties: id: type: string required: - id maxItems: 10 type: array investigation_guide: additionalProperties: false type: object properties: blob: maxLength: 10000 type: string required: - blob consumer: description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' type: string enabled: default: true description: Indicates whether you want to run the rule on an interval basis after it is created. type: boolean flapping: additionalProperties: false description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. nullable: true type: object properties: enabled: description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. type: boolean look_back_window: description: The minimum number of runs in which the threshold must be met. maximum: 20 minimum: 2 type: number status_change_threshold: description: The minimum number of times an alert must switch states in the look back window. maximum: 20 minimum: 2 type: number required: - look_back_window - status_change_threshold name: description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. type: string notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval nullable: true type: string params: additionalProperties: false description: The parameters for the transform health rule. These parameters are appropriate when `rule_type_id` is `transform_health`. properties: excludeTransforms: default: [] items: type: string nullable: true type: array includeTransforms: items: type: string type: array testsConfig: additionalProperties: false nullable: true type: object properties: errorMessages: additionalProperties: false nullable: true type: object properties: enabled: default: false type: boolean healthCheck: additionalProperties: false nullable: true type: object properties: enabled: default: true type: boolean notStarted: additionalProperties: false nullable: true type: object properties: enabled: default: true type: boolean required: - notStarted - errorMessages - healthCheck required: - includeTransforms - testsConfig title: Transform Health Rule Params type: object rule_type_id: enum: - transform_health type: string schedule: additionalProperties: false description: The check interval, which specifies how frequently the rule conditions are checked. type: object properties: interval: description: The interval is specified in seconds, minutes, hours, or days. type: string required: - interval tags: default: [] description: The tags for the rule. items: type: string type: array throttle: description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - name - consumer - schedule - rule_type_id - params title: Transform health type: object Kibana_HTTP_APIs_treemapESQL: additionalProperties: false description: Treemap chart configuration schema for ES|QL queries, defining metrics and breakdown dimensions using column-based configuration properties: data_source: $ref: '#/components/schemas/Kibana_HTTP_APIs_esqlDataSource' description: type: string drilldowns: items: anyOf: - additionalProperties: false properties: dashboard_id: type: string label: type: string open_in_new_tab: default: false description: When enabled, the dashboard opens in a new browser tab. type: boolean trigger: enum: - on_apply_filter type: string type: enum: - dashboard_drilldown type: string use_filters: default: true description: When enabled, filters are passed to the opening dashboard. type: boolean use_time_range: default: true description: When enabled, time range is passed to the opening dashboard. type: boolean required: - dashboard_id - label - trigger - type title: dashboard_drilldown type: object - additionalProperties: false properties: label: type: string open_in_new_tab: default: true type: boolean trigger: enum: - on_apply_filter type: string type: enum: - discover_drilldown type: string required: - label - trigger - type title: discover_drilldown type: object - additionalProperties: false properties: encode_url: default: true description: When true, URL is escaped using percent encoding type: boolean label: type: string open_in_new_tab: default: true type: boolean trigger: enum: - on_click_row - on_click_value - on_open_panel_menu - on_select_range type: string type: enum: - url_drilldown type: string url: description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable type: string required: - url - label - trigger - type title: url_drilldown type: object maxItems: 100 type: array filters: $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' group_by: description: Array of breakdown dimensions (minimum 1) items: additionalProperties: false type: object properties: collapse_by: $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' color: $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' column: description: Column to use type: string format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string required: - column - format - color - collapse_by maxItems: 100 minItems: 1 type: array hide_border: type: boolean hide_title: type: boolean ignore_global_filters: default: false description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. type: boolean legend: $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapLegend' metrics: description: Array of metric configurations (minimum 1) items: additionalProperties: false type: object properties: color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' column: description: Column to use type: string format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string required: - column - format maxItems: 100 minItems: 1 type: array references: items: $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' type: array sampling: default: 1 description: Sampling factor between 0 (no sampling) and 1 (full sampling). maximum: 1 minimum: 0 type: number styling: $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapStyling' time_range: $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' title: type: string type: enum: - treemap type: string required: - type - filters - data_source - legend - styling - metrics - time_range title: Treemap Chart (ES|QL) type: object Kibana_HTTP_APIs_treemapGroupByDateHistogram: additionalProperties: false properties: collapse_by: $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' color: $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' drop_partial_intervals: description: When `true`, drops partial intervals from the results. type: boolean field: description: Field to be used for the date histogram. type: string include_empty_rows: default: true description: When `true`, includes empty rows in the results. type: boolean label: description: Label for the operation type: string operation: enum: - date_histogram type: string suggested_interval: default: auto description: Suggested time interval. type: string use_original_time_range: default: false description: When `true`, uses the original time range instead of the current query time range. type: boolean required: - operation - field - color - collapse_by title: Date Histogram Operation type: object Kibana_HTTP_APIs_treemapGroupByFilters: additionalProperties: false properties: collapse_by: $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' color: $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' filters: items: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterWithLabel' maxItems: 100 type: array label: description: Label for the operation type: string operation: enum: - filters type: string required: - operation - filters - color - collapse_by title: Filters Operation type: object Kibana_HTTP_APIs_treemapGroupByHistogram: additionalProperties: false properties: collapse_by: $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' color: $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' field: description: Field to be used for the histogram. type: string format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' granularity: anyOf: - description: Granularity of the histogram. maximum: 7 minimum: 1 type: number - enum: - auto type: string default: auto include_empty_rows: default: true description: When `true`, includes empty rows in the results. type: boolean label: description: Label for the operation type: string operation: enum: - histogram type: string required: - operation - format - field - color - collapse_by title: Histogram Operation type: object Kibana_HTTP_APIs_treemapGroupByRanges: additionalProperties: false properties: collapse_by: $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' color: $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' field: description: Field to be used for the range. type: string format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - range type: string ranges: items: additionalProperties: false type: object properties: gt: description: Greater than. type: number label: description: Label. type: string lte: description: Less than or equal to. type: number maxItems: 100 type: array required: - operation - format - field - ranges - color - collapse_by title: Ranges Operation type: object Kibana_HTTP_APIs_treemapGroupByTerms: additionalProperties: false properties: collapse_by: $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' color: $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' excludes: additionalProperties: false type: object properties: as_regex: description: When `true`, treats the values as regular expressions. type: boolean values: items: description: Values to exclude. type: string maxItems: 100 type: array required: - values fields: items: description: Fields to be used for the terms. type: string maxItems: 4 minItems: 1 type: array format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' includes: additionalProperties: false type: object properties: as_regex: description: When `true`, treats the values as regular expressions. type: boolean values: items: description: Values to include. type: string maxItems: 100 type: array required: - values increase_accuracy: description: When `true`, increases accuracy at the cost of performance. type: boolean label: description: Label for the operation type: string limit: default: 5 description: Number of terms to return. type: number operation: enum: - terms type: string other_bucket: additionalProperties: false type: object properties: include_documents_without_field: description: When `true`, includes documents that do not have the specified field. type: boolean required: - include_documents_without_field rank_by: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByAlphabetical' - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByRare' - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankBySignificant' - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByMetric' - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomOperation' - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomCountOperation' - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileOperation' - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileRankOperation' required: - operation - format - fields - color - collapse_by title: Terms Operation type: object Kibana_HTTP_APIs_treemapLegend: additionalProperties: false description: Configuration for the treemap chart legend appearance and behavior properties: nested: description: Show nested legend with hierarchical breakdown levels type: boolean size: $ref: '#/components/schemas/Kibana_HTTP_APIs_legendSize' truncate_after_lines: description: Number of lines before legend items are truncated. maximum: 10 minimum: 1 title: legendTruncateAfterLines type: number visibility: description: Legend visibility. enum: - auto - visible - hidden type: string required: - size title: Legend type: object x-oas-optional: true Kibana_HTTP_APIs_treemapMetricCounterRate: additionalProperties: false properties: color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - counter_rate type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string required: - format - filter - time_scale - field - operation title: Counter Rate Operation type: object Kibana_HTTP_APIs_treemapMetricCountMetric: additionalProperties: false properties: color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' empty_as_null: default: false description: When `true`, treats empty buckets as null instead of zero. type: boolean field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - count type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string required: - format - filter - time_scale - operation title: Count Metric Operation type: object Kibana_HTTP_APIs_treemapMetricCumulativeSum: additionalProperties: false properties: color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - cumulative_sum type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string required: - format - filter - time_scale - field - operation title: Cumulative Sum Operation type: object Kibana_HTTP_APIs_treemapMetricDifferences: additionalProperties: false properties: color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string of: $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' operation: enum: - differences type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string required: - format - filter - time_scale - operation - of title: Differences Operation type: object Kibana_HTTP_APIs_treemapMetricFormula: additionalProperties: false properties: color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' formula: description: Formula type: string label: description: Label for the operation type: string operation: enum: - formula type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: description: Time scale enum: - s - m - h - d type: string required: - format - operation - formula - filter title: Formula Operation type: object Kibana_HTTP_APIs_treemapMetricLastValue: additionalProperties: false properties: color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string multi_value: default: false description: Whether to return all values for multi-value fields. Only affects data table and metric charts; other charts use the last value from the array. type: boolean operation: enum: - last_value type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_field: description: Time field used to determine document recency type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string required: - format - filter - time_scale - field - operation - time_field title: Last Value Operation type: object Kibana_HTTP_APIs_treemapMetricMovingAverage: additionalProperties: false properties: color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string of: $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' operation: enum: - moving_average type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string window: default: 5 description: Window type: number required: - format - filter - time_scale - operation - of title: Moving Average Operation type: object Kibana_HTTP_APIs_treemapMetricPercentile: additionalProperties: false properties: color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - percentile type: string percentile: default: 95 description: Percentile type: number reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string required: - format - filter - time_scale - field - operation title: Percentile Operation type: object Kibana_HTTP_APIs_treemapMetricPercentileRanks: additionalProperties: false properties: color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - percentile_rank type: string rank: default: 0 description: Percentile Rank type: number reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string required: - format - filter - time_scale - field - operation title: Percentile Ranks Operation type: object Kibana_HTTP_APIs_treemapMetricStatsMetric: additionalProperties: false properties: color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - min - max - average - median - standard_deviation type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string required: - format - filter - time_scale - field - operation title: Stats Metric Operation type: object Kibana_HTTP_APIs_treemapMetricSumMetric: additionalProperties: false properties: color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' empty_as_null: default: false description: When `true`, treats empty buckets as null instead of zero. type: boolean field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - sum type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string required: - format - filter - time_scale - field - operation title: Sum Metric Operation type: object Kibana_HTTP_APIs_treemapMetricUniqueCountMetric: additionalProperties: false properties: color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' empty_as_null: default: false description: When `true`, treats empty buckets as null instead of zero. type: boolean field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - unique_count type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string required: - format - filter - time_scale - field - operation title: Unique Count Metric Operation type: object Kibana_HTTP_APIs_treemapNoESQL: additionalProperties: false description: Treemap chart configuration schema for data source queries (non-ES|QL mode), defining metrics and breakdown dimensions properties: data_source: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-reference-schema' - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-spec-schema' description: type: string drilldowns: items: anyOf: - additionalProperties: false properties: dashboard_id: type: string label: type: string open_in_new_tab: default: false description: When enabled, the dashboard opens in a new browser tab. type: boolean trigger: enum: - on_apply_filter type: string type: enum: - dashboard_drilldown type: string use_filters: default: true description: When enabled, filters are passed to the opening dashboard. type: boolean use_time_range: default: true description: When enabled, time range is passed to the opening dashboard. type: boolean required: - dashboard_id - label - trigger - type title: dashboard_drilldown type: object - additionalProperties: false properties: label: type: string open_in_new_tab: default: true type: boolean trigger: enum: - on_apply_filter type: string type: enum: - discover_drilldown type: string required: - label - trigger - type title: discover_drilldown type: object - additionalProperties: false properties: encode_url: default: true description: When true, URL is escaped using percent encoding type: boolean label: type: string open_in_new_tab: default: true type: boolean trigger: enum: - on_click_row - on_click_value - on_open_panel_menu - on_select_range type: string type: enum: - url_drilldown type: string url: description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable type: string required: - url - label - trigger - type title: url_drilldown type: object maxItems: 100 type: array filters: $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' group_by: description: Array of breakdown dimensions (minimum 1) items: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapGroupByDateHistogram' - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapGroupByTerms' - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapGroupByHistogram' - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapGroupByRanges' - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapGroupByFilters' maxItems: 100 minItems: 1 type: array hide_border: type: boolean hide_title: type: boolean ignore_global_filters: default: false description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. type: boolean legend: $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapLegend' metrics: description: Array of metric configurations (minimum 1) items: anyOf: - anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapMetricCountMetric' - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapMetricUniqueCountMetric' - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapMetricStatsMetric' - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapMetricSumMetric' - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapMetricLastValue' - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapMetricPercentile' - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapMetricPercentileRanks' - anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapMetricDifferences' - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapMetricMovingAverage' - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapMetricCumulativeSum' - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapMetricCounterRate' - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapMetricFormula' maxItems: 100 minItems: 1 type: array query: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' references: items: $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' type: array sampling: default: 1 description: Sampling factor between 0 (no sampling) and 1 (full sampling). maximum: 1 minimum: 0 type: number styling: $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapStyling' time_range: $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' title: type: string type: enum: - treemap type: string required: - type - filters - data_source - query - legend - styling - metrics - time_range title: Treemap Chart (DSL) type: object Kibana_HTTP_APIs_treemapStyling: additionalProperties: false description: Visual chart styling options properties: labels: additionalProperties: false description: Labels configuration type: object properties: visible: description: Show category labels type: boolean values: $ref: '#/components/schemas/Kibana_HTTP_APIs_valueDisplay' required: - values title: Treemap styling type: object x-oas-optional: true Kibana_HTTP_APIs_unassignedColorSchema: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorFromPalette' - $ref: '#/components/schemas/Kibana_HTTP_APIs_color_code' description: The color to use for unassigned values. title: unassignedColorSchema x-oas-optional: true Kibana_HTTP_APIs_uniqueCountMetricOperation: additionalProperties: false properties: empty_as_null: default: false description: When `true`, treats empty buckets as null instead of zero. type: boolean field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - unique_count type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string required: - format - filter - time_scale - field - operation title: Unique Count Metric Operation type: object Kibana_HTTP_APIs_update_output_elasticsearch: additionalProperties: false properties: allow_edit: items: type: string maxItems: 1000 type: array ca_sha256: nullable: true type: string ca_trusted_fingerprint: nullable: true type: string config_yaml: nullable: true type: string hosts: items: format: uri type: string maxItems: 10 minItems: 1 type: array id: type: string is_default: type: boolean is_default_monitoring: type: boolean is_internal: type: boolean is_preconfigured: type: boolean name: type: string otel_disable_beatsauth: nullable: true type: boolean otel_exporter_config_yaml: nullable: true type: string preset: enum: - balanced - custom - throughput - scale - latency type: string proxy_id: nullable: true type: string secrets: additionalProperties: false type: object properties: ssl: additionalProperties: false type: object properties: key: anyOf: - additionalProperties: false type: object properties: hash: type: string id: type: string required: - id - type: string shipper: additionalProperties: false nullable: true type: object properties: compression_level: nullable: true type: number disk_queue_compression_enabled: nullable: true type: boolean disk_queue_enabled: default: false nullable: true type: boolean disk_queue_encryption_enabled: nullable: true type: boolean disk_queue_max_size: nullable: true type: number disk_queue_path: nullable: true type: string loadbalance: nullable: true type: boolean max_batch_bytes: nullable: true type: number mem_queue_events: nullable: true type: number queue_flush_timeout: nullable: true type: number required: - disk_queue_path - disk_queue_max_size - disk_queue_encryption_enabled - disk_queue_compression_enabled - compression_level - loadbalance - mem_queue_events - queue_flush_timeout - max_batch_bytes ssl: additionalProperties: false nullable: true type: object properties: certificate: type: string certificate_authorities: items: type: string maxItems: 10 type: array key: type: string verification_mode: enum: - full - none - certificate - strict type: string type: enum: - elasticsearch type: string write_to_logs_streams: nullable: true type: boolean title: update_output_elasticsearch type: object Kibana_HTTP_APIs_update_output_kafka: additionalProperties: false properties: allow_edit: items: type: string maxItems: 1000 type: array auth_type: enum: - none - user_pass - ssl - kerberos type: string broker_timeout: type: number ca_sha256: nullable: true type: string ca_trusted_fingerprint: nullable: true type: string client_id: type: string compression: enum: - gzip - snappy - lz4 - none type: string compression_level: anyOf: - items: {} type: array - type: boolean - type: number - type: object - type: string nullable: true oneOf: - type: number - not: {} config_yaml: nullable: true type: string connection_type: anyOf: - items: {} type: array - type: boolean - type: number - type: object - type: string nullable: true oneOf: - enum: - plaintext - encryption type: string - not: {} hash: additionalProperties: false type: object properties: hash: type: string random: type: boolean headers: items: additionalProperties: false type: object properties: key: type: string value: type: string required: - key - value maxItems: 100 type: array hosts: items: type: string maxItems: 10 minItems: 1 type: array id: type: string is_default: default: false type: boolean is_default_monitoring: default: false type: boolean is_internal: type: boolean is_preconfigured: type: boolean key: type: string name: type: string otel_disable_beatsauth: nullable: true type: boolean otel_exporter_config_yaml: nullable: true type: string partition: enum: - random - round_robin - hash type: string password: anyOf: - items: {} type: array - type: boolean - type: number - type: object - type: string nullable: true oneOf: - not: {} - anyOf: - items: {} type: array - type: boolean - type: number - type: object - type: string nullable: true oneOf: - type: string - not: {} proxy_id: nullable: true type: string random: additionalProperties: false type: object properties: group_events: type: number required_acks: enum: - 1 - 0 - -1 type: integer round_robin: additionalProperties: false type: object properties: group_events: type: number sasl: additionalProperties: false nullable: true type: object properties: mechanism: enum: - PLAIN - SCRAM-SHA-256 - SCRAM-SHA-512 type: string secrets: additionalProperties: false type: object properties: password: anyOf: - additionalProperties: false type: object properties: hash: type: string id: type: string required: - id - type: string ssl: additionalProperties: false type: object properties: key: anyOf: - additionalProperties: false type: object properties: hash: type: string id: type: string required: - id - type: string required: - key shipper: additionalProperties: false nullable: true type: object properties: compression_level: nullable: true type: number disk_queue_compression_enabled: nullable: true type: boolean disk_queue_enabled: default: false nullable: true type: boolean disk_queue_encryption_enabled: nullable: true type: boolean disk_queue_max_size: nullable: true type: number disk_queue_path: nullable: true type: string loadbalance: nullable: true type: boolean max_batch_bytes: nullable: true type: number mem_queue_events: nullable: true type: number queue_flush_timeout: nullable: true type: number required: - disk_queue_path - disk_queue_max_size - disk_queue_encryption_enabled - disk_queue_compression_enabled - compression_level - loadbalance - mem_queue_events - queue_flush_timeout - max_batch_bytes ssl: additionalProperties: false nullable: true type: object properties: certificate: type: string certificate_authorities: items: type: string maxItems: 10 type: array key: type: string verification_mode: enum: - full - none - certificate - strict type: string timeout: type: number topic: type: string type: enum: - kafka type: string username: anyOf: - items: {} type: array - type: boolean - type: number - type: object - type: string nullable: true oneOf: - type: string - not: {} version: type: string required: - name - compression_level - connection_type - username - password title: update_output_kafka type: object Kibana_HTTP_APIs_update_output_logstash: additionalProperties: false properties: allow_edit: items: type: string maxItems: 1000 type: array ca_sha256: nullable: true type: string ca_trusted_fingerprint: nullable: true type: string config_yaml: nullable: true type: string hosts: items: type: string maxItems: 10 minItems: 1 type: array id: type: string is_default: type: boolean is_default_monitoring: type: boolean is_internal: type: boolean is_preconfigured: type: boolean name: type: string otel_disable_beatsauth: nullable: true type: boolean otel_exporter_config_yaml: nullable: true type: string proxy_id: nullable: true type: string secrets: additionalProperties: false type: object properties: ssl: additionalProperties: false type: object properties: key: anyOf: - additionalProperties: false type: object properties: hash: type: string id: type: string required: - id - type: string shipper: additionalProperties: false nullable: true type: object properties: compression_level: nullable: true type: number disk_queue_compression_enabled: nullable: true type: boolean disk_queue_enabled: default: false nullable: true type: boolean disk_queue_encryption_enabled: nullable: true type: boolean disk_queue_max_size: nullable: true type: number disk_queue_path: nullable: true type: string loadbalance: nullable: true type: boolean max_batch_bytes: nullable: true type: number mem_queue_events: nullable: true type: number queue_flush_timeout: nullable: true type: number required: - disk_queue_path - disk_queue_max_size - disk_queue_encryption_enabled - disk_queue_compression_enabled - compression_level - loadbalance - mem_queue_events - queue_flush_timeout - max_batch_bytes ssl: additionalProperties: false nullable: true type: object properties: certificate: type: string certificate_authorities: items: type: string maxItems: 10 type: array key: type: string verification_mode: enum: - full - none - certificate - strict type: string type: enum: - logstash type: string title: update_output_logstash type: object Kibana_HTTP_APIs_update_output_remote_elasticsearch: additionalProperties: false properties: allow_edit: items: type: string maxItems: 1000 type: array ca_sha256: nullable: true type: string ca_trusted_fingerprint: nullable: true type: string config_yaml: nullable: true type: string hosts: items: format: uri type: string maxItems: 10 minItems: 1 type: array id: type: string is_default: type: boolean is_default_monitoring: type: boolean is_internal: type: boolean is_preconfigured: type: boolean kibana_api_key: nullable: true type: string kibana_url: nullable: true type: string name: type: string otel_disable_beatsauth: nullable: true type: boolean otel_exporter_config_yaml: nullable: true type: string preset: enum: - balanced - custom - throughput - scale - latency type: string proxy_id: nullable: true type: string secrets: additionalProperties: false type: object properties: service_token: anyOf: - additionalProperties: false type: object properties: hash: type: string id: type: string required: - id - type: string ssl: additionalProperties: false type: object properties: key: anyOf: - additionalProperties: false type: object properties: hash: type: string id: type: string required: - id - type: string service_token: nullable: true type: string shipper: additionalProperties: false nullable: true type: object properties: compression_level: nullable: true type: number disk_queue_compression_enabled: nullable: true type: boolean disk_queue_enabled: default: false nullable: true type: boolean disk_queue_encryption_enabled: nullable: true type: boolean disk_queue_max_size: nullable: true type: number disk_queue_path: nullable: true type: string loadbalance: nullable: true type: boolean max_batch_bytes: nullable: true type: number mem_queue_events: nullable: true type: number queue_flush_timeout: nullable: true type: number required: - disk_queue_path - disk_queue_max_size - disk_queue_encryption_enabled - disk_queue_compression_enabled - compression_level - loadbalance - mem_queue_events - queue_flush_timeout - max_batch_bytes ssl: additionalProperties: false nullable: true type: object properties: certificate: type: string certificate_authorities: items: type: string maxItems: 10 type: array key: type: string verification_mode: enum: - full - none - certificate - strict type: string sync_integrations: type: boolean sync_uninstalled_integrations: type: boolean type: enum: - remote_elasticsearch type: string write_to_logs_streams: nullable: true type: boolean title: update_output_remote_elasticsearch type: object Kibana_HTTP_APIs_valueDisplay: additionalProperties: false description: Configure the visibility and the format of the values rendered on each chart partition section properties: mode: description: How to format values when visible. enum: - absolute - percentage type: string percent_decimals: description: Decimal places for percentage display (0-10) maximum: 10 minimum: 0 type: number visible: description: Show metric values on the chart type: boolean title: valueDisplay type: object x-oas-optional: true Kibana_HTTP_APIs_vis_api_direction: description: Sort direction. enum: - asc - desc title: vis_api_direction type: string Kibana_HTTP_APIs_vis_api_domain_custom: additionalProperties: false description: Uses explicitly provided domain bounds (min and max). properties: max: description: Max domain value type: number min: description: Min domain value type: number rounding: description: Whether to round axis domain bounds outward to readable “nice” values (for example 1, 5, 10, 100) instead of exact data min/max. title: vis_api_domain_rounding type: boolean type: enum: - custom type: string required: - type - min - max title: vis_api_domain_custom type: object Kibana_HTTP_APIs_vis_api_domain_fit: additionalProperties: false description: Uses tight domain bounds from the observed data minimum to maximum, without baseline expansion. properties: rounding: description: Whether to round axis domain bounds outward to readable “nice” values (for example 1, 5, 10, 100) instead of exact data min/max. title: vis_api_domain_rounding type: boolean type: enum: - fit type: string required: - type title: vis_api_domain_fit type: object Kibana_HTTP_APIs_vis_api_domain_full: additionalProperties: false description: Uses the full chart domain, including baseline expansion when applicable (for example, includes zero for bar-like series). properties: rounding: description: Whether to round axis domain bounds outward to readable “nice” values (for example 1, 5, 10, 100) instead of exact data min/max. title: vis_api_domain_rounding type: boolean type: enum: - full type: string required: - type title: vis_api_domain_full type: object Kibana_HTTP_APIs_vis_api_orientation: description: Orientation of the tagcloud. enum: - horizontal - vertical - angled title: vis_api_orientation type: string x-oas-optional: true Kibana_HTTP_APIs_vis_api_simple_orientation: default: horizontal description: Orientation enum: - horizontal - vertical title: vis_api_simple_orientation type: string Kibana_HTTP_APIs_vis_api_xy_axis_config: additionalProperties: false description: Axis configuration for X, Y, and Y2 axes. The Y axis is on the start (leading) side, the Y2 axis is on the end (trailing) side. properties: x: additionalProperties: false description: X-axis configuration type: object properties: domain: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_domain_fit' - $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_domain_custom' description: X-axis domain configuration grid: additionalProperties: false description: Axis grid lines configuration type: object properties: visible: description: Show grid lines for this axis type: boolean required: - visible labels: additionalProperties: false description: Label configuration type: object properties: orientation: $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_orientation' required: - orientation scale: description: X-axis scale type. Use 'temporal' for timestamp/date fields (for example, @timestamp or DATE_TRUNC results). Use 'ordinal' for categorical/text fields. Use 'linear' for numeric fields. enum: - ordinal - temporal - linear type: string ticks: additionalProperties: false description: Axis tick marks configuration type: object properties: visible: description: Show tick marks on the axis type: boolean required: - visible title: additionalProperties: false description: Axis title configuration type: object properties: text: description: Axis title text. type: string visible: description: When `true`, displays the title. type: boolean 'y': additionalProperties: false description: 'Y-axis configuration with scale and bounds. The axis position is determined by the key: y renders on the start side (left in vertical charts), y2 on the end side (right in vertical charts).' type: object properties: domain: description: Y-axis domain configuration discriminator: mapping: custom: '#/components/schemas/Kibana_HTTP_APIs_vis_api_domain_custom' fit: '#/components/schemas/Kibana_HTTP_APIs_vis_api_domain_fit' full: '#/components/schemas/Kibana_HTTP_APIs_vis_api_domain_full' propertyName: type oneOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_domain_full' - $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_domain_fit' - $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_domain_custom' grid: additionalProperties: false description: Axis grid lines configuration type: object properties: visible: description: Show grid lines for this axis type: boolean required: - visible labels: additionalProperties: false description: Label configuration type: object properties: orientation: $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_orientation' required: - orientation scale: description: Y-axis scale type for data transformation enum: - linear - log - sqrt type: string ticks: additionalProperties: false description: Axis tick marks configuration type: object properties: visible: description: Show tick marks on the axis type: boolean required: - visible title: additionalProperties: false description: Axis title configuration type: object properties: text: description: Axis title text. type: string visible: description: When `true`, displays the title. type: boolean required: - domain y2: additionalProperties: false description: 'Y-axis configuration with scale and bounds. The axis position is determined by the key: y renders on the start side (left in vertical charts), y2 on the end side (right in vertical charts).' type: object properties: domain: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_domain_full' - $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_domain_fit' - $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_domain_custom' description: Y-axis domain configuration grid: additionalProperties: false description: Axis grid lines configuration type: object properties: visible: description: Show grid lines for this axis type: boolean required: - visible labels: additionalProperties: false description: Label configuration type: object properties: orientation: $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_orientation' required: - orientation scale: description: Y-axis scale type for data transformation enum: - linear - log - sqrt type: string ticks: additionalProperties: false description: Axis tick marks configuration type: object properties: visible: description: Show tick marks on the axis type: boolean required: - visible title: additionalProperties: false description: Axis title configuration type: object properties: text: description: Axis title text. type: string visible: description: When `true`, displays the title. type: boolean required: - domain title: Axis type: object x-oas-optional: true Kibana_HTTP_APIs_waffleESQL: additionalProperties: false description: Waffle chart configuration for ES|QL queries properties: data_source: $ref: '#/components/schemas/Kibana_HTTP_APIs_esqlDataSource' description: type: string drilldowns: items: anyOf: - additionalProperties: false properties: dashboard_id: type: string label: type: string open_in_new_tab: default: false description: When enabled, the dashboard opens in a new browser tab. type: boolean trigger: enum: - on_apply_filter type: string type: enum: - dashboard_drilldown type: string use_filters: default: true description: When enabled, filters are passed to the opening dashboard. type: boolean use_time_range: default: true description: When enabled, time range is passed to the opening dashboard. type: boolean required: - dashboard_id - label - trigger - type title: dashboard_drilldown type: object - additionalProperties: false properties: label: type: string open_in_new_tab: default: true type: boolean trigger: enum: - on_apply_filter type: string type: enum: - discover_drilldown type: string required: - label - trigger - type title: discover_drilldown type: object - additionalProperties: false properties: encode_url: default: true description: When true, URL is escaped using percent encoding type: boolean label: type: string open_in_new_tab: default: true type: boolean trigger: enum: - on_click_row - on_click_value - on_open_panel_menu - on_select_range type: string type: enum: - url_drilldown type: string url: description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable type: string required: - url - label - trigger - type title: url_drilldown type: object maxItems: 100 type: array filters: $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' group_by: description: Array of ES|QL breakdown columns (minimum 1) items: additionalProperties: false type: object properties: collapse_by: $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' color: $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' column: description: Column to use type: string format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string required: - column - format - color - collapse_by maxItems: 100 minItems: 1 type: array hide_border: type: boolean hide_title: type: boolean ignore_global_filters: default: false description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. type: boolean legend: $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleLegend' metrics: description: Array of metric configurations (minimum 1) items: additionalProperties: false type: object properties: color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' column: description: Column to use type: string format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string required: - column - format maxItems: 100 minItems: 1 type: array references: items: $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' type: array sampling: default: 1 description: Sampling factor between 0 (no sampling) and 1 (full sampling). maximum: 1 minimum: 0 type: number styling: $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleStyling' time_range: $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' title: type: string type: enum: - waffle type: string required: - type - filters - data_source - legend - styling - metrics - time_range title: Waffle Chart (ES|QL) type: object Kibana_HTTP_APIs_waffleGroupByDateHistogram: additionalProperties: false properties: collapse_by: $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' color: $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' drop_partial_intervals: description: When `true`, drops partial intervals from the results. type: boolean field: description: Field to be used for the date histogram. type: string include_empty_rows: default: true description: When `true`, includes empty rows in the results. type: boolean label: description: Label for the operation type: string operation: enum: - date_histogram type: string suggested_interval: default: auto description: Suggested time interval. type: string use_original_time_range: default: false description: When `true`, uses the original time range instead of the current query time range. type: boolean required: - operation - field - color - collapse_by title: Date Histogram Operation type: object Kibana_HTTP_APIs_waffleGroupByFilters: additionalProperties: false properties: collapse_by: $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' color: $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' filters: items: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterWithLabel' maxItems: 100 type: array label: description: Label for the operation type: string operation: enum: - filters type: string required: - operation - filters - color - collapse_by title: Filters Operation type: object Kibana_HTTP_APIs_waffleGroupByHistogram: additionalProperties: false properties: collapse_by: $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' color: $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' field: description: Field to be used for the histogram. type: string format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' granularity: anyOf: - description: Granularity of the histogram. maximum: 7 minimum: 1 type: number - enum: - auto type: string default: auto include_empty_rows: default: true description: When `true`, includes empty rows in the results. type: boolean label: description: Label for the operation type: string operation: enum: - histogram type: string required: - operation - format - field - color - collapse_by title: Histogram Operation type: object Kibana_HTTP_APIs_waffleGroupByRanges: additionalProperties: false properties: collapse_by: $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' color: $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' field: description: Field to be used for the range. type: string format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - range type: string ranges: items: additionalProperties: false type: object properties: gt: description: Greater than. type: number label: description: Label. type: string lte: description: Less than or equal to. type: number maxItems: 100 type: array required: - operation - format - field - ranges - color - collapse_by title: Ranges Operation type: object Kibana_HTTP_APIs_waffleGroupByTerms: additionalProperties: false properties: collapse_by: $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' color: $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' excludes: additionalProperties: false type: object properties: as_regex: description: When `true`, treats the values as regular expressions. type: boolean values: items: description: Values to exclude. type: string maxItems: 100 type: array required: - values fields: items: description: Fields to be used for the terms. type: string maxItems: 4 minItems: 1 type: array format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' includes: additionalProperties: false type: object properties: as_regex: description: When `true`, treats the values as regular expressions. type: boolean values: items: description: Values to include. type: string maxItems: 100 type: array required: - values increase_accuracy: description: When `true`, increases accuracy at the cost of performance. type: boolean label: description: Label for the operation type: string limit: default: 5 description: Number of terms to return. type: number operation: enum: - terms type: string other_bucket: additionalProperties: false type: object properties: include_documents_without_field: description: When `true`, includes documents that do not have the specified field. type: boolean required: - include_documents_without_field rank_by: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByAlphabetical' - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByRare' - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankBySignificant' - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByMetric' - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomOperation' - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomCountOperation' - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileOperation' - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileRankOperation' required: - operation - format - fields - color - collapse_by title: Terms Operation type: object Kibana_HTTP_APIs_waffleLegend: additionalProperties: false description: Legend configuration for waffle chart properties: size: $ref: '#/components/schemas/Kibana_HTTP_APIs_legendSize' truncate_after_lines: description: Number of lines before legend items are truncated. maximum: 10 minimum: 1 title: legendTruncateAfterLines type: number values: items: description: 'Legend value display mode: absolute (show raw metric values in legend)' enum: - absolute type: string maxItems: 1 minItems: 1 type: array visibility: description: Legend visibility. enum: - auto - visible - hidden type: string required: - size title: Legend type: object x-oas-optional: true Kibana_HTTP_APIs_waffleMetricCounterRate: additionalProperties: false properties: color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - counter_rate type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string required: - format - filter - time_scale - field - operation title: Counter Rate Operation type: object Kibana_HTTP_APIs_waffleMetricCountMetric: additionalProperties: false properties: color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' empty_as_null: default: false description: When `true`, treats empty buckets as null instead of zero. type: boolean field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - count type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string required: - format - filter - time_scale - operation title: Count Metric Operation type: object Kibana_HTTP_APIs_waffleMetricCumulativeSum: additionalProperties: false properties: color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - cumulative_sum type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string required: - format - filter - time_scale - field - operation title: Cumulative Sum Operation type: object Kibana_HTTP_APIs_waffleMetricDifferences: additionalProperties: false properties: color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string of: $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' operation: enum: - differences type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string required: - format - filter - time_scale - operation - of title: Differences Operation type: object Kibana_HTTP_APIs_waffleMetricFormula: additionalProperties: false properties: color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' formula: description: Formula type: string label: description: Label for the operation type: string operation: enum: - formula type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: description: Time scale enum: - s - m - h - d type: string required: - format - operation - formula - filter title: Formula Operation type: object Kibana_HTTP_APIs_waffleMetricLastValue: additionalProperties: false properties: color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string multi_value: default: false description: Whether to return all values for multi-value fields. Only affects data table and metric charts; other charts use the last value from the array. type: boolean operation: enum: - last_value type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_field: description: Time field used to determine document recency type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string required: - format - filter - time_scale - field - operation - time_field title: Last Value Operation type: object Kibana_HTTP_APIs_waffleMetricMovingAverage: additionalProperties: false properties: color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string of: $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' operation: enum: - moving_average type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string window: default: 5 description: Window type: number required: - format - filter - time_scale - operation - of title: Moving Average Operation type: object Kibana_HTTP_APIs_waffleMetricPercentile: additionalProperties: false properties: color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - percentile type: string percentile: default: 95 description: Percentile type: number reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string required: - format - filter - time_scale - field - operation title: Percentile Operation type: object Kibana_HTTP_APIs_waffleMetricPercentileRanks: additionalProperties: false properties: color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - percentile_rank type: string rank: default: 0 description: Percentile Rank type: number reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string required: - format - filter - time_scale - field - operation title: Percentile Ranks Operation type: object Kibana_HTTP_APIs_waffleMetricStatsMetric: additionalProperties: false properties: color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - min - max - average - median - standard_deviation type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string required: - format - filter - time_scale - field - operation title: Stats Metric Operation type: object Kibana_HTTP_APIs_waffleMetricSumMetric: additionalProperties: false properties: color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' empty_as_null: default: false description: When `true`, treats empty buckets as null instead of zero. type: boolean field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - sum type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string required: - format - filter - time_scale - field - operation title: Sum Metric Operation type: object Kibana_HTTP_APIs_waffleMetricUniqueCountMetric: additionalProperties: false properties: color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' empty_as_null: default: false description: When `true`, treats empty buckets as null instead of zero. type: boolean field: description: Field to be used for the metric type: string filter: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - unique_count type: string reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting type: string time_scale: $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' time_shift: description: Time shift title: Operation Time Shift Setting type: string required: - format - filter - time_scale - field - operation title: Unique Count Metric Operation type: object Kibana_HTTP_APIs_waffleNoESQL: additionalProperties: false description: Waffle chart configuration for standard queries properties: data_source: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-reference-schema' - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-spec-schema' description: type: string drilldowns: items: anyOf: - additionalProperties: false properties: dashboard_id: type: string label: type: string open_in_new_tab: default: false description: When enabled, the dashboard opens in a new browser tab. type: boolean trigger: enum: - on_apply_filter type: string type: enum: - dashboard_drilldown type: string use_filters: default: true description: When enabled, filters are passed to the opening dashboard. type: boolean use_time_range: default: true description: When enabled, time range is passed to the opening dashboard. type: boolean required: - dashboard_id - label - trigger - type title: dashboard_drilldown type: object - additionalProperties: false properties: label: type: string open_in_new_tab: default: true type: boolean trigger: enum: - on_apply_filter type: string type: enum: - discover_drilldown type: string required: - label - trigger - type title: discover_drilldown type: object - additionalProperties: false properties: encode_url: default: true description: When true, URL is escaped using percent encoding type: boolean label: type: string open_in_new_tab: default: true type: boolean trigger: enum: - on_click_row - on_click_value - on_open_panel_menu - on_select_range type: string type: enum: - url_drilldown type: string url: description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable type: string required: - url - label - trigger - type title: url_drilldown type: object maxItems: 100 type: array filters: $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' group_by: description: Array of breakdown dimensions (minimum 1) items: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleGroupByDateHistogram' - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleGroupByTerms' - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleGroupByHistogram' - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleGroupByRanges' - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleGroupByFilters' maxItems: 100 minItems: 1 type: array hide_border: type: boolean hide_title: type: boolean ignore_global_filters: default: false description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. type: boolean legend: $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleLegend' metrics: description: Array of metric configurations (minimum 1) items: anyOf: - anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleMetricCountMetric' - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleMetricUniqueCountMetric' - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleMetricStatsMetric' - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleMetricSumMetric' - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleMetricLastValue' - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleMetricPercentile' - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleMetricPercentileRanks' - anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleMetricDifferences' - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleMetricMovingAverage' - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleMetricCumulativeSum' - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleMetricCounterRate' - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleMetricFormula' maxItems: 100 minItems: 1 type: array query: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' references: items: $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' type: array sampling: default: 1 description: Sampling factor between 0 (no sampling) and 1 (full sampling). maximum: 1 minimum: 0 type: number styling: $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleStyling' time_range: $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' title: type: string type: enum: - waffle type: string required: - type - filters - data_source - query - legend - styling - metrics - time_range title: Waffle Chart (DSL) type: object Kibana_HTTP_APIs_waffleStyling: additionalProperties: false description: Visual chart styling options properties: values: $ref: '#/components/schemas/Kibana_HTTP_APIs_valueDisplay' required: - values title: Waffle styling type: object x-oas-optional: true Kibana_HTTP_APIs_WiredStreamUpsertRequest: additionalProperties: false type: object properties: dashboards: items: type: string type: array queries: items: type: object properties: description: type: string esql: type: object properties: query: type: string required: - query evidence: items: type: string type: array id: description: A non-empty string. minLength: 1 type: string severity_score: type: number title: description: A non-empty string. minLength: 1 type: string required: - id - title - description - esql type: array rules: items: type: string type: array stream: additionalProperties: false type: object properties: description: type: string ingest: additionalProperties: false type: object properties: failure_store: $ref: '#/components/schemas/Kibana_HTTP_APIs_FailureStore' lifecycle: $ref: '#/components/schemas/Kibana_HTTP_APIs_IngestStreamLifecycle' processing: additionalProperties: false type: object properties: steps: items: $ref: '#/components/schemas/Kibana_HTTP_APIs_StreamlangStep' type: array updated_at: {} required: - steps settings: additionalProperties: false type: object properties: index.number_of_replicas: additionalProperties: false type: object properties: value: type: number required: - value index.number_of_shards: additionalProperties: false type: object properties: value: type: number required: - value index.refresh_interval: additionalProperties: false type: object properties: value: anyOf: - type: string - enum: - -1 type: number required: - value wired: additionalProperties: false type: object properties: fields: $ref: '#/components/schemas/Kibana_HTTP_APIs_FieldDefinition' routing: items: type: object properties: destination: description: A non-empty string. minLength: 1 type: string status: enum: - enabled - disabled type: string where: $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' required: - destination - where type: array required: - fields - routing required: - lifecycle - processing - settings - failure_store - wired query_streams: items: type: object properties: name: type: string required: - name type: array type: enum: - wired type: string required: - description - ingest - type required: - dashboards - rules - queries - stream Kibana_HTTP_APIs_xpack-ml-anomaly-detection-alert-create-rule-body-alerting: additionalProperties: false properties: actions: default: [] items: additionalProperties: false description: An action that runs under defined conditions. type: object properties: alerts_filter: additionalProperties: false description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. type: object properties: query: additionalProperties: false type: object properties: dsl: description: A filter written in Elasticsearch Query Domain Specific Language (DSL). type: string filters: description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. items: additionalProperties: false type: object properties: $state: additionalProperties: false type: object properties: store: description: A filter can be either specific to an application context or applied globally. enum: - appState - globalState type: string required: - store meta: additionalProperties: {} type: object query: additionalProperties: {} type: object required: - meta type: array kql: description: A filter written in Kibana Query Language (KQL). type: string required: - kql - filters timeframe: additionalProperties: false description: Defines a period that limits whether the action runs. type: object properties: days: description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. items: enum: - 1 - 2 - 3 - 4 - 5 - 6 - 7 type: integer type: array hours: additionalProperties: false description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. type: object properties: end: description: The end of the time frame in 24-hour notation (`hh:mm`). type: string start: description: The start of the time frame in 24-hour notation (`hh:mm`). type: string required: - start - end timezone: description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. type: string required: - days - hours - timezone frequency: additionalProperties: false type: object properties: notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval type: string summary: description: Indicates whether the action is a summary. type: boolean throttle: description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - summary - notify_when - throttle group: description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. type: string id: description: The identifier for the connector saved object. type: string params: additionalProperties: {} default: {} description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. type: object use_alert_data_for_template: description: Indicates whether to use alert data as a template. type: boolean uuid: description: A universally unique identifier (UUID) for the action. type: string required: - id type: array alert_delay: additionalProperties: false description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. type: object properties: active: description: The number of consecutive runs that must meet the rule conditions. type: number required: - active artifacts: additionalProperties: false type: object properties: dashboards: items: additionalProperties: false type: object properties: id: type: string required: - id maxItems: 10 type: array investigation_guide: additionalProperties: false type: object properties: blob: maxLength: 10000 type: string required: - blob consumer: description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' type: string enabled: default: true description: Indicates whether you want to run the rule on an interval basis after it is created. type: boolean flapping: additionalProperties: false description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. nullable: true type: object properties: enabled: description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. type: boolean look_back_window: description: The minimum number of runs in which the threshold must be met. maximum: 20 minimum: 2 type: number status_change_threshold: description: The minimum number of times an alert must switch states in the look back window. maximum: 20 minimum: 2 type: number required: - look_back_window - status_change_threshold name: description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. type: string notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval nullable: true type: string params: additionalProperties: false description: The parameters for the anomaly detection rule. These parameters are appropriate when `rule_type_id` is `xpack.ml.anomaly_detection_alert"`. properties: includeInterim: default: true type: boolean jobSelection: additionalProperties: false type: object properties: groupIds: default: [] items: type: string type: array jobIds: default: [] items: type: string type: array kqlQueryString: nullable: true type: string lookbackInterval: nullable: true type: string resultType: enum: - record - bucket - influencer type: string severity: maximum: 100 minimum: 0 type: number topNBuckets: minimum: 1 nullable: true type: number required: - jobSelection - severity - resultType - lookbackInterval - topNBuckets - kqlQueryString title: Anomaly Detection Rule Params type: object rule_type_id: enum: - xpack.ml.anomaly_detection_alert type: string schedule: additionalProperties: false description: The check interval, which specifies how frequently the rule conditions are checked. type: object properties: interval: description: The interval is specified in seconds, minutes, hours, or days. type: string required: - interval tags: default: [] description: The tags for the rule. items: type: string type: array throttle: description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - name - consumer - schedule - rule_type_id - params title: Anomaly detection type: object Kibana_HTTP_APIs_xpack-ml-anomaly-detection-jobs-health-create-rule-body-alerting: additionalProperties: false properties: actions: default: [] items: additionalProperties: false description: An action that runs under defined conditions. type: object properties: alerts_filter: additionalProperties: false description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. type: object properties: query: additionalProperties: false type: object properties: dsl: description: A filter written in Elasticsearch Query Domain Specific Language (DSL). type: string filters: description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. items: additionalProperties: false type: object properties: $state: additionalProperties: false type: object properties: store: description: A filter can be either specific to an application context or applied globally. enum: - appState - globalState type: string required: - store meta: additionalProperties: {} type: object query: additionalProperties: {} type: object required: - meta type: array kql: description: A filter written in Kibana Query Language (KQL). type: string required: - kql - filters timeframe: additionalProperties: false description: Defines a period that limits whether the action runs. type: object properties: days: description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. items: enum: - 1 - 2 - 3 - 4 - 5 - 6 - 7 type: integer type: array hours: additionalProperties: false description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. type: object properties: end: description: The end of the time frame in 24-hour notation (`hh:mm`). type: string start: description: The start of the time frame in 24-hour notation (`hh:mm`). type: string required: - start - end timezone: description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. type: string required: - days - hours - timezone frequency: additionalProperties: false type: object properties: notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval type: string summary: description: Indicates whether the action is a summary. type: boolean throttle: description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - summary - notify_when - throttle group: description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. type: string id: description: The identifier for the connector saved object. type: string params: additionalProperties: {} default: {} description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. type: object use_alert_data_for_template: description: Indicates whether to use alert data as a template. type: boolean uuid: description: A universally unique identifier (UUID) for the action. type: string required: - id type: array alert_delay: additionalProperties: false description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. type: object properties: active: description: The number of consecutive runs that must meet the rule conditions. type: number required: - active artifacts: additionalProperties: false type: object properties: dashboards: items: additionalProperties: false type: object properties: id: type: string required: - id maxItems: 10 type: array investigation_guide: additionalProperties: false type: object properties: blob: maxLength: 10000 type: string required: - blob consumer: description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' type: string enabled: default: true description: Indicates whether you want to run the rule on an interval basis after it is created. type: boolean flapping: additionalProperties: false description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. nullable: true type: object properties: enabled: description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. type: boolean look_back_window: description: The minimum number of runs in which the threshold must be met. maximum: 20 minimum: 2 type: number status_change_threshold: description: The minimum number of times an alert must switch states in the look back window. maximum: 20 minimum: 2 type: number required: - look_back_window - status_change_threshold name: description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. type: string notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval nullable: true type: string params: additionalProperties: false description: The parameters for the anomaly detection jobs health rule. These parameters are appropriate when `rule_type_id` is `xpack.ml.anomaly_detection_jobs_health"`. properties: excludeJobs: additionalProperties: false nullable: true type: object properties: groupIds: default: [] items: type: string type: array jobIds: default: [] items: type: string type: array includeJobs: additionalProperties: false type: object properties: groupIds: default: [] items: type: string type: array jobIds: default: [] items: type: string type: array testsConfig: additionalProperties: false nullable: true type: object properties: behindRealtime: additionalProperties: false nullable: true type: object properties: enabled: default: true type: boolean timeInterval: nullable: true type: string required: - timeInterval datafeed: additionalProperties: false nullable: true type: object properties: enabled: default: true type: boolean delayedData: additionalProperties: false nullable: true type: object properties: docsCount: minimum: 1 nullable: true type: number enabled: default: true type: boolean timeInterval: nullable: true type: string required: - docsCount - timeInterval errorMessages: additionalProperties: false nullable: true type: object properties: enabled: default: true type: boolean mml: additionalProperties: false nullable: true type: object properties: enabled: default: true type: boolean required: - datafeed - mml - delayedData - behindRealtime - errorMessages required: - includeJobs - excludeJobs - testsConfig title: Anomaly Detection Jobs Health Rule Params type: object rule_type_id: enum: - xpack.ml.anomaly_detection_jobs_health type: string schedule: additionalProperties: false description: The check interval, which specifies how frequently the rule conditions are checked. type: object properties: interval: description: The interval is specified in seconds, minutes, hours, or days. type: string required: - interval tags: default: [] description: The tags for the rule. items: type: string type: array throttle: description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - name - consumer - schedule - rule_type_id - params title: Anomaly detection jobs health type: object Kibana_HTTP_APIs_xpack-synthetics-alerts-monitorstatus-create-rule-body-alerting: additionalProperties: false properties: actions: default: [] items: additionalProperties: false description: An action that runs under defined conditions. type: object properties: alerts_filter: additionalProperties: false description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. type: object properties: query: additionalProperties: false type: object properties: dsl: description: A filter written in Elasticsearch Query Domain Specific Language (DSL). type: string filters: description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. items: additionalProperties: false type: object properties: $state: additionalProperties: false type: object properties: store: description: A filter can be either specific to an application context or applied globally. enum: - appState - globalState type: string required: - store meta: additionalProperties: {} type: object query: additionalProperties: {} type: object required: - meta type: array kql: description: A filter written in Kibana Query Language (KQL). type: string required: - kql - filters timeframe: additionalProperties: false description: Defines a period that limits whether the action runs. type: object properties: days: description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. items: enum: - 1 - 2 - 3 - 4 - 5 - 6 - 7 type: integer type: array hours: additionalProperties: false description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. type: object properties: end: description: The end of the time frame in 24-hour notation (`hh:mm`). type: string start: description: The start of the time frame in 24-hour notation (`hh:mm`). type: string required: - start - end timezone: description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. type: string required: - days - hours - timezone frequency: additionalProperties: false type: object properties: notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval type: string summary: description: Indicates whether the action is a summary. type: boolean throttle: description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - summary - notify_when - throttle group: description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. type: string id: description: The identifier for the connector saved object. type: string params: additionalProperties: {} default: {} description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. type: object use_alert_data_for_template: description: Indicates whether to use alert data as a template. type: boolean uuid: description: A universally unique identifier (UUID) for the action. type: string required: - id type: array alert_delay: additionalProperties: false description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. type: object properties: active: description: The number of consecutive runs that must meet the rule conditions. type: number required: - active artifacts: additionalProperties: false type: object properties: dashboards: items: additionalProperties: false type: object properties: id: type: string required: - id maxItems: 10 type: array investigation_guide: additionalProperties: false type: object properties: blob: maxLength: 10000 type: string required: - blob consumer: description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' type: string enabled: default: true description: Indicates whether you want to run the rule on an interval basis after it is created. type: boolean flapping: additionalProperties: false description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. nullable: true type: object properties: enabled: description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. type: boolean look_back_window: description: The minimum number of runs in which the threshold must be met. maximum: 20 minimum: 2 type: number status_change_threshold: description: The minimum number of times an alert must switch states in the look back window. maximum: 20 minimum: 2 type: number required: - look_back_window - status_change_threshold name: description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. type: string notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval nullable: true type: string params: additionalProperties: false description: The parameters for the synthetics monitor status rule. These parameters are appropriate when `rule_type_id` is `xpack.synthetics.alerts.monitorStatus`. properties: condition: additionalProperties: false type: object properties: alertOnNoData: type: boolean downThreshold: type: number groupBy: type: string includeRetests: type: boolean locationsThreshold: type: number recoveryStrategy: enum: - firstUp - conditionNotMet type: string window: anyOf: - additionalProperties: false type: object properties: time: additionalProperties: false type: object properties: size: default: 5 type: number unit: default: m enum: - s - m - h - d type: string required: - time - additionalProperties: false type: object properties: numberOfChecks: default: 5 maximum: 100 minimum: 1 type: number required: - window kqlQuery: type: string locations: items: type: string type: array monitorIds: items: type: string type: array monitorTypes: items: type: string type: array projects: items: type: string type: array tags: items: type: string type: array title: Synthetics Monitor Status Rule Params type: object rule_type_id: enum: - xpack.synthetics.alerts.monitorStatus type: string schedule: additionalProperties: false description: The check interval, which specifies how frequently the rule conditions are checked. type: object properties: interval: description: The interval is specified in seconds, minutes, hours, or days. type: string required: - interval tags: default: [] description: The tags for the rule. items: type: string type: array throttle: description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - name - consumer - schedule - rule_type_id - params title: Synthetics monitor status type: object Kibana_HTTP_APIs_xpack-synthetics-alerts-tls-create-rule-body-alerting: additionalProperties: false properties: actions: default: [] items: additionalProperties: false description: An action that runs under defined conditions. type: object properties: alerts_filter: additionalProperties: false description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. type: object properties: query: additionalProperties: false type: object properties: dsl: description: A filter written in Elasticsearch Query Domain Specific Language (DSL). type: string filters: description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. items: additionalProperties: false type: object properties: $state: additionalProperties: false type: object properties: store: description: A filter can be either specific to an application context or applied globally. enum: - appState - globalState type: string required: - store meta: additionalProperties: {} type: object query: additionalProperties: {} type: object required: - meta type: array kql: description: A filter written in Kibana Query Language (KQL). type: string required: - kql - filters timeframe: additionalProperties: false description: Defines a period that limits whether the action runs. type: object properties: days: description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. items: enum: - 1 - 2 - 3 - 4 - 5 - 6 - 7 type: integer type: array hours: additionalProperties: false description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. type: object properties: end: description: The end of the time frame in 24-hour notation (`hh:mm`). type: string start: description: The start of the time frame in 24-hour notation (`hh:mm`). type: string required: - start - end timezone: description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. type: string required: - days - hours - timezone frequency: additionalProperties: false type: object properties: notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval type: string summary: description: Indicates whether the action is a summary. type: boolean throttle: description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - summary - notify_when - throttle group: description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. type: string id: description: The identifier for the connector saved object. type: string params: additionalProperties: {} default: {} description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. type: object use_alert_data_for_template: description: Indicates whether to use alert data as a template. type: boolean uuid: description: A universally unique identifier (UUID) for the action. type: string required: - id type: array alert_delay: additionalProperties: false description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. type: object properties: active: description: The number of consecutive runs that must meet the rule conditions. type: number required: - active artifacts: additionalProperties: false type: object properties: dashboards: items: additionalProperties: false type: object properties: id: type: string required: - id maxItems: 10 type: array investigation_guide: additionalProperties: false type: object properties: blob: maxLength: 10000 type: string required: - blob consumer: description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' type: string enabled: default: true description: Indicates whether you want to run the rule on an interval basis after it is created. type: boolean flapping: additionalProperties: false description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. nullable: true type: object properties: enabled: description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. type: boolean look_back_window: description: The minimum number of runs in which the threshold must be met. maximum: 20 minimum: 2 type: number status_change_threshold: description: The minimum number of times an alert must switch states in the look back window. maximum: 20 minimum: 2 type: number required: - look_back_window - status_change_threshold name: description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. type: string notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval nullable: true type: string params: additionalProperties: false description: The parameters for the synthetics tls rule. These parameters are appropriate when `rule_type_id` is `xpack.synthetics.alerts.tls`. properties: certAgeThreshold: type: number certExpirationThreshold: type: number kqlQuery: type: string locations: items: type: string type: array monitorIds: items: type: string type: array monitorTypes: items: type: string type: array projects: items: type: string type: array search: type: string tags: items: type: string type: array title: Synthetics TLS Rule Params type: object rule_type_id: enum: - xpack.synthetics.alerts.tls type: string schedule: additionalProperties: false description: The check interval, which specifies how frequently the rule conditions are checked. type: object properties: interval: description: The interval is specified in seconds, minutes, hours, or days. type: string required: - interval tags: default: [] description: The tags for the rule. items: type: string type: array throttle: description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - name - consumer - schedule - rule_type_id - params title: Synthetics TLS type: object Kibana_HTTP_APIs_xpack-uptime-alerts-durationanomaly-create-rule-body-alerting: additionalProperties: false properties: actions: default: [] items: additionalProperties: false description: An action that runs under defined conditions. type: object properties: alerts_filter: additionalProperties: false description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. type: object properties: query: additionalProperties: false type: object properties: dsl: description: A filter written in Elasticsearch Query Domain Specific Language (DSL). type: string filters: description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. items: additionalProperties: false type: object properties: $state: additionalProperties: false type: object properties: store: description: A filter can be either specific to an application context or applied globally. enum: - appState - globalState type: string required: - store meta: additionalProperties: {} type: object query: additionalProperties: {} type: object required: - meta type: array kql: description: A filter written in Kibana Query Language (KQL). type: string required: - kql - filters timeframe: additionalProperties: false description: Defines a period that limits whether the action runs. type: object properties: days: description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. items: enum: - 1 - 2 - 3 - 4 - 5 - 6 - 7 type: integer type: array hours: additionalProperties: false description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. type: object properties: end: description: The end of the time frame in 24-hour notation (`hh:mm`). type: string start: description: The start of the time frame in 24-hour notation (`hh:mm`). type: string required: - start - end timezone: description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. type: string required: - days - hours - timezone frequency: additionalProperties: false type: object properties: notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval type: string summary: description: Indicates whether the action is a summary. type: boolean throttle: description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - summary - notify_when - throttle group: description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. type: string id: description: The identifier for the connector saved object. type: string params: additionalProperties: {} default: {} description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. type: object use_alert_data_for_template: description: Indicates whether to use alert data as a template. type: boolean uuid: description: A universally unique identifier (UUID) for the action. type: string required: - id type: array alert_delay: additionalProperties: false description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. type: object properties: active: description: The number of consecutive runs that must meet the rule conditions. type: number required: - active artifacts: additionalProperties: false type: object properties: dashboards: items: additionalProperties: false type: object properties: id: type: string required: - id maxItems: 10 type: array investigation_guide: additionalProperties: false type: object properties: blob: maxLength: 10000 type: string required: - blob consumer: description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' type: string enabled: default: true description: Indicates whether you want to run the rule on an interval basis after it is created. type: boolean flapping: additionalProperties: false description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. nullable: true type: object properties: enabled: description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. type: boolean look_back_window: description: The minimum number of runs in which the threshold must be met. maximum: 20 minimum: 2 type: number status_change_threshold: description: The minimum number of times an alert must switch states in the look back window. maximum: 20 minimum: 2 type: number required: - look_back_window - status_change_threshold name: description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. type: string notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval nullable: true type: string params: additionalProperties: false description: The parameters for the uptime duration anomaly rule. These parameters are appropriate when `rule_type_id` is `xpack.uptime.alerts.durationAnomaly`. properties: monitorId: type: string severity: type: number stackVersion: type: string required: - monitorId - severity title: Uptime Duration Anomaly Rule Params type: object rule_type_id: enum: - xpack.uptime.alerts.durationAnomaly type: string schedule: additionalProperties: false description: The check interval, which specifies how frequently the rule conditions are checked. type: object properties: interval: description: The interval is specified in seconds, minutes, hours, or days. type: string required: - interval tags: default: [] description: The tags for the rule. items: type: string type: array throttle: description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - name - consumer - schedule - rule_type_id - params title: Uptime duration anomaly type: object Kibana_HTTP_APIs_xpack-uptime-alerts-monitorstatus-create-rule-body-alerting: additionalProperties: false properties: actions: default: [] items: additionalProperties: false description: An action that runs under defined conditions. type: object properties: alerts_filter: additionalProperties: false description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. type: object properties: query: additionalProperties: false type: object properties: dsl: description: A filter written in Elasticsearch Query Domain Specific Language (DSL). type: string filters: description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. items: additionalProperties: false type: object properties: $state: additionalProperties: false type: object properties: store: description: A filter can be either specific to an application context or applied globally. enum: - appState - globalState type: string required: - store meta: additionalProperties: {} type: object query: additionalProperties: {} type: object required: - meta type: array kql: description: A filter written in Kibana Query Language (KQL). type: string required: - kql - filters timeframe: additionalProperties: false description: Defines a period that limits whether the action runs. type: object properties: days: description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. items: enum: - 1 - 2 - 3 - 4 - 5 - 6 - 7 type: integer type: array hours: additionalProperties: false description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. type: object properties: end: description: The end of the time frame in 24-hour notation (`hh:mm`). type: string start: description: The start of the time frame in 24-hour notation (`hh:mm`). type: string required: - start - end timezone: description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. type: string required: - days - hours - timezone frequency: additionalProperties: false type: object properties: notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval type: string summary: description: Indicates whether the action is a summary. type: boolean throttle: description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - summary - notify_when - throttle group: description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. type: string id: description: The identifier for the connector saved object. type: string params: additionalProperties: {} default: {} description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. type: object use_alert_data_for_template: description: Indicates whether to use alert data as a template. type: boolean uuid: description: A universally unique identifier (UUID) for the action. type: string required: - id type: array alert_delay: additionalProperties: false description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. type: object properties: active: description: The number of consecutive runs that must meet the rule conditions. type: number required: - active artifacts: additionalProperties: false type: object properties: dashboards: items: additionalProperties: false type: object properties: id: type: string required: - id maxItems: 10 type: array investigation_guide: additionalProperties: false type: object properties: blob: maxLength: 10000 type: string required: - blob consumer: description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' type: string enabled: default: true description: Indicates whether you want to run the rule on an interval basis after it is created. type: boolean flapping: additionalProperties: false description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. nullable: true type: object properties: enabled: description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. type: boolean look_back_window: description: The minimum number of runs in which the threshold must be met. maximum: 20 minimum: 2 type: number status_change_threshold: description: The minimum number of times an alert must switch states in the look back window. maximum: 20 minimum: 2 type: number required: - look_back_window - status_change_threshold name: description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. type: string notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval nullable: true type: string params: additionalProperties: false description: The parameters for the uptime monitor status rule. These parameters are appropriate when `rule_type_id` is `xpack.uptime.alerts.monitorStatus`. properties: availability: additionalProperties: false type: object properties: range: type: number rangeUnit: type: string threshold: type: string required: - range - rangeUnit - threshold filters: anyOf: - additionalProperties: false type: object properties: monitor.type: items: type: string type: array observer.geo.name: items: type: string type: array tags: items: type: string type: array url.port: items: type: string type: array - type: string isAutoGenerated: type: boolean locations: items: type: string type: array numTimes: type: number search: type: string shouldCheckAvailability: type: boolean shouldCheckStatus: type: boolean stackVersion: type: string timerange: additionalProperties: false type: object properties: from: type: string to: type: string required: - from - to timerangeCount: type: number timerangeUnit: type: string version: type: number required: - numTimes - shouldCheckStatus - shouldCheckAvailability title: Uptime Monitor Status Rule Params type: object rule_type_id: enum: - xpack.uptime.alerts.monitorStatus type: string schedule: additionalProperties: false description: The check interval, which specifies how frequently the rule conditions are checked. type: object properties: interval: description: The interval is specified in seconds, minutes, hours, or days. type: string required: - interval tags: default: [] description: The tags for the rule. items: type: string type: array throttle: description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - name - consumer - schedule - rule_type_id - params title: Uptime monitor status type: object Kibana_HTTP_APIs_xpack-uptime-alerts-tlscertificate-create-rule-body-alerting: additionalProperties: false properties: actions: default: [] items: additionalProperties: false description: An action that runs under defined conditions. type: object properties: alerts_filter: additionalProperties: false description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. type: object properties: query: additionalProperties: false type: object properties: dsl: description: A filter written in Elasticsearch Query Domain Specific Language (DSL). type: string filters: description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. items: additionalProperties: false type: object properties: $state: additionalProperties: false type: object properties: store: description: A filter can be either specific to an application context or applied globally. enum: - appState - globalState type: string required: - store meta: additionalProperties: {} type: object query: additionalProperties: {} type: object required: - meta type: array kql: description: A filter written in Kibana Query Language (KQL). type: string required: - kql - filters timeframe: additionalProperties: false description: Defines a period that limits whether the action runs. type: object properties: days: description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. items: enum: - 1 - 2 - 3 - 4 - 5 - 6 - 7 type: integer type: array hours: additionalProperties: false description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. type: object properties: end: description: The end of the time frame in 24-hour notation (`hh:mm`). type: string start: description: The start of the time frame in 24-hour notation (`hh:mm`). type: string required: - start - end timezone: description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. type: string required: - days - hours - timezone frequency: additionalProperties: false type: object properties: notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval type: string summary: description: Indicates whether the action is a summary. type: boolean throttle: description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - summary - notify_when - throttle group: description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. type: string id: description: The identifier for the connector saved object. type: string params: additionalProperties: {} default: {} description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. type: object use_alert_data_for_template: description: Indicates whether to use alert data as a template. type: boolean uuid: description: A universally unique identifier (UUID) for the action. type: string required: - id type: array alert_delay: additionalProperties: false description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. type: object properties: active: description: The number of consecutive runs that must meet the rule conditions. type: number required: - active artifacts: additionalProperties: false type: object properties: dashboards: items: additionalProperties: false type: object properties: id: type: string required: - id maxItems: 10 type: array investigation_guide: additionalProperties: false type: object properties: blob: maxLength: 10000 type: string required: - blob consumer: description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' type: string enabled: default: true description: Indicates whether you want to run the rule on an interval basis after it is created. type: boolean flapping: additionalProperties: false description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. nullable: true type: object properties: enabled: description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. type: boolean look_back_window: description: The minimum number of runs in which the threshold must be met. maximum: 20 minimum: 2 type: number status_change_threshold: description: The minimum number of times an alert must switch states in the look back window. maximum: 20 minimum: 2 type: number required: - look_back_window - status_change_threshold name: description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. type: string notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval nullable: true type: string params: additionalProperties: false description: The parameters for the uptime tls rule. These parameters are appropriate when `rule_type_id` is `xpack.uptime.alerts.tlsCertificate`. properties: certAgeThreshold: type: number certExpirationThreshold: type: number search: type: string stackVersion: type: string title: Uptime TLS Rule Params type: object rule_type_id: enum: - xpack.uptime.alerts.tlsCertificate type: string schedule: additionalProperties: false description: The check interval, which specifies how frequently the rule conditions are checked. type: object properties: interval: description: The interval is specified in seconds, minutes, hours, or days. type: string required: - interval tags: default: [] description: The tags for the rule. items: type: string type: array throttle: description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - name - consumer - schedule - rule_type_id - params title: Uptime TLS certificate type: object Kibana_HTTP_APIs_xyAnnotationByRefLayer: additionalProperties: false description: Reference to a library annotation group properties: group_id: description: ID of the linked annotation group from the library type: string type: enum: - annotation_group type: string required: - type - group_id title: Annotation Layer (By Reference) type: object Kibana_HTTP_APIs_xyAnnotationLayerNoESQL: additionalProperties: false description: Layer containing annotations (query-based, points, and ranges) properties: data_source: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-reference-schema' - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-spec-schema' events: description: Array of annotation configurations items: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyAnnotationQuery' - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyAnnotationManualEvent' - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyAnnotationManualRange' maxItems: 100 minItems: 1 type: array ignore_global_filters: default: false description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. type: boolean type: enum: - annotations type: string required: - type - data_source - events title: Annotation Layer (DSL) type: object Kibana_HTTP_APIs_xyAnnotationManualEvent: additionalProperties: false description: Manual point annotation at specific timestamp properties: color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' icon: description: Icon to display at the annotation point enum: - asterisk - alert - bell - bolt - bug - circle - editor_comment - flag - heart - map_marker - pin_filled - star_empty - star_filled - tag - triangle type: string label: description: Label text for the annotation type: string line: additionalProperties: false description: Vertical line configuration for point annotation type: object properties: stroke_dash: description: Vertical line style enum: - solid - dashed - dotted type: string stroke_width: description: Vertical line width in pixels maximum: 10 minimum: 1 type: number required: - stroke_width - stroke_dash text: additionalProperties: false description: Annotation text label visibility type: object properties: visible: description: Show text label on the annotation type: boolean required: - visible timestamp: anyOf: - description: Unix timestamp in milliseconds type: number - description: ISO date string type: string type: enum: - point type: string visible: description: Show the annotation type: boolean required: - type - timestamp title: xyAnnotationManualEvent type: object Kibana_HTTP_APIs_xyAnnotationManualRange: additionalProperties: false description: Manual range annotation spanning time interval properties: color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' fill: description: Fill direction for range enum: - inside - outside type: string interval: additionalProperties: false description: Time range for annotation type: object properties: from: anyOf: - description: Unix timestamp in milliseconds type: number - description: ISO date string type: string to: anyOf: - description: Unix timestamp in milliseconds type: number - description: ISO date string type: string required: - from - to label: description: Label text for the annotation type: string type: enum: - range type: string visible: description: Show the annotation type: boolean required: - type - interval title: xyAnnotationManualRange type: object Kibana_HTTP_APIs_xyAnnotationQuery: additionalProperties: false description: Annotation from query results matching a filter properties: color: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' extra_fields: description: Additional fields for annotation tooltip items: description: Additional field to include in tooltip type: string maxItems: 100 type: array icon: description: Icon to display at the annotation point enum: - asterisk - alert - bell - bolt - bug - circle - editor_comment - flag - heart - map_marker - pin_filled - star_empty - star_filled - tag - triangle type: string label: description: Label text for the annotation type: string line: additionalProperties: false description: Vertical line configuration for point annotation type: object properties: stroke_dash: description: Vertical line style enum: - solid - dashed - dotted type: string stroke_width: description: Vertical line width in pixels maximum: 10 minimum: 1 type: number required: - stroke_width - stroke_dash query: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' text: additionalProperties: false description: Annotation text label configuration type: object properties: field: description: Field name for text label source type: string visible: description: Show text label on the annotation type: boolean required: - visible time_field: description: Field containing the timestamp type: string type: enum: - query type: string visible: description: Show the annotation type: boolean required: - type - query - time_field title: xyAnnotationQuery type: object Kibana_HTTP_APIs_xyBreakdownDateHistogram: additionalProperties: false properties: aggregate_first: description: When `true`, aggregates data before splitting into series. Defaults to `false`. type: boolean collapse_by: $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' color: $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' drop_partial_intervals: description: When `true`, drops partial intervals from the results. type: boolean field: description: Field to be used for the date histogram. type: string include_empty_rows: default: true description: When `true`, includes empty rows in the results. type: boolean label: description: Label for the operation type: string operation: enum: - date_histogram type: string suggested_interval: default: auto description: Suggested time interval. type: string use_original_time_range: default: false description: When `true`, uses the original time range instead of the current query time range. type: boolean required: - operation - field - collapse_by - color title: Date Histogram Operation type: object Kibana_HTTP_APIs_xyBreakdownFilters: additionalProperties: false properties: aggregate_first: description: When `true`, aggregates data before splitting into series. Defaults to `false`. type: boolean collapse_by: $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' color: $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' filters: items: $ref: '#/components/schemas/Kibana_HTTP_APIs_filterWithLabel' maxItems: 100 type: array label: description: Label for the operation type: string operation: enum: - filters type: string required: - operation - filters - collapse_by - color title: Filters Operation type: object Kibana_HTTP_APIs_xyBreakdownHistogram: additionalProperties: false properties: aggregate_first: description: When `true`, aggregates data before splitting into series. Defaults to `false`. type: boolean collapse_by: $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' color: $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' field: description: Field to be used for the histogram. type: string format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' granularity: anyOf: - description: Granularity of the histogram. maximum: 7 minimum: 1 type: number - enum: - auto type: string default: auto include_empty_rows: default: true description: When `true`, includes empty rows in the results. type: boolean label: description: Label for the operation type: string operation: enum: - histogram type: string required: - operation - format - field - collapse_by - color title: Histogram Operation type: object Kibana_HTTP_APIs_xyBreakdownRanges: additionalProperties: false properties: aggregate_first: description: When `true`, aggregates data before splitting into series. Defaults to `false`. type: boolean collapse_by: $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' color: $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' field: description: Field to be used for the range. type: string format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: description: Label for the operation type: string operation: enum: - range type: string ranges: items: additionalProperties: false type: object properties: gt: description: Greater than. type: number label: description: Label. type: string lte: description: Less than or equal to. type: number maxItems: 100 type: array required: - operation - format - field - ranges - collapse_by - color title: Ranges Operation type: object Kibana_HTTP_APIs_xyBreakdownTerms: additionalProperties: false properties: aggregate_first: description: When `true`, aggregates data before splitting into series. Defaults to `false`. type: boolean collapse_by: $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' color: $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' excludes: additionalProperties: false type: object properties: as_regex: description: When `true`, treats the values as regular expressions. type: boolean values: items: description: Values to exclude. type: string maxItems: 100 type: array required: - values fields: items: description: Fields to be used for the terms. type: string maxItems: 4 minItems: 1 type: array format: $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' includes: additionalProperties: false type: object properties: as_regex: description: When `true`, treats the values as regular expressions. type: boolean values: items: description: Values to include. type: string maxItems: 100 type: array required: - values increase_accuracy: description: When `true`, increases accuracy at the cost of performance. type: boolean label: description: Label for the operation type: string limit: default: 5 description: Number of terms to return. type: number operation: enum: - terms type: string other_bucket: additionalProperties: false type: object properties: include_documents_without_field: description: When `true`, includes documents that do not have the specified field. type: boolean required: - include_documents_without_field rank_by: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByAlphabetical' - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByRare' - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankBySignificant' - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByMetric' - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomOperation' - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomCountOperation' - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileOperation' - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileRankOperation' required: - operation - format - fields - collapse_by - color title: Terms Operation type: object Kibana_HTTP_APIs_xyChartESQL: additionalProperties: false description: XY chart configuration for ES|QL queries properties: axis: $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_xy_axis_config' description: type: string drilldowns: items: anyOf: - additionalProperties: false properties: dashboard_id: type: string label: type: string open_in_new_tab: default: false description: When enabled, the dashboard opens in a new browser tab. type: boolean trigger: enum: - on_apply_filter type: string type: enum: - dashboard_drilldown type: string use_filters: default: true description: When enabled, filters are passed to the opening dashboard. type: boolean use_time_range: default: true description: When enabled, time range is passed to the opening dashboard. type: boolean required: - dashboard_id - label - trigger - type title: dashboard_drilldown type: object - additionalProperties: false properties: label: type: string open_in_new_tab: default: true type: boolean trigger: enum: - on_apply_filter type: string type: enum: - discover_drilldown type: string required: - label - trigger - type title: discover_drilldown type: object - additionalProperties: false properties: encode_url: default: true description: When true, URL is escaped using percent encoding type: boolean label: type: string open_in_new_tab: default: true type: boolean trigger: enum: - on_click_row - on_click_value - on_open_panel_menu - on_select_range type: string type: enum: - url_drilldown type: string url: description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable type: string required: - url - label - trigger - type title: url_drilldown type: object maxItems: 100 type: array filters: $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' hide_border: type: boolean hide_title: type: boolean layers: description: ES|QL chart layers items: $ref: '#/components/schemas/Kibana_HTTP_APIs_xyLayerESQL' maxItems: 100 minItems: 1 type: array legend: $ref: '#/components/schemas/Kibana_HTTP_APIs_xyLegend' references: items: $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' type: array styling: $ref: '#/components/schemas/Kibana_HTTP_APIs_xyStyling' time_range: $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' title: type: string type: enum: - xy type: string required: - type - filters - legend - axis - styling - layers - time_range title: XY Chart (ES|QL) type: object Kibana_HTTP_APIs_xyChartNoESQL: additionalProperties: false description: XY chart configuration for DSL queries properties: axis: $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_xy_axis_config' description: type: string drilldowns: items: anyOf: - additionalProperties: false properties: dashboard_id: type: string label: type: string open_in_new_tab: default: false description: When enabled, the dashboard opens in a new browser tab. type: boolean trigger: enum: - on_apply_filter type: string type: enum: - dashboard_drilldown type: string use_filters: default: true description: When enabled, filters are passed to the opening